2b90db4028
CI / rust-check (push) Has been cancelled
CI / rust-test (push) Has been cancelled
CI / frontend-build (push) Has been cancelled
CI / security-audit (push) Has been cancelled
fix(health): P0 security fixes — SQL injection + FHIR authorization bypass + OAuth permissions + hard-coded JWT secret
C1: In action_inbox_service.rs, the format! string concatenation of patient_id/user_id was replaced with
a parameterized query ($2/$3/$4/$5 bindings), eliminating the SQL injection risk
C2: In fhir/handler.rs, all patient-related endpoints now enforce the allowed_patient_ids scope
filter; the search endpoint filters with is_in, and the get endpoint validates with enforce_patient_scope
H5: In oauth/handler.rs, 5 admin endpoints now have require_permission checks
M3: Removed the "dev-secret-key" fallback from oauth/handler.rs and middleware.rs;
when the environment variable is missing, startup fails (token) / a 500 is returned (middleware)
2026-05-04 23:09:25 +08:00