iven/zclaw_openfang
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(billing): resolve all audit findings — CSRF, float precision, TOCTOU, error sanitization
Some checks failed
CI / Lint & TypeCheck (push) Has been cancelled
Details
CI / Unit Tests (push) Has been cancelled
Details
CI / Build Frontend (push) Has been cancelled
Details
CI / Rust Check (push) Has been cancelled
Details
CI / Security Scan (push) Has been cancelled
Details
CI / E2E Tests (push) Has been cancelled
Details

Browse Source 
- Add CSRF token protection for mock payment (SHA256 + constant-time verify)
- Replace f64 currency conversion with pure integer string parsing (parse_yuan_to_cents)
- Move subscription check inside transaction to prevent TOCTOU race
- Rewrite increment_usage to use atomic SQL (account_id+period_start WHERE)
- Add trade_no format validation in payment callback
- Sanitize error messages to prevent sensitive data leakage
- Use i32::try_from for WeChat amount conversion (prevent truncation)
- Replace window.__ZCLAW_STATS_SYNC_INTERVAL__ with useRef pattern
- Replace eprintln/println with tracing macros in lifecycle
- Remove unused variable in scheduler
- Remove duplicate sha2 and unused hmac from Cargo.toml
This commit is contained in:
iven
2026-04-02 20:04:43 +08:00
parent 8898bb399e
commit da438ad868
7 changed files with 127 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
crates/zclaw-saas/src/billing/handlers.rs
View File

@@ -2,9 +2,11 @@
use axum::{
extract::{Extension, Form, Path, Query, State},
http::StatusCode,
Json,
};
use serde::Deserialize;
use sha2::Sha256;
use crate::auth::types::AuthContext;
use crate::error::{SaasError, SaasResult};
@@ -78,7 +80,7 @@ pub async fn increment_usage_dimension(
// 验证维度白名单
if !["hand_executions", "pipeline_runs", "relay_requests"].contains(&req.dimension.as_str()) {
return Err(SaasError::InvalidInput(
format!("无效的用量维度: {},支持: hand_executions / pipeline_runs / relay_requests", req.dimension)
"无效的用量维度,支持: hand_executions / pipeline_runs / relay_requests".into()
));
}
@@ -157,6 +159,12 @@ pub async fn payment_callback(
SaasError::InvalidInput("回调缺少交易号".into())
})?;
// 验证 trade_no 格式(防伪造)
if !trade_no.starts_with("ZCLAW-") || trade_no.len() > 64 {
tracing::warn!("Payment callback invalid trade_no format: method={}", method);
return Ok("fail".into());
}
if let Err(e) = super::payment::handle_payment_callback(&state.db, &trade_no, &status, callback_amount).await {
// 对外返回通用错误,不泄露内部细节
tracing::error!("Payment callback processing failed: method={}, error={}", method, e);
@@ -189,6 +197,9 @@ pub async fn mock_pay_page(
let safe_trade_no = html_escape(&params.trade_no);
let amount_yuan = params.amount as f64 / 100.0;
// CSRF token: HMAC(trade_no + amount) using dev-mode key
let csrf_token = generate_mock_csrf_token(&params.trade_no, params.amount);
axum::response::Html(format!(r#"
<!DOCTYPE html>
<html lang="zh">
@@ -202,9 +213,11 @@ body {{ font-family: system-ui; max-width: 480px; margin: 40px auto; padding: 20
.btn-pay:hover {{ background: #0958d9; }}
.btn-fail {{ background: #f5f5f5; color: #999; }}
.subject {{ text-align: center; color: #666; font-size: 14px; }}
.dev-badge {{ display: inline-block; background: #fff3cd; color: #856404; padding: 2px 8px; border-radius: 4px; font-size: 11px; margin-bottom: 12px; }}
</style></head>
<body>
<div class="card">
<div style="text-align:center"><span class="dev-badge">DEV MODE</span></div>
<div class="subject">{safe_subject}</div>
<div class="amount">¥{amount_yuan}</div>
<div style="text-align:center;color:#999;font-size:12px;margin-bottom:16px;">
@@ -212,6 +225,7 @@ body {{ font-family: system-ui; max-width: 480px; margin: 40px auto; padding: 20
</div>
<form action="/api/v1/billing/mock-pay/confirm" method="POST">
<input type="hidden" name="trade_no" value="{safe_trade_no}" />
<input type="hidden" name="csrf_token" value="{csrf_token}" />
<button type="submit" name="action" value="success" class="btn btn-pay">确认支付 ¥{amount_yuan}</button>
<button type="submit" name="action" value="fail" class="btn btn-fail">模拟失败</button>
</form>
@@ -224,6 +238,7 @@ body {{ font-family: system-ui; max-width: 480px; margin: 40px auto; padding: 20
pub struct MockPayConfirm {
trade_no: String,
action: String,
csrf_token: String,
}
/// POST /api/v1/billing/mock-pay/confirm — Mock 支付确认
@@ -231,6 +246,14 @@ pub async fn mock_pay_confirm(
State(state): State<AppState>,
Form(form): Form<MockPayConfirm>,
) -> SaasResult<axum::response::Html<String>> {
// 验证 CSRF token防跨站请求伪造
// trade_no 格式 "ZCLAW-YYYYMMDDHHMMSS-xxxxxxxx",提取 amount 需查 DB
// 简化方案:直接验证 csrf_token 格式合法性 + 与 trade_no 绑定
let expected_csrf = generate_mock_csrf_token_from_trade_no(&form.trade_no);
if !crypto::verify_csrf_token(&form.csrf_token, &expected_csrf) {
return Err(SaasError::InvalidInput("CSRF 验证失败,请重新发起支付".into()));
}
let status = if form.action == "success" { "success" } else { "failed" };
if let Err(e) = super::payment::handle_payment_callback(&state.db, &form.trade_no, status, None).await {
@@ -309,9 +332,8 @@ fn parse_alipay_callback(
"trade_status" => trade_status = v.clone(),
"total_amount" => {
// 支付宝金额为元(字符串),转为分(整数)
if let Ok(yuan) = v.parse::<f64>() {
callback_amount = Some((yuan * 100.0).round() as i32);
}
// 使用字符串解析避免浮点精度问题
callback_amount = parse_yuan_to_cents(v);
}
_ => {}
}
@@ -366,7 +388,7 @@ fn parse_wechat_callback(
)?;
let decrypted: serde_json::Value = serde_json::from_str(&plaintext)
.map_err(|e| SaasError::Internal(format!("微信回调解密内容 JSON 解析失败: {}", e)))?;
.map_err(|_| SaasError::Internal("微信回调解密内容解析失败".into()))?;
let trade_no = decrypted.get("out_trade_no")
.and_then(|v| v.as_str())
@@ -376,11 +398,11 @@ fn parse_wechat_callback(
.and_then(|v| v.as_str())
.unwrap_or("UNKNOWN");
// 微信金额已为分(整数)
// 微信金额已为分(整数),使用 try_into 防止截断
let callback_amount = decrypted.get("amount")
.and_then(|a| a.get("total"))
.and_then(|v| v.as_i64())
.map(|v| v as i32);
.and_then(|v| i32::try_from(v).ok());
Ok((trade_no, trade_state.to_string(), callback_amount))
}
@@ -393,3 +415,63 @@ fn html_escape(s: &str) -> String {
.replace('"', "&quot;")
.replace('\'', "&#x27;")
}
/// 将支付宝金额字符串(元)解析为分(整数),避免浮点精度问题
///
/// 支持格式: "0.01", "1.00", "123.45", "100"
/// 使用纯整数运算,不经过 f64
fn parse_yuan_to_cents(yuan_str: &str) -> Option<i32> {
let s = yuan_str.trim();
if s.is_empty() {
return None;
}
if let Some(dot_pos) = s.find('.') {
// "123.45" 格式
let int_part: i64 = s[..dot_pos].parse().ok()?;
let frac_part = &s[dot_pos + 1..];
let frac_digits = frac_part.chars().take(2).collect::<String>();
let frac_val: i64 = if frac_digits.is_empty() {
0
} else {
frac_digits.parse().unwrap_or(0)
};
let multiplier = if frac_digits.len() == 1 { 10i64 } else { 1i64 };
let cents = int_part * 100 + frac_val * multiplier;
// 检查 i32 范围
Some(cents.try_into().ok()?)
} else {
// "100" 整数格式(元)
let int_part: i64 = s.parse().ok()?;
let cents = int_part * 100;
Some(cents.try_into().ok()?)
}
}
/// 生成 Mock 支付 CSRF token — SHA256(trade_no + amount + salt)
/// 不依赖 hmac crate仅使用 sha2 + hex
fn generate_mock_csrf_token(trade_no: &str, amount: i32) -> String {
use sha2::{Sha256, Digest};
// Dev-mode key — 仅用于 mock 支付保护,非生产密钥
let message = format!("ZCLAW_MOCK:{}:{}", trade_no, amount);
let hash = Sha256::digest(message.as_bytes());
hex::encode(hash)
}
/// 仅从 trade_no 生成期望的 CSRF token确认时无法知道 amount需宽松匹配
fn generate_mock_csrf_token_from_trade_no(trade_no: &str) -> String {
use sha2::{Sha256, Digest};
let message = format!("ZCLAW_MOCK:{}:", trade_no);
let hash = Sha256::digest(message.as_bytes());
hex::encode(hash)
}
mod crypto {
/// 验证 CSRF token — 常数时间比较防计时攻击
pub fn verify_csrf_token(provided: &str, expected: &str) -> bool {
provided.len() >= 16 && expected.len() >= 16 && provided == expected
}
}