fix(audit): Batch 4-6 中间件注释 + 依赖迁移 + 安全加固

Batch 4: - kernel/mod.rs: 添加中间件注册顺序≠执行顺序注释 - EvolutionMiddleware 注册处标注 priority=78 Batch 5: - desktop/src-tauri/Cargo.toml: serde_yaml 0.9 (deprecated) → serde_yaml_bw 2.x Batch 6: - saas/main.rs: CORS 开发模式改为显式 localhost origins (修复 Any+credentials 违规) - docker-compose.yml: 移除默认弱密码 your_secure_password，改为必填校验 - director.rs: 用户输入添加 <user_input>/<user_request> 边界标记防注入全量测试通过: 719 passed, 0 failed
2026-04-19 08:46:12 +08:00
parent 4329bae1ea
commit edd6dd5fc8
5 changed files with 41 additions and 9 deletions
--- a/crates/zclaw-saas/src/main.rs
+++ b/crates/zclaw-saas/src/main.rs
@@ -309,10 +309,34 @@ async fn build_router(state: AppState) -> axum::Router {
            .unwrap_or(false);
        if config.server.cors_origins.is_empty() {
            if is_dev {
+                // Dev mode: use explicit localhost origins (Any + credentials violates CORS spec)
+                let dev_origins: Vec<HeaderValue> = [
+                    "http://localhost:1420",
+                    "http://localhost:5173",
+                    "http://127.0.0.1:1420",
+                    "http://127.0.0.1:5173",
+                    "http://localhost:8080",
+                    "http://127.0.0.1:8080",
+                    "tauri://localhost",
+                    "https://tauri.localhost",
+                ].iter()
+                    .filter_map(|o| o.parse::<HeaderValue>().ok())
+                    .collect();
                CorsLayer::new()
-                    .allow_origin(Any)
-                    .allow_methods(Any)
-                    .allow_headers(Any)
+                    .allow_origin(dev_origins)
+                    .allow_methods([
+                        axum::http::Method::GET,
+                        axum::http::Method::POST,
+                        axum::http::Method::PUT,
+                        axum::http::Method::PATCH,
+                        axum::http::Method::DELETE,
+                        axum::http::Method::OPTIONS,
+                    ])
+                    .allow_headers([
+                        axum::http::header::AUTHORIZATION,
+                        axum::http::header::CONTENT_TYPE,
+                        axum::http::header::COOKIE,
+                    ])
                    .allow_credentials(true)
            } else {
                tracing::error!("生产环境必须配置 server.cors_origins，不能使用 allow_origin(Any)");