docs: update security policy with detailed reporting guidelines and security considerations

This commit is contained in:
ciat-777
2026-03-15 14:17:47 +08:00
parent 916b9d6d73
commit 982c0da010
3 changed files with 436 additions and 110 deletions
+91 -29
@@ -1,44 +1,106 @@
# Code of Conduct
# Code of Conduct / 行为准则
## Our Commitment
## Our Pledge / 我们的承诺
We are committed to providing a welcoming, harassment-free community for everyone.
We as members, contributors, and maintainers pledge to make participation in the Metapi community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
## Expected Behavior
作为 Metapi 社区的成员、贡献者和维护者,我们承诺让每个人都能在无骚扰的环境中参与,无论年龄、体型、残疾、种族、性别认同和表达、经验水平、国籍、个人外貌、种族、宗教或性取向如何。
- Be respectful and constructive.
- Focus on technical discussion, not personal attacks.
- Assume good intent and ask clarifying questions before escalating.
## Our Standards / 我们的标准
## Unacceptable Behavior
### Expected Behavior / 期望的行为
- Harassment, discrimination, or abusive language
- Personal attacks or intimidation
- Publishing others' private information without consent
- Deliberate disruption, trolling, or bad-faith escalation
- Repeatedly ignoring maintainer moderation requests
Examples of behavior that contributes to a positive environment / 有助于营造积极环境的行为示例:
## Reporting
- Using welcoming and inclusive language / 使用友好和包容的语言
- Being respectful of differing viewpoints and experiences / 尊重不同的观点和经验
- Gracefully accepting constructive criticism / 优雅地接受建设性批评
- Focusing on what is best for the community / 关注对社区最有利的事情
- Showing empathy towards other community members / 对其他社区成员表现出同理心
- Providing helpful and constructive feedback / 提供有益和建设性的反馈
- Assuming good intent and asking clarifying questions / 假定善意并提出澄清性问题
- Email `cita-777@users.noreply.github.com` with subject prefix `[metapi conduct]`.
- Include links, screenshots, timestamps, and any context that helps reconstruct the incident.
- If the incident is happening directly on GitHub and needs urgent platform action, also use GitHub's built-in report tools.
- We will keep reporter details as private as practical and do not allow retaliation for good-faith reports.
### Unacceptable Behavior / 不可接受的行为
## Enforcement
Examples of unacceptable behavior / 不可接受行为的示例:
Project maintainers are responsible for clarifying and enforcing this code of conduct.
- Harassment, discrimination, or abusive language / 骚扰、歧视或辱骂性语言
- Trolling, insulting/derogatory comments, and personal or political attacks / 挑衅、侮辱性/贬损性评论以及人身或政治攻击
- Public or private harassment or intimidation / 公开或私下的骚扰或恐吓
- Publishing others' private information (e.g., physical or email address) without explicit permission / 未经明确许可发布他人的私人信息(例如,实际地址或电子邮件地址)
- Deliberate disruption of discussions or project activities / 故意破坏讨论或项目活动
- Repeatedly ignoring maintainer moderation requests / 反复忽视维护者的管理要求
- Other conduct which could reasonably be considered inappropriate in a professional setting / 在专业环境中可能被合理认为不当的其他行为
Possible actions include:
## Reporting / 举报
- editing or removing comments, issues, discussions, or PR content
- warning the contributor
- locking threads or limiting participation in project spaces
- rejecting contributions or blocking a contributor from repository spaces
- escalating serious cases to GitHub or another hosting provider
If you experience or witness unacceptable behavior, or have any other concerns, please report it by:
We aim to acknowledge conduct reports within 7 days when possible and will review the available evidence before taking action.
如果您遇到或目睹不可接受的行为,或有任何其他疑虑,请通过以下方式举报:
## Scope
1. **Email** / **邮件**: `cita-777@users.noreply.github.com` with subject prefix `[Metapi Conduct]` / 主题前缀为 `[Metapi Conduct]`
2. **GitHub**: Use [GitHub's built-in reporting tools](https://docs.github.com/en/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam) for urgent platform-level issues / 对于紧急的平台级问题,使用 [GitHub 的内置举报工具](https://docs.github.com/en/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam)
This policy applies to project spaces and public/private interactions where an individual is representing the project.
### What to Include / 应包含的内容
When reporting, please include / 举报时请包含:
- Your contact information / 您的联系信息
- Names (usernames, real names) of individuals involved / 涉及人员的姓名(用户名、真实姓名)
- Description of the incident / 事件描述
- Links to relevant issues, PRs, or discussions / 相关 issue、PR 或讨论的链接
- Screenshots or logs (with sensitive information redacted) / 截图或日志(删除敏感信息)
- Timestamps and context / 时间戳和上下文
- Any other information that would be helpful / 任何其他有用的信息
### Confidentiality / 保密性
All reports will be handled with discretion. We will keep reporter details as private as practical and do not allow retaliation for good-faith reports.
所有举报都将谨慎处理。我们将尽可能保持举报者信息的私密性,并且不允许对善意举报进行报复。
## Enforcement / 执行
Project maintainers are responsible for clarifying and enforcing this code of conduct. They have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned with this Code of Conduct.
项目维护者负责阐明和执行本行为准则。他们有权利和责任删除、编辑或拒绝不符合本行为准则的评论、提交、代码、wiki 编辑、issue 和其他贡献。
### Enforcement Actions / 执行措施
Depending on the severity and context, maintainers may take actions including / 根据严重程度和上下文,维护者可能采取的措施包括:
1. **Warning** / **警告**: A private or public warning about the behavior / 对行为进行私下或公开警告
2. **Temporary Ban** / **临时禁止**: Temporary restriction from interacting in project spaces / 暂时限制在项目空间中的互动
3. **Permanent Ban** / **永久禁止**: Permanent removal from all project spaces / 永久从所有项目空间中移除
4. **Content Removal** / **内容删除**: Editing or removing comments, issues, discussions, or PR content / 编辑或删除评论、issue、讨论或 PR 内容
5. **Thread Locking** / **话题锁定**: Locking threads to prevent further discussion / 锁定话题以防止进一步讨论
6. **Platform Escalation** / **平台升级**: Escalating serious cases to GitHub or other hosting providers / 将严重案例上报给 GitHub 或其他托管平台
### Response Timeline / 响应时间
- We aim to acknowledge conduct reports within **7 days** when possible. / 我们力求在 **7 天**内确认行为举报(如有可能)。
- We will review the available evidence before taking action. / 我们将在采取行动之前审查可用证据。
- Complex cases may require additional time for investigation. / 复杂案例可能需要额外时间进行调查。
## Scope / 适用范围
This Code of Conduct applies to all project spaces, including / 本行为准则适用于所有项目空间,包括:
- GitHub repository (issues, PRs, discussions, code reviews) / GitHub 仓库(issue、PR、讨论、代码审查)
- Documentation and wiki / 文档和 wiki
- Community forums and chat channels / 社区论坛和聊天频道
- Official social media accounts / 官方社交媒体账号
- Project events (online or offline) / 项目活动(线上或线下)
- Any other spaces where an individual is representing the Metapi project / 个人代表 Metapi 项目的任何其他空间
## Attribution / 归属
This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/), version 2.1.
本行为准则改编自 [Contributor Covenant](https://www.contributor-covenant.org/) 2.1 版本。
## Questions / 问题
If you have questions about this Code of Conduct, please open an issue or contact the maintainers at `cita-777@users.noreply.github.com`.
如果您对本行为准则有疑问,请开启 issue 或通过 `cita-777@users.noreply.github.com` 联系维护者。
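Review bot: the "What to Include" list asks reporters for the real names of the people involved, while the "Unacceptable Behavior" list in the same hunk forbids publishing others' private information without explicit permission; limiting the request to handles plus the links already requested would avoid that tension (`- Names (usernames, real names) of individuals involved` could become `- Usernames of individuals involved`). A smaller translation point in the pledge paragraph: both "ethnicity" and "race" are rendered as 种族, so one of the two terms is lost; using 族裔 for ethnicity keeps them distinct.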
+180 -57
@@ -1,99 +1,222 @@
# Contributing
# Contributing / 贡献指南
Thanks for contributing to Metapi.
Thank you for your interest in contributing to Metapi! / 感谢您对 Metapi 项目的贡献!
## Local Setup
Metapi is a meta-aggregation layer for AI API platforms (New API, One API, OneHub, etc.), providing unified proxy, intelligent routing, and centralized management.
1. Install dependencies:
Metapi 是 AI API 聚合平台(New API、One API、OneHub 等)的元聚合层,提供统一代理、智能路由和集中管理。
## Before You Start / 开始之前
- Check existing [Issues](https://github.com/cita-777/metapi/issues) and [Pull Requests](https://github.com/cita-777/metapi/pulls) to avoid duplicates. / 检查现有的 [Issues](https://github.com/cita-777/metapi/issues) 和 [Pull Requests](https://github.com/cita-777/metapi/pulls) 以避免重复。
- For major changes, open an issue first to discuss your proposal. / 对于重大更改,请先开启 issue 讨论您的提案。
- Read our [Code of Conduct](CODE_OF_CONDUCT.md). / 阅读我们的[行为准则](CODE_OF_CONDUCT.md)。
## Local Development Setup / 本地开发环境设置
### Prerequisites / 前置要求
- Node.js 20+ / Node.js 20 或更高版本
- npm or compatible package manager / npm 或兼容的包管理器
### Setup Steps / 设置步骤
1. **Fork and clone the repository** / **Fork 并克隆仓库**
```bash
git clone https://github.com/YOUR_USERNAME/metapi.git
cd metapi
```
2. **Install dependencies** / **安装依赖**
```bash
npm install
```
2. Create a local environment file:
```powershell
Copy-Item .env.example .env
```
3. **Create environment file** / **创建环境文件**
```bash
# Windows PowerShell
Copy-Item .env.example .env
# Linux/macOS/Git Bash
cp .env.example .env
```
3. Initialize the default SQLite database:
Edit `.env` and set your tokens / 编辑 `.env` 并设置您的令牌:
```env
AUTH_TOKEN=your-dev-admin-token
PROXY_TOKEN=your-dev-proxy-token
```
4. **Initialize database** / **初始化数据库**
```bash
npm run db:migrate
```
## Common Commands
### App development
5. **Start development server** / **启动开发服务器**
```bash
npm run dev
npm run dev:server
restart.bat
```
- `npm run dev` starts the Fastify server and Vite together.
- `npm run dev:server` runs only the backend watcher.
- `restart.bat` is the Windows-friendly restart entrypoint; it forwards to `scripts\dev\restart.bat`, clears stale listeners, and starts `npm run dev`.
The app will be available at `http://localhost:4000` (backend) and `http://localhost:5173` (frontend).
### Docs
应用将在 `http://localhost:4000`(后端)和 `http://localhost:5173`(前端)可用。
## Development Commands / 开发命令
### Web Application / Web 应用
```bash
npm run docs:dev
npm run docs:build
npm run docs:preview
npm run dev # Start backend + frontend with hot reload / 启动后端 + 前端热更新
npm run dev:server # Start backend only / 仅启动后端
npm run build # Build all (web + server + desktop) / 构建全部
npm run build:web # Build frontend only / 仅构建前端
npm run build:server # Build backend only / 仅构建后端
```
### Desktop
### Desktop Application / 桌面应用
```bash
npm run dev:desktop
npm run build:desktop
npm run dist:desktop
npm run package:desktop
npm run dev:desktop # Start desktop app in dev mode / 开发模式启动桌面应用
npm run build:desktop # Build desktop app / 构建桌面应用
npm run dist:desktop # Package desktop app / 打包桌面应用
npm run dist:desktop:mac:intel # Package for macOS Intel / 打包 macOS Intel 版本
```
`npm run dev:desktop` expects the backend on `http://127.0.0.1:4000` and the Vite frontend on `http://127.0.0.1:5173`.
### Test, build, and smoke checks
### Documentation / 文档
```bash
npm test
npm run test:watch
npm run build
npm run build:web
npm run build:server
npm run smoke:db
npm run smoke:db:sqlite
npm run smoke:db:mysql -- --db-url mysql://user:pass@host:3306/db
npm run smoke:db:postgres -- --db-url postgres://user:pass@host:5432/db
npm run docs:dev # Start VitePress dev server / 启动 VitePress 开发服务器
npm run docs:build # Build documentation / 构建文档
npm run docs:preview # Preview built docs / 预览构建的文档
```
## Windows Notes
### Testing / 测试
- Prefer `Copy-Item` or Explorer copy/paste over `cp` if you are working in PowerShell or `cmd.exe`.
- If a previous dev process keeps ports busy, use `restart.bat` instead of manually hunting PIDs.
- If dependencies or `.cmd` shims look broken after a Node.js upgrade, rerun `npm install` before assuming the scripts are wrong.
```bash
npm test # Run all tests / 运行所有测试
npm run test:watch # Run tests in watch mode / 监听模式运行测试
npm run smoke:db # Database smoke test (SQLite) / 数据库冒烟测试(SQLite
npm run smoke:db:mysql # MySQL smoke test / MySQL 冒烟测试
npm run smoke:db:postgres # PostgreSQL smoke test / PostgreSQL 冒烟测试
```
## Pull Request Guidelines
### Database / 数据库
- Keep PRs focused and small.
- Add or update tests for behavior changes.
- Update docs when user-facing behavior, commands, ports, or configuration change.
- Run the checks that match your change set before opening a PR:
- docs only: `npm run docs:build`
- app code: `npm test` and the relevant `npm run build:*`
- runtime DB work: one of the `npm run smoke:db*` commands
- Avoid committing runtime data (`data/`) or temporary files (`tmp/`).
```bash
npm run db:generate # Generate Drizzle migration files / 生成 Drizzle 迁移文件
npm run db:migrate # Run database migrations / 运行数据库迁移
npm run schema:generate # Generate schema artifacts / 生成 schema 构件
```
## Commit Messages
## Project Structure / 项目结构
Use concise messages with clear scope, for example:
```
metapi/
├── src/
│ ├── server/ # Backend (Fastify) / 后端(Fastify
│ │ ├── routes/ # API routes / API 路由
│ │ ├── services/ # Business logic / 业务逻辑
│ │ ├── db/ # Database & ORM / 数据库与 ORM
│ │ └── middleware/ # Middleware / 中间件
│ ├── web/ # Frontend (React + Vite) / 前端(React + Vite
│ └── desktop/ # Electron desktop app / Electron 桌面应用
├── docs/ # VitePress documentation / VitePress 文档
├── drizzle/ # Database migrations / 数据库迁移
└── scripts/ # Build & dev scripts / 构建与开发脚本
```
- `feat: add token route health guard`
- `fix: handle empty model list in dashboard`
- `docs: clarify docker env setup`
## Pull Request Guidelines / Pull Request 指南
### Before Submitting / 提交之前
1. **Keep PRs focused and small** / **保持 PR 专注且小巧**
- One feature or fix per PR / 每个 PR 一个功能或修复
- Split large changes into multiple PRs / 将大型更改拆分为多个 PR
2. **Write tests** / **编写测试**
- Add tests for new features / 为新功能添加测试
- Update tests for behavior changes / 为行为变更更新测试
- Ensure all tests pass: `npm test` / 确保所有测试通过:`npm test`
3. **Update documentation** / **更新文档**
- Update README if adding user-facing features / 如果添加面向用户的功能,请更新 README
- Update docs/ for configuration or API changes / 配置或 API 更改请更新 docs/
- Add JSDoc comments for new functions / 为新函数添加 JSDoc 注释
4. **Run checks** / **运行检查**
- Documentation changes: `npm run docs:build` / 文档更改:`npm run docs:build`
- Code changes: `npm test && npm run build` / 代码更改:`npm test && npm run build`
- Database changes: `npm run smoke:db` / 数据库更改:`npm run smoke:db`
5. **Follow code style** / **遵循代码风格**
- Use TypeScript for type safety / 使用 TypeScript 确保类型安全
- Follow existing code patterns / 遵循现有代码模式
- Keep functions small and focused / 保持函数小而专注
### Commit Messages / 提交信息
Use conventional commit format / 使用约定式提交格式:
```
<type>: <description>
[optional body]
```
Types / 类型:
- `feat`: New feature / 新功能
- `fix`: Bug fix / 错误修复
- `docs`: Documentation / 文档
- `refactor`: Code refactoring / 代码重构
- `test`: Tests / 测试
- `chore`: Build/tooling / 构建/工具
Examples / 示例:
```
feat: add AnyRouter platform adapter
fix: handle empty model list in dashboard
docs: update Docker deployment guide
refactor: extract route selection logic
test: add tests for checkin reward parser
chore: upgrade Vite to 6.0
```
### What Not to Commit / 不要提交的内容
- Runtime data: `data/`, `tmp/` / 运行时数据:`data/``tmp/`
- Environment files: `.env` (only `.env.example` is tracked) / 环境文件:`.env`(仅跟踪 `.env.example`
- Build artifacts: `dist/`, `node_modules/` / 构建产物:`dist/``node_modules/`
- IDE-specific files (unless beneficial to all contributors) / IDE 特定文件(除非对所有贡献者有益)
## Platform Adapters / 平台适配器
If you're adding support for a new AI API platform / 如果您要添加对新 AI API 平台的支持:
1. Create adapter in `src/server/services/platforms/` / 在 `src/server/services/platforms/` 中创建适配器
2. Implement required interfaces: login, balance, models, proxy / 实现必需接口:登录、余额、模型、代理
3. Add platform tests / 添加平台测试
4. Update documentation with platform details / 更新文档说明平台详情
## Windows Development Notes / Windows 开发注意事项
- Use `restart.bat` to restart dev server (clears port locks) / 使用 `restart.bat` 重启开发服务器(清除端口锁定)
- Use PowerShell `Copy-Item` instead of `cp` / 使用 PowerShell 的 `Copy-Item` 而不是 `cp`
- If Node.js upgrade breaks scripts, run `npm install` again / 如果 Node.js 升级导致脚本损坏,请重新运行 `npm install`
## Getting Help / 获取帮助
- 📖 [Documentation](https://metapi.cita777.me) / [文档](https://metapi.cita777.me)
- 💬 [GitHub Discussions](https://github.com/cita-777/metapi/discussions) / [GitHub 讨论区](https://github.com/cita-777/metapi/discussions)
- 🐛 [Issue Tracker](https://github.com/cita-777/metapi/issues) / [Issue 跟踪](https://github.com/cita-777/metapi/issues)
## License / 许可证
By contributing, you agree that your contributions will be licensed under the [MIT License](LICENSE).
通过贡献,您同意您的贡献将根据 [MIT 许可证](LICENSE) 授权。
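Review bot: the MySQL and PostgreSQL smoke-test commands in the Testing section dropped the `-- --db-url mysql://user:pass@host:3306/db` / `-- --db-url postgres://user:pass@host:5432/db` argument that the replaced lines documented, and `npm run smoke:db:sqlite` disappeared entirely, so a contributor can no longer tell where the connection string comes from; either restore the `--db-url` form or state which environment variable the script reads. The "Run checks" item also tells every code change to run `npm run build`, which per the Web Application section builds web, server and desktop together; pointing at the relevant `npm run build:*` target, as the previous guidance did, keeps the pre-PR check proportionate to the change.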
+165 -24
@@ -1,37 +1,178 @@
# Security Policy
# Security Policy / 安全政策
## Supported Versions
## Overview / 概述
- The latest release on GitHub.
- The current `main` branch.
The security of Metapi is important to us. This document outlines our security policy and how to report vulnerabilities.
Older tags and ad-hoc forks may receive guidance, but they are not guaranteed security backports.
Metapi 的安全对我们很重要。本文档概述了我们的安全政策以及如何报告漏洞。
## Reporting a Vulnerability
Since Metapi is a self-hosted meta-aggregation layer that manages sensitive credentials (API keys, account passwords) and proxies AI API requests, security is a critical concern.
Please do not report security issues in public issues, discussions, or pull requests.
由于 Metapi 是一个自托管的元聚合层,管理敏感凭证(API 密钥、账号密码)并代理 AI API 请求,因此安全性至关重要。
Use one of these channels:
## Supported Versions / 支持的版本
1. GitHub Security Advisory private report: `https://github.com/cita-777/metapi/security/advisories/new`
2. Email: `cita-777@users.noreply.github.com` with subject prefix `[metapi security]`
We provide security updates for the following versions / 我们为以下版本提供安全更新:
When reporting, include:
| Version / 版本 | Supported / 支持状态 |
| -------------- | -------------------- |
| Latest release / 最新版本 | ✅ Fully supported / 完全支持 |
| `main` branch / `main` 分支 | ✅ Supported / 支持 |
| Older releases / 旧版本 | ⚠️ Best effort / 尽力而为 |
| Forks / 分支 | ❌ Not supported / 不支持 |
- Affected version, commit, or deployment mode
- Affected endpoint, module, or configuration surface
- Reproduction steps or proof-of-concept
- Expected impact and attack preconditions
- Any logs, screenshots, or packets with secrets redacted
- Suggested mitigation or patch ideas, if you already have them
**Recommendation** / **建议**: Always use the latest stable release from [GitHub Releases](https://github.com/cita-777/metapi/releases) or the `main` branch for the most up-to-date security patches.
## Response Process
始终使用 [GitHub Releases](https://github.com/cita-777/metapi/releases) 的最新稳定版本或 `main` 分支以获得最新的安全补丁。
- We aim to acknowledge private reports within 3 business days.
- We aim to provide an initial triage or follow-up questions within 7 business days.
- We may ask for extra reproduction details, redacted logs, or environment information before confirming severity.
- We coordinate disclosure with the reporter when possible. Please keep the report private until a fix or mitigation is ready.
## Security Considerations / 安全注意事项
## Handling Public Reports
When deploying Metapi, please consider / 部署 Metapi 时,请考虑:
If a vulnerability is posted publicly by mistake, maintainers may redact sensitive details, convert the report to a private channel, or close the public thread after redirecting the reporter to the private process above.
### Credential Storage / 凭证存储
- All sensitive credentials (API keys, passwords) are encrypted at rest in the database / 所有敏感凭证(API 密钥、密码)在数据库中静态加密存储
- Use strong `AUTH_TOKEN` and `PROXY_TOKEN` values / 使用强 `AUTH_TOKEN``PROXY_TOKEN`
- Never commit `.env` files or expose tokens in logs / 切勿提交 `.env` 文件或在日志中暴露令牌
### Network Security / 网络安全
- Deploy behind HTTPS/TLS in production / 在生产环境中部署在 HTTPS/TLS 后面
- Use `ADMIN_IP_ALLOWLIST` to restrict admin access / 使用 `ADMIN_IP_ALLOWLIST` 限制管理员访问
- Consider firewall rules to limit access to port 4000 / 考虑使用防火墙规则限制对端口 4000 的访问
### Database Security / 数据库安全
- Secure your database with strong credentials / 使用强凭证保护您的数据库
- Regularly backup the `data/` directory / 定期备份 `data/` 目录
- For production, consider using MySQL/PostgreSQL instead of SQLite / 对于生产环境,考虑使用 MySQL/PostgreSQL 而不是 SQLite
### Docker Security / Docker 安全
- Keep Docker images up to date / 保持 Docker 镜像最新
- Use volume mounts carefully to avoid exposing sensitive data / 谨慎使用卷挂载以避免暴露敏感数据
- Run containers with minimal privileges / 以最小权限运行容器
## Reporting a Vulnerability / 报告漏洞
**⚠️ Please do NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
**⚠️ 请勿通过公开的 GitHub issue、讨论或 pull request 报告安全漏洞。**
### Reporting Channels / 报告渠道
Use one of these private channels / 使用以下私密渠道之一:
1. **GitHub Security Advisory** (Preferred) / **GitHub 安全公告**(首选)
- Go to: https://github.com/cita-777/metapi/security/advisories/new
- This allows for coordinated disclosure and CVE assignment / 这允许协调披露和 CVE 分配
2. **Email** / **邮件**
- Send to: `cita-777@users.noreply.github.com`
- Subject: `[Metapi Security] <brief description>` / 主题:`[Metapi Security] <简要描述>`
### What to Include / 应包含的内容
To help us understand and address the issue quickly, please include / 为了帮助我们快速理解和解决问题,请包含:
- **Description** / **描述**: Clear description of the vulnerability / 漏洞的清晰描述
- **Impact** / **影响**: What an attacker could achieve / 攻击者可能实现的目标
- **Affected versions** / **受影响的版本**: Version, commit hash, or deployment mode / 版本、提交哈希或部署模式
- **Affected components** / **受影响的组件**: Specific endpoints, modules, or configuration / 特定端点、模块或配置
- **Reproduction steps** / **复现步骤**: Step-by-step instructions to reproduce / 逐步复现说明
- **Proof of concept** / **概念验证**: Code, screenshots, or logs (with secrets redacted) / 代码、截图或日志(删除敏感信息)
- **Attack preconditions** / **攻击前提条件**: Required access level, network position, etc. / 所需访问级别、网络位置等
- **Suggested fix** / **建议修复**: If you have ideas for mitigation or patches / 如果您有缓解措施或补丁的想法
### Example Report / 报告示例
```
Subject: [Metapi Security] SQL Injection in account search
Description:
The account search endpoint is vulnerable to SQL injection through the
'name' parameter, allowing unauthorized database access.
Impact:
An authenticated attacker could extract all account credentials from
the database.
Affected Version:
v1.2.2 and earlier
Reproduction:
1. Login to Metapi admin panel
2. Navigate to /api/accounts/search?name=' OR '1'='1
3. Observe all accounts returned
Proof of Concept:
[Screenshot attached with sensitive data redacted]
Suggested Fix:
Use parameterized queries instead of string concatenation in
src/server/routes/api/accounts.ts:45
```
## Response Process / 响应流程
Our security response process / 我们的安全响应流程:
1. **Acknowledgment** / **确认**: We aim to acknowledge your report within **3 business days** / 我们力求在 **3 个工作日**内确认您的报告
2. **Initial Triage** / **初步分类**: We will provide initial assessment or follow-up questions within **7 business days** / 我们将在 **7 个工作日**内提供初步评估或后续问题
3. **Investigation** / **调查**: We may request additional details, logs, or reproduction steps / 我们可能会要求额外的细节、日志或复现步骤
4. **Fix Development** / **修复开发**: We will develop and test a fix / 我们将开发并测试修复方案
5. **Coordinated Disclosure** / **协调披露**: We will coordinate disclosure timing with you / 我们将与您协调披露时间
- Please keep the vulnerability confidential until we release a fix / 请在我们发布修复之前对漏洞保密
- We will credit you in the security advisory (unless you prefer to remain anonymous) / 我们将在安全公告中致谢您(除非您希望保持匿名)
6. **Release** / **发布**: We will release a patched version and publish a security advisory / 我们将发布修补版本并发布安全公告
### Severity Assessment / 严重性评估
We use the following severity levels / 我们使用以下严重性级别:
- **Critical** / **严重**: Remote code execution, credential theft, data breach / 远程代码执行、凭证盗窃、数据泄露
- **High** / **高**: Authentication bypass, privilege escalation / 身份验证绕过、权限提升
- **Medium** / **中**: Information disclosure, denial of service / 信息泄露、拒绝服务
- **Low** / **低**: Minor information leaks, configuration issues / 轻微信息泄露、配置问题
## Public Disclosure / 公开披露
If a vulnerability is accidentally posted publicly / 如果漏洞被意外公开发布:
1. We will immediately assess the risk / 我们将立即评估风险
2. We may redact sensitive details from the public post / 我们可能会从公开帖子中删除敏感细节
3. We will redirect the reporter to this private process / 我们将把报告者重定向到此私密流程
4. We will expedite the fix and release process / 我们将加快修复和发布流程
## Security Updates / 安全更新
Security updates will be announced through / 安全更新将通过以下方式公布:
- [GitHub Security Advisories](https://github.com/cita-777/metapi/security/advisories)
- [GitHub Releases](https://github.com/cita-777/metapi/releases) with `[SECURITY]` tag / 带有 `[SECURITY]` 标签
- Project README and documentation / 项目 README 和文档
Subscribe to repository notifications to stay informed / 订阅仓库通知以保持了解。
## Bug Bounty / 漏洞赏金
We currently do not offer a paid bug bounty program. However, we deeply appreciate security researchers who responsibly disclose vulnerabilities and will publicly acknowledge your contribution (with your permission).
我们目前不提供付费漏洞赏金计划。但是,我们非常感谢负责任地披露漏洞的安全研究人员,并将公开致谢您的贡献(经您许可)。
## Questions / 问题
If you have questions about this security policy, please contact `cita-777@users.noreply.github.com`.
如果您对本安全政策有疑问,请联系 `cita-777@users.noreply.github.com`
---
**Thank you for helping keep Metapi and its users safe!**
**感谢您帮助保护 Metapi 及其用户的安全!**
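Review bot: both the email reporting channel and the Questions contact use `cita-777@users.noreply.github.com`, which is a GitHub noreply address and does not receive mail, so the only working private channel in this policy is the Security Advisory form; either replace the email with a monitored mailbox or drop the email channel rather than promise a 3-business-day acknowledgment it cannot deliver. Two smaller points: the Example Report quotes a specific route and a specific file and line (`src/server/routes/api/accounts.ts:45`) as if it were a real finding, so label it as fictional or use placeholder paths to avoid it being read as an unpatched issue; and the Credential Storage section states that credentials are encrypted at rest but never names the setting that holds the key, which operators need to know for the `data/` backups the Database Security section recommends to be restorable.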