mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-06-06 05:51:19 +08:00
90d09e63e5
## 问题
后台日志在打印配置更新时会暴露完整的 API Key、Secret Key 和私钥等敏感信息(Issue #758)。
## 解决方案
### 1. 新增脱敏工具库 (api/utils.go)
- `MaskSensitiveString()`: 脱敏敏感字符串(保留前4位和后4位,中间用****替代)
- `SanitizeModelConfigForLog()`: 脱敏 AI 模型配置用于日志输出
- `SanitizeExchangeConfigForLog()`: 脱敏交易所配置用于日志输出
- `MaskEmail()`: 脱敏邮箱地址
### 2. 修复日志打印 (api/server.go)
- Line 1106: 脱敏 AI 模型配置更新日志
- Line 1203: 脱敏交易所配置更新日志
### 3. 完善单元测试 (api/utils_test.go)
- 4个测试函数,9个子测试,全部通过
- 工具函数测试覆盖率: 91%+
## 脱敏效果示例
**修复前**:
```
✓ 交易所配置已更新: map[binance:{api_key:sk-1234567890abcdef secret_key:binance_secret_1234567890abcdef}]
```
**修复后**:
```
✓ 交易所配置已更新: map[binance:{api_key:sk-1****cdef secret_key:bina****cdef}]
```
## 测试结果
```
PASS
ok nofx/api 0.012s
coverage: 91.2% of statements in utils.go
```
## 安全影响
- 防止日志泄露 API Key、Secret Key、私钥等敏感信息
- 保护用户隐私和账户安全
- 符合安全最佳实践
Closes #758
194 lines
4.6 KiB
Go
194 lines
4.6 KiB
Go
package api
|
||
|
||
import (
|
||
"testing"
|
||
)
|
||
|
||
func TestMaskSensitiveString(t *testing.T) {
|
||
tests := []struct {
|
||
name string
|
||
input string
|
||
expected string
|
||
}{
|
||
{
|
||
name: "空字符串",
|
||
input: "",
|
||
expected: "",
|
||
},
|
||
{
|
||
name: "短字符串(小于等于8位)",
|
||
input: "short",
|
||
expected: "****",
|
||
},
|
||
{
|
||
name: "正常API key",
|
||
input: "sk-1234567890abcdefghijklmnopqrstuvwxyz",
|
||
expected: "sk-1****wxyz",
|
||
},
|
||
{
|
||
name: "正常私钥",
|
||
input: "0x1234567890abcdef1234567890abcdef12345678",
|
||
expected: "0x12****5678",
|
||
},
|
||
{
|
||
name: "刚好9位",
|
||
input: "123456789",
|
||
expected: "1234****6789",
|
||
},
|
||
}
|
||
|
||
for _, tt := range tests {
|
||
t.Run(tt.name, func(t *testing.T) {
|
||
result := MaskSensitiveString(tt.input)
|
||
if result != tt.expected {
|
||
t.Errorf("MaskSensitiveString(%q) = %q, want %q", tt.input, result, tt.expected)
|
||
}
|
||
})
|
||
}
|
||
}
|
||
|
||
func TestSanitizeModelConfigForLog(t *testing.T) {
|
||
models := map[string]struct {
|
||
Enabled bool `json:"enabled"`
|
||
APIKey string `json:"api_key"`
|
||
CustomAPIURL string `json:"custom_api_url"`
|
||
CustomModelName string `json:"custom_model_name"`
|
||
}{
|
||
"deepseek": {
|
||
Enabled: true,
|
||
APIKey: "sk-1234567890abcdefghijklmnopqrstuvwxyz",
|
||
CustomAPIURL: "https://api.deepseek.com",
|
||
CustomModelName: "deepseek-chat",
|
||
},
|
||
}
|
||
|
||
result := SanitizeModelConfigForLog(models)
|
||
|
||
deepseekConfig, ok := result["deepseek"].(map[string]interface{})
|
||
if !ok {
|
||
t.Fatal("deepseek config not found or wrong type")
|
||
}
|
||
|
||
if deepseekConfig["enabled"] != true {
|
||
t.Errorf("expected enabled=true, got %v", deepseekConfig["enabled"])
|
||
}
|
||
|
||
maskedKey, ok := deepseekConfig["api_key"].(string)
|
||
if !ok {
|
||
t.Fatal("api_key not found or wrong type")
|
||
}
|
||
|
||
if maskedKey != "sk-1****wxyz" {
|
||
t.Errorf("expected masked api_key='sk-1****wxyz', got %q", maskedKey)
|
||
}
|
||
|
||
if deepseekConfig["custom_api_url"] != "https://api.deepseek.com" {
|
||
t.Errorf("custom_api_url should not be masked")
|
||
}
|
||
}
|
||
|
||
func TestSanitizeExchangeConfigForLog(t *testing.T) {
|
||
exchanges := map[string]struct {
|
||
Enabled bool `json:"enabled"`
|
||
APIKey string `json:"api_key"`
|
||
SecretKey string `json:"secret_key"`
|
||
Testnet bool `json:"testnet"`
|
||
HyperliquidWalletAddr string `json:"hyperliquid_wallet_addr"`
|
||
AsterUser string `json:"aster_user"`
|
||
AsterSigner string `json:"aster_signer"`
|
||
AsterPrivateKey string `json:"aster_private_key"`
|
||
}{
|
||
"binance": {
|
||
Enabled: true,
|
||
APIKey: "binance_api_key_1234567890abcdef",
|
||
SecretKey: "binance_secret_key_1234567890abcdef",
|
||
Testnet: false,
|
||
},
|
||
"hyperliquid": {
|
||
Enabled: true,
|
||
HyperliquidWalletAddr: "0x1234567890abcdef1234567890abcdef12345678",
|
||
Testnet: false,
|
||
},
|
||
}
|
||
|
||
result := SanitizeExchangeConfigForLog(exchanges)
|
||
|
||
// 检查币安配置
|
||
binanceConfig, ok := result["binance"].(map[string]interface{})
|
||
if !ok {
|
||
t.Fatal("binance config not found or wrong type")
|
||
}
|
||
|
||
maskedAPIKey, ok := binanceConfig["api_key"].(string)
|
||
if !ok {
|
||
t.Fatal("binance api_key not found or wrong type")
|
||
}
|
||
|
||
if maskedAPIKey != "bina****cdef" {
|
||
t.Errorf("expected masked api_key='bina****cdef', got %q", maskedAPIKey)
|
||
}
|
||
|
||
maskedSecretKey, ok := binanceConfig["secret_key"].(string)
|
||
if !ok {
|
||
t.Fatal("binance secret_key not found or wrong type")
|
||
}
|
||
|
||
if maskedSecretKey != "bina****cdef" {
|
||
t.Errorf("expected masked secret_key='bina****cdef', got %q", maskedSecretKey)
|
||
}
|
||
|
||
// 检查 Hyperliquid 配置
|
||
hlConfig, ok := result["hyperliquid"].(map[string]interface{})
|
||
if !ok {
|
||
t.Fatal("hyperliquid config not found or wrong type")
|
||
}
|
||
|
||
walletAddr, ok := hlConfig["hyperliquid_wallet_addr"].(string)
|
||
if !ok {
|
||
t.Fatal("hyperliquid_wallet_addr not found or wrong type")
|
||
}
|
||
|
||
// 钱包地址不应该被脱敏
|
||
if walletAddr != "0x1234567890abcdef1234567890abcdef12345678" {
|
||
t.Errorf("wallet address should not be masked, got %q", walletAddr)
|
||
}
|
||
}
|
||
|
||
func TestMaskEmail(t *testing.T) {
|
||
tests := []struct {
|
||
name string
|
||
input string
|
||
expected string
|
||
}{
|
||
{
|
||
name: "空邮箱",
|
||
input: "",
|
||
expected: "",
|
||
},
|
||
{
|
||
name: "格式错误",
|
||
input: "notanemail",
|
||
expected: "****",
|
||
},
|
||
{
|
||
name: "正常邮箱",
|
||
input: "user@example.com",
|
||
expected: "us****@example.com",
|
||
},
|
||
{
|
||
name: "短用户名",
|
||
input: "a@example.com",
|
||
expected: "**@example.com",
|
||
},
|
||
}
|
||
|
||
for _, tt := range tests {
|
||
t.Run(tt.name, func(t *testing.T) {
|
||
result := MaskEmail(tt.input)
|
||
if result != tt.expected {
|
||
t.Errorf("MaskEmail(%q) = %q, want %q", tt.input, result, tt.expected)
|
||
}
|
||
})
|
||
}
|
||
}
|