security: remove legacy SHA256/MD5 password verification and fix API key logging

- Remove insecure SHA256/MD5 password hash verification from cmd_conf.py
  (rejection logic for storing legacy hashes is preserved)
- Remove API key logging from gemini_source.py, openai_source.py
- Remove header logging (contains Authorization header) from volcengine_tts.py

CodeQL issues fixed:
- Broken cryptographic hash (SHA256/MD5 for passwords)
- Clear-text logging of sensitive information (API keys)
This commit is contained in:
LIghtJUNction
2026-03-29 15:48:38 +08:00
parent 2b70c29ea4
commit 7b22e56252
4 changed files with 4 additions and 12 deletions

View File

@@ -84,14 +84,6 @@ def verify_dashboard_password(value: str, stored_hash: str) -> bool:
except Exception:
return False
# Legacy plain hex digests: SHA-256 (64 hex chars) and MD5 (32 hex chars).
value_l = value.encode("utf-8")
s = stored_hash.lower()
if len(s) == 64 and all(ch in "0123456789abcdef" for ch in s):
return hashlib.sha256(value_l).hexdigest() == s
if len(s) == 32 and all(ch in "0123456789abcdef" for ch in s):
return hashlib.md5(value_l).hexdigest() == s
return False

View File

@@ -112,12 +112,12 @@ class ProviderGoogleGenAI(Provider):
if len(keys) > 0:
self.set_key(random.choice(keys))
logger.info(
f"检测到 Key 异常({e.message}),正在尝试更换 API Key 重试... 当前 Key: {self.chosen_api_key[:12]}...",
f"检测到 Key 异常({e.message}),正在尝试更换 API Key 重试...",
)
await asyncio.sleep(1)
return True
logger.error(
f"检测到 Key 异常({e.message}),且已没有可用的 Key。 当前 Key: {self.chosen_api_key[:12]}...",
f"检测到 Key 异常({e.message}),且已没有可用的 Key。",
)
raise Exception("达到了 Gemini 速率限制, 请稍后再试...")

View File

@@ -859,7 +859,7 @@ class ProviderOpenAIOfficial(Provider):
"""处理API错误并尝试恢复"""
if "429" in str(e):
logger.warning(
f"API 调用过于频繁,尝试使用其他 Key 重试。当前 Key: {chosen_key[:12]}",
f"API 调用过于频繁,尝试使用其他 Key 重试。",
)
# 最后一次不等待
if retry_cnt < max_retries - 1:

View File

@@ -68,7 +68,7 @@ class ProviderVolcengineTTS(TTSProvider):
payload = self._build_request_payload(text)
logger.debug(f"请求头: {headers}")
# Don't log headers as they contain sensitive API key info
logger.debug(f"请求 URL: {self.api_base}")
logger.debug(f"请求体: {json.dumps(payload, ensure_ascii=False)[:100]}...")