校验request id，避免可能存在的注入攻击风险

2024-10-31 19:58:58 +08:00 · 2024-10-31 19:58:58 +08:00 · d511241fcf
commit d511241fcf
parent d720fb8c70
1 changed files with 2 additions and 2 deletions
--- a/server/src/lib.rs
+++ b/server/src/lib.rs
@ -37,8 +37,8 @@ fn init() -> Router {
            .get("x-request-id")
            .and_then(|value| value.to_str().ok())
        {
-            Some(v) => v.to_string(),
-            None => String::from("unknown"),
+            Some(v) if v.chars().all(|c| c.is_alphanumeric()) => v.to_string(),// 确保请求ID只包含字母和数字
+            _ => String::from("unknown"),
        };
        tracing::error_span!("request_id", id = req_id)
    });