fix: /open/user/init 未授权修改密码漏洞修复

根本原因：初始化守卫的 authInfo 值为 undefined 时被 || {} 转换为空对象，导致 Object.keys({}).length !== 2，误判为"已初始化"而拦截所有请求（包括首次初始化）。同时守卫仅靠凭据值做启发式判断，没有状态追踪。修复：移除 || {} 回退，直接判断 authInfo 是否为 undefined（= 全新安装，放行），再判断是否为默认 {admin, admin} 凭据（= 未初始化，放行），其他情况均拦截。 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-28 02:45:08 +08:00 · 2026-05-21 18:15:28 +08:00 · 2026-05-21 18:15:28 +08:00 · cb09ca1d84
commit cb09ca1d84
parent 1d5f23bc60
1 changed files with 7 additions and 4 deletions
--- a/back/loaders/express.ts
+++ b/back/loaders/express.ts
@ -8,7 +8,7 @@ import { getPlatform, getToken } from '../config/util';
 import rewrite from 'express-urlrewrite';
 import { errors } from 'celebrate';
 import { serveEnv } from '../config/serverEnv';
-import { IKeyvStore, shareStore } from '../shared/store';
+import { shareStore } from '../shared/store';
 import { isValidToken } from '../shared/auth';
 import path from 'path';

@ -129,15 +129,18 @@ export default ({ app }: { app: Application }) => {
    ) {
      return next();
    }
-    const authInfo =
-      (await shareStore.getAuthInfo()) || ({} as IKeyvStore['authInfo']);
+    const authInfo = await shareStore.getAuthInfo();

    let isInitialized = true;
-    if (
+    if (!authInfo) {
+      // No authInfo in cache → fresh install, allow initialization
+      isInitialized = false;
+    } else if (
      Object.keys(authInfo).length === 2 &&
      authInfo.username === 'admin' &&
      authInfo.password === 'admin'
    ) {
+      // Default credentials still in use → system not yet initialized
      isInitialized = false;
    }