fix(permissions): fix 9 Server Action permission violations and add recursive CTE for indirect call detection

This commit is contained in:
SpecialX
2026-07-07 19:30:49 +08:00
parent 164dcd4c84
commit 7f26bb8f9c
6 changed files with 46 additions and 18 deletions

Binary file not shown.

View File

@@ -136,17 +136,25 @@ export function queryViolations(db: Database.Database): Violations {
const longFiles = db
.prepare("SELECT path, lines FROM files WHERE lines > 800 ORDER BY lines DESC")
.all() as { path: string; lines: number }[];
// 使用递归 CTE 识别直接或间接调用 requirePermission 的符号
// 这样可以正确识别通过辅助函数(如 requireAiPermission间接校验权限的 Action
const serverActionsWithoutPerm = db
.prepare(
`SELECT s.name, f.path FROM symbols s
`WITH RECURSIVE permission_callers(symbol_id) AS (
SELECT c.caller_id
FROM calls c
JOIN symbols cs ON c.callee_id = cs.id
WHERE cs.name = 'requirePermission'
UNION
SELECT c.caller_id
FROM calls c
JOIN permission_callers pc ON c.callee_id = pc.symbol_id
)
SELECT s.name, f.path FROM symbols s
JOIN files f ON s.file_id = f.id
WHERE s.is_server_action = 1
AND s.is_public = 0
AND NOT EXISTS (
SELECT 1 FROM calls c
JOIN symbols cs ON c.callee_id = cs.id
WHERE c.caller_id = s.id AND cs.name = 'requirePermission'
)`
AND s.id NOT IN (SELECT symbol_id FROM permission_callers)`
)
.all() as { name: string; path: string }[];
return {