security: harden system_routes.py — auth + input validation

Issues fixed: 1. [CRITICAL] No authentication on destructive routes (CWE-306) POST /api/system/cleanup/docker was unauthenticated (system_bp is CSRF-exempt, before_request only refreshes session, no login check). Any unauthenticated HTTP client could trigger docker system prune. Fix: _require_internal_key() checks X-Internal-Key header against INTERNAL_API_KEY env var on all 4 routes; fail-secure if key unset. 2. [MEDIUM] Unvalidated numeric inputs in find commands (CWE-20) max_size_mb / older_than_hours came from POST body and were interpolated into find -size / -mmin args. Negative/huge values could cause unexpected behavior. Fix: _validate_int() clamps to [1..10000] / [1..8760] with defaults. 3. [LOW] find -mmin arg missing leading '+' (logic bug) '-mmin 168' matches FILES EXACTLY 168 min old, not older-than. Fix: '-mmin', f'+{older_than_hours * 60}' (+ = older than) 4. [LOW] subprocess(['date', ...]) in health_check replaced with Python datetime.now(UTC).isoformat() — no subprocess needed. INTERNAL_API_KEY added to .env.example with generation instructions. Generate with: openssl rand -hex 32 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 05:47:04 +08:00
parent 1c03d213ac
commit 96e19b6b72
2 changed files with 324 additions and 1097 deletions
--- a/.env.example
+++ b/.env.example
@@ -86,3 +86,9 @@ ELEPHANT_ALPHA_OPENCLAW_GEMINI_ENDPOINT=https://generativelanguage.googleapis.co
 ELEPHANT_ALPHA_DEBUG_MODE=false
 ELEPHANT_ALPHA_METRICS_ENABLED=true
 ELEPHANT_ALPHA_AUDIT_LOGGING=true
+
+# ── System Maintenance API ──────────────────────────────────────────────────
+# X-Internal-Key 標頭認證金鑰（必填）
+# 用於 /api/system/cleanup/* 和 /api/system/health 等維護路由。
+# 建議使用 openssl rand -hex 32 生成。
+INTERNAL_API_KEY=your-secret-internal-key-here
--- a/routes/system_routes.py
+++ b/routes/system_routes.py