From 33f1291a0f8755efdfc5bb8eb4b6096a0e0abf84 Mon Sep 17 00:00:00 2001
From: Jeffery
Date: Tue, 16 Jun 2026 14:15:00 +0800
Subject: [PATCH] =?UTF-8?q?chore:=20triage=20preflight=20TLS=20finding=20?= =?UTF-8?q?=E7=82=BA=E8=AA=A4=E5=A0=B1=E4=B8=A6=E5=AF=AB=E5=85=A5=20exclus?= =?UTF-8?q?ions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Maya critical(app/preflight.js:107):verifyLLM 的 axios.post 未帶 httpsAgent,認為 GITEA_SKIP_TLS_VERIFY 未套用到 LLM 請求。
判定為誤報並移入 exclusions:
- GITEA_SKIP_TLS_VERIFY 為 Gitea 端(內網自簽憑證)專用設定,外部 LLM 服務(Gemini/OpenAI/Claude)應維持 TLS 驗證,套用此 flag 屬安全降級
- 與既有 app/llm.js 排除一致(已刻意移除 rejectUnauthorized:false 還原 TLS 驗證)
findings.json 清空(已排除)。
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/ai-review/exclusions.json | 5 +++++
 .gitea/ai-review/findings.json | 10 +---------
 2 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/.gitea/ai-review/exclusions.json b/.gitea/ai-review/exclusions.json
index 084f111..0345147 100644
--- a/.gitea/ai-review/exclusions.json
+++ b/.gitea/ai-review/exclusions.json
@@ -376,5 +376,10 @@
 "role": "Aria",
 "location": "app/preflight.js:30",
 "suggestion": "在 `checkRequiredEnv`、`verifyGiteaToken` 和 `verifyCommentToken` 等函式中,預設參數直接引用了從 `config.js` 匯入的常數。雖然這在功能上可行,但為了提高程式碼的清晰度和一致性,建議考慮以下兩種方式之一:1. 將所有配置值作為明確的參數從呼叫端傳入。2. 讓函式直接從 `config.js` 模組中讀取這些值,而不是透過預設參數。"
+ },
+ {
+ "role": "Maya",
+ "location": "app/preflight.js:107",
+ "suggestion": "在 `verifyLLM` 函數中,呼叫 `axios.post` 時缺少 `httpsAgent` 選項。這會導致即使設定了 `GITEA_SKIP_TLS_VERIFY`,LLM 的 API 請求仍可能因 TLS 憑證問題而失敗。請將 `httpsAgent` 傳遞給 `axios.post` 的選項物件,例如:`await axios.post(`${base}/chat/completions`, payload, { headers, timeout: 30000, httpsAgent });`"
 }
 ]
\ No newline at end of file
diff --git a/.gitea/ai-review/findings.json b/.gitea/ai-review/findings.json
index 9b21b14..fe51488 100644
--- a/.gitea/ai-review/findings.json
+++ b/.gitea/ai-review/findings.json
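Review bot: The new exclusion entry at `app/preflight.js:107` carries only role, location and the original suggestion text; the reason the finding was ruled a false positive — that `GITEA_SKIP_TLS_VERIFY` is scoped to the Gitea endpoint and must not disable certificate verification toward external LLM services — lives only in the commit message. A reader of exclusions.json (or the review tool itself) cannot tell an accepted-risk item from a suppressed true positive, so consider keeping a short rationale next to the entry, e.g. `"note": "GITEA_SKIP_TLS_VERIFY is Gitea-only; LLM calls intentionally keep TLS verification (see app/llm.js exclusion)"`, provided the consumer tolerates an extra key. The location is a bare line number, which presumably stops matching once preflight.js is edited; if the exclusion is matched by exact location, the same finding is likely to resurface and be re-triaged, so a function-level or suggestion-level match would be more durable. The triage decision itself is the safer one: routing LLM requests through an agent that skips verification would let the headers sent on that call traverse an unverified channel, which the commit correctly identifies as a downgrade rather than a fix.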
@@ -1,9 +1 @@
-[
- {
- "level": "critical",
- "role": "Maya",
- "location": "app/preflight.js:107",
- "suggestion": "在 `verifyLLM` 函數中,呼叫 `axios.post` 時缺少 `httpsAgent` 選項。這會導致即使設定了 `GITEA_SKIP_TLS_VERIFY`,LLM 的 API 請求仍可能因 TLS 憑證問題而失敗。請將 `httpsAgent` 傳遞給 `axios.post` 的選項物件,例如:`await axios.post(`${base}/chat/completions`, payload, { headers, timeout: 30000, httpsAgent });`",
- "is_new": true
- }
-]
+[]