perf(system): optimize large data rendering in stocktake, fix N+1 in warehouse, and add upload size limits

2026-04-02 18:51:13 +08:00
parent a52ced0375
commit dbcb7d0d92
2 changed files with 16 additions and 3 deletions
--- a/inventory-backend/app/api/v1/common/upload.py
+++ b/inventory-backend/app/api/v1/common/upload.py
@ -27,6 +27,9 @@ UPLOAD_FOLDER = os.path.join(BASE_DIR, 'uploads')
 # 允许上传的文件后缀
 ALLOWED_EXTENSIONS = {'png', 'jpg', 'jpeg', 'gif', 'bmp', 'webp', 'pdf', 'doc', 'docx', 'xls', 'xlsx'}

+# ★ 文件上传安全加固：限制最大文件大小 (10MB)
+MAX_CONTENT_LENGTH = 10 * 1024 * 1024  # 10MB
+

 def allowed_file(filename):
    return '.' in filename and \
@ -58,6 +61,16 @@ def upload_file():
    if file.filename == '':
        return jsonify({"code": 400, "msg": "未选择文件"}), 400

+    # ★ 文件上传安全加固：检查文件大小
+    file.seek(0, os.SEEK_END)
+    file_size = file.tell()
+    file.seek(0)  # 重置文件指针到开头
+    if file_size > MAX_CONTENT_LENGTH:
+        return jsonify({
+            "code": 400,
+            "msg": f"文件大小超过限制 ({MAX_CONTENT_LENGTH // (1024*1024)}MB)"
+        }), 400
+
    if file and allowed_file(file.filename):
        try:
            # 获取后缀并生成唯一文件名