@tencent-ai/codebuddy-code 2.70.0 → 2.70.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +13 -0
- package/dist/codebuddy-headless.js +4 -4
- package/dist/codebuddy.js +10 -10
- package/package.json +1 -1
- package/product.cloudhosted.json +2 -2
- package/product.internal.json +2 -2
- package/product.ioa.json +2 -2
- package/product.json +2 -2
- package/product.selfhosted.json +2 -2
package/CHANGELOG.md
CHANGED
@@ -7,6 +7,19 @@ All notable changes to CodeBuddy Code are recorded here.
 
 ## [Unreleased]
 
+## [2.70.1] - 2026-03-31
+
+### 🔒 Security fixes
+
+- **CORS cross-origin attack protection**: replaced the CellJS framework's default global CORS wildcard (`Access-Control-Allow-Origin: *`) with an exact allowlist check, preventing a malicious web page from using JavaScript to make cross-origin requests to the local Gateway service and execute Agent commands
+- **DNS rebinding protection**: added a Host header validation middleware that checks whether the request's Host is on the allowlist (localhost/127.0.0.1/Tunnel URL), blocking attackers from reaching the local service via DNS rebinding
+- **SSE endpoint CORS fix**: removed the CORS wildcard fallback on the SSE streaming output endpoint; CORS headers are now returned only for allowlisted origins
+- **Default bind address hardening**: the Gateway configuration's default bind address changed from `0.0.0.0` to `127.0.0.1`, so the service is no longer exposed to the local network
+
+### 🔧 Improvements
+
+- **Custom cross-origin rules**: allowed cross-origin sources can now be customised via the `CODEBUDDY_CODE_CORS_ORIGINS` environment variable or the `gateway.corsOrigins` Settings key
+
 ## [2.70.0] - 2026-03-31
 
 ### ✨ New features
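Review bot: the DNS rebinding entry in this hunk names the Host allowlist as localhost/127.0.0.1/Tunnel URL but does not say whether the comparison includes the port, whether IPv6 loopback (`[::1]`) is accepted, or whether origins added through `CODEBUDDY_CODE_CORS_ORIGINS` / `gateway.corsOrigins` also extend the Host allowlist; without that last point a custom CORS origin that reaches the Gateway under a non-localhost Host name would pass the CORS check and still be rejected by the Host middleware, so the entry should state the intended behaviour. The default-bind change from `0.0.0.0` to `127.0.0.1` also removes LAN access that existing deployments may depend on; the changelog should name the configuration key that restores an explicit bind address rather than leaving users to find it. Finally, the CORS entry should say how a missing or `null` Origin is handled by the exact allowlist and whether `Access-Control-Allow-Credentials` is emitted for allowlisted origins, since those are the two cases an allowlist replacement for a wildcard most often gets wrong.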