fix: 使用 csrfFetch 替换 fetch 以增强 API 请求的安全性

2026-02-12 02:37:45 +08:00 · 2026-01-13 11:42:28 +08:00
parent 6b8e73bd32
commit 4caa622942
11 changed files with 36 additions and 36 deletions
--- a/ccw/src/templates/dashboard-js/api.js
+++ b/ccw/src/templates/dashboard-js/api.js
@@ -174,7 +174,7 @@ function refreshRecentPaths() {
 */
 async function removeRecentPathFromList(path) {
  try {
-    const response = await fetch('/api/remove-recent-path', {
+    const response = await csrfFetch('/api/remove-recent-path', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ path })
--- a/ccw/src/templates/dashboard-js/components/cli-status.js
+++ b/ccw/src/templates/dashboard-js/components/cli-status.js
@@ -350,7 +350,7 @@ async function loadCliToolsConfig() {
 */
 async function updateCliToolEnabled(tool, enabled) {
  try {
-    const response = await fetch('/api/cli/tools-config/' + tool, {
+    const response = await csrfFetch('/api/cli/tools-config/' + tool, {
      method: 'PUT',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ enabled: enabled })
@@ -796,7 +796,7 @@ function setDefaultCliTool(tool) {
  // Save to config
  if (window.claudeCliToolsConfig) {
    window.claudeCliToolsConfig.defaultTool = tool;
-    fetch('/api/cli/tools-config', {
+    csrfFetch('/api/cli/tools-config', {
      method: 'PUT',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ defaultTool: tool })
@@ -851,7 +851,7 @@ function getCacheInjectionMode() {
 async function setCacheInjectionMode(mode) {
  try {
-    const response = await fetch('/api/cli/tools-config/cache', {
+    const response = await csrfFetch('/api/cli/tools-config/cache', {
      method: 'PUT',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ injectionMode: mode })
@@ -1021,7 +1021,7 @@ async function startCodexLensInstall() {
  }, 1500);
  try {
-    const response = await fetch('/api/codexlens/bootstrap', {
+    const response = await csrfFetch('/api/codexlens/bootstrap', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({})
@@ -1171,7 +1171,7 @@ async function startCodexLensUninstall() {
  }, 500);
  try {
-    const response = await fetch('/api/codexlens/uninstall', {
+    const response = await csrfFetch('/api/codexlens/uninstall', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({})
@@ -1257,7 +1257,7 @@ async function initCodexLensIndex() {
  console.log('[CodexLens] Initializing index for path:', targetPath);
  try {
-    const response = await fetch('/api/codexlens/init', {
+    const response = await csrfFetch('/api/codexlens/init', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ path: targetPath })
@@ -1424,7 +1424,7 @@ async function startSemanticInstall() {
  }, 2000);
  try {
-    const response = await fetch('/api/codexlens/semantic/install', {
+    const response = await csrfFetch('/api/codexlens/semantic/install', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({})
--- a/ccw/src/templates/dashboard-js/components/hook-manager.js
+++ b/ccw/src/templates/dashboard-js/components/hook-manager.js
@@ -449,7 +449,7 @@ async function saveHook(scope, event, hookData) {
    // Convert to Claude Code format before saving
    const convertedHookData = convertToClaudeCodeFormat(hookData);
-    const response = await fetch('/api/hooks', {
+    const response = await csrfFetch('/api/hooks', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
@@ -478,7 +478,7 @@ async function saveHook(scope, event, hookData) {
 async function removeHook(scope, event, hookIndex) {
  try {
-    const response = await fetch('/api/hooks', {
+    const response = await csrfFetch('/api/hooks', {
      method: 'DELETE',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
--- a/ccw/src/templates/dashboard-js/components/index-manager.js
+++ b/ccw/src/templates/dashboard-js/components/index-manager.js
@@ -252,7 +252,7 @@ async function cleanIndexProject(projectId) {
    // The project ID is the directory name in the index folder
    // We need to construct the full path or use a clean API
-    const response = await fetch('/api/codexlens/clean', {
+    const response = await csrfFetch('/api/codexlens/clean', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ projectId: projectId })
@@ -282,7 +282,7 @@ async function cleanAllIndexesConfirm() {
  try {
    showRefreshToast(t('index.cleaning') || 'Cleaning indexes...', 'info');
-    const response = await fetch('/api/codexlens/clean', {
+    const response = await csrfFetch('/api/codexlens/clean', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ all: true })
--- a/ccw/src/templates/dashboard-js/components/mcp-manager.js
+++ b/ccw/src/templates/dashboard-js/components/mcp-manager.js
@@ -91,7 +91,7 @@ function getCliMode() {
 */
 async function addCodexMcpServer(serverName, serverConfig) {
  try {
-    const response = await fetch('/api/codex-mcp-add', {
+    const response = await csrfFetch('/api/codex-mcp-add', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
@@ -123,7 +123,7 @@ async function addCodexMcpServer(serverName, serverConfig) {
 */
 async function removeCodexMcpServer(serverName) {
  try {
-    const response = await fetch('/api/codex-mcp-remove', {
+    const response = await csrfFetch('/api/codex-mcp-remove', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ serverName })
@@ -152,7 +152,7 @@ async function removeCodexMcpServer(serverName) {
 */
 async function toggleCodexMcpServer(serverName, enabled) {
  try {
-    const response = await fetch('/api/codex-mcp-toggle', {
+    const response = await csrfFetch('/api/codex-mcp-toggle', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ serverName, enabled })
@@ -205,7 +205,7 @@ async function copyCodexServerToClaude(serverName, serverConfig) {
 async function toggleMcpServer(serverName, enable) {
  try {
-    const response = await fetch('/api/mcp-toggle', {
+    const response = await csrfFetch('/api/mcp-toggle', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
@@ -239,7 +239,7 @@ async function copyMcpServerToProject(serverName, serverConfig, configType = nul
      configType = preferredProjectConfigType;
    }
-    const response = await fetch('/api/mcp-copy-server', {
+    const response = await csrfFetch('/api/mcp-copy-server', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
@@ -316,7 +316,7 @@ function showConfigTypeDialog() {
 async function removeMcpServerFromProject(serverName) {
  try {
-    const response = await fetch('/api/mcp-remove-server', {
+    const response = await csrfFetch('/api/mcp-remove-server', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
@@ -343,7 +343,7 @@ async function removeMcpServerFromProject(serverName) {
 async function addGlobalMcpServer(serverName, serverConfig) {
  try {
-    const response = await fetch('/api/mcp-add-global-server', {
+    const response = await csrfFetch('/api/mcp-add-global-server', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
@@ -370,7 +370,7 @@ async function addGlobalMcpServer(serverName, serverConfig) {
 async function removeGlobalMcpServer(serverName) {
  try {
-    const response = await fetch('/api/mcp-remove-global-server', {
+    const response = await csrfFetch('/api/mcp-remove-global-server', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
@@ -809,7 +809,7 @@ async function submitMcpCreateFromJson() {
  for (const [name, config] of Object.entries(servers)) {
    try {
-      const response = await fetch('/api/mcp-copy-server', {
+      const response = await csrfFetch('/api/mcp-copy-server', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
@@ -854,7 +854,7 @@ async function createMcpServerWithConfig(name, serverConfig, scope = 'project')
    if (scope === 'codex') {
      // Create in Codex config.toml
-      response = await fetch('/api/codex-mcp-add', {
+      response = await csrfFetch('/api/codex-mcp-add', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
@@ -864,7 +864,7 @@ async function createMcpServerWithConfig(name, serverConfig, scope = 'project')
      });
      scopeLabel = 'Codex';
    } else if (scope === 'global') {
-      response = await fetch('/api/mcp-add-global-server', {
+      response = await csrfFetch('/api/mcp-add-global-server', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
@@ -874,7 +874,7 @@ async function createMcpServerWithConfig(name, serverConfig, scope = 'project')
      });
      scopeLabel = 'global';
    } else {
-      response = await fetch('/api/mcp-copy-server', {
+      response = await csrfFetch('/api/mcp-copy-server', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
@@ -1006,7 +1006,7 @@ async function installCcwToolsMcp(scope = 'workspace') {
    if (scope === 'global') {
      // Install to global (~/.claude.json mcpServers)
-      const response = await fetch('/api/mcp-add-global-server', {
+      const response = await csrfFetch('/api/mcp-add-global-server', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
@@ -1028,7 +1028,7 @@ async function installCcwToolsMcp(scope = 'workspace') {
    } else {
      // Install to workspace (use preferredProjectConfigType)
      const configType = preferredProjectConfigType;
-      const response = await fetch('/api/mcp-copy-server', {
+      const response = await csrfFetch('/api/mcp-copy-server', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
@@ -1074,7 +1074,7 @@ async function updateCcwToolsMcp(scope = 'workspace') {
    if (scope === 'global') {
      // Update global (~/.claude.json mcpServers)
-      const response = await fetch('/api/mcp-add-global-server', {
+      const response = await csrfFetch('/api/mcp-add-global-server', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
@@ -1096,7 +1096,7 @@ async function updateCcwToolsMcp(scope = 'workspace') {
    } else {
      // Update workspace (use preferredProjectConfigType)
      const configType = preferredProjectConfigType;
-      const response = await fetch('/api/mcp-copy-server', {
+      const response = await csrfFetch('/api/mcp-copy-server', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
--- a/ccw/src/templates/dashboard-js/components/storage-manager.js
+++ b/ccw/src/templates/dashboard-js/components/storage-manager.js
@@ -415,7 +415,7 @@ async function cleanProjectStorage(projectId) {
  }
  try {
-    const res = await fetch('/api/storage/clean', {
+    const res = await csrfFetch('/api/storage/clean', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ projectId })
@@ -451,7 +451,7 @@ async function cleanAllStorageConfirm() {
  }
  try {
-    const res = await fetch('/api/storage/clean', {
+    const res = await csrfFetch('/api/storage/clean', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ all: true })
--- a/ccw/src/templates/dashboard-js/components/task-queue-sidebar.js
+++ b/ccw/src/templates/dashboard-js/components/task-queue-sidebar.js
@@ -568,7 +568,7 @@ async function executeSidebarUpdateTask(taskId) {
  }
  try {
-    const response = await fetch('/api/update-claude-md', {
+    const response = await csrfFetch('/api/update-claude-md', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
--- a/ccw/src/templates/dashboard-js/views/cli-manager.js
+++ b/ccw/src/templates/dashboard-js/views/cli-manager.js
@@ -2752,7 +2752,7 @@ async function installSemanticDeps() {
    '<div class="text-sm text-muted-foreground animate-pulse">' + t('codexlens.installingDeps') + '</div>';
  try {
-    var response = await fetch('/api/codexlens/semantic/install', { method: 'POST' });
+    var response = await csrfFetch('/api/codexlens/semantic/install', { method: 'POST' });
    var result = await response.json();
    if (result.success) {
--- a/ccw/src/templates/dashboard-js/views/codexlens-manager.js
+++ b/ccw/src/templates/dashboard-js/views/codexlens-manager.js
@@ -3613,7 +3613,7 @@ async function initCodexLensIndex(indexType, embeddingModel, embeddingBackend, m
          // Install semantic dependencies first
          showRefreshToast(t('codexlens.installingDeps') || 'Installing semantic dependencies...', 'info');
          try {
-            var installResponse = await fetch('/api/codexlens/semantic/install', { method: 'POST' });
+            var installResponse = await csrfFetch('/api/codexlens/semantic/install', { method: 'POST' });
            var installResult = await installResponse.json();
            if (!installResult.success) {
@@ -5383,7 +5383,7 @@ function initCodexLensManagerPageEvents(currentConfig) {
      saveBtn.disabled = true;
      saveBtn.innerHTML = '<span class="animate-pulse">' + t('common.saving') + '</span>';
      try {
-        var response = await fetch('/api/codexlens/config', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ index_dir: newIndexDir }) });
+        var response = await csrfFetch('/api/codexlens/config', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ index_dir: newIndexDir }) });
        var result = await response.json();
        if (result.success) { showRefreshToast(t('codexlens.configSaved'), 'success'); renderCodexLensManager(); }
        else { showRefreshToast(t('common.saveFailed') + ': ' + result.error, 'error'); }
--- a/ccw/src/templates/dashboard-js/views/memory.js
+++ b/ccw/src/templates/dashboard-js/views/memory.js
@@ -1114,7 +1114,7 @@ async function deleteInsight(insightId) {
  if (!confirm(t('memory.confirmDeleteInsight'))) return;
  try {
-    var response = await fetch('/api/memory/insights/' + insightId, { method: 'DELETE' });
+    var response = await csrfFetch('/api/memory/insights/' + insightId, { method: 'DELETE' });
    if (!response.ok) throw new Error('Failed to delete insight');
    selectedInsight = null;
--- a/ccw/src/templates/dashboard-js/views/prompt-history.js
+++ b/ccw/src/templates/dashboard-js/views/prompt-history.js
@@ -431,7 +431,7 @@ async function deletePromptInsight(insightId) {
  if (!confirm(isZh() ? '确定要删除这条洞察记录吗？' : 'Are you sure you want to delete this insight?')) return;
  try {
-    var response = await fetch('/api/memory/insights/' + insightId, { method: 'DELETE' });
+    var response = await csrfFetch('/api/memory/insights/' + insightId, { method: 'DELETE' });
    if (!response.ok) throw new Error('Failed to delete insight');
    selectedPromptInsight = null;