fix(plugin): sanitize local repo path telemetry

2026-05-06 20:42:43 +08:00 · 2026-04-19 05:28:40 +08:00
parent 4a4d93e7f9
commit b7ee6ca8c4
2 changed files with 52 additions and 4 deletions
--- a/app/helper/plugin.py
+++ b/app/helper/plugin.py
@@ -123,6 +123,25 @@ class PluginHelper(metaclass=WeakSingleton):
        except Exception:
            return None

+    @staticmethod
+    def sanitize_repo_url_for_statistic(repo_url: Optional[str]) -> Optional[str]:
+        """
+        统计上报前脱敏 repo_url，避免泄露本地仓库绝对路径
+        """
+        if not repo_url:
+            return repo_url
+        if not PluginHelper.is_local_repo_url(repo_url):
+            return repo_url
+
+        pid = PluginHelper.parse_local_repo_url(repo_url)
+        if not pid:
+            return LOCAL_REPO_PREFIX.rstrip("/")
+
+        return PluginHelper.make_local_repo_url(
+            pid=pid,
+            package_version=PluginHelper.parse_local_repo_package_version(repo_url)
+        )
+
    @staticmethod
    def get_local_repo_paths() -> List[Path]:
        """
@@ -410,7 +429,7 @@ class PluginHelper(metaclass=WeakSingleton):
            timeout=5
        ).post(install_reg_url, json={
            "plugin_id": pid,
-            "repo_url": repo_url
+            "repo_url": self.sanitize_repo_url_for_statistic(repo_url)
        })
        if res is not None and res.status_code == 200:
            return True
@@ -427,7 +446,10 @@ class PluginHelper(metaclass=WeakSingleton):
        if items:
            for pid, repo_url in items:
                if pid:
-                    payload_plugins.append({"plugin_id": pid, "repo_url": repo_url})
+                    payload_plugins.append({
+                        "plugin_id": pid,
+                        "repo_url": self.sanitize_repo_url_for_statistic(repo_url)
+                    })
        else:
            plugins = self.systemconfig.get(SystemConfigKey.UserInstalledPlugins)
            if not plugins:
@@ -1323,7 +1345,7 @@ class PluginHelper(metaclass=WeakSingleton):
            timeout=5
        ).post(install_reg_url, json={
            "plugin_id": pid,
-            "repo_url": repo_url
+            "repo_url": self.sanitize_repo_url_for_statistic(repo_url)
        })
        if res is not None and res.status_code == 200:
            return True
@@ -1340,7 +1362,10 @@ class PluginHelper(metaclass=WeakSingleton):
        if items:
            for pid, repo_url in items:
                if pid:
-                    payload_plugins.append({"plugin_id": pid, "repo_url": repo_url})
+                    payload_plugins.append({
+                        "plugin_id": pid,
+                        "repo_url": self.sanitize_repo_url_for_statistic(repo_url)
+                    })
        else:
            plugins = self.systemconfig.get(SystemConfigKey.UserInstalledPlugins)
            if not plugins:
--- a/tests/test_plugin_helper.py
+++ b/tests/test_plugin_helper.py
@@ -0,0 +1,23 @@
+from unittest import TestCase
+
+
+class PluginHelperTest(TestCase):
+
+    def test_sanitize_repo_url_for_statistic_keeps_remote_url(self):
+        try:
+            from app.helper.plugin import PluginHelper
+        except ModuleNotFoundError as exc:
+            self.skipTest(f"missing dependency: {exc}")
+        repo_url = "https://github.com/InfinityPacer/MoviePilot-Plugins"
+        self.assertEqual(repo_url, PluginHelper.sanitize_repo_url_for_statistic(repo_url))
+
+    def test_sanitize_repo_url_for_statistic_strips_local_path(self):
+        try:
+            from app.helper.plugin import PluginHelper
+        except ModuleNotFoundError as exc:
+            self.skipTest(f"missing dependency: {exc}")
+        repo_url = "local://TestPlugin?path=/Users/InfinityPacer/GitHub/MoviePilot/MoviePilot-Plugins&version=v2"
+        self.assertEqual(
+            "local://TestPlugin?version=v2",
+            PluginHelper.sanitize_repo_url_for_statistic(repo_url)
+        )