fix: path traversal via URL-encoded ../, Feb 29 leap year crash, missing response_model, dead code, duplicate utcnow

2026-05-17 12:36:45 +08:00
parent 5f23b8ef5b
commit 9c5ef36fe8
5 changed files with 35 additions and 33 deletions
--- a/api/app/routers/accounts.py
+++ b/api/app/routers/accounts.py
@@ -8,7 +8,7 @@ from app.database import get_db
 from app.models.account import FinancialAccount, AccountHistory, DebtInstallment
 from app.schemas.account import (
    AccountCreate, AccountUpdate, AccountResponse, BalanceUpdateRequest,
-    AccountHistoryResponse, AccountListItemResponse,
+    AccountHistoryResponse, AccountListItemResponse, PaginatedAccountHistoryResponse,
    DebtInstallmentCreate, DebtInstallmentUpdate, DebtInstallmentResponse,
 )
 from app.schemas.common import DeleteResponse
@@ -232,7 +232,7 @@ def update_balance(account_id: int, data: BalanceUpdateRequest, db: Session = De
        raise HTTPException(status_code=500, detail="更新余额失败")


-@router.get("/accounts/{account_id}/history")
+@router.get("/accounts/{account_id}/history", response_model=PaginatedAccountHistoryResponse)
 def get_account_history(
    account_id: int,
    page: int = Query(1, ge=1),
@@ -252,26 +252,13 @@ def get_account_history(
            AccountHistory.created_at.desc()
        ).offset((page - 1) * page_size).limit(page_size).all()

-        result = {
+        logger.info(f"获取账户历史成功: account_id={account_id}, total={total}")
+        return {
            "total": total,
            "page": page,
            "page_size": page_size,
-            "records": [
-                {
-                    "id": r.id,
-                    "account_id": r.account_id,
-                    "change_amount": r.change_amount,
-                    "balance_before": r.balance_before,
-                    "balance_after": r.balance_after,
-                    "note": r.note,
-                    "created_at": r.created_at,
-                }
-                for r in records
-            ]
+            "records": records,
        }
-
-        logger.info(f"获取账户历史成功: account_id={account_id}, total={total}")
-        return result
    except HTTPException:
        raise
    except Exception as e:
@@ -287,7 +274,7 @@ def get_installments(db: Session = Depends(get_db)):
    try:
        installments = db.query(DebtInstallment).order_by(
            DebtInstallment.is_completed.asc(),
-            DebtInstallment.next_payment_date.asc() if hasattr(DebtInstallment, 'next_payment_date') else DebtInstallment.id.asc()
+            DebtInstallment.id.asc()
        ).all()

        today = date.today()