fix: path traversal via URL-encoded ../, Feb 29 leap year crash, missing response_model, dead code, duplicate utcnow

api/app/routers/anniversaries.py

@@ -17,6 +17,16 @@ from app.utils.logger import logger
 router = APIRouter(prefix="/api", tags=["纪念日"])
 
 
+def _safe_date(year: int, month: int, day: int) -> date:
+    """安全构造日期，对闰年 2 月 29 日回退到 2 月 28 日"""
+    try:
+        return date(year, month, day)
+    except ValueError:
+        if month == 2 and day == 29:
+            return date(year, 2, 28)
+        raise
+
+
 def compute_next_info(anniversary: Anniversary, today: date) -> tuple:
     """计算纪念日的下一次日期、距今天数、周年数"""
     month, day = anniversary.date.month, anniversary.date.day
@@ -24,9 +34,9 @@ def compute_next_info(anniversary: Anniversary, today: date) -> tuple:
     if anniversary.is_recurring:
         # 计算今年和明年的日期
         this_year = today.year
-        next_date = date(this_year, month, day)
+        next_date = _safe_date(this_year, month, day)
         if next_date < today:
-            next_date = date(this_year + 1, month, day)
+            next_date = _safe_date(this_year + 1, month, day)
 
         days_until = (next_date - today).days
 
@@ -38,14 +48,14 @@ def compute_next_info(anniversary: Anniversary, today: date) -> tuple:
     else:
         # 非重复：使用原始日期（加上年份）
         if anniversary.year:
-            target = date(anniversary.year, month, day)
+            target = _safe_date(anniversary.year, month, day)
             if target < today:
                 return None, None, None
             days_until = (target - today).days
             return target, days_until, 0
         else:
             # 无年份的日期按今年算
-            target = date(today.year, month, day)
+            target = _safe_date(today.year, month, day)
             if target < today:
                 return None, None, None
             days_until = (target - today).days