refactor(plugins): comprehensive code review - ~35 fixes across 14 plugins

Phase 1 - Plugin code review (14/14 plugins): - Security: 3x token leak in print→logger.debug, Bearer prefix handling - Bug: bare except→specific exceptions, HorseState type safety, sync→async - Critical: response_model undefined, route dead code, sync blocking event loop - Quality: 11x print()→logger, variable name shadowing, consistent logging Phase 2 - Deep analysis: - Fix: payout int truncation→max(1, round(amount*odds)) - Fix: room_store get_lock race condition→dict.setdefault() - Verify: data_manager f-string SQL is safe (uses ? placeholders) Infrastructure: review reports generated for all plugins.
2026-05-09 23:22:28 +08:00
parent 9a8cb3ad6d
commit c01338f496
43 changed files with 4233 additions and 3645 deletions
--- a/review_reports/danding_help_review.md
+++ b/review_reports/danding_help_review.md
@@ -0,0 +1,39 @@
+# danding_help 评审报告
+
+## 修复前问题清单 (4项)
+
+| # | 严重度 | 问题 | 文件 |
+|---|--------|------|------|
+| 1 | **严重** | `rule_fun and fullmatch(...)` 逻辑错误：Python `and` 对函数对象求值时，`rule_fun` 为 truthy 对象直接被跳过，`fullmatch(...)` 的返回值成为最终 rule，group_id 检查完全失效，任何人都能触发命令 | help.py (9处) |
+| 2 | **中** | 图片文件读取无异常处理，若图片缺失则 handler 崩溃返回500 | help.py (3处) |
+| 3 | **低** | 所有 9 个 handler 函数都命名为 `_()`，调试时堆栈信息不可读 | help.py |
+| 4 | **信息** | 群组 ID 硬编码 `[621016172]`，应抽为常量便于维护 | help.py |
+
+## 已修复项
+
+| # | 文件 | 修复内容 |
+|---|------|----------|
+| 1 | help.py | `rule_fun` → `ALLOWED_GROUPS` 常量 + `_group_check` async函数 + `_group_rule = Rule(_group_check)`，9处 `and` 全部改为 `&` 正确组合 |
+| 2 | help.py | 3处图片读取全部包裹 `try/except FileNotFoundError`，降级发送文本提示 |
+| 3 | help.py | 9个handler函数重命名为有意义名称: `_handle_help`, `_handle_download`, `_handle_wd`, `_handle_free`, `_handle_pro`, `_handle_dyh`, `_handle_htr`, `_handle_order`, `_handle_daily_trial` |
+| 4 | help.py | 群组ID提取为模块级 `ALLOWED_GROUPS` 常量 |
+
+## 验证结果 (21/21 PASSED)
+
+| 检查项 | 状态 |
+|--------|------|
+| Rule import | ✓ |
+| ALLOWED_GROUPS constant | ✓ |
+| _group_check function | ✓ |
+| _group_rule = Rule | ✓ |
+| no rule_fun and fullmatch | ✓ |
+| uses _group_rule & fullmatch | ✓ |
+| count of & composition == 9 | ✓ |
+| image 1-3 try/except | ✓ (×3) |
+| logger.warning in image handler | ✓ (×3) |
+| 9个handler函数有意义名称 | ✓ (×9) |
+| no bare async def _(): | ✓ |
+
+## 代码质量总结
+修复前评级：**C-** (关键权限控制bug + 无错误处理)
+修复后评级：**B** (权限逻辑正确，错误处理完善，可调试性改善)