From 73b1291851541cd57330c3605b09c598ebf60287 Mon Sep 17 00:00:00 2001
From: mks155 <mks155@qq.com>
Date: Thu, 22 Jan 2026 22:20:48 +0800
Subject: [PATCH 1/3] =?UTF-8?q?feat:=20=E4=B8=BB=E6=9C=BA=E9=BB=91?=
 =?UTF-8?q?=E7=99=BD=E5=90=8D=E5=8D=95=E6=94=AF=E6=8C=81=E9=80=9A=E9=85=8D?=
 =?UTF-8?q?=E7=AC=A6*=E5=8C=B9=E9=85=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../cn/keking/utils/DomainIpMatcherUtil.java  | 265 ++++++++++++++++++
 .../cn/keking/web/filter/TrustHostFilter.java |   6 +-
 .../utils/DomainIpMatcherUtilTests.java       | 206 ++++++++++++++
 3 files changed, 475 insertions(+), 2 deletions(-)
 create mode 100644 server/src/main/java/cn/keking/utils/DomainIpMatcherUtil.java
 create mode 100644 server/src/test/java/cn/keking/utils/DomainIpMatcherUtilTests.java

diff --git a/server/src/main/java/cn/keking/utils/DomainIpMatcherUtil.java b/server/src/main/java/cn/keking/utils/DomainIpMatcherUtil.java
new file mode 100644
index 000000000..7c2caa4fb
--- /dev/null
+++ b/server/src/main/java/cn/keking/utils/DomainIpMatcherUtil.java
@@ -0,0 +1,265 @@
+package cn.keking.utils;
+
+import java.util.Set;
+import java.util.regex.Pattern;
+
+/**
+ * @author mks155
+ * @date 2026/1/22
+ * @description 域名/IP匹配工具
+ * 支持：*.example.com, example.com, localhost, 127.0.0.1, 192.168.*, 172.16.*, 10.*
+ */
+public final class DomainIpMatcherUtil {
+
+    // IPv4地址正则
+    private static final Pattern IPV4_PATTERN =
+            Pattern.compile("^(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)\\.(25[0-5]|2[0-4]\\d|[01]?\\d\\d?)$");
+
+    // 域名正则
+    private static final Pattern DOMAIN_PATTERN =
+            Pattern.compile("^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$");
+
+    private static final String WILDCARD_PREFIX = "*.";
+
+    /**
+     * 检查域名/IP是否在允许的配置列表中
+     */
+    public static boolean isAllowed(Set<String> allowedPatterns, String host) {
+        if (allowedPatterns == null || allowedPatterns.isEmpty() || host == null) {
+            return false;
+        }
+
+        String trimmedHost = host.trim();
+        if (trimmedHost.isEmpty()) {
+            return false;
+        }
+
+        for (String pattern : allowedPatterns) {
+            if (pattern == null) continue;
+
+            String trimmedPattern = pattern.trim();
+            if (trimmedPattern.isEmpty()) continue;
+
+            if (matchPattern(trimmedPattern, trimmedHost)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * 匹配单个模式
+     */
+    private static boolean matchPattern(String pattern, String host) {
+        // 1. 精确匹配（需要验证格式，防止无效域名/IP被精确匹配）
+        if (pattern.equals(host)) {
+            // 只有格式合法才允许精确匹配
+            return isValidDomain(pattern) || isIpFormat(pattern) || isSpecialDomain(pattern);
+        }
+
+        // 2. IP段匹配（10.*, 192.168.*, 192.168.1.*）
+        if (isIpSegmentPattern(pattern)) {
+            return matchIpSegment(pattern, host);
+        }
+
+        // 3. 通配符域名（*.example.com）
+        if (pattern.startsWith(WILDCARD_PREFIX)) {
+            return matchWildcardDomain(pattern, host);
+        }
+
+        // 4. 精确IP匹配（已在第一步处理）
+        if (isIpFormat(pattern) && isIpFormat(host)) {
+            return false;
+        }
+
+        // 5. 特殊域名（localhost, 127.0.0.1）
+        if (isSpecialDomain(pattern)) {
+            return isSpecialDomain(host) && pattern.equalsIgnoreCase(host);
+        }
+
+        return false;
+    }
+
+    /**
+     * 匹配通配符域名：*.example.com
+     * 规则：
+     * - 必须以 .suffix 结尾（不区分大小写）
+     * - 不能等于suffix
+     * - 子域名部分必须有效（防止evil.com.example.com）
+     * - 只能匹配一级子域名（a.example.com 可以，a.b.example.com 不行）
+     * - 域名不区分大小写
+     */
+    private static boolean matchWildcardDomain(String pattern, String domain) {
+        // 去掉 "*." 并转换为小写
+        String suffix = pattern.substring(2).toLowerCase();
+        String domainLower = domain.toLowerCase();
+
+        // 验证后缀格式
+        if (!isValidDomain(suffix)) {
+            return false;
+        }
+
+        // 必须以 .suffix 结尾
+        if (!domainLower.endsWith("." + suffix)) {
+            return false;
+        }
+
+        // 不能等于suffix
+        if (domainLower.equals(suffix)) {
+            return false;
+        }
+
+        // 提取子域名部分
+        String subdomain = domainLower.substring(0, domainLower.length() - suffix.length() - 1);
+
+        // 防止多级子域名：a.b.example.com 不应匹配 *.example.com
+        if (subdomain.contains(".")) {
+            return false;
+        }
+
+        // 验证子域名（防止evil.com.example.com）
+        return isValidSubdomain(subdomain);
+    }
+
+    /**
+     * 匹配IP段：10.*, 192.168.*, 192.168.1.*
+     * 支持2、3、4段格式
+     */
+    private static boolean matchIpSegment(String pattern, String host) {
+        if (!isIpFormat(host)) {
+            return false;
+        }
+
+        String[] patternParts = pattern.split("\\.");
+        String[] hostParts = host.split("\\.");
+
+        // 支持2、3、4段pattern匹配4段host
+        if (hostParts.length != 4) {
+            return false;
+        }
+
+        // 只比较pattern的段数，pattern的每一段对应host的对应段
+        for (int i = 0; i < patternParts.length; i++) {
+            if ("*".equals(patternParts[i])) {
+                continue;
+            }
+            if (!patternParts[i].equals(hostParts[i])) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * 判断是否是IP段模式（10.*, 192.168.*, 192.168.1.*）
+     * 支持2、3、4段格式
+     */
+    private static boolean isIpSegmentPattern(String str) {
+        if (str == null || !str.contains("*")) {
+            return false;
+        }
+
+        String[] parts = str.split("\\.");
+        // 支持2、3、4段：10.*, 192.168.*, 192.168.1.*
+        if (parts.length < 2 || parts.length > 4) {
+            return false;
+        }
+
+        for (String part : parts) {
+            if ("*".equals(part)) {
+                continue;
+            }
+            if (!isNumeric(part)) {
+                return false;
+            }
+            int num = Integer.parseInt(part);
+            if (num < 0 || num > 255) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * 判断是否是标准IPv4格式
+     */
+    private static boolean isIpFormat(String str) {
+        return str != null && IPV4_PATTERN.matcher(str).matches();
+    }
+
+    /**
+     * 判断是否是特殊域名（localhost, 127.0.0.1）
+     */
+    private static boolean isSpecialDomain(String str) {
+        if (str == null) {
+            return false;
+        }
+        return "localhost".equalsIgnoreCase(str) || "127.0.0.1".equals(str);
+    }
+
+    /**
+     * 验证域名格式
+     */
+    private static boolean isValidDomain(String domain) {
+        if (domain == null || domain.isEmpty() || domain.length() > 253) {
+            return false;
+        }
+
+        // 特殊域名直接通过
+        if (isSpecialDomain(domain)) {
+            return true;
+        }
+
+        // 格式检查
+        if (domain.startsWith(".") || domain.endsWith(".") || domain.contains("..")) {
+            return false;
+        }
+
+        String[] parts = domain.split("\\.");
+        for (String part : parts) {
+            if (part.isEmpty() || part.length() > 63) {
+                return false;
+            }
+            if (part.startsWith("-") || part.endsWith("-")) {
+                return false;
+            }
+            if (!DOMAIN_PATTERN.matcher(part).matches()) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * 验证子域名（防止绕过）
+     */
+    private static boolean isValidSubdomain(String subdomain) {
+        if (subdomain == null || subdomain.isEmpty()) {
+            return false;
+        }
+        if (subdomain.contains("*") || subdomain.contains(" ") || subdomain.contains("@") || subdomain.contains(";")) {
+            return false;
+        }
+        if (subdomain.replace(".", "").isEmpty()) {
+            return false;
+        }
+        return isValidDomain(subdomain);
+    }
+
+    /**
+     * 判断是否是数字
+     */
+    private static boolean isNumeric(String str) {
+        if (str == null || str.isEmpty()) {
+            return false;
+        }
+        for (char c : str.toCharArray()) {
+            if (!Character.isDigit(c)) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+}
\ No newline at end of file
diff --git a/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java b/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
index e661844f4..2a418e242 100644
--- a/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
+++ b/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
@@ -1,10 +1,12 @@
 package cn.keking.web.filter;
 
 import cn.keking.config.ConfigConstants;
+import cn.keking.utils.DomainIpMatcherUtil;
 import cn.keking.utils.WebUtils;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
+
 import jakarta.servlet.Filter;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.FilterConfig;
@@ -56,7 +58,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
     public boolean isNotTrustHost(String host) {
         // 如果配置了黑名单，优先检查黑名单
         if (CollectionUtils.isNotEmpty(ConfigConstants.getNotTrustHostSet())) {
-            return ConfigConstants.getNotTrustHostSet().contains(host);
+            return DomainIpMatcherUtil.isAllowed(ConfigConstants.getNotTrustHostSet(), host);
         }
 
         // 如果配置了白名单，检查是否在白名单中
@@ -66,7 +68,7 @@ public boolean isNotTrustHost(String host) {
                 logger.debug("允许所有主机访问（通配符模式）: {}", host);
                 return false;
             }
-            return !ConfigConstants.getTrustHostSet().contains(host);
+            return DomainIpMatcherUtil.isAllowed(ConfigConstants.getTrustHostSet(), host);
         }
 
         // 安全加固：默认拒绝所有未配置的主机（防止SSRF攻击）
diff --git a/server/src/test/java/cn/keking/utils/DomainIpMatcherUtilTests.java b/server/src/test/java/cn/keking/utils/DomainIpMatcherUtilTests.java
new file mode 100644
index 000000000..67dd99e17
--- /dev/null
+++ b/server/src/test/java/cn/keking/utils/DomainIpMatcherUtilTests.java
@@ -0,0 +1,206 @@
+package cn.keking.utils;
+
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * @author mks155
+ * @date 2026/1/22
+ * @description 域名/IP匹配工具
+ * 支持：*.example.com, example.com, localhost, 127.0.0.1, 192.168.*, 172.16.*, 10.*
+ */
+public final class DomainIpMatcherUtilTests {
+    private static final Logger log = LoggerFactory.getLogger(DomainIpMatcherUtilTests.class);
+
+    @Test
+    public void runAllTests() {
+        log.info("=== DomainIpMatcher增强测试开始 ===");
+
+        List<String> failures = new ArrayList<>();
+        int testCount = 0;
+
+        // ========== 1. 域名通配符测试 ==========
+        Set<String> patterns1 = Set.of("*.example.com", "*.test.com", "example.com", "www.example.com");
+        test("api.example.com", true, patterns1, ++testCount, failures);
+        test("localhost.example.com", true, patterns1, ++testCount, failures);
+        test("a.b.example.com", false, patterns1, ++testCount, failures);
+        test("evil.com", false, patterns1, ++testCount, failures);
+        test("example.com.evil.com", false, patterns1, ++testCount, failures);
+        test("example.test.com", true, patterns1, ++testCount, failures);
+        test("example.com.test.com", false, patterns1, ++testCount, failures);
+        test("example.com", true, patterns1, ++testCount, failures);
+        test("www.example.com", true, patterns1, ++testCount, failures);
+
+        // ========== 2. IP段匹配测试 ==========
+        Set<String> patterns2 = Set.of("192.168.*", "10.*", "172.16.*", "192.168.0.1", "172.17.*");
+        test("192.168.1.1", true, patterns2, ++testCount, failures);
+        test("192.168.0.100", true, patterns2, ++testCount, failures);
+        test("192.168.255.255", true, patterns2, ++testCount, failures);
+        test("10.0.0.1", true, patterns2, ++testCount, failures);
+        test("172.16.0.1", true, patterns2, ++testCount, failures);
+        test("192.169.1.1", false, patterns2, ++testCount, failures);
+        test("11.0.0.1", false, patterns2, ++testCount, failures);
+        test("192.168.0.1", true, patterns2, ++testCount, failures);
+
+        // ========== 3. 精确IP和特殊域名 ==========
+        Set<String> patterns3 = Set.of("127.0.0.1", "localhost");
+        test("127.0.0.1", true, patterns3, ++testCount, failures);
+        test("127.0.0.2", false, patterns3, ++testCount, failures);
+        test("128.0.0.1", false, patterns3, ++testCount, failures);
+        test("localhost", true, patterns3, ++testCount, failures);
+        test("LOCALHOST", true, patterns3, ++testCount, failures);
+        test("local", false, patterns3, ++testCount, failures);
+
+        // ========== 4. 边界和空值测试 ==========
+        Set<String> patterns4 = Set.of("*.example.com");
+        test("", false, patterns4, ++testCount, failures);
+        test("   ", false, patterns4, ++testCount, failures);
+        test(null, false, patterns4, ++testCount, failures);
+        test("example.com", false, Set.of(), ++testCount, failures);
+        test("example.com", false, null, ++testCount, failures);
+
+        // ========== 5. 恶意输入测试 ==========
+        Set<String> patterns5 = Set.of("*.example.com", "192.168.*");
+        test("example.com; DROP TABLE", false, patterns5, ++testCount, failures);
+        test("example.com/../evil.com", false, patterns5, ++testCount, failures);
+        test("example.com<script>", false, patterns5, ++testCount, failures);
+        test("example.com@evil.com", false, patterns5, ++testCount, failures);
+        test("a".repeat(100) + "." + "b".repeat(100), false, patterns5, ++testCount, failures);
+        test("a".repeat(64) + ".example.com", false, patterns5, ++testCount, failures);
+
+        // ========== 6. IP段变体测试 ==========
+        test("10.0.0.1", true, Set.of("10.0.0.*"), ++testCount, failures);
+        test("10.0.1.1", false, Set.of("10.0.0.*"), ++testCount, failures);
+        test("10.0.0.255", true, Set.of("10.0.0.*"), ++testCount, failures);
+        test("10.0.0.0", true, Set.of("10.0.0.*"), ++testCount, failures);
+        test("10.0.0.1", true, Set.of("10.0.*"), ++testCount, failures);
+        test("10.0.1.1", true, Set.of("10.0.*"), ++testCount, failures);
+        test("10.1.0.1", false, Set.of("10.0.*"), ++testCount, failures);
+
+        // ========== 7. 域名通配符变体 ==========
+        test("example.com", false, Set.of("*.example.com"), ++testCount, failures);
+        test("a.example.com", true, Set.of("*.example.com"), ++testCount, failures);
+        test("a.b.example.com", false, Set.of("*.example.com"), ++testCount, failures);
+        test("example.com.evil.com", false, Set.of("*.example.com"), ++testCount, failures);
+        test("evil.com.example.com", false, Set.of("*.example.com"), ++testCount, failures);
+        test("123.example.com", true, Set.of("*.example.com"), ++testCount, failures);
+        test("a-b.example.com", true, Set.of("*.example.com"), ++testCount, failures);
+
+        // ========== 8. 边界值测试 ==========
+        test("192.168.0.0", true, Set.of("192.168.*"), ++testCount, failures);
+        test("192.168.255.255", true, Set.of("192.168.*"), ++testCount, failures);
+        test("10.0.0.0", true, Set.of("10.*"), ++testCount, failures);
+        test("10.255.255.255", true, Set.of("10.*"), ++testCount, failures);
+        test("a.example.com", true, Set.of("*.example.com"), ++testCount, failures);
+        test("a" + "b".repeat(63) + ".example.com", false, Set.of("*.example.com"), ++testCount, failures);
+
+        // ========== 9. 格式边界测试 ==========
+        test("a_b.example.com", false, Set.of("*.example.com"), ++testCount, failures);
+        test("a.example.com.", false, Set.of("*.example.com"), ++testCount, failures);
+        test("a b.example.com", false, Set.of("*.example.com"), ++testCount, failures);
+        test("192.168.1", false, Set.of("192.168.*"), ++testCount, failures);
+        test("192.168.1.2.3", false, Set.of("192.168.*"), ++testCount, failures);
+        test("192.168.1.1.1", false, Set.of("192.168.*"), ++testCount, failures);
+        test("-example.com", false, Set.of("-example.com"), ++testCount, failures);
+        test("example-.com", false, Set.of("example-.com"), ++testCount, failures);
+        test("example..com", false, Set.of("example..com"), ++testCount, failures);
+        test(".example.com", false, Set.of(".example.com"), ++testCount, failures);
+        test("example.com.", false, Set.of("example.com."), ++testCount, failures);
+        test("example@com", false, Set.of("example@com"), ++testCount, failures);
+        test("example com", false, Set.of("example com"), ++testCount, failures);
+
+        // ========== 10. 安全绕过测试 ==========
+        test("127.0.0.1.example.com", false, Set.of("*.example.com"), ++testCount, failures);
+        test("example.com.example.com", false, Set.of("*.example.com"), ++testCount, failures);
+        test("192.168.1.1.1", false, Set.of("192.168.*"), ++testCount, failures);
+        test("10.0.0.1.1", false, Set.of("10.*"), ++testCount, failures);
+        test("evil.com; DROP TABLE", false, Set.of("*.example.com"), ++testCount, failures);
+        test("example.com/../evil.com", false, Set.of("*.example.com"), ++testCount, failures);
+
+        // ========== 11. 混合模式测试 ==========
+        Set<String> mixed = Set.of("*.example.com", "192.168.*", "localhost", "10.0.0.*");
+        test("api.example.com", true, mixed, ++testCount, failures);
+        test("192.168.1.1", true, mixed, ++testCount, failures);
+        test("localhost", true, mixed, ++testCount, failures);
+        test("10.0.0.1", true, mixed, ++testCount, failures);
+        test("10.0.1.1", false, mixed, ++testCount, failures);
+        test("evil.com", false, mixed, ++testCount, failures);
+
+        // ========== 12. 大小写测试 ==========
+        test("API.EXAMPLE.COM", true, Set.of("*.example.com"), ++testCount, failures);
+        test("api.example.com", true, Set.of("*.example.com"), ++testCount, failures);
+        test("LOCALHOST", true, Set.of("localhost"), ++testCount, failures);
+        test("192.168.1.1", true, Set.of("192.168.*"), ++testCount, failures);
+        test("192.168.1.1", true, Set.of("192.168.1.*"), ++testCount, failures);
+
+        // ========== 13. 长域名测试 ==========
+        test("a" + "b".repeat(50) + ".example.com", true, Set.of("*.example.com"), ++testCount, failures);
+        test("192.168.1.1", true, Set.of("192.168.*"), ++testCount, failures);
+        test("192.168.1.1", true, Set.of("192.168.1.*"), ++testCount, failures);
+
+        // ========== 14. 性能测试==========
+        Set<String> largeSet = new HashSet<>();
+        for (int i = 0; i < 100; i++) {
+            largeSet.add("*.sub" + i + ".example.com");
+            largeSet.add("192.168." + i + ".*");
+        }
+        largeSet.add("example.com");
+        largeSet.add("10.0.0.1");
+        long start = System.currentTimeMillis();
+        for (int i = 0; i < 1000; i++) {
+            DomainIpMatcherUtil.isAllowed(largeSet, "api.sub50.example.com");
+            DomainIpMatcherUtil.isAllowed(largeSet, "192.168.50.1");
+            DomainIpMatcherUtil.isAllowed(largeSet, "10.0.0.1");
+            DomainIpMatcherUtil.isAllowed(largeSet, "evil.com");
+        }
+        long duration = System.currentTimeMillis() - start;
+        if (duration >= 1000) {
+            String failure = "  ❌ [88] 性能测试 1000次 耗时 " + duration + "ms (期望 < 1000ms)";
+            failures.add(failure);
+            log.error(failure);
+        } else {
+            log.info("  ✅ [88] 性能测试 1000次 耗时: {}ms (期望 < 1000ms)", duration);
+        }
+
+        // ==========统一报告==========
+        log.info("=== 测试总结 ===");
+        log.info("总测试数: {}", testCount);
+        log.info("通过数: {}", testCount - failures.size());
+        log.info("失败数: {}", failures.size());
+
+        if (failures.isEmpty()) {
+            log.info("🎉 所有测试通过！");
+        } else {
+            log.error("❌ 测试失败详情:");
+            for (String failure : failures) {
+                log.error("  - {}", failure);
+            }
+            throw new AssertionError("共 " + failures.size() + " 个测试失败，请查看上方详细信息");
+        }
+    }
+
+    /**
+     * 测试辅助方法 - 实时显示结果，记录失败
+     */
+    private static void test(String input, boolean expected, Set<String> patterns, int index, List<String> failures) {
+        boolean actual = DomainIpMatcherUtil.isAllowed(patterns, input);
+        String inputStr = input == null ? "null" : (input.isEmpty() ? "\"\"" : input);
+        if (inputStr.length() > 50) {
+            inputStr = inputStr.substring(0, 47) + "...";
+        }
+        String status = actual == expected ? "✅" : "❌";
+        log.info("  {} [{}] {} -> {} (期望: {})", status, index, inputStr, actual, expected);
+
+        if (actual != expected) {
+            String failure = "[" + index + "] " + inputStr + " -> " + actual + " (期望: " + expected + ")";
+            failures.add(failure);
+        }
+    }
+
+}
\ No newline at end of file

From 473923fe87b19689b8f4c63fadb9e61389025fcc Mon Sep 17 00:00:00 2001
From: mks155 <mks155@qq.com>
Date: Thu, 22 Jan 2026 23:30:47 +0800
Subject: [PATCH 2/3] =?UTF-8?q?docs:=20=E4=BF=AE=E6=94=B9=E4=B8=BB?=
 =?UTF-8?q?=E6=9C=BA=E9=BB=91=E7=99=BD=E5=90=8D=E5=8D=95=E9=85=8D=E7=BD=AE?=
 =?UTF-8?q?=E9=80=9A=E9=85=8D=E7=AC=A6=E7=9B=B8=E5=85=B3=E6=8F=8F=E8=BF=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 SECURITY_CONFIG.md                            | 15 +++++++++------
 server/src/main/config/application.properties |  2 +-
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/SECURITY_CONFIG.md b/SECURITY_CONFIG.md
index ee87b300a..5a9132439 100644
--- a/SECURITY_CONFIG.md
+++ b/SECURITY_CONFIG.md
@@ -12,10 +12,10 @@
 
 ```properties
 # 方式1：通过配置文件
-trust.host = kkview.cn,yourdomain.com,cdn.example.com
+trust.host = kkview.cn,yourdomain.com,cdn.example.com,*.cdn.example.com
 
 # 方式2：通过环境变量
-KK_TRUST_HOST=kkview.cn,yourdomain.com,cdn.example.com
+KK_TRUST_HOST=kkview.cn,yourdomain.com,cdn.example.com,*.cdn.example.com
 ```
 
 **示例场景**：
@@ -23,6 +23,10 @@ KK_TRUST_HOST=kkview.cn,yourdomain.com,cdn.example.com
 ```properties
 trust.host = oss.aliyuncs.com,cdn.example.com
 ```
+- 允许预览来自 `example.com` 的域名和 `example.com` 与 `cdn.example.com` 子域名的文件
+```properties
+trust.host = example.com,*.example.com,*.cdn.example.com
+```
 
 ### 2. 允许所有主机（不推荐，仅测试环境）
 
@@ -41,7 +45,7 @@ trust.host = *
 not.trust.host = localhost,127.0.0.1,192.168.*,10.*,172.16.*,169.254.*
 
 # 禁止特定恶意域名
-not.trust.host = malicious-site.com,spam-domain.net
+not.trust.host = malicious-site.com,spam-domain.net,*.spam-domain.net
 ```
 
 **优先级**：黑名单 > 白名单
@@ -62,7 +66,7 @@ docker run -d \
 
 ```properties
 # 1. 明确配置信任主机白名单
-trust.host = your-cdn.com,your-storage.com
+trust.host = your-cdn.com,your-storage.com,*.your-storage.com
 
 # 2. 配置黑名单防止内网访问
 not.trust.host = localhost,127.0.0.1,192.168.*,10.*,172.16.*
@@ -146,9 +150,8 @@ trust.host = *
 
 ### Q4: 如何允许子域名？
 
-目前不支持通配符域名匹配，需要明确列出每个子域名：
 ```properties
-trust.host = cdn.example.com,api.example.com,storage.example.com
+trust.host = *.example.com,*.cdn.example.com
 ```
 
 ## 🚨 安全事件响应
diff --git a/server/src/main/config/application.properties b/server/src/main/config/application.properties
index 54854c037..597437d22 100644
--- a/server/src/main/config/application.properties
+++ b/server/src/main/config/application.properties
@@ -93,7 +93,7 @@ base.url = ${KK_BASE_URL:default}
 # ⚠️ 如果不配置，系统将默认拒绝所有外部文件预览请求
 #
 # 配置示例：
-# trust.host = kkview.cn,yourdomain.com,cdn.example.com
+# trust.host = kkview.cn,yourdomain.com,cdn.example.com,*.cdn.example.com
 #
 # 如果需要允许所有域名（不推荐，仅用于测试环境），请设置为：
 # trust.host = *

From ae7286c3f937202845b88e0a6dd5d37dceb5213d Mon Sep 17 00:00:00 2001
From: mks155 <mks155@qq.com>
Date: Thu, 22 Jan 2026 23:46:23 +0800
Subject: [PATCH 3/3] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E4=BF=A1=E4=BB=BB?=
 =?UTF-8?q?=E7=99=BD=E5=90=8D=E5=8D=95=E5=85=A8=E9=80=89=E5=88=A4=E6=96=AD?=
 =?UTF-8?q?=E6=9C=AA=E5=8F=96=E5=8F=8D=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/src/main/java/cn/keking/web/filter/TrustHostFilter.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java b/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
index 2a418e242..d69b9a935 100644
--- a/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
+++ b/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
@@ -68,7 +68,7 @@ public boolean isNotTrustHost(String host) {
                 logger.debug("允许所有主机访问（通配符模式）: {}", host);
                 return false;
             }
-            return DomainIpMatcherUtil.isAllowed(ConfigConstants.getTrustHostSet(), host);
+            return !DomainIpMatcherUtil.isAllowed(ConfigConstants.getTrustHostSet(), host);
         }
 
         // 安全加固：默认拒绝所有未配置的主机（防止SSRF攻击）