fix(security): 安全漏洞修复与依赖升级

- 升级 Vert.x 4.5.24 → 4.5.27, postgresql 42.7.3 → 42.7.11, logback 1.5.18 → 1.5.32, axios 1.13.5 → 1.16.1
- 修复 JWT 签名验证和密码比较的时序攻击漏洞 (MessageDigest.isEqual)
- 修复 AESUtils 使用不安全 Random 改为 SecureRandom
- 修复登录用户枚举和异常信息泄露，统一错误提示
- 修复 RateLimiter count++ 非原子操作 (AtomicInteger)
- 修复 JsParserExecutor DCL 模式缺少 volatile
- 修复 Token 日志泄露，仅打印前8字符
- 修复 Playground 密码时序攻击和堆栈泄露
- 所有 window.open 添加 noopener,noreferrer
- LocalConstant 改用 ConcurrentHashMap 保证线程安全
- Dockerfile 添加非 root 用户运行，secret.yml 加入 .gitignore

parser/src/main/java/cn/qaiu/parser/customjs/JsParserExecutor.java

@@ -33,7 +33,7 @@ public class JsParserExecutor implements IPanTool, AutoCloseable {
 
     private static final Logger log = LoggerFactory.getLogger(JsParserExecutor.class);
 
-    private static WorkerExecutor EXECUTOR;
+    private static volatile WorkerExecutor EXECUTOR;
     private static final Object EXECUTOR_LOCK = new Object();
 
     private static String FETCH_RUNTIME_JS = null;

parser/src/main/java/cn/qaiu/util/AESUtils.java

@@ -14,7 +14,6 @@ import java.security.spec.X509EncodedKeySpec;
 import java.util.Base64;
 import java.util.Date;
 import java.util.HexFormat;
-import java.util.Random;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -299,7 +298,7 @@ public class AESUtils {
     //length用户要求产生字符串的长度
     public static String getRandomString(int length){
         String str="abcdefghijklmnopqrstuvwxyz0123456789";
-        Random random=new Random();
+        SecureRandom random=new SecureRandom();
         StringBuilder sb=new StringBuilder();
         for(int i=0;i<length;i++){
             int number=random.nextInt(36);