增加代码安全性，防止目录穿越

2023-08-05 09:09:19 +08:00 · 2023-08-05 09:09:19 +08:00 · 33bf27327c
parent f4fc5321a8
commit 33bf27327c
3 changed files with 19 additions and 6 deletions
--- a/app/model/StoreModel.js
+++ b/app/model/StoreModel.js
@ -16,10 +16,11 @@ function mkdirsSync(dirname) {
 } 

 function storeResource(path, url) {
+    path = handlePath(path);
    return new Promise((resolve, reject) => {
        mkdirsSync(_path.dirname(path));
        const writeableStream = fs.createWriteStream(path);
-        request.get(url).pipe(writeableStream).on('close', () => {
+        request.get({ url: url, timeout: 10000 }).pipe(writeableStream).on('close', () => {
            resolve(true);
        });
    });
@ -30,6 +31,7 @@ async function storeMusic(path, url) {
 }

 function storeLrc(path, content) {
+    path = handlePath(path);
    return new Promise((resolve, reject) => {
        mkdirsSync(_path.dirname(path));
        fs.writeFileSync(path, content, { overwrite: true });
@ -45,6 +47,12 @@ function checkMusicExists(path) {
    return fs.existsSync(path);
 }

+function handlePath(path) {
+    // 必须保存到downloads目录，过滤关键字符防止目录穿越
+    if(path.indexOf('/downloads/') != 0) path = '/downloads/' + path;
+    return path.replace('..', '').replace(/\.+/g, '.').replace(/\/+/g, '/').replace(/\\+/g, '\\');
+}
+
 module.exports = {
    storeMusic,
    storeLrc,
--- a/html/index.html
+++ b/html/index.html
@ -27,7 +27,7 @@
 </head>
 <body>
    <div id="app">
-        <div style="width:1000px;margin: 0 auto;">
+        <div style="width:1000px;margin: 0 auto;padding:5px;">
            <div style="margin: 10px 0">
                <label>选择搜索源：</label>
                <Checkbox-Group v-model="selected_sources" style="display: inline-block;">
@ -122,8 +122,7 @@
        el: "#app",
        data() {
            const ajax = axios.create({
-                baseURL: 'http://musicdlr.amuliang.top:5750',
-                //baseURL: 'http://localhost:5000',
+                baseURL: document.location.href.indexOf('localhost') >= 0 ? 'http://localhost:5750' : 'http://musicdlr.amuliang.top:5750',
                timeout: 10000,
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded',
@ -151,7 +150,9 @@
        computed: {
            renderedStorePath() {
                let current_item = this.current_item;
-                return this.store_path_root + this.store_path.replaceAll("{title}", current_item.title).replaceAll("{author}", current_item.author) + '.' + this.current_item.extension;
+                let title = current_item.title.replace(/[\/\\\:]+/g, '_');
+                let author = current_item.author.replace(/[\/\\\:]+/g, '_');
+                return this.store_path_root + this.store_path.replaceAll("{title}", title).replaceAll("{author}", author) + '.' + this.current_item.extension;
            }
        },
        methods: {
@ -179,7 +180,7 @@
            async searches() {
                let selected_sources = this.selected_sources.map(item => item);
                let keywords = this.keywords;
-                if(selected_sources.length == 0 || !keywords) {
+                if(selected_sources.length == 0 || !keywords || keywords.trim() == '') {
                    return;
                }
                this.is_searching = true;
--- a/start/start.sh
+++ b/start/start.sh
@ -1,5 +1,9 @@
 #!/bin/bash

+#修改dns
+echo "nameserver 114.114.114.114" > /etc/resolv.conf
+wait
+
 # 拉取代码
 git clone http://${REMOTE_ADDR}/amuliang/music-downloader.git /music-downloader
 wait