open-source/qinglong
1
0
Fork 0
mirror of https://github.com/whyour/qinglong.git synced 2025-09-12 05:52:47 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add input validation to script API routes

Browse Source 
Introduces Joi-based validation using celebrate for query, params, and body inputs on all script API endpoints. Also normalizes empty 'path' values to an empty string where necessary to prevent errors. This improves API robustness and input safety.
This commit is contained in:
涛之雨 2025-08-05 22:35:40 +08:00
parent 9ab0ff5607
commit 213ee53347
No known key found for this signature in database
GPG Key ID: A38E8DF826ECA7E3
1 changed files with 46 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
back/api/script.ts
View File

@ -24,7 +24,14 @@ const upload = multer({ storage: storage });
export default (app: Router) => { export default (app: Router) => {
app.use('/scripts', route); app.use('/scripts', route);
route.get('/', async (req: Request, res: Response, next: NextFunction) => { route.get(
'/',
celebrate({
query: Joi.object({
path: Joi.string().optional().allow(''),
}),
}),
async (req: Request, res: Response, next: NextFunction) => {
const logger: Logger = Container.get('logger'); const logger: Logger = Container.get('logger');
try { try {
let result: IFile[] = []; let result: IFile[] = [];
@ -68,6 +75,12 @@ export default (app: Router) => {
route.get( route.get(
'/detail', '/detail',
celebrate({
query: Joi.object({
path: Joi.string().required(),
file: Joi.string().required(),
}),
}),
async (req: Request, res: Response, next: NextFunction) => { async (req: Request, res: Response, next: NextFunction) => {
try { try {
const scriptService = Container.get(ScriptService); const scriptService = Container.get(ScriptService);
@ -84,12 +97,20 @@ export default (app: Router) => {
route.get( route.get(
'/:file', '/:file',
celebrate({
params: Joi.object({
file: Joi.string().required(),
}),
query: Joi.object({
path: Joi.string().optional().allow(''),
}),
}),
async (req: Request, res: Response, next: NextFunction) => { async (req: Request, res: Response, next: NextFunction) => {
try { try {
const scriptService = Container.get(ScriptService); const scriptService = Container.get(ScriptService);
const content = await scriptService.getFile( const content = await scriptService.getFile(
req.query.path as string, req.query.path as string,
req.params.file, req.params?.file || '',
); );
res.send({ code: 200, data: content }); res.send({ code: 200, data: content });
} catch (e) { } catch (e) {
@ -101,6 +122,15 @@ export default (app: Router) => {
route.post( route.post(
'/', '/',
upload.single('file'), upload.single('file'),
celebrate({
body: Joi.object({
filename: Joi.string().required(),
path: Joi.string().optional().allow(''),
content: Joi.string().optional().allow(''),
originFilename: Joi.string().optional().allow(''),
directory: Joi.string().optional().allow(''),
}),
}),
async (req: Request, res: Response, next: NextFunction) => { async (req: Request, res: Response, next: NextFunction) => {
try { try {
let { filename, path, content, originFilename, directory } = let { filename, path, content, originFilename, directory } =
@ -201,7 +231,7 @@ export default (app: Router) => {
celebrate({ celebrate({
body: Joi.object({ body: Joi.object({
filename: Joi.string().required(), filename: Joi.string().required(),
path: Joi.string().allow(''), path: Joi.string().optional().allow(''),
type: Joi.string().optional(), type: Joi.string().optional(),
}), }),
}), }),
@ -211,6 +241,9 @@ export default (app: Router) => {
filename: string; filename: string;
path: string; path: string;
}; };
if (!path) {
path = '';
}
const scriptService = Container.get(ScriptService); const scriptService = Container.get(ScriptService);
const filePath = scriptService.checkFilePath(path, filename); const filePath = scriptService.checkFilePath(path, filename);
if (!filePath) { if (!filePath) {
@ -276,6 +309,9 @@ export default (app: Router) => {
const logger: Logger = Container.get('logger'); const logger: Logger = Container.get('logger');
try { try {
let { filename, content, path } = req.body; let { filename, content, path } = req.body;
if (!path) {
path = '';
}
const { name, ext } = parse(filename); const { name, ext } = parse(filename);
const filePath = join(config.scriptPath, path, `${name}.swap${ext}`); const filePath = join(config.scriptPath, path, `${name}.swap${ext}`);
await writeFileWithLock(filePath, content || ''); await writeFileWithLock(filePath, content || '');
@ -301,6 +337,9 @@ export default (app: Router) => {
async (req: Request, res: Response, next: NextFunction) => { async (req: Request, res: Response, next: NextFunction) => {
try { try {
let { filename, path, pid } = req.body; let { filename, path, pid } = req.body;
if (!path) {
path = '';
}
const { name, ext } = parse(filename); const { name, ext } = parse(filename);
const filePath = join(config.scriptPath, path, `${name}.swap${ext}`); const filePath = join(config.scriptPath, path, `${name}.swap${ext}`);
const logPath = join(config.logPath, path, `${name}.swap`); const logPath = join(config.logPath, path, `${name}.swap`);
@ -328,12 +367,14 @@ export default (app: Router) => {
}), }),
async (req: Request, res: Response, next: NextFunction) => { async (req: Request, res: Response, next: NextFunction) => {
try { try {
let { filename, path, type, newFilename } = req.body as { let { filename, path, newFilename } = req.body as {
filename: string; filename: string;
path: string; path: string;
type: string;
newFilename: string; newFilename: string;
}; };
if (!path) {
path = '';
}
const filePath = join(config.scriptPath, path, filename); const filePath = join(config.scriptPath, path, filename);
const newPath = join(config.scriptPath, path, newFilename); const newPath = join(config.scriptPath, path, newFilename);
await fs.rename(filePath, newPath); await fs.rename(filePath, newPath);