open-source/qinglong
1
0
Fork 0
mirror of https://github.com/whyour/qinglong.git synced 2025-09-12 05:52:47 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add input validation to script API routes

Browse Source
This commit is contained in:
taozhiyu 2025-08-10 17:19:57 +08:00
parent 55c92dc320
commit 37a2b1267d
No known key found for this signature in database
GPG Key ID: A38E8DF826ECA7E3
1 changed files with 47 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
back/api/script.ts
View File

@ -24,7 +24,14 @@ const upload = multer({ storage: storage });
export default (app: Router) => { export default (app: Router) => {
app.use('/scripts', route); app.use('/scripts', route);
route.get('/', async (req: Request, res: Response, next: NextFunction) => { route.get(
'/',
celebrate({
query: Joi.object({
path: Joi.string().optional().allow(''),
}),
}),
async (req: Request, res: Response, next: NextFunction) => {
const logger: Logger = Container.get('logger'); const logger: Logger = Container.get('logger');
try { try {
let result: IFile[] = []; let result: IFile[] = [];
@ -68,6 +75,12 @@ export default (app: Router) => {
route.get( route.get(
'/detail', '/detail',
celebrate({
query: Joi.object({
path: Joi.string().optional().allow(''),
file: Joi.string().required(),
}),
}),
async (req: Request, res: Response, next: NextFunction) => { async (req: Request, res: Response, next: NextFunction) => {
try { try {
const scriptService = Container.get(ScriptService); const scriptService = Container.get(ScriptService);
@ -84,12 +97,20 @@ export default (app: Router) => {
route.get( route.get(
'/:file', '/:file',
celebrate({
params: Joi.object({
file: Joi.string().required(),
}),
query: Joi.object({
path: Joi.string().optional().allow(''),
}),
}),
async (req: Request, res: Response, next: NextFunction) => { async (req: Request, res: Response, next: NextFunction) => {
try { try {
const scriptService = Container.get(ScriptService); const scriptService = Container.get(ScriptService);
const content = await scriptService.getFile( const content = await scriptService.getFile(
req.query.path as string, req.query.path as string,
req.params.file, req.params?.file || '',
); );
res.send({ code: 200, data: content }); res.send({ code: 200, data: content });
} catch (e) { } catch (e) {
@ -101,6 +122,16 @@ export default (app: Router) => {
route.post( route.post(
'/', '/',
upload.single('file'), upload.single('file'),
celebrate({
body: Joi.object({
filename: Joi.string().required(),
file: Joi.string().optional().allow(''),
path: Joi.string().optional().allow(''),
content: Joi.string().optional().allow(''),
originFilename: Joi.string().optional().allow(''),
directory: Joi.string().optional().allow(''),
}),
}),
async (req: Request, res: Response, next: NextFunction) => { async (req: Request, res: Response, next: NextFunction) => {
try { try {
let { filename, path, content, originFilename, directory } = let { filename, path, content, originFilename, directory } =
@ -201,7 +232,7 @@ export default (app: Router) => {
celebrate({ celebrate({
body: Joi.object({ body: Joi.object({
filename: Joi.string().required(), filename: Joi.string().required(),
path: Joi.string().allow(''), path: Joi.string().optional().allow(''),
type: Joi.string().optional(), type: Joi.string().optional(),
}), }),
}), }),
@ -211,6 +242,9 @@ export default (app: Router) => {
filename: string; filename: string;
path: string; path: string;
}; };
if (!path) {
path = '';
}
const scriptService = Container.get(ScriptService); const scriptService = Container.get(ScriptService);
const filePath = scriptService.checkFilePath(path, filename); const filePath = scriptService.checkFilePath(path, filename);
if (!filePath) { if (!filePath) {
@ -276,6 +310,9 @@ export default (app: Router) => {
const logger: Logger = Container.get('logger'); const logger: Logger = Container.get('logger');
try { try {
let { filename, content, path } = req.body; let { filename, content, path } = req.body;
if (!path) {
path = '';
}
const { name, ext } = parse(filename); const { name, ext } = parse(filename);
const filePath = join(config.scriptPath, path, `${name}.swap${ext}`); const filePath = join(config.scriptPath, path, `${name}.swap${ext}`);
await writeFileWithLock(filePath, content || ''); await writeFileWithLock(filePath, content || '');
@ -301,6 +338,9 @@ export default (app: Router) => {
async (req: Request, res: Response, next: NextFunction) => { async (req: Request, res: Response, next: NextFunction) => {
try { try {
let { filename, path, pid } = req.body; let { filename, path, pid } = req.body;
if (!path) {
path = '';
}
const { name, ext } = parse(filename); const { name, ext } = parse(filename);
const filePath = join(config.scriptPath, path, `${name}.swap${ext}`); const filePath = join(config.scriptPath, path, `${name}.swap${ext}`);
const logPath = join(config.logPath, path, `${name}.swap`); const logPath = join(config.logPath, path, `${name}.swap`);
@ -328,12 +368,14 @@ export default (app: Router) => {
}), }),
async (req: Request, res: Response, next: NextFunction) => { async (req: Request, res: Response, next: NextFunction) => {
try { try {
let { filename, path, type, newFilename } = req.body as { let { filename, path, newFilename } = req.body as {
filename: string; filename: string;
path: string; path: string;
type: string;
newFilename: string; newFilename: string;
}; };
if (!path) {
path = '';
}
const filePath = join(config.scriptPath, path, filename); const filePath = join(config.scriptPath, path, filename);
const newPath = join(config.scriptPath, path, newFilename); const newPath = join(config.scriptPath, path, newFilename);
await fs.rename(filePath, newPath); await fs.rename(filePath, newPath);