open-source/qinglong
1
0
Fork 0
mirror of https://github.com/whyour/qinglong.git synced 2025-11-10 00:26:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add security validation to prevent path traversal attacks

Browse Source 
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2025-11-08 17:34:45 +00:00
parent ddb50a7984
commit 75d7ad4e02
5 changed files with 35 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
back/services/cron.ts
View File

@ -477,7 +477,11 @@ export default class CronService {
); );
let { id, command, log_path, log_name } = cron; let { id, command, log_path, log_name } = cron;
const uniqPath = log_name || (await getUniqPath(command, `${id}`)); // Sanitize log_name to prevent path traversal
const sanitizedLogName = log_name
? log_name.replace(/[\/\\\.]/g, '_').replace(/^_+|_+$/g, '')
: '';
const uniqPath = sanitizedLogName || (await getUniqPath(command, `${id}`));
const logTime = dayjs().format('YYYY-MM-DD-HH-mm-ss-SSS'); const logTime = dayjs().format('YYYY-MM-DD-HH-mm-ss-SSS');
const logDirPath = path.resolve(config.logPath, `${uniqPath}`); const logDirPath = path.resolve(config.logPath, `${uniqPath}`);
if (log_path?.split('/')?.every((x) => x !== uniqPath)) { if (log_path?.split('/')?.every((x) => x !== uniqPath)) {

11
back/validation/schedule.ts
View File

@ -37,5 +37,14 @@ export const commonCronSchema = {
extra_schedules: Joi.array().optional().allow(null), extra_schedules: Joi.array().optional().allow(null),
task_before: Joi.string().optional().allow('').allow(null), task_before: Joi.string().optional().allow('').allow(null),
task_after: Joi.string().optional().allow('').allow(null), task_after: Joi.string().optional().allow('').allow(null),
log_name: Joi.string().optional().allow('').allow(null), log_name: Joi.string()
.optional()
.allow('')
.allow(null)
.pattern(/^[a-zA-Z0-9_-]+$/)
.max(100)
.messages({
'string.pattern.base': '日志名称只能包含字母、数字、下划线和连字符',
'string.max': '日志名称不能超过100个字符',
}),
}; };

4
src/locales/en-US.json
View File

@ -524,5 +524,7 @@
"清除成功": "Clean successful", "清除成功": "Clean successful",
"日志名称": "Log Name", "日志名称": "Log Name",
"自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成": "Custom log folder name to distinguish logs from different tasks. Leave blank to auto-generate", "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成": "Custom log folder name to distinguish logs from different tasks. Leave blank to auto-generate",
"请输入自定义日志文件夹名称": "Please enter a custom log folder name" "请输入自定义日志文件夹名称": "Please enter a custom log folder name",
"日志名称只能包含字母、数字、下划线和连字符": "Log name can only contain letters, numbers, underscores and hyphens",
"日志名称不能超过100个字符": "Log name cannot exceed 100 characters"
} }

4
src/locales/zh-CN.json
View File

@ -524,5 +524,7 @@
"清除成功": "清除成功", "清除成功": "清除成功",
"日志名称": "日志名称", "日志名称": "日志名称",
"自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成": "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成", "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成": "自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成",
"请输入自定义日志文件夹名称": "请输入自定义日志文件夹名称" "请输入自定义日志文件夹名称": "请输入自定义日志文件夹名称",
"日志名称只能包含字母、数字、下划线和连字符": "日志名称只能包含字母、数字、下划线和连字符",
"日志名称不能超过100个字符": "日志名称不能超过100个字符"
} }

15
src/pages/crontab/modal.tsx
View File

@ -186,8 +186,21 @@ const CronModal = ({
tooltip={intl.get( tooltip={intl.get(
'自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成', '自定义日志文件夹名称,用于区分不同任务的日志,留空则自动生成',
)} )}
rules={[
{
pattern: /^[a-zA-Z0-9_-]*$/,
message: intl.get('日志名称只能包含字母、数字、下划线和连字符'),
},
{
max: 100,
message: intl.get('日志名称不能超过100个字符'),
},
]}
> >
<Input placeholder={intl.get('请输入自定义日志文件夹名称')} /> <Input
placeholder={intl.get('请输入自定义日志文件夹名称')}
maxLength={100}
/>
</Form.Item> </Form.Item>
<Form.Item <Form.Item
name="task_before" name="task_before"