mincomk/risuai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[fix] node server secutity

Browse Source
This commit is contained in:
kwaroran
2023-05-29 17:37:28 +09:00
parent 5f6b82a938
commit d084f1eb1e
3 changed files with 51 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
server/node/server.cjs
View File

@@ -5,7 +5,7 @@ const htmlparser = require('node-html-parser');
const { existsSync, mkdirSync, readFileSync, writeFileSync } = require('fs');
const bodyParser = require('body-parser');
const fs = require('fs/promises')
const crypto = require('crypto')
app.use(express.static(path.join(process.cwd(), 'dist'), {index: false}));
app.use(bodyParser.json({ limit: 100000000 }));
@@ -21,6 +21,10 @@ const passwordPath = path.join(process.cwd(), 'save', '__password')
if(existsSync(passwordPath)){
password = readFileSync(passwordPath, 'utf-8')
}
const hexRegex = /^[0-9a-fA-F]+$/;
function isHex(str) {
return hexRegex.test(str.toUpperCase().trim()) || str === '__password';
}
app.get('/', async (req, res, next) => {
console.log("connected")
@@ -82,6 +86,16 @@ app.get('/api/password', async(req, res)=> {
}
})
app.post('/api/crypto', async (req, res) => {
try {
const hash = crypto.createHash('sha256')
hash.update(Buffer.from(req.body.data, 'utf-8'))
res.send(hash.digest('hex'))
} catch (error) {
next(error)
}
})
app.post('/api/set_password', async (req, res) => {
if(password === ''){
@@ -108,6 +122,12 @@ app.get('/api/read', async (req, res, next) => {
return;
}
if(!isHex(filePath)){
res.status(400).send({
error:'Invaild Path'
});
return;
}
try {
if(!existsSync(path.join(savePath, filePath))){
res.send({
@@ -142,6 +162,12 @@ app.get('/api/remove', async (req, res, next) => {
});
return;
}
if(!isHex(filePath)){
res.status(400).send({
error:'Invaild Path'
});
return;
}
try {
await fs.rm(path.join(savePath, filePath));
@@ -190,6 +216,12 @@ app.post('/api/write', async (req, res, next) => {
});
return;
}
if(!isHex(filePath)){
res.status(400).send({
error:'Invaild Path'
});
return;
}
try {
await fs.writeFile(path.join(savePath, filePath), fileContent);