mincomk/risuai
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[fix] node server secutity

Browse Source
This commit is contained in:
kwaroran
2023-05-29 17:37:28 +09:00
parent 5f6b82a938
commit d084f1eb1e
3 changed files with 51 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
server.bat
View File

@@ -1,3 +1,3 @@
npm install call npm install
npm run build call npm run build
npm run runserver call npm run runserver

34
server/node/server.cjs
View File

@@ -5,7 +5,7 @@ const htmlparser = require('node-html-parser');
const { existsSync, mkdirSync, readFileSync, writeFileSync } = require('fs'); const { existsSync, mkdirSync, readFileSync, writeFileSync } = require('fs');
const bodyParser = require('body-parser'); const bodyParser = require('body-parser');
const fs = require('fs/promises') const fs = require('fs/promises')
const crypto = require('crypto')
app.use(express.static(path.join(process.cwd(), 'dist'), {index: false})); app.use(express.static(path.join(process.cwd(), 'dist'), {index: false}));
app.use(bodyParser.json({ limit: 100000000 })); app.use(bodyParser.json({ limit: 100000000 }));
@@ -21,6 +21,10 @@ const passwordPath = path.join(process.cwd(), 'save', '__password')
if(existsSync(passwordPath)){ if(existsSync(passwordPath)){
password = readFileSync(passwordPath, 'utf-8') password = readFileSync(passwordPath, 'utf-8')
} }
const hexRegex = /^[0-9a-fA-F]+$/;
function isHex(str) {
return hexRegex.test(str.toUpperCase().trim()) || str === '__password';
}
app.get('/', async (req, res, next) => { app.get('/', async (req, res, next) => {
console.log("connected") console.log("connected")
@@ -82,6 +86,16 @@ app.get('/api/password', async(req, res)=> {
} }
}) })
app.post('/api/crypto', async (req, res) => {
try {
const hash = crypto.createHash('sha256')
hash.update(Buffer.from(req.body.data, 'utf-8'))
res.send(hash.digest('hex'))
} catch (error) {
next(error)
}
})
app.post('/api/set_password', async (req, res) => { app.post('/api/set_password', async (req, res) => {
if(password === ''){ if(password === ''){
@@ -108,6 +122,12 @@ app.get('/api/read', async (req, res, next) => {
return; return;
} }
if(!isHex(filePath)){
res.status(400).send({
error:'Invaild Path'
});
return;
}
try { try {
if(!existsSync(path.join(savePath, filePath))){ if(!existsSync(path.join(savePath, filePath))){
res.send({ res.send({
@@ -142,6 +162,12 @@ app.get('/api/remove', async (req, res, next) => {
}); });
return; return;
} }
if(!isHex(filePath)){
res.status(400).send({
error:'Invaild Path'
});
return;
}
try { try {
await fs.rm(path.join(savePath, filePath)); await fs.rm(path.join(savePath, filePath));
@@ -190,6 +216,12 @@ app.post('/api/write', async (req, res, next) => {
}); });
return; return;
} }
if(!isHex(filePath)){
res.status(400).send({
error:'Invaild Path'
});
return;
}
try { try {
await fs.writeFile(path.join(savePath, filePath), fileContent); await fs.writeFile(path.join(savePath, filePath), fileContent);

21
src/ts/storage/nodeStorage.ts
View File

@@ -25,7 +25,6 @@ export class NodeStorage{
if(data.error){ if(data.error){
throw data.error throw data.error
} }
} }
async getItem(key:string):Promise<Buffer> { async getItem(key:string):Promise<Buffer> {
await this.checkAuth() await this.checkAuth()
@@ -125,6 +124,9 @@ export class NodeStorage{
} }
} }
} }
else{
authChecked = true
}
} }
} }
@@ -133,8 +135,15 @@ export class NodeStorage{
} }
async function digestPassword(message:string) { async function digestPassword(message:string) {
const encoder = new TextEncoder(); const crypt = await (await fetch('/api/crypto', {
const data = encoder.encode(message); body: JSON.stringify({
const hash = Buffer.from(await crypto.subtle.digest("SHA-256", data)).toString('hex'); data: message
return hash; }),
} headers: {
'content-type': 'application/json'
},
method: "POST"
})).text()
return crypt;
}