[fix] node server secutity
@@ -1,3 +1,3 @@
|
||||
npm install
|
||||
npm run build
|
||||
npm run runserver
|
||||
call npm install
|
||||
call npm run build
|
||||
call npm run runserver
|
||||
@@ -5,7 +5,7 @@ const htmlparser = require('node-html-parser');
|
||||
const { existsSync, mkdirSync, readFileSync, writeFileSync } = require('fs');
|
||||
const bodyParser = require('body-parser');
|
||||
const fs = require('fs/promises')
|
||||
|
||||
const crypto = require('crypto')
|
||||
app.use(express.static(path.join(process.cwd(), 'dist'), {index: false}));
|
||||
app.use(bodyParser.json({ limit: 100000000 }));
|
||||
|
||||
@@ -21,6 +21,10 @@ const passwordPath = path.join(process.cwd(), 'save', '__password')
|
||||
if(existsSync(passwordPath)){
|
||||
password = readFileSync(passwordPath, 'utf-8')
|
||||
}
|
||||
const hexRegex = /^[0-9a-fA-F]+$/;
|
||||
function isHex(str) {
|
||||
return hexRegex.test(str.toUpperCase().trim()) || str === '__password';
|
||||
}
|
||||
|
||||
app.get('/', async (req, res, next) => {
|
||||
console.log("connected")
|
||||
@@ -82,6 +86,16 @@ app.get('/api/password', async(req, res)=> {
|
||||
}
|
||||
})
|
||||
|
||||
app.post('/api/crypto', async (req, res) => {
|
||||
try {
|
||||
const hash = crypto.createHash('sha256')
|
||||
hash.update(Buffer.from(req.body.data, 'utf-8'))
|
||||
res.send(hash.digest('hex'))
|
||||
} catch (error) {
|
||||
next(error)
|
||||
}
|
||||
})
|
||||
|
||||
|
||||
app.post('/api/set_password', async (req, res) => {
|
||||
if(password === ''){
|
||||
@@ -108,6 +122,12 @@ app.get('/api/read', async (req, res, next) => {
|
||||
return;
|
||||
}
|
||||
|
||||
if(!isHex(filePath)){
|
||||
res.status(400).send({
|
||||
error:'Invaild Path'
|
||||
});
|
||||
return;
|
||||
}
|
||||
try {
|
||||
if(!existsSync(path.join(savePath, filePath))){
|
||||
res.send({
|
||||
@@ -142,6 +162,12 @@ app.get('/api/remove', async (req, res, next) => {
|
||||
});
|
||||
return;
|
||||
}
|
||||
if(!isHex(filePath)){
|
||||
res.status(400).send({
|
||||
error:'Invaild Path'
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
await fs.rm(path.join(savePath, filePath));
|
||||
@@ -190,6 +216,12 @@ app.post('/api/write', async (req, res, next) => {
|
||||
});
|
||||
return;
|
||||
}
|
||||
if(!isHex(filePath)){
|
||||
res.status(400).send({
|
||||
error:'Invaild Path'
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
await fs.writeFile(path.join(savePath, filePath), fileContent);
|
||||
|
||||
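Review bot: `isHex` accepts the literal `__password` as well as hex names, so the new path check in the `/api/read`, `/api/remove` and `/api/write` handlers still lets a request name the stored password file (assuming `savePath` is the `save` directory that holds `passwordPath`); whether that is reachable depends on the check that sits above each guard, outside these hunks. If no client code depends on the exemption, drop it and validate the exact string that is later joined to `savePath`: `return typeof str === 'string' && hexRegex.test(str);` — the current version tests a trimmed copy but joins the untrimmed value, and throws on a non-string. Separately, the `/api/crypto` handler calls `next(error)` while its signature is `async (req, res)`, so the catch block itself raises a ReferenceError; declare it as `async (req, res, next) =>`. That route also hashes caller-supplied data with no auth check visible in the hunk while the JSON body limit is 100000000 bytes, so a smaller per-route limit is worth considering.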
@@ -25,7 +25,6 @@ export class NodeStorage{
|
||||
if(data.error){
|
||||
throw data.error
|
||||
}
|
||||
|
||||
}
|
||||
async getItem(key:string):Promise<Buffer> {
|
||||
await this.checkAuth()
|
||||
@@ -125,6 +124,9 @@ export class NodeStorage{
|
||||
}
|
||||
}
|
||||
}
|
||||
else{
|
||||
authChecked = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -133,8 +135,15 @@ export class NodeStorage{
|
||||
}
|
||||
|
||||
async function digestPassword(message:string) {
|
||||
const encoder = new TextEncoder();
|
||||
const data = encoder.encode(message);
|
||||
const hash = Buffer.from(await crypto.subtle.digest("SHA-256", data)).toString('hex');
|
||||
return hash;
|
||||
const crypt = await (await fetch('/api/crypto', {
|
||||
body: JSON.stringify({
|
||||
data: message
|
||||
}),
|
||||
headers: {
|
||||
'content-type': 'application/json'
|
||||
},
|
||||
method: "POST"
|
||||
})).text()
|
||||
|
||||
return crypt;
|
||||
}
|
||||
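Review bot: `digestPassword` now posts the raw password to `/api/crypto` instead of hashing it in the browser, so on a deployment without TLS the plaintext crosses the network where previously only the SHA-256 digest did. The likely motive is that `crypto.subtle` is unavailable outside secure contexts, which is inferred rather than stated in the commit; if so, keep the local digest whenever it exists and use the server route only as a fallback. The response is also read with `.text()` without checking the status, so an error body would be returned as if it were the digest and compared or stored as a password hash. A sketch of both changes follows.

```typescript
async function digestPassword(message:string) {
    // Hash locally when WebCrypto is exposed (secure contexts); the password then never leaves the page.
    if(globalThis.crypto?.subtle){
        const data = new TextEncoder().encode(message);
        return Buffer.from(await crypto.subtle.digest("SHA-256", data)).toString('hex');
    }
    const res = await fetch('/api/crypto', {
        // … unchanged: body, headers, method …
    });
    // Refuse to treat an error page as a digest.
    if(!res.ok){
        throw new Error(`digest request failed: ${res.status}`);
    }
    return await res.text();
}
```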