🎨 内核 API 校验 ID 格式 Fix https://github.com/siyuan-note/siyuan/issues/7228

2025-09-22 00:20:47 +02:00 · 2023-02-02 11:06:29 +08:00 · 2023-02-02 11:06:29 +08:00 · f37678a98b
commit f37678a98b
parent b321185248
8 changed files with 98 additions and 0 deletions
--- a/kernel/api/attr.go
+++ b/kernel/api/attr.go
@ -43,6 +43,10 @@ func getBlockAttrs(c *gin.Context) {
 	}

 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	ret.Data = model.GetBlockAttrs(id)
 }

@ -56,6 +60,10 @@ func setBlockAttrs(c *gin.Context) {
 	}

 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	attrs := arg["attrs"].(map[string]interface{})
 	if 1 == len(attrs) && "" != attrs["scroll"] {
 		// 不记录用户指南滚动位置
--- a/kernel/api/block.go
+++ b/kernel/api/block.go
@ -471,6 +471,10 @@ func getBlockKramdown(c *gin.Context) {
 	}

 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	kramdown := model.GetBlockKramdown(id)
 	ret.Data = map[string]string{
 		"id":       id,
--- a/kernel/api/block_op.go
+++ b/kernel/api/block_op.go
@ -40,6 +40,9 @@ func appendBlock(c *gin.Context) {
 	data := arg["data"].(string)
 	dataType := arg["dataType"].(string)
 	parentID := arg["parentID"].(string)
+	if util.InvalidIDPattern(parentID, ret) {
+		return
+	}
 	if "markdown" == dataType {
 		luteEngine := model.NewLute()
 		data = dataBlockDOM(data, luteEngine)
@ -82,6 +85,9 @@ func prependBlock(c *gin.Context) {
 	data := arg["data"].(string)
 	dataType := arg["dataType"].(string)
 	parentID := arg["parentID"].(string)
+	if util.InvalidIDPattern(parentID, ret) {
+		return
+	}
 	if "markdown" == dataType {
 		luteEngine := model.NewLute()
 		data = dataBlockDOM(data, luteEngine)
@ -126,12 +132,21 @@ func insertBlock(c *gin.Context) {
 	var parentID, previousID, nextID string
 	if nil != arg["parentID"] {
 		parentID = arg["parentID"].(string)
+		if util.InvalidIDPattern(parentID, ret) {
+			return
+		}
 	}
 	if nil != arg["previousID"] {
 		previousID = arg["previousID"].(string)
+		if util.InvalidIDPattern(previousID, ret) {
+			return
+		}
 	}
 	if nil != arg["nextID"] {
 		nextID = arg["nextID"].(string)
+		if util.InvalidIDPattern(nextID, ret) {
+			return
+		}
 	}

 	if "markdown" == dataType {
@ -178,6 +193,9 @@ func updateBlock(c *gin.Context) {
 	data := arg["data"].(string)
 	dataType := arg["dataType"].(string)
 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}

 	luteEngine := model.NewLute()
 	if "markdown" == dataType {
@ -264,6 +282,9 @@ func deleteBlock(c *gin.Context) {
 	}

 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}

 	transactions := []*model.Transaction{
 		{
--- a/kernel/api/export.go
+++ b/kernel/api/export.go
@ -165,6 +165,10 @@ func exportMdContent(c *gin.Context) {
 	}

 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	hPath, content := model.ExportMarkdownContent(id)
 	ret.Data = map[string]interface{}{
 		"hPath":   hPath,
--- a/kernel/api/filetree.go
+++ b/kernel/api/filetree.go
@ -163,6 +163,10 @@ func getHPathByPath(c *gin.Context) {
 	}

 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	p := arg["path"].(string)

 	hPath, err := model.GetHPathByPath(notebook, p)
@ -207,6 +211,10 @@ func getHPathByID(c *gin.Context) {
 	}

 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	hPath, err := model.GetHPathByID(id)
 	if nil != err {
 		ret.Code = -1
@ -254,6 +262,9 @@ func moveDocs(c *gin.Context) {
 	}
 	toPath := arg["toPath"].(string)
 	toNotebook := arg["toNotebook"].(string)
+	if util.InvalidIDPattern(toNotebook, ret) {
+		return
+	}

 	err := model.MoveDocs(fromPaths, toNotebook, toPath)
 	if nil != err {
@ -274,6 +285,10 @@ func removeDoc(c *gin.Context) {
 	}

 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	p := arg["path"].(string)
 	model.RemoveDoc(notebook, p)
 }
@ -305,6 +320,10 @@ func renameDoc(c *gin.Context) {
 	}

 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	p := arg["path"].(string)
 	title := arg["title"].(string)

@ -447,6 +466,10 @@ func createDocWithMd(c *gin.Context) {
 	}

 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	hPath := arg["path"].(string)
 	markdown := arg["markdown"].(string)

--- a/kernel/api/notebook.go
+++ b/kernel/api/notebook.go
@ -67,6 +67,10 @@ func renameNotebook(c *gin.Context) {
 	}

 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	name := arg["name"].(string)
 	err := model.RenameBox(notebook, name)
 	if nil != err {
@ -94,6 +98,10 @@ func removeNotebook(c *gin.Context) {
 	}

 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	err := model.RemoveBox(notebook)
 	if nil != err {
 		ret.Code = -1
@ -155,6 +163,10 @@ func openNotebook(c *gin.Context) {
 	}

 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	msgId := util.PushMsg(model.Conf.Language(45), 1000*60*15)
 	defer util.PushClearMsg(msgId)
 	existed, err := model.Mount(notebook)
@ -183,6 +195,9 @@ func closeNotebook(c *gin.Context) {
 	}

 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
 	model.Unmount(notebook)
 }

@ -196,6 +211,10 @@ func getNotebookConf(c *gin.Context) {
 	}

 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	box := model.Conf.Box(notebook)
 	ret.Data = map[string]interface{}{
 		"box":  box.ID,
@ -214,6 +233,10 @@ func setNotebookConf(c *gin.Context) {
 	}

 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	box := model.Conf.Box(notebook)

 	param, err := gulu.JSON.MarshalJSON(arg["conf"])
--- a/kernel/api/template.go
+++ b/kernel/api/template.go
@ -56,6 +56,10 @@ func renderTemplate(c *gin.Context) {

 	p := arg["path"].(string)
 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	content, err := model.RenderTemplate(p, id)
 	if nil != err {
 		ret.Code = -1
--- a/kernel/util/net.go
+++ b/kernel/util/net.go
@ -17,6 +17,7 @@
 package util

 import (
+	"github.com/88250/lute/ast"
 	"github.com/imroc/req/v3"
 	"github.com/siyuan-note/httpclient"
 	"net/http"
@ -65,6 +66,16 @@ func JsonArg(c *gin.Context, result *gulu.Result) (arg map[string]interface{}, o
 	return
 }

+func InvalidIDPattern(idArg string, result *gulu.Result) bool {
+	if ast.IsNodeIDPattern(idArg) {
+		return false
+	}
+
+	result.Code = -1
+	result.Msg = "invalid ID argument"
+	return true
+}
+
 func initHttpClient() {
 	http.DefaultClient = httpclient.GetCloudFileClient2Min()
 	http.DefaultTransport = httpclient.NewTransport(false)