Liang Ding 2023-02-02 11:06:29 +08:00
parent b321185248
commit f37678a98b
No known key found for this signature in database
GPG key ID: 136F30F901A2231D
8 changed files with 98 additions and 0 deletions


@ -43,6 +43,10 @@ func getBlockAttrs(c *gin.Context) {
} }
id := arg["id"].(string) id := arg["id"].(string)
if util.InvalidIDPattern(id, ret) {
return
}
ret.Data = model.GetBlockAttrs(id) ret.Data = model.GetBlockAttrs(id)
} }
@ -56,6 +60,10 @@ func setBlockAttrs(c *gin.Context) {
} }
id := arg["id"].(string) id := arg["id"].(string)
if util.InvalidIDPattern(id, ret) {
return
}
attrs := arg["attrs"].(map[string]interface{}) attrs := arg["attrs"].(map[string]interface{})
if 1 == len(attrs) && "" != attrs["scroll"] { if 1 == len(attrs) && "" != attrs["scroll"] {
// 不记录用户指南滚动位置 // 不记录用户指南滚动位置
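Review bot: In getBlockAttrs and setBlockAttrs the new `util.InvalidIDPattern(id, ret)` check runs only after the unchecked assertion `arg["id"].(string)`, so a request whose `id` is missing or is not a JSON string panics before the validation is reached. Using the two-value form, `id, _ := arg["id"].(string)`, lets a failed assertion fall through as the empty string, which the pattern check should then reject with the normal "invalid ID argument" response. The same ordering appears at every call site this commit adds in the other files (getBlockKramdown, the block append/prepend/insert/update/delete handlers, exportMdContent, the filetree and notebook handlers, renderTemplate). Whether a recovery middleware converts the panic into an error response is not visible here, and both function bodies start and end outside their hunks.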


@ -471,6 +471,10 @@ func getBlockKramdown(c *gin.Context) {
} }
id := arg["id"].(string) id := arg["id"].(string)
if util.InvalidIDPattern(id, ret) {
return
}
kramdown := model.GetBlockKramdown(id) kramdown := model.GetBlockKramdown(id)
ret.Data = map[string]string{ ret.Data = map[string]string{
"id": id, "id": id,


@ -40,6 +40,9 @@ func appendBlock(c *gin.Context) {
data := arg["data"].(string) data := arg["data"].(string)
dataType := arg["dataType"].(string) dataType := arg["dataType"].(string)
parentID := arg["parentID"].(string) parentID := arg["parentID"].(string)
if util.InvalidIDPattern(parentID, ret) {
return
}
if "markdown" == dataType { if "markdown" == dataType {
luteEngine := model.NewLute() luteEngine := model.NewLute()
data = dataBlockDOM(data, luteEngine) data = dataBlockDOM(data, luteEngine)
@ -82,6 +85,9 @@ func prependBlock(c *gin.Context) {
data := arg["data"].(string) data := arg["data"].(string)
dataType := arg["dataType"].(string) dataType := arg["dataType"].(string)
parentID := arg["parentID"].(string) parentID := arg["parentID"].(string)
if util.InvalidIDPattern(parentID, ret) {
return
}
if "markdown" == dataType { if "markdown" == dataType {
luteEngine := model.NewLute() luteEngine := model.NewLute()
data = dataBlockDOM(data, luteEngine) data = dataBlockDOM(data, luteEngine)
@ -126,12 +132,21 @@ func insertBlock(c *gin.Context) {
var parentID, previousID, nextID string var parentID, previousID, nextID string
if nil != arg["parentID"] { if nil != arg["parentID"] {
parentID = arg["parentID"].(string) parentID = arg["parentID"].(string)
if util.InvalidIDPattern(parentID, ret) {
return
}
} }
if nil != arg["previousID"] { if nil != arg["previousID"] {
previousID = arg["previousID"].(string) previousID = arg["previousID"].(string)
if util.InvalidIDPattern(previousID, ret) {
return
}
} }
if nil != arg["nextID"] { if nil != arg["nextID"] {
nextID = arg["nextID"].(string) nextID = arg["nextID"].(string)
if util.InvalidIDPattern(nextID, ret) {
return
}
} }
if "markdown" == dataType { if "markdown" == dataType {
@ -178,6 +193,9 @@ func updateBlock(c *gin.Context) {
data := arg["data"].(string) data := arg["data"].(string)
dataType := arg["dataType"].(string) dataType := arg["dataType"].(string)
id := arg["id"].(string) id := arg["id"].(string)
if util.InvalidIDPattern(id, ret) {
return
}
luteEngine := model.NewLute() luteEngine := model.NewLute()
if "markdown" == dataType { if "markdown" == dataType {
@ -264,6 +282,9 @@ func deleteBlock(c *gin.Context) {
} }
id := arg["id"].(string) id := arg["id"].(string)
if util.InvalidIDPattern(id, ret) {
return
}
transactions := []*model.Transaction{ transactions := []*model.Transaction{
{ {
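Review bot: In insertBlock the three new checks reject every non-nil value that fails the pattern, including the empty string, so a client that sends `"previousID": ""` or `"nextID": ""` next to a valid `parentID` now gets "invalid ID argument" where the value was previously treated as unset. If empty is meant to stay equivalent to absent, guard each check, e.g. `if "" != previousID && util.InvalidIDPattern(previousID, ret) {`. Conversely, nothing in the hunk requires at least one of the three IDs to be present, so a request with none of them still reaches the code below with all three empty; whether that case is handled further down is not visible.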


@ -165,6 +165,10 @@ func exportMdContent(c *gin.Context) {
} }
id := arg["id"].(string) id := arg["id"].(string)
if util.InvalidIDPattern(id, ret) {
return
}
hPath, content := model.ExportMarkdownContent(id) hPath, content := model.ExportMarkdownContent(id)
ret.Data = map[string]interface{}{ ret.Data = map[string]interface{}{
"hPath": hPath, "hPath": hPath,


@ -163,6 +163,10 @@ func getHPathByPath(c *gin.Context) {
} }
notebook := arg["notebook"].(string) notebook := arg["notebook"].(string)
if util.InvalidIDPattern(notebook, ret) {
return
}
p := arg["path"].(string) p := arg["path"].(string)
hPath, err := model.GetHPathByPath(notebook, p) hPath, err := model.GetHPathByPath(notebook, p)
@ -207,6 +211,10 @@ func getHPathByID(c *gin.Context) {
} }
id := arg["id"].(string) id := arg["id"].(string)
if util.InvalidIDPattern(id, ret) {
return
}
hPath, err := model.GetHPathByID(id) hPath, err := model.GetHPathByID(id)
if nil != err { if nil != err {
ret.Code = -1 ret.Code = -1
@ -254,6 +262,9 @@ func moveDocs(c *gin.Context) {
} }
toPath := arg["toPath"].(string) toPath := arg["toPath"].(string)
toNotebook := arg["toNotebook"].(string) toNotebook := arg["toNotebook"].(string)
if util.InvalidIDPattern(toNotebook, ret) {
return
}
err := model.MoveDocs(fromPaths, toNotebook, toPath) err := model.MoveDocs(fromPaths, toNotebook, toPath)
if nil != err { if nil != err {
@ -274,6 +285,10 @@ func removeDoc(c *gin.Context) {
} }
notebook := arg["notebook"].(string) notebook := arg["notebook"].(string)
if util.InvalidIDPattern(notebook, ret) {
return
}
p := arg["path"].(string) p := arg["path"].(string)
model.RemoveDoc(notebook, p) model.RemoveDoc(notebook, p)
} }
@ -305,6 +320,10 @@ func renameDoc(c *gin.Context) {
} }
notebook := arg["notebook"].(string) notebook := arg["notebook"].(string)
if util.InvalidIDPattern(notebook, ret) {
return
}
p := arg["path"].(string) p := arg["path"].(string)
title := arg["title"].(string) title := arg["title"].(string)
@ -447,6 +466,10 @@ func createDocWithMd(c *gin.Context) {
} }
notebook := arg["notebook"].(string) notebook := arg["notebook"].(string)
if util.InvalidIDPattern(notebook, ret) {
return
}
hPath := arg["path"].(string) hPath := arg["path"].(string)
markdown := arg["markdown"].(string) markdown := arg["markdown"].(string)
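Review bot: These handlers now validate `notebook` (and `toNotebook` in moveDocs), but the accompanying `path`, `toPath` and `fromPaths` arguments still reach the model layer unchecked, e.g. `model.RemoveDoc(notebook, p)` and `model.MoveDocs(fromPaths, toNotebook, toPath)`. If those values are resolved to filesystem locations under the notebook directory, which depends on model code not shown here, an unnormalised path is a more serious input than a malformed notebook ID. Either reject paths that are not already clean and rooted before calling the model (for instance by requiring `path.Clean(p) == p` and a leading `/`), or add a comment stating where the model layer enforces containment. The same question applies to `p` in renderTemplate, which is passed to `model.RenderTemplate(p, id)` after only `id` is checked. The handler bodies continue outside the hunks.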


@ -67,6 +67,10 @@ func renameNotebook(c *gin.Context) {
} }
notebook := arg["notebook"].(string) notebook := arg["notebook"].(string)
if util.InvalidIDPattern(notebook, ret) {
return
}
name := arg["name"].(string) name := arg["name"].(string)
err := model.RenameBox(notebook, name) err := model.RenameBox(notebook, name)
if nil != err { if nil != err {
@ -94,6 +98,10 @@ func removeNotebook(c *gin.Context) {
} }
notebook := arg["notebook"].(string) notebook := arg["notebook"].(string)
if util.InvalidIDPattern(notebook, ret) {
return
}
err := model.RemoveBox(notebook) err := model.RemoveBox(notebook)
if nil != err { if nil != err {
ret.Code = -1 ret.Code = -1
@ -155,6 +163,10 @@ func openNotebook(c *gin.Context) {
} }
notebook := arg["notebook"].(string) notebook := arg["notebook"].(string)
if util.InvalidIDPattern(notebook, ret) {
return
}
msgId := util.PushMsg(model.Conf.Language(45), 1000*60*15) msgId := util.PushMsg(model.Conf.Language(45), 1000*60*15)
defer util.PushClearMsg(msgId) defer util.PushClearMsg(msgId)
existed, err := model.Mount(notebook) existed, err := model.Mount(notebook)
@ -183,6 +195,9 @@ func closeNotebook(c *gin.Context) {
} }
notebook := arg["notebook"].(string) notebook := arg["notebook"].(string)
if util.InvalidIDPattern(notebook, ret) {
return
}
model.Unmount(notebook) model.Unmount(notebook)
} }
@ -196,6 +211,10 @@ func getNotebookConf(c *gin.Context) {
} }
notebook := arg["notebook"].(string) notebook := arg["notebook"].(string)
if util.InvalidIDPattern(notebook, ret) {
return
}
box := model.Conf.Box(notebook) box := model.Conf.Box(notebook)
ret.Data = map[string]interface{}{ ret.Data = map[string]interface{}{
"box": box.ID, "box": box.ID,
@ -214,6 +233,10 @@ func setNotebookConf(c *gin.Context) {
} }
notebook := arg["notebook"].(string) notebook := arg["notebook"].(string)
if util.InvalidIDPattern(notebook, ret) {
return
}
box := model.Conf.Box(notebook) box := model.Conf.Box(notebook)
param, err := gulu.JSON.MarshalJSON(arg["conf"]) param, err := gulu.JSON.MarshalJSON(arg["conf"])
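Review bot: The pattern check establishes only that `notebook` is well-formed, not that such a notebook exists, yet getNotebookConf dereferences the lookup result straight away (`box := model.Conf.Box(notebook)` followed by `box.ID`). If `Conf.Box` returns nil for an unknown ID (its implementation is not visible here), a syntactically valid but nonexistent ID still panics after passing the new validation. A guard after the lookup, such as `if nil == box { ret.Code = -1; ret.Msg = "notebook not found"; return }`, would close that gap. setNotebookConf performs the same lookup; how it uses `box` is below the hunk.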


@ -56,6 +56,10 @@ func renderTemplate(c *gin.Context) {
p := arg["path"].(string) p := arg["path"].(string)
id := arg["id"].(string) id := arg["id"].(string)
if util.InvalidIDPattern(id, ret) {
return
}
content, err := model.RenderTemplate(p, id) content, err := model.RenderTemplate(p, id)
if nil != err { if nil != err {
ret.Code = -1 ret.Code = -1


@ -17,6 +17,7 @@
package util package util
import ( import (
"github.com/88250/lute/ast"
"github.com/imroc/req/v3" "github.com/imroc/req/v3"
"github.com/siyuan-note/httpclient" "github.com/siyuan-note/httpclient"
"net/http" "net/http"
@ -65,6 +66,16 @@ func JsonArg(c *gin.Context, result *gulu.Result) (arg map[string]interface{}, o
return return
} }
func InvalidIDPattern(idArg string, result *gulu.Result) bool {
if ast.IsNodeIDPattern(idArg) {
return false
}
result.Code = -1
result.Msg = "invalid ID argument"
return true
}
func initHttpClient() { func initHttpClient() {
http.DefaultClient = httpclient.GetCloudFileClient2Min() http.DefaultClient = httpclient.GetCloudFileClient2Min()
http.DefaultTransport = httpclient.NewTransport(false) http.DefaultTransport = httpclient.NewTransport(false)
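Review bot: InvalidIDPattern is exported and has a side effect that its predicate-style name does not suggest: besides returning a bool it writes `result.Code` and `result.Msg`. It should carry a doc comment saying so, e.g. `// InvalidIDPattern reports whether idArg is not a well-formed node ID; when it is not, it sets result.Code to -1 and result.Msg to "invalid ID argument".` The fixed message also does not name the offending field, so a rejection from a handler that checks several IDs (insertBlock checks three) cannot be attributed to one argument by the caller; worth noting in the comment or addressing in a follow-up.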