fix(PictureMaker.default): Fix a xss vuln (unsafe jinja2 template rendering). Thanks to @.yucheng2663. ; chore(interface): update format of context.

2025-05-10 02:23:35 +08:00 · 2025-05-10 02:23:35 +08:00 · 1bc1497113
commit 1bc1497113
parent 5baac1e696
5 changed files with 23 additions and 18 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,9 +9,4 @@ config/traceback.json
 ## testing files
 test
 testfiles
-test.py
-## for sljh
-utils/sljh
-PictureMaker/sljh.py
-interface/sljh.py
-frontend/sljh
+test.py
--- a/PictureMaker/default.py
+++ b/PictureMaker/default.py
@ -4,7 +4,8 @@ import time
 from typing import List

 from playwright.sync_api import sync_playwright
-from jinja2 import Environment, FileSystemLoader
+from jinja2 import Environment, FileSystemLoader, StrictUndefined
+from jinja2.sandbox import SandboxedEnvironment

 from config.config import TMP, TZINFO
 from utils.err import easyExceptionHandler
@ -31,7 +32,12 @@ def render(post_context:dict) -> tuple[list[str], int]:
            page = context.new_page()

            # render template
-            env = Environment(loader=FileSystemLoader(TEMPLATE_DIR))
+            env = SandboxedEnvironment( # sandbox -> 降低SSTI的影響範圍
+                loader=FileSystemLoader(TEMPLATE_DIR), 
+                autoescape=True # auto escape -> prevent xss
+            )
+            env.undefined = StrictUndefined
+
            template = env.get_template('index.jinja2')
            main = {
                "id": post_context["id"],
@ -105,7 +111,7 @@ def gen(context:dict) -> List[str]:
    # generate image
    files, err = render(context)
    if err:
-        return None
+        return []
    
    return files

--- a/4
+++ b/4
@ -1,3 +1,7 @@
+[ ] Vuln: XSS in PictureMaker.default : jinja2沒開模板轉義
+[ ] Hash只用timestamp當作seed可能不夠(會撞)
+[ ] backend.utils.fileProcessor那邊，考慮改善寫法跟加強安全(尤其是考慮關閉管道)
+
 [ ] 處理因為ig媒體畫面比例固定，但是使用者圖片畫面比例不固定導致的問題
    看要不要幫使用者的媒體填充畫面到正確的比例
 [ ] api: ID查IGID，IGID反查ID
--- a/backend/utils/fileProcessor.py
+++ b/backend/utils/fileProcessor.py
@ -28,14 +28,14 @@ def image_conventer(filename:str, binary: bytes) -> int:
        return 1

 ## video (and gif)
-def read_output(pipe, q):
-    """ 用於非阻塞讀取 ffmpeg 的 stdout """
-    while True:
-        data = pipe.read(4096)
-        if not data:
-            break
-        q.put(data)
-    q.put(None)  # 標記輸出結束
+#def read_output(pipe, q):
+#    """ 用於非阻塞讀取 ffmpeg 的 stdout """
+#    while True:
+#        data = pipe.read(4096)
+#        if not data:
+#            break
+#        q.put(data)
+#    q.put(None)  # 標記輸出結束


 def video_conventor(filename:str, oriFormat:str, binary:bytes) -> int:
--- a/interface/example.py
+++ b/interface/example.py
@ -64,7 +64,7 @@ def get(index:int, media:bool=True) -> dict | None:
 an_example_of_context = {
    "id": int,
    "metadata": {
-        "create_time": int | datetime.datetime,
+        "create_time": datetime.datetime,
        "author": str,
        "tags": list[str],
        "category": str,