From 1bc14971136834ada43422a5dd64bb7f5b3556ed Mon Sep 17 00:00:00 2001 From: p23 Date: Sat, 10 May 2025 02:23:35 +0800 Subject: [PATCH] fix(PictureMaker.default): Fix a xss vuln (unsafe jinja2 template rendering). Thanks to @.yucheng2663. ; chore(interface): update format of context. --- .gitignore | 7 +------ PictureMaker/default.py | 12 +++++++++--- TODO | 4 ++++ backend/utils/fileProcessor.py | 16 ++++++++-------- interface/example.py | 2 +- 5 files changed, 23 insertions(+), 18 deletions(-) diff --git a/.gitignore b/.gitignore index 8038d71..40c8757 100644 --- a/.gitignore +++ b/.gitignore @@ -9,9 +9,4 @@ config/traceback.json ## testing files test testfiles -test.py -## for sljh -utils/sljh -PictureMaker/sljh.py -interface/sljh.py -frontend/sljh \ No newline at end of file +test.py \ No newline at end of file diff --git a/PictureMaker/default.py b/PictureMaker/default.py index 402dc38..be5edd9 100644 --- a/PictureMaker/default.py +++ b/PictureMaker/default.py @@ -4,7 +4,8 @@ import time from typing import List from playwright.sync_api import sync_playwright -from jinja2 import Environment, FileSystemLoader +from jinja2 import Environment, FileSystemLoader, StrictUndefined +from jinja2.sandbox import SandboxedEnvironment from config.config import TMP, TZINFO from utils.err import easyExceptionHandler @@ -31,7 +32,12 @@ def render(post_context:dict) -> tuple[list[str], int]: page = context.new_page() # render template - env = Environment(loader=FileSystemLoader(TEMPLATE_DIR)) + env = SandboxedEnvironment( # sandbox -> 降低SSTI的影響範圍 + loader=FileSystemLoader(TEMPLATE_DIR), + autoescape=True # auto escape -> prevent xss + ) + env.undefined = StrictUndefined + template = env.get_template('index.jinja2') main = { "id": post_context["id"], @@ -105,7 +111,7 @@ def gen(context:dict) -> List[str]: # generate image files, err = render(context) if err: - return None + return [] return files diff --git a/TODO b/TODO index 9346bc4..f711fbb 100644 --- a/TODO +++ b/TODO 
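Review bot: `env.undefined = StrictUndefined` is assigned after construction while the sandbox and `autoescape` are passed as constructor arguments; pass `undefined=StrictUndefined` in the same `SandboxedEnvironment(...)` call so the three settings that make up the fix are visible together. StrictUndefined also changes failure behaviour: a key missing from `post_context` no longer renders as empty text but raises `UndefinedError` from the template render, so unless the rest of `render` (which continues past the hunk) catches it, the error propagates out instead of surfacing through the `(files, err)` return value. `autoescape=True` covers `{{ }}` interpolation in HTML text and quoted attributes; anything `index.jinja2` marks `|safe` or places in a URL or `<script>` context is not covered by this change and needs a separate look. Since the template is loaded from `TEMPLATE_DIR` rather than from user input, the XSS fix here is the autoescape setting and the sandbox is defence in depth — worth saying so in the comment, e.g. `# autoescape fixes the XSS; the sandbox only limits what a template can reach`.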
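Review bot: Returning `[]` on error in `gen` matches the `List[str]` annotation but discards `err`, so a caller can no longer tell a failed render from a post that produced no images; log `err` (and the post id) before the `return []` so the failure is at least visible. Any caller that relied on the former `None` sentinel (`if files is None:`) now takes the success path with an empty list; the call sites are outside this diff and should be checked. The start of `gen` is outside the hunk.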
@@ -1,3 +1,7 @@ +[ ] Vuln: XSS in PictureMaker.default : jinja2沒開模板轉義 +[ ] Hash只用timestamp當作seed可能不夠(會撞) +[ ] backend.utils.fileProcessor那邊,考慮改善寫法跟加強安全(尤其是考慮關閉管道) + [ ] 處理因為ig媒體畫面比例固定,但是使用者圖片畫面比例不固定導致的問題 看要不要幫使用者的媒體填充畫面到正確的比例 [ ] api: ID查IGID,IGID反查ID diff --git a/backend/utils/fileProcessor.py b/backend/utils/fileProcessor.py index 8d36c72..494514c 100644 --- a/backend/utils/fileProcessor.py +++ b/backend/utils/fileProcessor.py @@ -28,14 +28,14 @@ def image_conventer(filename:str, binary: bytes) -> int: return 1 ## video (and gif) -def read_output(pipe, q): - """ 用於非阻塞讀取 ffmpeg 的 stdout """ - while True: - data = pipe.read(4096) - if not data: - break - q.put(data) - q.put(None) # 標記輸出結束 +#def read_output(pipe, q): +# """ 用於非阻塞讀取 ffmpeg 的 stdout """ +# while True: +# data = pipe.read(4096) +# if not data: +# break +# q.put(data) +# q.put(None) # 標記輸出結束 def video_conventor(filename:str, oriFormat:str, binary:bytes) -> int: diff --git a/interface/example.py b/interface/example.py index c803fdf..5db1765 100644 --- a/interface/example.py +++ b/interface/example.py @@ -64,7 +64,7 @@ def get(index:int, media:bool=True) -> dict | None: an_example_of_context = { "id": int, "metadata": { - "create_time": int | datetime.datetime, + "create_time": datetime.datetime, "author": str, "tags": list[str], "category": str,
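Review bot: `read_output` is commented out rather than removed; version control keeps the old implementation, so the eight `#` lines are dead text that will drift from the surrounding code. If `video_conventor` (its body starts after the hunk) no longer needs a non-blocking reader, delete the block outright; if it still spawns ffmpeg with pipes, the replacement reader and how the pipes are drained and closed are what to review — the TODO added in this same commit flags pipe closing in this module as open work.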