fix(PictureMaker.default): Fix an XSS vuln (unsafe jinja2 template rendering). Thanks to @.yucheng2663. ; chore(interface): update format of context.

This commit is contained in:
p23 2025-05-10 02:23:35 +08:00
parent 5baac1e696
commit 1bc1497113
5 changed files with 23 additions and 18 deletions

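--- a/.gitignore
+++ b/.gitignore
@@ -9,9 +9,4 @@ config/traceback.json
 ## testing files
 test
 testfiles
 test.py
-## for sljh
-utils/sljh
-PictureMaker/sljh.py
-interface/sljh.py
-frontend/sljh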


@ -4,7 +4,8 @@ import time
from typing import List from typing import List
from playwright.sync_api import sync_playwright from playwright.sync_api import sync_playwright
from jinja2 import Environment, FileSystemLoader from jinja2 import Environment, FileSystemLoader, StrictUndefined
from jinja2.sandbox import SandboxedEnvironment
from config.config import TMP, TZINFO from config.config import TMP, TZINFO
from utils.err import easyExceptionHandler from utils.err import easyExceptionHandler
@ -31,7 +32,12 @@ def render(post_context:dict) -> tuple[list[str], int]:
page = context.new_page() page = context.new_page()
# render template # render template
env = Environment(loader=FileSystemLoader(TEMPLATE_DIR)) env = SandboxedEnvironment( # sandbox -> 降低SSTI的影響範圍
loader=FileSystemLoader(TEMPLATE_DIR),
autoescape=True # auto escape -> prevent xss
)
env.undefined = StrictUndefined
template = env.get_template('index.jinja2') template = env.get_template('index.jinja2')
main = { main = {
"id": post_context["id"], "id": post_context["id"],
@ -105,7 +111,7 @@ def gen(context:dict) -> List[str]:
# generate image # generate image
files, err = render(context) files, err = render(context)
if err: if err:
return None return []
return files return files
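Review bot: `env.undefined = StrictUndefined` is assigned after construction while `loader` and `autoescape` go through the constructor; `Environment` accepts `undefined=` directly, so `SandboxedEnvironment(loader=FileSystemLoader(TEMPLATE_DIR), autoescape=True, undefined=StrictUndefined)` keeps the hardening in one expression and avoids a reader wondering whether the attribute is set too late. A comment on the `autoescape=True` line should record why it is a literal `True` rather than `select_autoescape()`: the template is `index.jinja2`, and the extension-based default would leave escaping off for it, e.g. `# autoescape=True, not select_autoescape(): '.jinja2' is not an HTML extension`. Autoescaping only covers values interpolated into element content and quoted attributes, so any `| safe` filter or unquoted attribute in `index.jinja2` (not part of this diff) still needs to be reviewed together with this change. With `StrictUndefined` a missing `post_context` key now raises `UndefinedError` at render time instead of rendering empty; presumably that is what sets `err`, but the body of `render()` continues outside the hunk. In the third hunk `return []` on error matches the `List[str]` annotation, but any caller of `gen()` that tested `is None` will now treat a failed render as an empty result.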

TODO

@ -1,3 +1,7 @@
[ ] Vuln: XSS in PictureMaker.default : jinja2沒開模板轉義
[ ] Hash只用timestamp當作seed可能不夠(會撞)
[ ] backend.utils.fileProcessor那邊考慮改善寫法跟加強安全(尤其是考慮關閉管道)
[ ] 處理因為ig媒體畫面比例固定但是使用者圖片畫面比例不固定導致的問題 [ ] 處理因為ig媒體畫面比例固定但是使用者圖片畫面比例不固定導致的問題
看要不要幫使用者的媒體填充畫面到正確的比例 看要不要幫使用者的媒體填充畫面到正確的比例
[ ] api: ID查IGIDIGID反查ID [ ] api: ID查IGIDIGID反查ID


@ -28,14 +28,14 @@ def image_conventer(filename:str, binary: bytes) -> int:
return 1 return 1
## video (and gif) ## video (and gif)
def read_output(pipe, q): #def read_output(pipe, q):
""" 用於非阻塞讀取 ffmpeg 的 stdout """ # """ 用於非阻塞讀取 ffmpeg 的 stdout """
while True: # while True:
data = pipe.read(4096) # data = pipe.read(4096)
if not data: # if not data:
break # break
q.put(data) # q.put(data)
q.put(None) # 標記輸出結束 # q.put(None) # 標記輸出結束
def video_conventor(filename:str, oriFormat:str, binary:bytes) -> int: def video_conventor(filename:str, oriFormat:str, binary:bytes) -> int:
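Review bot: `read_output` is commented out rather than removed; version control keeps its history, so the eight `#` lines should be deleted (ruff ERA001 flags exactly this), or the function kept live if something still references it. If `video_conventor` still runs ffmpeg with a piped stdout, the reader thread was presumably what kept that pipe drained, and a child whose stdout is no longer consumed can block once the pipe buffer fills, so confirm the replacement reads or redirects the output — the TODO entry about closing pipes points at the same area. `video_conventor` starts on the hunk's last line and its body lies outside the hunk.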


@ -64,7 +64,7 @@ def get(index:int, media:bool=True) -> dict | None:
an_example_of_context = { an_example_of_context = {
"id": int, "id": int,
"metadata": { "metadata": {
"create_time": int | datetime.datetime, "create_time": datetime.datetime,
"author": str, "author": str,
"tags": list[str], "tags": list[str],
"category": str, "category": str,