From 118241ba6dbbe66f58355920b860f6970c99f665 Mon Sep 17 00:00:00 2001
From: naibo
Date: Sat, 10 Aug 2024 17:32:01 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E4=BB=BB=E6=84=8F=E6=96=87?=
 =?UTF-8?q?=E4=BB=B6=E8=AF=BB=E5=8F=96=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ElectronJS/server.js | 16 +++++++++++++++-
 ElectronJS/tasks/323.json | 1 +
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 ElectronJS/tasks/323.json

diff --git a/ElectronJS/server.js b/ElectronJS/server.js
index 4f11a33..bbaea1f 100644
--- a/ElectronJS/server.js
+++ b/ElectronJS/server.js
@@ -121,6 +121,12 @@ exports.start = function (port = 8074) {
 res.setHeader("Access-Control-Allow-Origin", "*"); // 设置可访问的源
 // 解析参数
 const pathName = url.parse(req.url).pathname;
+ const safeBase = path.join(__dirname, "src");
+
+ const safeJoin = (base, target) => {
+ const targetPath = "." + path.posix.normalize("/" + target);
+ return path.join(base, targetPath);
+ };
 if (pathName == "/excelUpload" && req.method.toLowerCase() === "post") {
 // // parse a file upload
 // let form = new formidable.IncomingForm();
@@ -160,8 +166,16 @@ exports.start = function (port = 8074) {
 else {
 //如果有后缀名, 则为前端请求
 // console.log(path.join(__dirname,"src/taskGrid", pathName));
+ const filePath = safeJoin(safeBase, pathName);
+
+ if (!filePath.startsWith(safeBase)) {
+ res.writeHead(400, { "Content-Type": 'text/html;charset="utf-8"' });
+ res.end("Invalid path");
+ return;
+ }
+
 fs.readFile(
- path.join(__dirname, "src", pathName),
+ filePath,
 async (err, data) => {
 if (err) {
 res.writeHead(404, {
diff --git a/ElectronJS/tasks/323.json b/ElectronJS/tasks/323.json
new file mode 100644
index 0000000..5d56066
--- /dev/null
+++ b/ElectronJS/tasks/323.json
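Review bot: The containment check added in the second hunk, `if (!filePath.startsWith(safeBase))`, is a bare string-prefix test, so a resolved path in a sibling directory whose name merely begins with `src` would also satisfy it; it holds today only because `safeJoin` has already normalized `pathName` against `/` beforehand, so it is defence in depth rather than the guard itself. An exact containment test costs nothing more: `if (filePath !== safeBase && !filePath.startsWith(safeBase + path.sep)) {`. On Windows `path.join` also treats backslashes as separators, which `path.posix.normalize` does not collapse, so whether backslashes can survive in `url.parse(req.url).pathname` is worth confirming before relying on `safeJoin` alone. `safeBase` and `safeJoin` in the first hunk are rebuilt on every request and could be hoisted above the request handler. The enclosing `exports.start` handler starts and ends outside both hunks.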
@@ -0,0 +1 @@
+{"id":323,"name":"新web采集任务","url":"https://www.baidu.com","links":"https://www.baidu.com","create_time":"","update_time":"2024-08-10 17:29:04","version":"0.6.2","saveThreshold":10,"quitWaitTime":60,"environment":0,"maximizeWindow":0,"maxViewLength":15,"recordLog":1,"outputFormat":"csv","saveName":"current_time","dataWriteMode":1,"inputExcel":"","startFromExit":0,"pauseKey":"p","containJudge":false,"browser":"chrome","removeDuplicate":0,"desc":"https://www.baidu.com","inputParameters":[{"id":0,"name":"urlList_0","nodeId":1,"nodeName":"打开网页","value":"https://www.baidu.com","desc":"要采集的网址列表,多行以\\n分开","type":"text","exampleValue":"https://www.baidu.com"}],"outputParameters":[],"graph":[{"index":0,"id":0,"parentId":0,"type":-1,"option":0,"title":"root","sequence":[1],"parameters":{"history":1,"tabIndex":0,"useLoop":false,"xpath":"","iframe":false,"wait":0,"waitType":0,"beforeJS":"","beforeJSWaitTime":0,"afterJS":"","afterJSWaitTime":0,"waitElement":"","waitElementTime":10,"waitElementIframeIndex":0},"isInLoop":false},{"id":1,"index":1,"parentId":0,"type":0,"option":1,"title":"打开网页","sequence":[],"isInLoop":false,"position":0,"parameters":{"useLoop":false,"xpath":"","wait":0,"waitType":0,"beforeJS":"","beforeJSWaitTime":0,"afterJS":"","afterJSWaitTime":0,"waitElement":"","waitElementTime":10,"waitElementIframeIndex":0,"url":"https://www.baidu.com","links":"https://www.baidu.com","maxWaitTime":10,"scrollType":0,"scrollCount":1,"scrollWaitTime":1,"cookies":""}}]}
\ No newline at end of file