修复任意文件读取漏洞
This commit is contained in:
parent
de47e8516a
commit
118241ba6d
@ -121,6 +121,12 @@ exports.start = function (port = 8074) {
|
|||||||
res.setHeader("Access-Control-Allow-Origin", "*"); // 设置可访问的源
|
res.setHeader("Access-Control-Allow-Origin", "*"); // 设置可访问的源
|
||||||
// 解析参数
|
// 解析参数
|
||||||
const pathName = url.parse(req.url).pathname;
|
const pathName = url.parse(req.url).pathname;
|
||||||
|
const safeBase = path.join(__dirname, "src");
|
||||||
|
|
||||||
|
const safeJoin = (base, target) => {
|
||||||
|
const targetPath = "." + path.posix.normalize("/" + target);
|
||||||
|
return path.join(base, targetPath);
|
||||||
|
};
|
||||||
if (pathName == "/excelUpload" && req.method.toLowerCase() === "post") {
|
if (pathName == "/excelUpload" && req.method.toLowerCase() === "post") {
|
||||||
// // parse a file upload
|
// // parse a file upload
|
||||||
// let form = new formidable.IncomingForm();
|
// let form = new formidable.IncomingForm();
|
||||||
@ -160,8 +166,16 @@ exports.start = function (port = 8074) {
|
|||||||
else {
|
else {
|
||||||
//如果有后缀名, 则为前端请求
|
//如果有后缀名, 则为前端请求
|
||||||
// console.log(path.join(__dirname,"src/taskGrid", pathName));
|
// console.log(path.join(__dirname,"src/taskGrid", pathName));
|
||||||
|
const filePath = safeJoin(safeBase, pathName);
|
||||||
|
|
||||||
|
if (!filePath.startsWith(safeBase)) {
|
||||||
|
res.writeHead(400, { "Content-Type": 'text/html;charset="utf-8"' });
|
||||||
|
res.end("Invalid path");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
fs.readFile(
|
fs.readFile(
|
||||||
path.join(__dirname, "src", pathName),
|
filePath,
|
||||||
async (err, data) => {
|
async (err, data) => {
|
||||||
if (err) {
|
if (err) {
|
||||||
res.writeHead(404, {
|
res.writeHead(404, {
|
||||||
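Review bot: The containment guard `if (!filePath.startsWith(safeBase))` is a bare string-prefix test, so a resolved path such as `<__dirname>/src-other/...` would satisfy it; `safeJoin` always joins beneath `safeBase`, so that is not reachable today, but the guard is the last line of defence and should demand a separator: `if (filePath !== safeBase && !filePath.startsWith(safeBase + path.sep)) {`. It also deserves a comment on why two layers exist: `path.posix.normalize` does not treat `\` as a separator while `path.join` on Windows does, so a request path with `..\` segments (if the HTTP parser lets one through) survives `safeJoin` and is caught only here — e.g. `// second layer: on win32 path.join honours '\\' as a separator, which posix.normalize above did not`. Note too that `url.parse(req.url).pathname` is not percent-decoded, so `%2e%2e` stays a literal filename and cannot traverse, which is worth stating next to `safeJoin` so nobody "fixes" it by adding `decodeURIComponent` before the normalize step. The enclosing request handler inside `exports.start` begins and ends outside the hunk.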
|
1
ElectronJS/tasks/323.json
Normal file
1
ElectronJS/tasks/323.json
Normal file
@ -0,0 +1 @@
|
|||||||
|
{"id":323,"name":"新web采集任务","url":"https://www.baidu.com","links":"https://www.baidu.com","create_time":"","update_time":"2024-08-10 17:29:04","version":"0.6.2","saveThreshold":10,"quitWaitTime":60,"environment":0,"maximizeWindow":0,"maxViewLength":15,"recordLog":1,"outputFormat":"csv","saveName":"current_time","dataWriteMode":1,"inputExcel":"","startFromExit":0,"pauseKey":"p","containJudge":false,"browser":"chrome","removeDuplicate":0,"desc":"https://www.baidu.com","inputParameters":[{"id":0,"name":"urlList_0","nodeId":1,"nodeName":"打开网页","value":"https://www.baidu.com","desc":"要采集的网址列表,多行以\\n分开","type":"text","exampleValue":"https://www.baidu.com"}],"outputParameters":[],"graph":[{"index":0,"id":0,"parentId":0,"type":-1,"option":0,"title":"root","sequence":[1],"parameters":{"history":1,"tabIndex":0,"useLoop":false,"xpath":"","iframe":false,"wait":0,"waitType":0,"beforeJS":"","beforeJSWaitTime":0,"afterJS":"","afterJSWaitTime":0,"waitElement":"","waitElementTime":10,"waitElementIframeIndex":0},"isInLoop":false},{"id":1,"index":1,"parentId":0,"type":0,"option":1,"title":"打开网页","sequence":[],"isInLoop":false,"position":0,"parameters":{"useLoop":false,"xpath":"","wait":0,"waitType":0,"beforeJS":"","beforeJSWaitTime":0,"afterJS":"","afterJSWaitTime":0,"waitElement":"","waitElementTime":10,"waitElementIframeIndex":0,"url":"https://www.baidu.com","links":"https://www.baidu.com","maxWaitTime":10,"scrollType":0,"scrollCount":1,"scrollWaitTime":1,"cookies":""}}]}
|