(Core:Security) request 全局转义

AntSwordProject · Oct 30, 2019 · b1ed898 · b1ed898
1 parent f28f086
commit b1ed898
Show file tree

Hide file tree

Showing 8 changed files with 53 additions and 54 deletions.
diff --git a/modules/request.js b/modules/request.js
@@ -192,7 +192,7 @@ class Request {
         _request.send = _request.field;
         for (var key in _postData) {
           if (_postData.hasOwnProperty(key)) {
-            let _tmp = encodeURIComponent(_postData[key]).replace(/asunescape\((.+?)\)/g, function ($, $1) {
+            let _tmp = (_postData[key]).replace(/asunescape\((.+?)\)/g, function ($, $1) {
               return unescape($1)
             });
             _postarr[key] = _tmp;

diff --git a/source/app.entry.js b/source/app.entry.js
@@ -37,6 +37,24 @@ const antSword = window.antSword = {
     }
     return _html;
   },
+  /**
+   * unxss
+   * @param  {String}  html 转义的字符串
+   * @param  {Boolean} wrap 是否反转义换行
+   * @return {String}       反转义后的字符串
+   */
+  unxss: (html = '', wrap = true) => {
+    let _html = String(html)
+      .replace(/&apos;/g, "'")
+      .replace(/&gt;/g, ">")
+      .replace(/&lt;/g, "<")
+      .replace(/&quot;/g, '"')
+      .replace(/&amp;/g, "&");
+    if (wrap) {
+      _html = _html.replace(/<br\/>/g, '\n'); // 只替换 noxss 转义过的
+    }
+    return _html;
+  },
   /**
    * 终端日志数据
    * @type {Array}

diff --git a/source/core/base.js b/source/core/base.js
@@ -303,8 +303,8 @@ class Base {
           let text = antSword.Decodes.decode(buff, encoding);
           return res({
             'encoding': encoding || "",
-            'text': text,
-            'buff': buff
+            'text': antSword.noxss(text, false),
+            'buff': Buffer.from(antSword.noxss(buff.toString()), false)
           });
         })
         // HTTP请求返回字节流

diff --git a/source/modules/database/asp/index.js b/source/modules/database/asp/index.js
@@ -553,11 +553,11 @@ class ASP {
             return
           };
           const _db = Buffer
-            .from(_)
+            .from(antSword.unxss(_))
             .toString('base64');
           this
             .tree
-            .insertNewItem(`conn::${id}`, `database::${id}:${_db}`, antSword.noxss(_), null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
+            .insertNewItem(`conn::${id}`, `database::${id}:${_db}`, _, null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
         });
         this
           .manager
@@ -613,11 +613,11 @@ class ASP {
             return
           };
           const _table = Buffer
-            .from(_)
+            .from(antSword.unxss(_))
             .toString('base64');
           this
             .tree
-            .insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, antSword.noxss(_), null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]);
+            .insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, _, null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]);
         });
         this
           .manager
@@ -692,8 +692,9 @@ class ASP {
           if (!_) {
             return
           };
+          _ = antSword.unxss(_);
           const _column = Buffer
-            .from(_.substr(0, _.length - _.lastIndexOf(' ')))
+            .from(_.substr(0, _.lastIndexOf(' ')))
             .toString('base64');
           this
             .tree
@@ -782,10 +783,7 @@ class ASP {
       return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
     };
     // 3.行头
-    let header_arr = antSword
-      .noxss(arr[0])
-      .replace(/,/g, '&#44;')
-      .split('\t|\t');
+    let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
     if (header_arr.length === 1) {
       return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
     };
@@ -797,9 +795,6 @@ class ASP {
     let data_arr = [];
     arr.map((_) => {
       let _data = _.split('\t|\t');
-      for (let i = 0; i < _data.length; i++) {
-        _data[i] = antSword.noxss(_data[i], false);
-      }
       data_arr.push(_data);
     });
     data_arr.pop();

diff --git a/source/modules/database/custom/index.js b/source/modules/database/custom/index.js
@@ -516,11 +516,7 @@ class CUSTOM {
 
   // 获取数据库列表
   getDatabases(id) {
-    this
-      .manager
-      .list
-      .layout
-      .progressOn();
+    this.manager.list.layout.progressOn();
     // 获取配置
     const conf = antSword['ipcRenderer'].sendSync('shell-getDataConf', {
       _id: this.manager.opt['_id'],
@@ -546,20 +542,14 @@ class CUSTOM {
             .progressOff();
         };
         // 删除子节点
-        this
-          .tree
-          .deleteChildItems(`conn::${id}`);
+        this.tree.deleteChildItems(`conn::${id}`);
         // 添加子节点
         arr.map((_) => {
           if (!_) {
             return
           };
-          const _db = Buffer
-            .from(_)
-            .toString('base64');
-          this
-            .tree
-            .insertNewItem(`conn::${id}`, `database::${id}:${_db}`, antSword.noxss(_), null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
+          const _db = Buffer.from(antSword.unxss(_)).toString('base64');
+          this.tree.insertNewItem(`conn::${id}`, `database::${id}:${_db}`, _, null, this.manager.list.imgs[1], this.manager.list.imgs[1], this.manager.list.imgs[1]);
         });
         this
           .manager
@@ -600,24 +590,20 @@ class CUSTOM {
       .then((res) => {
         let ret = res['text'];
         const arr = ret.split('\t');
-        const _db = Buffer
-          .from(db)
-          .toString('base64');
+        const _db = Buffer.from(db).toString('base64');
         // 删除子节点
-        this
-          .tree
-          .deleteChildItems(`database::${id}:${_db}`);
+        this.tree.deleteChildItems(`database::${id}:${_db}`);
         // 添加子节点
         arr.map((_) => {
           if (!_) {
             return
           };
           const _table = Buffer
-            .from(_)
+            .from(antSword.unxss(_))
             .toString('base64');
           this
             .tree
-            .insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, antSword.noxss(_), null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]);
+            .insertNewItem(`database::${id}:${_db}`, `table::${id}:${_db}:${_table}`, _, null, this.manager.list.imgs[2], this.manager.list.imgs[2], this.manager.list.imgs[2]);
         });
         this
           .manager
@@ -674,8 +660,9 @@ class CUSTOM {
           if (!_) {
             return
           };
+          _ = antSword.unxss(_);
           const _column = Buffer
-            .from(_.substr(0, _.length - _.lastIndexOf(' ')))
+            .from(_.substr(0, _.lastIndexOf(' ')))
             .toString('base64');
           this
             .tree
@@ -751,10 +738,7 @@ class CUSTOM {
       return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
     };
     // 3.行头
-    let header_arr = antSword
-      .noxss(arr[0])
-      .replace(/,/g, '&#44;')
-      .split('\t|\t');
+    let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
     if (header_arr.length === 1) {
       return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
     };

diff --git a/source/modules/database/php/index.js b/source/modules/database/php/index.js
@@ -1271,7 +1271,7 @@ class PHP {
     let dbname = Buffer.from(treeselect.split('::')[1].split(":")[1],"base64").toString();
     let tablename = Buffer.from(treeselect.split('::')[1].split(":")[2],"base64").toString();
     let columnname = Buffer.from(treeselect.split('::')[1].split(":")[3],"base64").toString();
-    let columntyperaw = this.tree.getSelectedItemText();
+    let columntyperaw = antSword.unxss(this.tree.getSelectedItemText());
     let columntype = null;
     var ctypereg = new RegExp(columnname+'\\s\\((.+?\\))\\)');
     var res = columntyperaw.match(ctypereg);
@@ -1383,11 +1383,11 @@ class PHP {
       // 添加子节点
       arr.map((_) => {
         if (!_) { return };
-        const _db = Buffer.from(_).toString('base64');
+        const _db = Buffer.from(antSword.unxss(_, false)).toString('base64');
         this.tree.insertNewItem(
           `conn::${id}`,
           `database::${id}:${_db}`,
-          antSword.noxss(_), null,
+          _, null,
           this.manager.list.imgs[1],
           this.manager.list.imgs[1],
           this.manager.list.imgs[1]);
@@ -1427,11 +1427,11 @@ class PHP {
       // 添加子节点
       arr.map((_) => {
         if (!_) { return };
-        const _table = Buffer.from(_).toString('base64');
+        const _table = Buffer.from(antSword.unxss(_, false)).toString('base64');
         this.tree.insertNewItem(
           `database::${id}:${_db}`,
           `table::${id}:${_db}:${_table}`,
-          antSword.noxss(_),
+          _,
           null,
           this.manager.list.imgs[2],
           this.manager.list.imgs[2],
@@ -1475,7 +1475,9 @@ class PHP {
       // 添加子节点
       arr.map((_) => {
         if (!_) { return };
-        const _column = Buffer.from(_.substr(0, _.length - _.lastIndexOf(' '))).toString('base64');
+        _ = antSword.unxss(_, false);
+        const _column = Buffer.from(_.substr(0, _.lastIndexOf(' '))).toString('base64');
+
         this.tree.insertNewItem(
           `table::${id}:${_db}:${_table}`,
           `column::${id}:${_db}:${_table}:${_column}`,
@@ -1562,7 +1564,7 @@ class PHP {
       return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
     };
     // 3.行头
-    let header_arr = antSword.noxss(arr[0]).replace(/,/g, '&#44;').split('\t|\t');
+    let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
     if (header_arr.length === 1) {
       return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
     };
@@ -1623,7 +1625,7 @@ class PHP {
       return toastr.error(LANG['result']['error']['parse'], LANG_T['error']);
     };
     // 3.行头
-    let header_arr = antSword.noxss(arr[0]).replace(/,/g, '&#44;').split('\t|\t');
+    let header_arr = (arr[0]).replace(/,/g, '&#44;').split('\t|\t');
     if (header_arr.length === 1) {
       return toastr.warning(LANG['result']['error']['noresult'], LANG_T['warning']);
     };

diff --git a/source/modules/filemanager/index.js b/source/modules/filemanager/index.js
@@ -172,7 +172,7 @@ class FileManager {
         path: path
       })
     ).then((res) => {
-      let ret = res['text'];
+      let ret = antSword.unxss(res['text']);
       // 判断是否出错
       if (ret.startsWith('ERROR://')) {
         callback([]);
@@ -1036,8 +1036,8 @@ class FileManager {
         path: path
       })
     ).then((res) => {
-      let ret = res['text'];
-      codes = res['buff'];
+      let ret = antSword.unxss(res['text'], false);
+      codes = Buffer.from(antSword.unxss(res['buff'].toString(), false));
       let encoding = res['encoding'] || this.opts['encode'];
       if (encoding.toUpperCase() == "UTF-8") {
         encoding = "UTF8";

diff --git a/source/modules/terminal/index.js b/source/modules/terminal/index.js
@@ -311,7 +311,7 @@ class Terminal {
           bin: _bin
         }))
         .then((ret) => {
-          let _ = ret['text'];
+          let _ = antSword.unxss(ret['text'], false);
           // 解析出命令执行路径
           const indexS = _.lastIndexOf('[S]');
           const indexE = _.lastIndexOf('[E]');