XMOJ-Script-dev / XMOJ-Script

XMOJ enhancement script
https://www.xmoj-bbs.me
GNU General Public License v3.0

[Feature Request] Frontend for GetAnalytics #249

Closed boomzero closed 8 months ago

boomzero commented 10 months ago

Checklist

Description

```typescript
    GetAnalytics: async (Data: object): Promise<Result> => {
        ThrowErrorIfFailed(this.CheckParams(Data, {
            "Username": "string"
        }));
        // Only the user themselves or an admin may read these logs
        if (Data["Username"] !== this.Username && !this.IsAdmin()) {
            return new Result(false, "没有权限获取此用户日志");
        }
        // The username is spliced into the SQL text without any escaping
        const query = "SELECT index1 AS username, blob1 AS ip, blob2 AS path, timestamp FROM logdb WHERE index1='" + Data["Username"] + "' ORDER BY timestamp ASC";
        const API = `https://api.cloudflare.com/client/v4/accounts/${this.ACCOUNT_ID}/analytics_engine/sql`;
        const response = await fetch(API, {
            method: 'POST',
            headers: {
                'Authorization': `Bearer ${this.API_TOKEN}`,
            },
            body: query,
        });
        const responseJSON = await response.json();
        return new Result(true, "获得分析数据成功", responseJSON);
    },
};
```

Reason

No response

PythonSmall-Q commented 10 months ago

approve

langningchen commented 10 months ago

@boomzero @PythonSmall-Q Who wrote this backend code?

langningchen commented 10 months ago

Building the SQL query by plain string concatenation

langningchen commented 10 months ago

And there is no string filtering at all either

langningchen commented 10 months ago

You guys should really think about security

PythonSmall-Q commented 10 months ago

Boomzero wrote it

boomzero commented 10 months ago

...

On Nov 26, 2023, at 17:19, Chen LangNing wrote:

@boomzero https://github.com/boomzero @PythonSmall-Q https://github.com/PythonSmall-Q Who wrote this backend code?

boomzero commented 10 months ago

This can't be hacked, can it? Give it a try?

On Nov 26, 2023, at 17:20, Chen LangNing wrote:

Building the SQL query by plain string concatenation

boomzero commented 10 months ago

Reason: this is only the SQL API, not the database, and it only supports SELECT

On Nov 26, 2023, at 17:20, Chen LangNing wrote:

Building the SQL query by plain string concatenation

boomzero commented 10 months ago

So what can you do with it?

On Nov 26, 2023, at 17:20, Chen LangNing wrote:

You guys should really think about security

langningchen commented 10 months ago

If someone is an Admin, then they can hack it

langningchen commented 10 months ago

For example, the simplest one: ' OR 1=1 ORDER BY timestamp ASC#

langningchen commented 10 months ago

@boomzero

boomzero commented 10 months ago

Added sqlstring's escape, fixed

On Nov 28, 2023, at 20:50, Chen LangNing wrote:

For example, the simplest one: ' OR 1=1 ORDER BY timestamp ASC#
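Editor's added example (not XMOJ-Script code and not written by anyone in this thread): the GetAnalytics query from the issue built the original concatenating way and with the username escaped as the fix's sqlstring.escape would, plus a skeleton check a reviewer can run to confirm the payload quoted above stays inside the literal. The escape table is an assumption modelled on sqlstring, and it assumes the SQL dialect honours backslash escapes inside string literals.

```typescript
// Added example, not XMOJ-Script code. The escape table is an assumption
// modelled on sqlstring.escape(); it assumes a dialect with backslash escapes.
const QUERY_PREFIX =
  "SELECT index1 AS username, blob1 AS ip, blob2 AS path, timestamp " +
  "FROM logdb WHERE index1=";
const QUERY_SUFFIX = " ORDER BY timestamp ASC";

// The payload quoted in the thread, used here as a constructed test input.
const INJECTION_SAMPLE = "' OR 1=1 ORDER BY timestamp ASC#";

// Original shape: the username is spliced into the SQL text verbatim.
function buildQueryUnsafe(username: string): string {
  return QUERY_PREFIX + "'" + username + "'" + QUERY_SUFFIX;
}

// Quote a value as one string literal: backslash-escape every character
// that could end the literal or be misread, then wrap it in single quotes.
function escapeLiteral(value: string): string {
  const table: Record<string, string> = {
    "\0": "\\0", "\b": "\\b", "\t": "\\t", "\n": "\\n", "\r": "\\r",
    "\x1a": "\\Z", "'": "\\'", '"': '\\"', "\\": "\\\\",
  };
  return "'" + value.replace(/[\0\b\t\n\r\x1a'"\\]/g, (c) => table[c] ?? c) + "'";
}

// Fixed shape: whatever the username contains, it stays inside one literal.
function buildQuerySafe(username: string): string {
  return QUERY_PREFIX + escapeLiteral(username) + QUERY_SUFFIX;
}

// Reviewer's check: blank out every single-quoted literal (honouring
// backslash escapes) and keep only the query skeleton. A correctly
// quoted query has the same skeleton for every input.
function querySkeleton(sql: string): string {
  let out = "";
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (!inLiteral) {
      if (ch === "'") { inLiteral = true; out += "?"; } else { out += ch; }
    } else if (ch === "\\") {
      i++; // skip the escaped character
    } else if (ch === "'") {
      inLiteral = false;
    }
  }
  return out;
}
```

Escaping keeps the query's skeleton identical for every input; the concatenated version lets the input rewrite the WHERE clause, which the thread's admin-only gate does nothing to prevent.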

boomzero commented 10 months ago

Take a look

On Nov 28, 2023, at 20:50, Chen LangNing wrote:

@boomzero https://github.com/boomzero

boomzero commented 10 months ago

@langningchen

langningchen commented 10 months ago

@boomzero I looked, very nice! :+1:

PythonSmall-Q commented 9 months ago

Why the hell did it get closed again

langningchen commented 9 months ago

@PythonSmall-Q That's the actions you set up yourselves

boomzero commented 9 months ago

… (the stale criteria could be adjusted)

On Dec 15, 2023, at 18:29, Langning Chen wrote:

@PythonSmall-Q https://github.com/PythonSmall-Q That's the actions you set up yourselves

boomzero commented 8 months ago

~Never mind, nobody uses it, not writing it~