fix xss

周伟奇
Showing 3 changed files with 15 additions and 0 deletions
src/apps/account/views.py
src/apps/doc/mixins.py
src/apps/doc/views.py
--- a/src/apps/account/views.py
View file @4c33a6e
+++ b/src/apps/account/views.py
View file @4c33a6e
@@ -11,6 +11,7 @@ from .consts import LOGIN_TIMES_LIMIT_EXPIRES, LOGIN_TIMES_LIMIT
 class LoginView(ObtainJSONWebToken, GenericView):

    def post(self, request, *args, **kwargs):
+        # 登录次数限制
        user_name = request.data.get('username', '')
        times = rh.get_login_times(user_name)
        if isinstance(times, int) and times >= LOGIN_TIMES_LIMIT:
--- a/src/apps/doc/mixins.py
View file @4c33a6e
+++ b/src/apps/doc/mixins.py
View file @4c33a6e
+import re
 from .named_enum import DocStatus
 from .models import HILDoc, AFCDoc
 from . import consts
@@ -6,6 +7,15 @@ from . import consts
 class DocHandler:

    @staticmethod
+    def xss_pass(file):
+        for pno in range(file.pageCount):
+            page = file.loadPage(pno)
+            page_text = page.getText()
+            if re.search(r'/JS(.*)', page_text) and re.search(r'/S /JavaScript', page_text):
+                return False
+        return True
+
+    @staticmethod
    def get_name(info, key, length):
        if not isinstance(info, dict):
            return ''
--- a/src/apps/doc/views.py
View file @4c33a6e
+++ b/src/apps/doc/views.py
View file @4c33a6e
@@ -898,6 +898,10 @@ class DocView(GenericView, DocHandler):
                file.close()
                os.remove(tmp_save_path)
                raise self.invalid_params(msg='invalid params: not a PDF file')
+            elif not self.xss_pass(file):
+                os.remove(tmp_save_path)
+                raise self.invalid_params(msg='invalid params: PDF file XSS')
+

        file.close()
        # 1. 上传信息记录