Merge pull request #195 from dom-jiang/main
Fix SQL injection and script injection
WillaGao1 authored Aug 15, 2024
2 parents 576cf25 + d8cdd42 commit 9d4325f
Showing 5 changed files with 80 additions and 77 deletions.
15 changes: 9 additions & 6 deletions app.py
Expand Up @@ -29,8 +29,9 @@
import datetime
from auth.crypto_utl import decrypt
import time
import bleach

service_version = "20240625.01"
service_version = "20240812.01"
Welcome = 'Welcome to ref datacenter API server, version ' + service_version + ', indexer %s' % \
Cfg.NETWORK[Cfg.NETWORK_ID]["INDEXER_HOST"][-3:]
# Instantiation, which can be regarded as fixed format
Expand Down Expand Up @@ -64,11 +65,13 @@ def before_request():
logger.error("decrypt error:", e)
return 'Authentication error'
data = request.args
allowed_tags = []
allowed_attributes = {}
for v in data.values():
v = str(v).lower()
pattern = r"(<.*?>)"
r = re.search(pattern, v)
if r:
v = str(v)
cleaned_value = bleach.clean(v, tags=allowed_tags, attributes=allowed_attributes)

if v != cleaned_value:
return 'Please enter the parameters of the specification!'


Expand Down Expand Up @@ -513,7 +516,7 @@ def handle_burrow_records():
account_id = request.args.get("account_id")
page_number = request.args.get("page_number", type=int, default=1)
page_size = request.args.get("page_size", type=int, default=10)
if account_id is None or account_id == '':
if account_id is None or account_id == '' or page_size == 0:
return ""
burrow_log_list, count_number = query_burrow_log(Cfg.NETWORK_ID, account_id, page_number, page_size)
if count_number % page_size == 0:
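Review bot: The new `page_size == 0` guard in handle_burrow_records only prevents the ZeroDivisionError at `count_number % page_size`; a negative page_size (or page_number) from `request.args.get(..., type=int)` still reaches query_burrow_log and the modulo, so the check should be `if account_id is None or account_id == '' or page_size <= 0:`. In before_request, bleach.clean entity-escapes `&`, `<` and `>` in plain text, so as far as I can tell a query value containing a bare ampersand is now rejected where the old code only rejected a `<...>` pattern; confirm no legitimate parameter carries these characters, since this is stricter than the commit title suggests. before_request starts before its hunk and handle_burrow_records continues past its hunk, so the response path on rejection is not visible here. bleach's maintainers have declared the library deprecated, so pinning its version in the requirements and tracking a replacement is worth a line in the description.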
3 changes: 2 additions & 1 deletion config.py
Expand Up @@ -578,7 +578,8 @@ class Cfg:
{"SYMBOL": "SBF", "MD_ID": "sam-bankmeme-fried"},
{"SYMBOL": "GLORY", "MD_ID": "sekai-glory"},
{"SYMBOL": "CBR", "MD_ID": "cyberblast-token"},
{"SYMBOL": "MIA", "MD_ID": "mia-2d4b"},
{"SYMBOL": "MIA", "MD_ID": "miaswap"},
{"SYMBOL": "mia-2d4b", "MD_ID": "mia"},
{"SYMBOL": "BINU", "MD_ID": "baseinu"},
{"SYMBOL": "FINGER", "MD_ID": "finger-blast"},
{"SYMBOL": "BCat", "MD_ID": "bananacat"},
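Review bot: The added entry `{"SYMBOL": "mia-2d4b", "MD_ID": "mia"}` puts the slug-style value in SYMBOL and the short name in MD_ID, the reverse of every other row in this list (e.g. `{"SYMBOL": "BINU", "MD_ID": "baseinu"}`); if the two values were transposed by accident, the row matches nothing. This table change is also unrelated to the injection fixes named in the commit title, so a sentence in the description explaining the MIA remap would help the next reader. The enclosing Cfg class starts and ends outside the hunk.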
8 changes: 4 additions & 4 deletions data_utils.py
Expand Up @@ -38,10 +38,10 @@ def add_redis_data(network_id, key, redis_key, values):

def get_redis_data(network_id, key, redis_key):
db_conn = get_db_connect(network_id)
sql = "select `redis_values` from t_indexer_redis_data where `key` = '%s' and redis_key = '%s'" % (key, redis_key)
sql = "select `redis_values` from t_indexer_redis_data where `key` = %s and redis_key = %s"
cursor = db_conn.cursor(cursor=pymysql.cursors.DictCursor)
try:
cursor.execute(sql)
cursor.execute(sql, (key, redis_key))
row = cursor.fetchone()
return row["redis_values"]
except Exception as e:
Expand All @@ -53,10 +53,10 @@ def get_redis_data(network_id, key, redis_key):

def batch_get_redis_data(network_id, key):
db_conn = get_db_connect(network_id)
sql = "select redis_key, redis_values from t_indexer_redis_data where `key` = '%s'" % key
sql = "select redis_key, redis_values from t_indexer_redis_data where `key` = %s"
cursor = db_conn.cursor(cursor=pymysql.cursors.DictCursor)
try:
cursor.execute(sql)
cursor.execute(sql, key)
rows = cursor.fetchall()
return rows
except Exception as e:
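Review bot: `cursor.execute(sql, key)` in batch_get_redis_data passes a bare string as the parameter set, whereas get_redis_data in the hunk above passes a tuple; pymysql accepts a scalar for a single `%s`, but the tuple form is the documented one and keeps the two call sites consistent, so use `cursor.execute(sql, (key,))`. Moving `key` and `redis_key` out of the string and into execute arguments is the right fix for both queries. Both functions' `except Exception as e` handlers continue outside the hunk, so I cannot see whether a failed lookup is logged or silently yields None, which matters for get_redis_data where `row["redis_values"]` raises TypeError when fetchone returns no row.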
