fix: potential XSS vulnerabilities (#7923)

* fix: potential XSS vulnerabilities * feat: support filter and render for readme.md * chore: set ReadMeAutoRender to true * fix attachFileName undefined --------- Co-authored-by: Andy Hsu <i@nn.ci>
2025-03-15 23:28:40 +08:00
parent 04f5525f20
commit c82e632ee1
5 changed files with 82 additions and 2 deletions
--- a/server/common/proxy.go
+++ b/server/common/proxy.go
@ -1,23 +1,87 @@
 package common

 import (
+	"bytes"
 	"context"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
+	"strconv"
 	"strings"

+	"github.com/alist-org/alist/v3/internal/conf"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/net"
+	"github.com/alist-org/alist/v3/internal/setting"
 	"github.com/alist-org/alist/v3/internal/stream"
 	"github.com/alist-org/alist/v3/pkg/http_range"
 	"github.com/alist-org/alist/v3/pkg/utils"
+	"github.com/microcosm-cc/bluemonday"
 	log "github.com/sirupsen/logrus"
+	"github.com/yuin/goldmark"
 )

+func processMarkdown(content []byte) ([]byte, error) {
+	var buf bytes.Buffer
+	if err := goldmark.New().Convert(content, &buf); err != nil {
+		return nil, fmt.Errorf("markdown conversion failed: %w", err)
+	}
+	return bluemonday.UGCPolicy().SanitizeBytes(buf.Bytes()), nil
+}
+
 func Proxy(w http.ResponseWriter, r *http.Request, link *model.Link, file model.Obj) error {
+
+	//优先处理md文件
+	if utils.Ext(file.GetName()) == "md" && setting.GetBool(conf.FilterReadMeScripts) {
+		var markdownContent []byte
+		var err error
+
+		if link.MFile != nil {
+			defer link.MFile.Close()
+			attachHeader(w, file)
+			markdownContent, err = io.ReadAll(link.MFile)
+			if err != nil {
+				return fmt.Errorf("failed to read markdown content: %w", err)
+			}
+
+		} else {
+			header := net.ProcessHeader(r.Header, link.Header)
+			res, err := net.RequestHttp(r.Context(), r.Method, header, link.URL)
+			if err != nil {
+				return err
+			}
+			defer res.Body.Close()
+			for h, v := range res.Header {
+				w.Header()[h] = v
+			}
+			w.WriteHeader(res.StatusCode)
+			if r.Method == http.MethodHead {
+				return nil
+			}
+			markdownContent, err = io.ReadAll(res.Body)
+			if err != nil {
+				return fmt.Errorf("failed to read markdown content: %w", err)
+			}
+
+		}
+
+		safeHTML, err := processMarkdown(markdownContent)
+		if err != nil {
+			return err
+		}
+
+		safeHTMLReader := bytes.NewReader(safeHTML)
+		w.Header().Set("Content-Length", strconv.FormatInt(int64(len(safeHTML)), 10))
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		_, err = utils.CopyWithBuffer(w, safeHTMLReader)
+		if err != nil {
+			return err
+		}
+		return nil
+	}
+
 	if link.MFile != nil {
 		defer link.MFile.Close()
 		attachHeader(w, file)