XMOJ-Script-dev/XMOJ-Script

[Feature Request] GetAnalytics的前端

Closed this issue 5 months ago · 21 comments

boomzero commented 7 months ago

检查项

我已确认了XMOJ增强脚本已为最新版，且最新版未实现这一功能。
我已在 Issues 页面中搜索，确认了这一提案未被提交过。

描述

        GetAnalytics: async (Data: object): Promise<Result> => {
            ThrowErrorIfFailed(this.CheckParams(Data, {
                "Username": "string"
            }));
            if (Data["Username"] !== this.Username && !this.IsAdmin()) {
                return new Result(false, "没有权限获取此用户日志");
            }
            const query = "SELECT index1 AS username, blob1 AS ip, blob2 AS path, timestamp FROM logdb WHERE index1=\'" + Data["Username"] + "\' ORDER BY timestamp ASC"
            const API = `https://api.cloudflare.com/client/v4/accounts/${this.ACCOUNT_ID}/analytics_engine/sql`;
            const response = await fetch(API, {
                method: 'POST',
                headers: {
                    'Authorization': `Bearer ${this.API_TOKEN}`,
                },
                body: query,
            });
            const responseJSON = await response.json();
            return new Result(true, "获得分析数据成功", responseJSON);
        },
    };

原因

No response

PythonSmall-Q commented 7 months ago

approve

langningchen commented 7 months ago

@boomzero @PythonSmall-Q 这是谁写的后段代码？

langningchen commented 7 months ago

直接用字符串拼接查询SQL

langningchen commented 7 months ago

而且两个字符串过滤也没有

langningchen commented 7 months ago

你们好好想想安全性吧

PythonSmall-Q commented 7 months ago

Boomzero写的

boomzero commented 7 months ago

...

On Nov 26, 2023, at 17:19, Chen LangNing ***@***.***> wrote: @boomzero <https://github.com/boomzero> @PythonSmall-Q <https://github.com/PythonSmall-Q> 这是谁写的后段代码？ — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AULMJZOUZ5KMZ7ATUMFVUBLYGMCSRAVCNFSM6AAAAAA72DCKE6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRWG4ZTCOJQHE>. You are receiving this because you were mentioned.

boomzero commented 7 months ago

这个没法hack吧，你试试？

On Nov 26, 2023, at 17:20, Chen LangNing ***@***.***> wrote: 直接用字符串拼接查询SQL — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AULMJZJEIRG6S4FX5BS3J7DYGMCVNAVCNFSM6AAAAAA72DCKE6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRWG4ZTEMJQG4>. You are receiving this because you were mentioned.

boomzero commented 7 months ago

原因：这只是SQL API,不是数据库，只支持select

On Nov 26, 2023, at 17:20, Chen LangNing ***@***.***> wrote: 直接用字符串拼接查询SQL — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AULMJZJEIRG6S4FX5BS3J7DYGMCVNAVCNFSM6AAAAAA72DCKE6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRWG4ZTEMJQG4>. You are receiving this because you were mentioned.

boomzero commented 7 months ago

所以你能干什么？

On Nov 26, 2023, at 17:20, Chen LangNing ***@***.***> wrote: 你们好好想想安全性吧 — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AULMJZJG677G27G7MO2JCFTYGMCWXAVCNFSM6AAAAAA72DCKE6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRWG4ZTEMJXHE>. You are receiving this because you were mentioned.

langningchen commented 7 months ago

如果一个人是 Admin ，那他就能 Hack

langningchen commented 7 months ago

比如最简单的，' OR 1=1 ORDER BY timestamp ASC#

langningchen commented 7 months ago

boomzero commented 7 months ago

加了sqlstring 的 escape，fixed

On Nov 28, 2023, at 20:50, Chen LangNing ***@***.***> wrote: 比如最简单的，' OR 1=1 ORDER BY timestamp ASC# — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AULMJZLKWHDKAI5ZWNB6JATYGXM2VAVCNFSM6AAAAAA72DCKE6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRZG44DAMZZGQ>. You are receiving this because you were mentioned.

boomzero commented 7 months ago

你看一下

On Nov 28, 2023, at 20:50, Chen LangNing ***@***.***> wrote: @boomzero <https://github.com/boomzero> — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AULMJZOCAZ6XEQLBODXQHM3YGXM3HAVCNFSM6AAAAAA72DCKE6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRZG44DANRUHA>. You are receiving this because you were mentioned.

boomzero commented 7 months ago

langningchen commented 7 months ago

@boomzero 我看了，很好！ 👍

PythonSmall-Q commented 7 months ago

我tm怎么又被close了

langningchen commented 7 months ago

@PythonSmall-Q 你们自己设置的 actions

boomzero commented 7 months ago

… (stale的标准可以改一下）

On Dec 15, 2023, at 18:29, Langning Chen ***@***.***> wrote: @PythonSmall-Q <https://github.com/PythonSmall-Q> 你们自己设置的 actions — Reply to this email directly, view it on GitHub <#249 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AULMJZLKSTOTED47OAK6IZ3YJQRBBAVCNFSM6AAAAAA72DCKE6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNJXGYZTOMBYHA>. You are receiving this because you were mentioned.

boomzero commented 5 months ago

~~没事, 没人用, 不写了~~