[Feature Request] Front end for GetAnalytics
Closed this issue · 21 comments
boomzero commented
Checklist
- I have confirmed that the XMOJ enhancement script is up to date and that the latest version does not implement this feature.
- I have searched the Issues page and confirmed that this proposal has not been submitted before.
Description
```typescript
GetAnalytics: async (Data: object): Promise<Result> => {
    // Parameter shape check: Username must be a string
    ThrowErrorIfFailed(this.CheckParams(Data, {
        "Username": "string"
    }));
    // Only the user themselves or an admin may read these logs
    if (Data["Username"] !== this.Username && !this.IsAdmin()) {
        return new Result(false, "No permission to fetch this user's logs");
    }
    // Username is concatenated directly into the SQL text with no escaping
    const query = "SELECT index1 AS username, blob1 AS ip, blob2 AS path, timestamp FROM logdb WHERE index1='" + Data["Username"] + "' ORDER BY timestamp ASC";
    const API = `https://api.cloudflare.com/client/v4/accounts/${this.ACCOUNT_ID}/analytics_engine/sql`;
    const response = await fetch(API, {
        method: 'POST',
        headers: {
            'Authorization': `Bearer ${this.API_TOKEN}`,
        },
        body: query,
    });
    const responseJSON = await response.json();
    return new Result(true, "Analytics data fetched successfully", responseJSON);
},
};
```
Reason
No response
PythonSmall-Q commented
approve
langningchen commented
@boomzero @PythonSmall-Q Who wrote this back-end code?
langningchen commented
Building the SQL query by direct string concatenation
langningchen commented
And there is no filtering of the two strings either
langningchen commented
You should think hard about security
PythonSmall-Q commented
Boomzero wrote it
boomzero commented
...
… On Nov 26, 2023, at 17:19, Chen LangNing ***@***.***> wrote:
@boomzero <https://github.com/boomzero> @PythonSmall-Q <https://github.com/PythonSmall-Q> Who wrote this back-end code?
boomzero commented
There's no way to hack this, is there? Give it a try.
… On Nov 26, 2023, at 17:20, Chen LangNing ***@***.***> wrote:
Building the SQL query by direct string concatenation
boomzero commented
Reason: this is only the SQL API, not the database; it only supports SELECT.
… On Nov 26, 2023, at 17:20, Chen LangNing ***@***.***> wrote:
Building the SQL query by direct string concatenation
boomzero commented
So what can you do with it?
… On Nov 26, 2023, at 17:20, Chen LangNing ***@***.***> wrote:
You should think hard about security
langningchen commented
If someone is an Admin, then they can hack it
langningchen commented
For example, the simplest one: ' OR 1=1 ORDER BY timestamp ASC#
langningchen commented
boomzero commented
Added sqlstring's escape, fixed
… On Nov 28, 2023, at 20:50, Chen LangNing ***@***.***> wrote:
For example, the simplest one: ' OR 1=1 ORDER BY timestamp ASC#
boomzero commented
Take a look
… On Nov 28, 2023, at 20:50, Chen LangNing ***@***.***> wrote:
@boomzero <https://github.com/boomzero>
boomzero commented
langningchen commented
@boomzero I looked, very good! 👍
PythonSmall-Q commented
Why the hell did it get closed again
langningchen commented
@PythonSmall-Q That's the Actions you set up yourselves
boomzero commented
… (the stale criteria could be adjusted)
… On Dec 15, 2023, at 18:29, Langning Chen ***@***.***> wrote:
@PythonSmall-Q <https://github.com/PythonSmall-Q> That's the Actions you set up yourselves
boomzero commented
Never mind, nobody uses it, I won't write it