🐞 fix(view/api.py):修复一处代码安全隐患

9383eeb7 · wanli · 1566733f · 9383eeb7 · 9383eeb7
Commit 9383eeb7 authored Aug 10, 2021 by wanli
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 4 deletions

.gitignore .gitignore +1 -0

backend/view/api.py backend/view/api.py +13 -4

No files found.
--- a/.gitignore
+++ b/.gitignore
@@ -54,6 +54,7 @@ backend/backupData.json
 */app-store.db
 config.ini
 *.epk
+*.bc

 tools/build_out/application/config.py
 tools/build_out/logs

--- a/backend/view/api.py
+++ b/backend/view/api.py
@@ -170,6 +170,10 @@ def action_build():
    z = zipfile.ZipFile(zip_filepath, 'w')
    for f in request.files.getlist('binfile'):
        target = target_path.joinpath(f.filename)
+
+        if target.suffix != ".evue":
+            continue
+
        with open(target.resolve().as_posix(), "wb+") as fd:
            fd.write(f.stream.read())

@@ -198,10 +202,15 @@ def action_build():
        shutil.move(file.resolve().as_posix(), target_path.joinpath(file.name).resolve().as_posix())

    # 压缩
-    z.close()
-
-    result = Path(zip_filepath).resolve().relative_to(Path(config.get("UPLOAD_PATH"))).as_posix()
-    return response_result(ResponseCode.OK, data=result)
+    if len(dst_files):
+        z.close()
+        result = Path(zip_filepath).resolve().relative_to(Path(config.get("UPLOAD_PATH"))).as_posix()
+        return response_result(ResponseCode.OK, data={
+            'url': result,
+            'filename': os.path.basename(zip_filepath)
+        })
+    else:
+        return response_result(ResponseCode.SERVER_ERROR)

 @api.route("/monitor", methods=['GET', 'POST'])
 def action_monitor():