防止传入非法的属性key
@@ -72,6 +72,13 @@ var safePropertyRE = regexp.MustCompile(`[/"'\\\/]`)
|
|||||||
|
|
||||||
// 设置某些字段只允许包含字母、数字和下划线
|
// 设置某些字段只允许包含字母、数字和下划线
|
||||||
var onlyWordRE = regexp.MustCompile(`\W`)
|
var onlyWordRE = regexp.MustCompile(`\W`)
|
||||||
|
var nonWordCharRes = regexp.MustCompile(`[^\w]`)
|
||||||
|
|
||||||
|
func hasNonWordChar(s string) bool {
|
||||||
|
// 匹配非 \w 字符的正则表达式
|
||||||
|
return nonWordCharRes.MatchString(s)
|
||||||
|
}
|
||||||
|
|
||||||
var onlyWordPropertyNames = map[string]struct{}{
|
var onlyWordPropertyNames = map[string]struct{}{
|
||||||
"nickname": {},
|
"nickname": {},
|
||||||
}
|
}
|
||||||
@@ -83,7 +90,12 @@ func SetOnlyWordProperty(propertyNames ...string) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func safeProperty(property map[string]any) {
|
func safeProperty(property map[string]any) {
|
||||||
|
delkeys := []string{}
|
||||||
for k, v := range property {
|
for k, v := range property {
|
||||||
|
if hasNonWordChar(k) {
|
||||||
|
delkeys = append(delkeys, k)
|
||||||
|
continue
|
||||||
|
}
|
||||||
if _, ok := onlyWordPropertyNames[k]; ok {
|
if _, ok := onlyWordPropertyNames[k]; ok {
|
||||||
if _, ok := v.(string); ok {
|
if _, ok := v.(string); ok {
|
||||||
property[k] = onlyWordRE.ReplaceAllString(gconv.String(v), "*")
|
property[k] = onlyWordRE.ReplaceAllString(gconv.String(v), "*")
|
||||||
@@ -93,6 +105,9 @@ func safeProperty(property map[string]any) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
for _, delkey := range delkeys {
|
||||||
|
delete(property, delkey)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func getLocationMapValue(key string) *time.Location {
|
func getLocationMapValue(key string) *time.Location {
|
||||||
|
|||||||
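Review bot: The new key check in `safeProperty` relies on `hasNonWordChar`, which only reports characters outside `\w`, so an empty key `""` passes it, and because Go's `\w` is ASCII-only, any key containing non-ASCII letters is deleted. If the intent is "a key is one or more word characters", an anchored allowlist states that directly: `var validKeyRE = regexp.MustCompile("^\\w+$")` with `if !validKeyRE.MatchString(k) {`; this would also replace `nonWordCharRes`, which is equivalent to the existing `onlyWordRE` (`\W`). The deletion is silent, so a caller sending malformed keys leaves no trace; consider logging each rejected key quoted with `%q`, or returning the dropped keys, so rejected input shows up in monitoring. The comment `// 匹配非 \w 字符的正则表达式` describes the regexp and belongs on the `nonWordCharRes` declaration rather than inside the function body. Part of `safeProperty` lies between the second and third hunks and is not visible here, so it is unclear from this page whether keys of nested map values are checked as well.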