From 9469c95b14b655722b8db0f68083dcbcf338c6cf Mon Sep 17 00:00:00 2001
From: hshpy
Date: Thu, 31 Jul 2025 12:57:20 +0800
Subject: [PATCH] fix(security): potential XSS vulnerabilities (#896)

---
 internal/op/storage.go | 25 ++++++++++++++++++++++++-
 pkg/utils/html.go | 9 +++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 pkg/utils/html.go

diff --git a/internal/op/storage.go b/internal/op/storage.go
index d2406556..f24a098d 100644
--- a/internal/op/storage.go
+++ b/internal/op/storage.go
@@ -3,6 +3,7 @@ package op
 import (
 	"context"
 	"fmt"
+	"reflect"
 	"runtime"
 	"sort"
 	"strings"
@@ -135,7 +136,11 @@ func initStorage(ctx context.Context, storage model.Storage, storageDriver drive
 	}
 	storagesMap.Store(driverStorage.MountPath, storageDriver)
 	if err != nil {
-		driverStorage.SetStatus(err.Error())
+		if IsUseOnlineAPI(storageDriver) {
+			driverStorage.SetStatus(utils.SanitizeHTML(err.Error()))
+		} else {
+			driverStorage.SetStatus(err.Error())
+		}
 		err = errors.Wrap(err, "failed init storage")
 	} else {
 		driverStorage.SetStatus(WORK)
@@ -144,6 +149,24 @@ func initStorage(ctx context.Context, storage model.Storage, storageDriver drive
 	return err
 }
 
+func IsUseOnlineAPI(storageDriver driver.Driver) bool {
+	v := reflect.ValueOf(storageDriver.GetAddition())
+	if v.Kind() == reflect.Ptr {
+		v = v.Elem()
+	}
+	if !v.IsValid() || v.Kind() != reflect.Struct {
+		return false
+	}
+	field_v := v.FieldByName("UseOnlineAPI")
+	if !field_v.IsValid() {
+		return false
+	}
+	if field_v.Kind() != reflect.Bool {
+		return false
+	}
+	return field_v.Bool()
+}
+
 func EnableStorage(ctx context.Context, id uint) error {
 	storage, err := db.GetStorageById(id)
 	if err != nil {
diff --git a/pkg/utils/html.go b/pkg/utils/html.go
new file mode 100644
index 00000000..0f5fd491
--- /dev/null
+++ b/pkg/utils/html.go
@@ -0,0 +1,9 @@
+package utils
+
+import "github.com/microcosm-cc/bluemonday"
+
+var htmlSanitizePolicy = bluemonday.StrictPolicy()
+
+func SanitizeHTML(s string) string {
+	return htmlSanitizePolicy.Sanitize(s)
+}
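Review bot: The `else` branch in the second hunk still stores `err.Error()` unsanitized for every driver whose addition does not set UseOnlineAPI, so the guard narrows the fix to one class of driver while any driver that folds a remote response into its error text (not visible here, so inferred) carries the same exposure. If the stored status is rendered as HTML anywhere, the robust form is to sanitize or escape it for every driver, i.e. `driverStorage.SetStatus(utils.SanitizeHTML(err.Error()))` with no branch, or better to escape at the rendering layer so the stored string stays the raw error. Note that bluemonday's strict policy strips markup and entity-encodes the remaining text, so a status consumed as plain text (logs, JSON API) will show `&lt;`-style escapes literally; worth confirming against the consumers of GetStatus. initStorage begins before this hunk and its closing lines sit in the next one.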
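Review bot: IsUseOnlineAPI in the third hunk is exported with no doc comment, and `field_v` breaks Go's MixedCaps naming. Suggest `// IsUseOnlineAPI reports whether the driver's addition is a struct (or pointer to one) whose bool field UseOnlineAPI is true; nil, non-struct additions and a missing or non-bool field yield false.` Renaming the local to `field` and folding the two trailing checks into `return field.IsValid() && field.Kind() == reflect.Bool && field.Bool()` keeps the same behavior in fewer lines.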
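Review bot: The new file imports the third-party bluemonday module, yet the diffstat lists only two files, so go.mod and go.sum are not part of this change; unless bluemonday is already a direct requirement the build will fail and the dependency version is left unpinned by this patch, which is worth confirming before merge. Both htmlSanitizePolicy and the exported SanitizeHTML lack doc comments; suggest `// SanitizeHTML removes every HTML element and attribute from s using bluemonday's strict policy and returns the remaining text.` If the only requirement is that a status string never be interpreted as markup, the standard library's `html.EscapeString` would do without a new dependency, though which is appropriate depends on how the status is rendered, which this patch does not show.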