fix(security): potential XSS vulnerabilities (#896)

2025-09-19 04:06:18 +08:00 · 2025-07-31 12:57:20 +08:00
parent cf912dcf7a
commit 9469c95b14
2 changed files with 33 additions and 1 deletions
--- a/internal/op/storage.go
+++ b/internal/op/storage.go
@ -3,6 +3,7 @@ package op
 import (
 	"context"
 	"fmt"
+	"reflect"
 	"runtime"
 	"sort"
 	"strings"
@ -135,7 +136,11 @@ func initStorage(ctx context.Context, storage model.Storage, storageDriver drive
 	}
 	storagesMap.Store(driverStorage.MountPath, storageDriver)
 	if err != nil {
+		if IsUseOnlineAPI(storageDriver) {
+			driverStorage.SetStatus(utils.SanitizeHTML(err.Error()))
+		} else {
 			driverStorage.SetStatus(err.Error())
+		}
 		err = errors.Wrap(err, "failed init storage")
 	} else {
 		driverStorage.SetStatus(WORK)
@ -144,6 +149,24 @@ func initStorage(ctx context.Context, storage model.Storage, storageDriver drive
 	return err
 }

+func IsUseOnlineAPI(storageDriver driver.Driver) bool {
+	v := reflect.ValueOf(storageDriver.GetAddition())
+	if v.Kind() == reflect.Ptr {
+		v = v.Elem()
+	}
+	if !v.IsValid() || v.Kind() != reflect.Struct {
+		return false
+	}
+	field_v := v.FieldByName("UseOnlineAPI")
+	if !field_v.IsValid() {
+		return false
+	}
+	if field_v.Kind() != reflect.Bool {
+		return false
+	}
+	return field_v.Bool()
+}
+
 func EnableStorage(ctx context.Context, id uint) error {
 	storage, err := db.GetStorageById(id)
 	if err != nil {
--- a/pkg/utils/html.go
+++ b/pkg/utils/html.go
@ -0,0 +1,9 @@
+package utils
+
+import "github.com/microcosm-cc/bluemonday"
+
+var htmlSanitizePolicy = bluemonday.StrictPolicy()
+
+func SanitizeHTML(s string) string {
+	return htmlSanitizePolicy.Sanitize(s)
+}