mirror of
https://github.com/labring/FastGPT.git
synced 2025-10-15 15:41:05 +00:00
@@ -1,4 +1,33 @@
|
||||
// Function to escape CSV fields to prevent injection attacks
|
||||
export const sanitizeCsvField = (field: String): string => {
|
||||
if (field == null) return '';
|
||||
|
||||
let fieldStr = String(field);
|
||||
|
||||
// Check for dangerous starting characters that could cause CSV injection
|
||||
if (fieldStr.match(/^[\=\+\-\@\|]/)) {
|
||||
// Add prefix to neutralize potential formula injection
|
||||
fieldStr = `'${fieldStr}`;
|
||||
}
|
||||
|
||||
// Handle special characters that need escaping in CSV
|
||||
if (
|
||||
fieldStr.includes(',') ||
|
||||
fieldStr.includes('"') ||
|
||||
fieldStr.includes('\n') ||
|
||||
fieldStr.includes('\r')
|
||||
) {
|
||||
// Escape quotes and wrap field in quotes
|
||||
fieldStr = `"${fieldStr.replace(/"/g, '""')}"`;
|
||||
}
|
||||
|
||||
return fieldStr;
|
||||
};
|
||||
|
||||
export const generateCsv = (headers: string[], data: string[][]) => {
|
||||
const csv = [headers.join(','), ...data.map((row) => row.join(','))].join('\n');
|
||||
const sanitizedHeaders = headers.map((header) => sanitizeCsvField(header));
|
||||
const sanitizedData = data.map((row) => row.map((cell) => sanitizeCsvField(cell)));
|
||||
|
||||
const csv = [sanitizedHeaders.join(','), ...sanitizedData.map((row) => row.join(','))].join('\n');
|
||||
return csv;
|
||||
};
|
||||
|
@@ -1,7 +1,7 @@
|
||||
import Cookie from 'cookie';
|
||||
import { ERROR_ENUM } from '@fastgpt/global/common/error/errorCode';
|
||||
import jwt from 'jsonwebtoken';
|
||||
import { type NextApiResponse } from 'next';
|
||||
import { type NextApiResponse, type NextApiRequest } from 'next';
|
||||
import type { AuthModeType, ReqHeaderAuthType } from './type.d';
|
||||
import type { PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
|
||||
import { AuthUserTypeEnum } from '@fastgpt/global/support/permission/constant';
|
||||
@@ -231,7 +231,7 @@ export async function parseHeaderCert({
|
||||
return Promise.reject(ERROR_ENUM.unAuthorization);
|
||||
}
|
||||
|
||||
return authUserSession(cookieToken);
|
||||
return { ...(await authUserSession(cookieToken)), sessionId: cookieToken };
|
||||
}
|
||||
// from authorization get apikey
|
||||
async function parseAuthorization(authorization?: string) {
|
||||
@@ -283,7 +283,7 @@ export async function parseHeaderCert({
|
||||
|
||||
const { cookie, token, rootkey, authorization } = (req.headers || {}) as ReqHeaderAuthType;
|
||||
|
||||
const { uid, teamId, tmbId, appId, openApiKey, authType, isRoot, sourceName } =
|
||||
const { uid, teamId, tmbId, appId, openApiKey, authType, isRoot, sourceName, sessionId } =
|
||||
await (async () => {
|
||||
if (authApiKey && authorization) {
|
||||
// apikey from authorization
|
||||
@@ -309,7 +309,8 @@ export async function parseHeaderCert({
|
||||
appId: '',
|
||||
openApiKey: '',
|
||||
authType: AuthUserTypeEnum.token,
|
||||
isRoot: res.isRoot
|
||||
isRoot: res.isRoot,
|
||||
sessionId: res.sessionId
|
||||
};
|
||||
}
|
||||
if (authRoot && rootkey) {
|
||||
@@ -341,7 +342,8 @@ export async function parseHeaderCert({
|
||||
authType,
|
||||
sourceName,
|
||||
apikey: openApiKey,
|
||||
isRoot: !!isRoot
|
||||
isRoot: !!isRoot,
|
||||
sessionId
|
||||
};
|
||||
}
|
||||
|
||||
@@ -353,6 +355,7 @@ export const setCookie = (res: NextApiResponse, token: string) => {
|
||||
`${TokenName}=${token}; Path=/; HttpOnly; Max-Age=604800; Samesite=Strict;`
|
||||
);
|
||||
};
|
||||
|
||||
/* clear cookie */
|
||||
export const clearCookie = (res: NextApiResponse) => {
|
||||
res.setHeader('Set-Cookie', `${TokenName}=; Path=/; Max-Age=0`);
|
||||
|
@@ -83,12 +83,11 @@ const getSession = async (key: string): Promise<SessionType> => {
|
||||
return Promise.reject(ERROR_ENUM.unAuthorization);
|
||||
}
|
||||
};
|
||||
|
||||
export const delUserAllSession = async (userId: string, whileList?: string[]) => {
|
||||
const formatWhileList = whileList?.map((item) => getSessionKey(item));
|
||||
export const delUserAllSession = async (userId: string, whiteList?: (string | undefined)[]) => {
|
||||
const formatWhiteList = whiteList?.map((item) => item && getSessionKey(item));
|
||||
const redis = getGlobalRedisConnection();
|
||||
const keys = (await getAllKeysByPrefix(`${redisPrefix}${userId}`)).filter(
|
||||
(item) => !formatWhileList?.includes(item)
|
||||
(item) => !formatWhiteList?.includes(item)
|
||||
);
|
||||
|
||||
if (keys.length > 0) {
|
||||
|
Reference in New Issue
Block a user