llvy.ltd/casdoor
1
0
Fork 0
mirror of https://github.com/casdoor/casdoor.git synced 2025-07-02 11:20:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: add FieldValidationFilter to check object names (#3877)

Browse Source
This commit is contained in:
千石
2025-06-17 01:11:35 -07:00
committed by GitHub
parent 6dc7b4d533
commit af231bf946
2 changed files with 57 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
main.go
View File

@ -63,6 +63,7 @@ func main() {
beego.InsertFilter("*", beego.BeforeRouter, routers.ApiFilter) beego.InsertFilter("*", beego.BeforeRouter, routers.ApiFilter)
beego.InsertFilter("*", beego.BeforeRouter, routers.PrometheusFilter) beego.InsertFilter("*", beego.BeforeRouter, routers.PrometheusFilter)
beego.InsertFilter("*", beego.BeforeRouter, routers.RecordMessage) beego.InsertFilter("*", beego.BeforeRouter, routers.RecordMessage)
beego.InsertFilter("*", beego.BeforeRouter, routers.FieldValidationFilter)
beego.InsertFilter("*", beego.AfterExec, routers.AfterRecordMessage, false) beego.InsertFilter("*", beego.AfterExec, routers.AfterRecordMessage, false)
beego.BConfig.WebConfig.Session.SessionOn = true beego.BConfig.WebConfig.Session.SessionOn = true

56
routers/field_validation_filter.go Normal file
View File

@ -0,0 +1,56 @@
// Copyright 2025 The Casdoor Authors. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package routers
import (
"encoding/json"
"fmt"
"io"
"strings"
"github.com/beego/beego/context"
)
var forbiddenChars = `/?:@#&%=+;`
func FieldValidationFilter(ctx *context.Context) {
if ctx.Input.Method() != "POST" {
return
}
urlPath := ctx.Request.URL.Path
if !(strings.HasPrefix(urlPath, "/api/add-") || strings.HasPrefix(urlPath, "/api/update-")) {
return
}
bodyBytes, err := io.ReadAll(ctx.Request.Body)
if err != nil || len(bodyBytes) == 0 {
return
}
ctx.Request.Body = io.NopCloser(strings.NewReader(string(bodyBytes)))
var requestData map[string]interface{}
if err := json.Unmarshal(bodyBytes, &requestData); err != nil {
return
}
if value, ok := requestData["name"].(string); ok {
if strings.ContainsAny(value, forbiddenChars) {
responseError(ctx, fmt.Sprintf("Field 'name' contains forbidden characters: %q", forbiddenChars))
return
}
}
}