yuanhau/news-analyze
1
0
Fork 0
mirror of https://github.com/hpware/news-analyze.git synced 2025-06-23 13:04:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add getUserTokenMinusSQLInjection to prevent SQL Injection in via the
Some checks are pending
Build and Push Docker Image / build-and-push (push) Waiting to run
Details

Browse source 
cookies (that may be not possible, but it is a safety guard I want to
add. (Chat: https://t3.chat/chat/c1883e6a-6c38-4af3-9818-0e927449c61c)
This commit is contained in:
yuanhau 2025-06-10 09:39:11 +08:00
parent bd3a81dfbc
commit 2895263e52
10 changed files with 90 additions and 54 deletions
Download patch file Download diff file Expand all files Collapse all files

6
components/app/windows/news.vue
View file

@ -168,9 +168,11 @@ const jaccardSimilarity = (v1: any, v2: any) => {
return intersection.size / union.size; return intersection.size / union.size;
}; };
const findRel = async (title: string) => { /*
const findRel =
async (title: string) => {
const req = await fetch("/api/sort"); const req = await fetch("/api/sort");
}; };*/
// Check words // Check words
const checkIfEmptyArray = []; const checkIfEmptyArray = [];

2
components/app/windows/settings.vue
View file

@ -99,6 +99,8 @@ const deleteAccount = async () => {
const req = await fetch("/api/user/sendUserChanges", { const req = await fetch("/api/user/sendUserChanges", {
method: "DELETE", method: "DELETE",
}); });
const res = await res.json();
console.log(res);
}; };
const submitChangeAction = async (action: string) => { const submitChangeAction = async (action: string) => {

2
i18n/locales/en.json
View file

@ -138,7 +138,7 @@
"opennewwindow": "This will open a new window", "opennewwindow": "This will open a new window",
"similararticles": "Similar Articles", "similararticles": "Similar Articles",
"similarity": "Similarity", "similarity": "Similarity",
"nosimilararticles": "There isn't any similar articles.", "nosimilararticles": "There aren't any similar articles.",
"articleopenpart1": "This will open a open a new window about this new org", "articleopenpart1": "This will open a open a new window about this new org",
"articleopenpart2": "" "articleopenpart2": ""
} }

1
server/api/user/delete.ts
View file

@ -1 +0,0 @@
export default defineEventHandler(async (event) => {});

9
server/api/user/logout.ts
View file

@ -1,15 +1,16 @@
import getUserTokenMinusSQLInjection from "~/server/components/getUserToken";
export default defineEventHandler(async (event) => { export default defineEventHandler(async (event) => {
const loginCookie = getCookie(event, "session"); const loginCookie = await getUserTokenMinusSQLInjection(event);
const lastCheckCookie = getCookie(event, "last_check");
const nowDate = new Date().toLocaleString();
try { try {
if (loginCookie) { if (false) {
deleteCookie(event, "token"); deleteCookie(event, "token");
return { return {
success: true, success: true,
error: null, error: null,
}; };
} }
return "testing";
} catch (e) { } catch (e) {
return { return {
success: false, success: false,

36
server/api/user/sendUserChanges.delete.ts
View file

@ -1,6 +1,34 @@
import sql from "~/server/components/postgres";
import getUserTokenMinusSQLInjection from "~/server/components/getUserToken";
export default defineEventHandler(async (event) => { export default defineEventHandler(async (event) => {
const userToken = getCookie(event, "token"); try {
return { const userToken = await getUserTokenMinusSQLInjection(event);
token: userToken, if (userToken.error.length !== 0) {
}; return {
error: userToken.error,
};
}
// REMOVE OLD TOKENS
const removeToken = await sql`
DELETE FROM usertokens
WHERE username = ${userToken.user}
`;
console.log(removeToken);
// DELETE USER
const deleteUserAccount = await sql`
DELETE FROM users
WHERE username = ${userToken.user}
`;
console.log(deleteUserAccount);
deleteCookie(event, "token");
return {
success: true,
};
} catch (e) {
console.log(e);
return {
error: "INTERNAL_SERVER_ERROR",
e: e.message,
};
}
}); });

33
server/api/user/sendUserChanges.post.ts
View file

@ -1,17 +1,9 @@
import sql from "~/server/components/postgres"; import sql from "~/server/components/postgres";
import getUserTokenMinusSQLInjection from "~/server/components/getUserToken";
export default defineEventHandler(async (event) => { export default defineEventHandler(async (event) => {
// Check user data. // Check user data.
const userToken = getCookie(event, "token"); const token = await getUserTokenMinusSQLInjection(event);
if (!userToken) { if (token.error.length !== 0) {
return {
error: "ERR_NOT_ALLOWED",
};
}
const checkUserToken = await sql`
select * from usertokens
where token=${userToken}
`;
if (checkUserToken.length === 0) {
return { return {
error: "ERR_NOT_ALLOWED", error: "ERR_NOT_ALLOWED",
}; };
@ -37,26 +29,11 @@ export default defineEventHandler(async (event) => {
` `
UPDATE user_other_data SET ${requestChange} = $1 UPDATE user_other_data SET ${requestChange} = $1
WHERE username = $2`, WHERE username = $2`,
[apiKeyqq[0], checkUserToken[0].username], [apiKeyqq[0], token.user],
); );
/**
* // Example of how requestChange might be validated
const allowedColumns = ['groq_api_key', 'another_column_name'];
if (!allowedColumns.includes(requestChange)) {
throw new Error('Invalid column name provided');
}
const sqlC = await sql`
UPDATE user_other_data SET ${sql.identifier([requestChange])} = ${apiKeyqq[0]}
WHERE username = ${checkUserToken[0].username}`;
*/
return { return {
body: body,
allowed: allowed,
data: body.value.match(clearBadDataRegex),
sqlC: sqlC, sqlC: sqlC,
success: true,
}; };
} }
}); });

18
server/api/user/submitGroqKey.ts
View file

@ -1,19 +1,11 @@
import sql from "~/server/components/postgres"; import sql from "~/server/components/postgres";
import getUserTokenMinusSQLInjection from "~/server/components/getUserToken";
export default defineEventHandler(async (event) => { export default defineEventHandler(async (event) => {
// Check user data. // Check user data.
const userToken = getCookie(event, "token"); const user = getUserTokenMinusSQLInjection(event);
if (!userToken) { if (user.error.length !== 0) {
return { return {
error: "ERR_NOT_ALLOWED", error: user.error,
};
}
const checkUserToken = await sql`
select * from usertokens
where token=${userToken}
`;
if (checkUserToken.length === 0) {
return {
error: "ERR_NOT_ALLOWED",
}; };
} }
// Actual function // Actual function
@ -26,7 +18,7 @@ export default defineEventHandler(async (event) => {
` `
UPDATE user_other_data SET ${requestChange} = $1 UPDATE user_other_data SET ${requestChange} = $1
WHERE username = $2`, WHERE username = $2`,
[apiKeyqq[0], checkUserToken[0].username], [apiKeyqq[0], user.user],
); );
return { return {
body: body, body: body,

35
server/components/getUserToken.ts Normal file
View file

@ -0,0 +1,35 @@
import sql from "~/server/components/postgres";
export default async function getUserTokenMinusSQLInjection(event) {
const userToken = await getCookie(event, "token");
if (!userToken) {
return {
token: null,
user: null,
error: "NO_TOKEN",
};
}
const uuidRegex =
/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
if (!uuidRegex.test(userToken)) {
return {
token: null,
user: null,
error: "INVALID_TOKEN_FORMAT",
};
}
const getUser = await sql`
select * from usertokens
where token = ${userToken}`;
if (getUser.length === 0) {
return {
token: null,
user: null,
error: "NOT_AUTHED",
};
}
return {
token: userToken,
user: getUser[0].username,
error: "",
};
}

2
server_fixes.md
View file

@ -17,7 +17,7 @@ And also I wrote a super stupid cron fix, which is below.
## My stupid cron fix: ## My stupid cron fix:
Cron Job: Cron Job:
``` ```
0 1 * * * "bun run /hardpushrevolvconf.ts" > /dev/null 0 * * * * "bun run /hardpushrevolvconf.ts" > /dev/null
``` ```
Here is the script I used to force the change of my resolv.conf file: Here is the script I used to force the change of my resolv.conf file: