perf:过滤内容中的非法字符，增强安全性

commands/command.go

@@ -71,7 +71,7 @@ func RegisterDataBase() {
 		dbPath := filepath.Dir(database)
 
 		if _, err := os.Stat(dbPath); err != nil && os.IsNotExist(err) {
-			os.MkdirAll(dbPath, 0777)
+			_ = os.MkdirAll(dbPath, 0777)
 		}
 
 		err := orm.RegisterDataBase("default", "sqlite3", database)
@@ -117,7 +117,7 @@ func RegisterModel() {
 func RegisterLogger(log string) {
 
 	logs.SetLogFuncCall(true)
-	logs.SetLogger("console")
+	_ = logs.SetLogger("console")
 	logs.EnableFuncCallDepth(true)
 
 	if beego.AppConfig.DefaultBool("log_is_async", true) {
@@ -135,7 +135,7 @@ func RegisterLogger(log string) {
 	logPath := filepath.Join(log, "log.log")
 
 	if _, err := os.Stat(log); os.IsNotExist(err) {
-		os.MkdirAll(log, 0777)
+		_ = os.MkdirAll(log, 0755)
 	}
 
 	config := make(map[string]interface{}, 1)
@@ -159,37 +159,37 @@ func RegisterLogger(log string) {
 	if level := beego.AppConfig.DefaultString("log_level", "Trace"); level != "" {
 		switch level {
 		case "Emergency":
-			config["level"] = beego.LevelEmergency;
+			config["level"] = beego.LevelEmergency
 			break
 		case "Alert":
-			config["level"] = beego.LevelAlert;
+			config["level"] = beego.LevelAlert
 			break
 		case "Critical":
-			config["level"] = beego.LevelCritical;
+			config["level"] = beego.LevelCritical
 			break
 		case "Error":
-			config["level"] = beego.LevelError;
+			config["level"] = beego.LevelError
 			break
 		case "Warning":
-			config["level"] = beego.LevelWarning;
+			config["level"] = beego.LevelWarning
 			break
 		case "Notice":
-			config["level"] = beego.LevelNotice;
+			config["level"] = beego.LevelNotice
 			break
 		case "Informational":
-			config["level"] = beego.LevelInformational;
+			config["level"] = beego.LevelInformational
 			break
 		case "Debug":
-			config["level"] = beego.LevelDebug;
+			config["level"] = beego.LevelDebug
 			break
 		}
 	}
-	b, err := json.Marshal(config);
+	b, err := json.Marshal(config)
 	if err != nil {
 		beego.Error("初始化文件日志时出错 ->", err)
-		beego.SetLogger("file", `{"filename":"`+logPath+`"}`)
+		_ = beego.SetLogger("file", `{"filename":"`+logPath+`"}`)
 	} else {
-		beego.SetLogger(logs.AdapterFile, string(b))
+		_ = beego.SetLogger(logs.AdapterFile, string(b))
 	}
 
 	beego.SetLogFuncCall(true)
@@ -283,7 +283,9 @@ func ResolveCommand(args []string) {
 	flagSet.StringVar(&conf.WorkingDirectory, "dir", "", "MinDoc working directory.")
 	flagSet.StringVar(&conf.LogFile, "log", "", "MinDoc log file path.")
 
-	flagSet.Parse(args)
+	if err := flagSet.Parse(args); err != nil {
+		log.Fatal("解析命令失败 ->", err)
+	}
 
 	if conf.WorkingDirectory == "" {
 		if p, err := filepath.Abs(os.Args[0]); err == nil {
@@ -295,7 +297,7 @@ func ResolveCommand(args []string) {
 		conf.ConfigurationFile = conf.WorkingDir("conf", "app.conf")
 		config := conf.WorkingDir("conf", "app.conf.example")
 		if !filetil.FileExists(conf.ConfigurationFile) && filetil.FileExists(config) {
-			filetil.CopyFile(conf.ConfigurationFile, config)
+			_ = filetil.CopyFile(conf.ConfigurationFile, config)
 		}
 	}
 	if err := gocaptcha.ReadFonts(conf.WorkingDir("static", "fonts"), ".ttf"); err != nil {
@@ -317,7 +319,7 @@ func ResolveCommand(args []string) {
 	conf.AutoLoadDelay = beego.AppConfig.DefaultInt("config_auto_delay", 0)
 	uploads := conf.WorkingDir("uploads")
 
-	os.MkdirAll(uploads, 0666)
+	_ = os.MkdirAll(uploads, 0666)
 
 	beego.BConfig.WebConfig.StaticDir["/static"] = filepath.Join(conf.WorkingDirectory, "static")
 	beego.BConfig.WebConfig.StaticDir["/uploads"] = uploads
@@ -328,7 +330,9 @@ func ResolveCommand(args []string) {
 	if !filetil.FileExists(fonts) {
 		log.Fatal("Font path not exist.")
 	}
-	gocaptcha.ReadFonts(filepath.Join(conf.WorkingDirectory, "static", "fonts"), ".ttf")
+	if err := gocaptcha.ReadFonts(filepath.Join(conf.WorkingDirectory, "static", "fonts"), ".ttf"); err != nil {
+		log.Fatal("读取字体失败 ->", err)
+	}
 
 	RegisterDataBase()
 	RegisterCache()
@@ -368,7 +372,7 @@ func RegisterCache() {
 			os.Exit(1)
 		}
 
-		fileCache.StartAndGC(string(bc))
+		_ = fileCache.StartAndGC(string(bc))
 
 		cache.Init(fileCache)
 
@@ -461,7 +465,7 @@ func RegisterAutoLoadConfig() {
 						RegisterLogger("")
 						beego.Info("配置文件已加载 ->", conf.ConfigurationFile)
 					} else if ev.IsRename() {
-						watcher.WatchFlags(conf.ConfigurationFile, fsnotify.FSN_MODIFY|fsnotify.FSN_RENAME)
+						_ = watcher.WatchFlags(conf.ConfigurationFile, fsnotify.FSN_MODIFY|fsnotify.FSN_RENAME)
 					}
 					beego.Info(ev.String())
 				case err := <-watcher.Error:
@@ -489,9 +493,9 @@ func RegisterError() {
 		data["ErrorMessage"] = "页面未找到或已删除"
 
 		if err := beego.ExecuteViewPathTemplate(&buf, "errors/error.tpl", beego.BConfig.WebConfig.ViewsPath, data); err == nil {
-			fmt.Fprint(writer, buf.String())
+			_, _ = fmt.Fprint(writer, buf.String())
 		} else {
-			fmt.Fprint(writer, data["ErrorMessage"])
+			_, _ = fmt.Fprint(writer, data["ErrorMessage"])
 		}
 	})
 	beego.ErrorHandler("401", func(writer http.ResponseWriter, request *http.Request) {
@@ -502,9 +506,9 @@ func RegisterError() {
 		data["ErrorMessage"] = "请与 Web 服务器的管理员联系，以确认您是否具有访问所请求资源的权限。"
 
 		if err := beego.ExecuteViewPathTemplate(&buf, "errors/error.tpl", beego.BConfig.WebConfig.ViewsPath, data); err == nil {
-			fmt.Fprint(writer, buf.String())
+			_, _ = fmt.Fprint(writer, buf.String())
 		} else {
-			fmt.Fprint(writer, data["ErrorMessage"])
+			_, _ = fmt.Fprint(writer, data["ErrorMessage"])
 		}
 	})
 }
@@ -514,7 +518,9 @@ func init() {
 	if configPath, err := filepath.Abs(conf.ConfigurationFile); err == nil {
 		conf.ConfigurationFile = configPath
 	}
-	gocaptcha.ReadFonts(conf.WorkingDir("static", "fonts"), ".ttf")
+	if err := gocaptcha.ReadFonts(conf.WorkingDir("static", "fonts"), ".ttf"); err != nil {
+		log.Fatal("读取字体文件失败 ->", err)
+	}
 	gob.Register(models.Member{})
 
 	if p, err := filepath.Abs(os.Args[0]); err == nil {

controllers/BookController.go

@@ -84,6 +84,7 @@ func (c *BookController) Dashboard() {
 			c.Abort("403")
 		}
 		c.Abort("500")
+		return
 	}
 
 	c.Data["Description"] = template.HTML(blackfriday.Run([]byte(book.Description)))
@@ -110,6 +111,7 @@ func (c *BookController) Setting() {
 			c.Abort("403")
 		}
 		c.Abort("500")
+		return
 	}
 	//如果不是创始人也不是管理员则不能操作
 	if book.RoleId != conf.BookFounder && book.RoleId != conf.BookAdmin {
@@ -231,6 +233,7 @@ func (c *BookController) PrivatelyOwned() {
 
 	if err != nil {
 		c.JsonResult(6001, err.Error())
+		return
 	}
 	//只有创始人才能变更私有状态
 	if bookResult.RoleId != conf.BookFounder {
@@ -241,6 +244,7 @@ func (c *BookController) PrivatelyOwned() {
 
 	if err != nil {
 		c.JsonResult(6005, "项目不存在")
+		return
 	}
 	book.PrivatelyOwned = state
 
@@ -278,6 +282,7 @@ func (c *BookController) Transfer() {
 
 	if err != nil {
 		c.JsonResult(6001, err.Error())
+		return
 	}
 
 	err = models.NewRelationship().Transfer(bookResult.BookId, c.Member.MemberId, member.MemberId)
@@ -296,6 +301,7 @@ func (c *BookController) UploadCover() {
 
 	if err != nil {
 		c.JsonResult(6001, err.Error())
+		return
 	}
 	book, err := models.NewBook().Find(bookResult.BookId)
 
@@ -309,6 +315,7 @@ func (c *BookController) UploadCover() {
 	if err != nil {
 		logs.Error("获取上传文件失败 ->", err.Error())
 		c.JsonResult(500, "读取文件异常")
+		return
 	}
 	defer file.Close()
 
@@ -405,6 +412,7 @@ func (c *BookController) Users() {
 			c.Abort("403")
 		}
 		c.Abort("500")
+		return
 	}
 	//如果不是创始人也不是管理员则不能操作
 	if book.RoleId != conf.BookFounder && book.RoleId != conf.BookAdmin {
@@ -692,6 +700,7 @@ func (c *BookController) Delete() {
 
 	if err != nil {
 		c.JsonResult(6001, err.Error())
+		return
 	}
 
 	if bookResult.RoleId != conf.BookFounder {
@@ -721,7 +730,9 @@ func (c *BookController) Release() {
 	if c.Member.IsAdministrator() {
 		book, err := models.NewBook().FindByFieldFirst("identify", identify)
 		if err != nil {
-
+			beego.Error("发布文档失败 ->", err)
+			c.JsonResult(6003, "文档不存在")
+			return
 		}
 		bookId = book.BookId
 	} else {
@@ -747,7 +758,7 @@ func (c *BookController) Release() {
 
 		//当文档发布后，需要删除已缓存的转换项目
 		outputPath := filepath.Join(conf.GetExportOutputPath(), strconv.Itoa(bookId))
-		os.RemoveAll(outputPath)
+		_ = os.RemoveAll(outputPath)
 
 	}(identify)
 
@@ -763,13 +774,14 @@ func (c *BookController) SaveSort() {
 		c.Abort("404")
 	}
 
-	book_id := 0
+	bookId := 0
 	if c.Member.IsAdministrator() {
 		book, err := models.NewBook().FindByFieldFirst("identify", identify)
-		if err != nil {
+		if err != nil || book == nil {
-
+			c.JsonResult(6001,"项目不存在")
+			return
 		}
-		book_id = book.BookId
+		bookId = book.BookId
 	} else {
 		bookResult, err := models.NewBookResult().FindByIdentify(identify, c.Member.MemberId)
 		if err != nil {
@@ -780,7 +792,7 @@ func (c *BookController) SaveSort() {
 		if bookResult.RoleId == conf.BookObserver {
 			c.JsonResult(6002, "项目不存在或权限不足")
 		}
-		book_id = bookResult.BookId
+		bookId = bookResult.BookId
 	}
 
 	content := c.Ctx.Input.RequestBody
@@ -795,13 +807,13 @@ func (c *BookController) SaveSort() {
 	}
 
 	for _, item := range docs {
-		if doc_id, ok := item["id"].(float64); ok {
+		if docId, ok := item["id"].(float64); ok {
-			doc, err := models.NewDocument().Find(int(doc_id))
+			doc, err := models.NewDocument().Find(int(docId))
 			if err != nil {
 				beego.Error(err)
 				continue
 			}
-			if doc.BookId != book_id {
+			if doc.BookId != bookId {
 				logs.Info("%s", "权限错误")
 				continue
 			}
@@ -810,18 +822,18 @@ func (c *BookController) SaveSort() {
 				beego.Info("排序数字转换失败 => ", item)
 				continue
 			}
-			parent_id, ok := item["parent"].(float64)
+			parentId, ok := item["parent"].(float64)
 			if !ok {
 				beego.Info("父分类转换失败 => ", item)
 				continue
 			}
-			if parent_id > 0 {
+			if parentId > 0 {
-				if parent, err := models.NewDocument().Find(int(parent_id)); err != nil || parent.BookId != book_id {
+				if parent, err := models.NewDocument().Find(int(parentId)); err != nil || parent.BookId != bookId {
 					continue
 				}
 			}
 			doc.OrderSort = int(sort)
-			doc.ParentId = int(parent_id)
+			doc.ParentId = int(parentId)
 			if err := doc.InsertOrUpdate(); err != nil {
 				fmt.Printf("%s", err.Error())
 				beego.Error(err)
@@ -846,11 +858,12 @@ func (c *BookController) Team() {
 	}
 
 	book, err := models.NewBookResult().FindByIdentify(key, c.Member.MemberId)
-	if err != nil {
+	if err != nil || book == nil {
 		if err == models.ErrPermissionDenied {
 			c.ShowErrorPage(403, "权限不足")
 		}
 		c.ShowErrorPage(500, "系统错误")
+		return
 	}
 	//如果不是创始人也不是管理员则不能操作
 	if book.RoleId != conf.BookFounder && book.RoleId != conf.BookAdmin {
@@ -884,6 +897,7 @@ func (c *BookController) TeamAdd() {
 
 	if err != nil {
 		c.JsonResult(500, err.Error())
+		return
 	}
 	//如果不是创始人也不是管理员则不能操作
 	if book.RoleId != conf.BookFounder && book.RoleId != conf.BookAdmin {
@@ -905,6 +919,7 @@ func (c *BookController) TeamAdd() {
 	err = teamRel.Save()
 	if err != nil {
 		c.JsonResult(5004, "加入项目失败")
+		return
 	}
 	teamRel.Include()
 
@@ -924,6 +939,7 @@ func (c *BookController) TeamDelete() {
 
 	if err != nil {
 		c.JsonResult(5002, err.Error())
+		return
 	}
 	//如果不是创始人也不是管理员则不能操作
 	if book.RoleId != conf.BookFounder && book.RoleId != conf.BookAdmin {

controllers/DocumentController.go

@@ -2,30 +2,30 @@ package controllers
 
 import (
 	"encoding/json"
-	"html/template"
-	"net/http"
-	"os"
-	"path/filepath"
-	"regexp"
-	"strconv"
-	"strings"
-	"time"
-	"net/url"
-	"image/png"
 	"fmt"
 	"github.com/astaxie/beego"
+	"github.com/astaxie/beego/logs"
 	"github.com/astaxie/beego/orm"
 	"github.com/boombuler/barcode"
 	"github.com/boombuler/barcode/qr"
 	"github.com/lifei6671/mindoc/conf"
 	"github.com/lifei6671/mindoc/models"
 	"github.com/lifei6671/mindoc/utils"
-	"github.com/lifei6671/mindoc/utils/pagination"
-	"gopkg.in/russross/blackfriday.v2"
 	"github.com/lifei6671/mindoc/utils/cryptil"
 	"github.com/lifei6671/mindoc/utils/filetil"
 	"github.com/lifei6671/mindoc/utils/gopool"
-	"github.com/astaxie/beego/logs"
+	"github.com/lifei6671/mindoc/utils/pagination"
+	"gopkg.in/russross/blackfriday.v2"
+	"html/template"
+	"image/png"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
 )
 
 // DocumentController struct
@@ -113,19 +113,21 @@ func (c *DocumentController) Read() {
 
 	if docId, err := strconv.Atoi(id); err == nil {
 		doc, err = doc.FromCacheById(docId)
-		if err != nil {
+		if err != nil || doc == nil {
 			beego.Error("从缓存中读取文档时失败 ->", err)
 			c.ShowErrorPage(404, "文档不存在或已删除")
+			return
 		}
 	} else {
 		doc, err = doc.FromCacheByIdentify(id, bookResult.BookId)
-		if err != nil {
+		if err != nil || doc == nil {
 			if err == orm.ErrNoRows {
 				c.ShowErrorPage(404, "文档不存在或已删除")
 			} else {
 				beego.Error("从缓存查询文档时出错 ->", err)
 				c.ShowErrorPage(500, "未知异常")
 			}
+			return
 		}
 	}
 
@@ -341,11 +343,12 @@ func (c *DocumentController) Upload() {
 	name := "editormd-file-file"
 
 	file, moreFile, err := c.GetFile(name)
-	if err == http.ErrMissingFile {
+	if err == http.ErrMissingFile || moreFile == nil {
 		name = "editormd-image-file"
 		file, moreFile, err = c.GetFile(name)
-		if err == http.ErrMissingFile {
+		if err == http.ErrMissingFile || moreFile == nil {
 			c.JsonResult(6003, "没有发现需要上传的文件")
+			return
 		}
 	}
 
@@ -427,7 +430,7 @@ func (c *DocumentController) Upload() {
 
 	path := filepath.Dir(filePath)
 
-	os.MkdirAll(path, os.ModePerm)
+	_ = os.MkdirAll(path, os.ModePerm)
 
 	err = c.SaveToFile(name, filePath)
 
@@ -452,7 +455,6 @@ func (c *DocumentController) Upload() {
 		attachment.DocumentId = docId
 	}
 
-
 	if filetil.IsImageExt(moreFile.Filename) {
 		attachment.HttpPath = "/" + strings.Replace(strings.TrimPrefix(filePath, conf.WorkingDirectory), "\\", "/", -1)
 		if strings.HasPrefix(attachment.HttpPath, "//") {
@@ -675,8 +677,9 @@ func (c *DocumentController) Content() {
 	// 如果是超级管理员，则忽略权限
 	if c.Member.IsAdministrator() {
 		book, err := models.NewBook().FindByFieldFirst("identify", identify)
-		if err != nil {
+		if err != nil || book == nil {
 			c.JsonResult(6002, "项目不存在或权限不足")
+			return
 		}
 
 		bookId = book.BookId
@@ -705,8 +708,9 @@ func (c *DocumentController) Content() {
 
 		doc, err := models.NewDocument().Find(docId)
 
-		if err != nil {
+		if err != nil || doc == nil {
 			c.JsonResult(6003, "读取文档错误")
+			return
 		}
 
 		if doc.BookId != bookId {
@@ -781,25 +785,7 @@ func (c *DocumentController) Content() {
 	c.JsonResult(0, "ok", doc)
 }
 
-//
+// Export 导出
-//func (c *DocumentController) GetDocumentById(id string) (doc *models.Document, err error) {
-//	doc = models.NewDocument()
-//	if doc_id, err := strconv.Atoi(id); err == nil {
-//		doc, err = doc.Find(doc_id)
-//		if err != nil {
-//			return nil, err
-//		}
-//	} else {
-//		doc, err = doc.FindByFieldFirst("identify", id)
-//		if err != nil {
-//			return nil, err
-//		}
-//	}
-//
-//	return doc, nil
-//}
-
-// 导出
 func (c *DocumentController) Export() {
 	c.Prepare()
 
@@ -1201,8 +1187,9 @@ func (c *DocumentController) Compare() {
 	}
 
 	doc, err := models.NewDocument().Find(history.DocumentId)
-	if doc.BookId != bookId {
+	if err != nil || doc == nil || doc.BookId != bookId {
-		c.ShowErrorPage(60002, "参数错误")
+		c.ShowErrorPage(60002, "文档不存在或已删除")
+		return
 	}
 
 	c.Data["HistoryId"] = historyId

models/BookModel.go

@@ -594,7 +594,7 @@ func (book *Book) ReleaseContent(bookId int) {
 	}
 	for _, item := range docs {
 		item.BookId = bookId
-		item.ReleaseContent()
+		_ = item.ReleaseContent()
 	}
 }
 

models/DocumentModel.go

@@ -6,16 +6,16 @@ import (
 	"fmt"
 	"strconv"
 
+	"bytes"
+	"github.com/PuerkitoBio/goquery"
 	"github.com/astaxie/beego"
 	"github.com/astaxie/beego/orm"
 	"github.com/lifei6671/mindoc/cache"
 	"github.com/lifei6671/mindoc/conf"
+	"github.com/lifei6671/mindoc/utils"
 	"os"
 	"path/filepath"
-	"github.com/PuerkitoBio/goquery"
-	"bytes"
 	"strings"
-	"github.com/lifei6671/mindoc/utils"
 )
 
 // Document struct.
@@ -317,15 +317,48 @@ func (item *Document) Processor() *Document {
 					selector.First().AppendHtml(release)
 				}
 			}
+			cdnimg := beego.AppConfig.String("cdnimg")
+
+			docQuery.Find("img").Each(func(i int, selection *goquery.Selection) {
+
+				if src, ok := selection.Attr("src"); ok {
+					src = strings.TrimSpace(strings.ToLower(src))
+					//过滤掉没有链接的图片标签
+					if src == "" || strings.HasPrefix(src,"data:text/html"){
+						selection.Remove()
+						return
+					}
 
 					//设置图片为CDN地址
-			if cdnimg := beego.AppConfig.String("cdnimg"); cdnimg != "" {
+					if cdnimg != "" && strings.HasPrefix(src, "/uploads/") {
-				docQuery.Find("img").Each(func(i int, contentSelection *goquery.Selection) {
+						selection.SetAttr("src", utils.JoinURI(cdnimg, src))
-					if src, ok := contentSelection.Attr("src"); ok && strings.HasPrefix(src, "/uploads/") {
-						contentSelection.SetAttr("src", utils.JoinURI(cdnimg, src))
 					}
+
+				}
+				selection.RemoveAttr("onerror").RemoveAttr("onload")
 			})
+			//过滤A标签的非法连接
+			docQuery.Find("a").Each(func(i int, selection *goquery.Selection) {
+				if val, exists := selection.Attr("href"); exists {
+					if val == "" {
+						selection.SetAttr("href", "#")
+						return
 					}
+					val = strings.ReplaceAll(strings.ToLower(val), " ", "")
+					//移除危险脚本链接
+					if strings.HasPrefix(val, "data:text/html") ||
+						strings.HasPrefix(val, "vbscript:") ||
+						strings.HasPrefix(val, "javascript:") {
+						selection.SetAttr("href", "#")
+					}
+				}
+				//移除所有 onerror 属性
+				selection.RemoveAttr("onerror").RemoveAttr("onload").RemoveAttr("onclick")
+			})
+
+			docQuery.Find("script").Remove()
+			docQuery.Find("link").Remove()
+			docQuery.Find("vbscript").Remove()
 
 			if html, err := docQuery.Html(); err == nil {
 				item.Release = strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(html), "<html><head></head><body>"), "</body></html>")

routers/filter.go

@@ -41,6 +41,7 @@ func init() {
 	var FinishRouter = func(ctx *context.Context) {
 		ctx.ResponseWriter.Header().Add("MinDoc-Version", conf.VERSION)
 		ctx.ResponseWriter.Header().Add("MinDoc-Site", "https://www.iminho.me")
+		ctx.ResponseWriter.Header().Add("X-XSS-Protection", "1; mode=block")
 	}
 
 	var StartRouter = func(ctx *context.Context) {