admin/claw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: replace eval() with safe template resolver and add empty MODES guard

Browse Source 
Issue #1 (Critical): Replaced eval() in buildModeRequest with a safe
resolveTemplateValue function that only supports args.fieldName and
args['fieldName'] patterns, eliminating XSS/injection vulnerability.

Issue #2 (Critical): Added defensive guard in detectMode that throws a
clear error when MODES array is empty, preventing undefined property access.

🤖 Generated with [Qoder][https://qoder.com]
This commit is contained in:
木炎
2026-04-17 13:20:55 +08:00
parent 7420af8f31
commit a6aa18c6d9
1 changed files with 22 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/generated_scene/generator.rs
View File

@@ -570,6 +570,9 @@ function validateArgs(args) {{
}} }}
function detectMode(args) {{ function detectMode(args) {{
if (!MODES || MODES.length === 0) {{
throw new Error('No modes configured for this scene');
}}
const modeValue = args[MODE_SWITCH_FIELD] || DEFAULT_MODE; const modeValue = args[MODE_SWITCH_FIELD] || DEFAULT_MODE;
return MODES.find(m => m.condition.value === modeValue) || MODES[0]; return MODES.find(m => m.condition.value === modeValue) || MODES[0];
}} }}
@@ -581,20 +584,28 @@ function buildModeRequest(args, mode) {{
const url = endpoint.url; const url = endpoint.url;
const method = endpoint.method || 'POST'; const method = endpoint.method || 'POST';
// Safe template resolver - supports args.fieldName and args['fieldName']
function resolveTemplateValue(value) {{
if (typeof value !== 'string') return value;
if (!value.startsWith('${{') || !value.endsWith('}}')) return value;
const expr = value.slice(2, -1).trim();
// Support: args.fieldName
const dotMatch = expr.match(/^args\\.(\w+)$/);
if (dotMatch) return args[dotMatch[1]];
// Support: args['fieldName']
const bracketMatch = expr.match(/^args\['(\w+)'\]$/);
if (bracketMatch) return args[bracketMatch[1]];
// Fallback: return raw value
return value;
}}
let body; let body;
if (contentType === 'application/x-www-form-urlencoded') {{ if (contentType === 'application/x-www-form-urlencoded') {{
body = {{ ...template }}; body = {{}};
for (const [key, value] of Object.entries(body)) {{ for (const [key, value] of Object.entries(template)) {{
if (typeof value === 'string' && value.startsWith('${{') && value.endsWith('}}')) {{ body[key] = resolveTemplateValue(value);
const expr = value.slice(2, -1);
try {{
body[key] = eval(expr);
}} catch (e) {{
body[key] = args.org_code;
}}
}}
}} }}
body.orgno = args.org_code; if (!body.orgno) body.orgno = args.org_code;
}} else {{ }} else {{
body = JSON.stringify({{ ...template, ...args }}); body = JSON.stringify({{ ...template, ...args }});
}} }}