fix: replace eval() with safe template resolver and add empty MODES guard

Issue #1 (Critical): Replaced eval() in buildModeRequest with a safe resolveTemplateValue function that only supports args.fieldName and args['fieldName'] patterns, eliminating XSS/injection vulnerability. Issue #2 (Critical): Added defensive guard in detectMode that throws a clear error when MODES array is empty, preventing undefined property access. 🤖 Generated with [Qoder][https://qoder.com]
2026-04-17 13:20:55 +08:00
parent 7420af8f31
commit a6aa18c6d9
1 changed files with 22 additions and 11 deletions
--- a/src/generated_scene/generator.rs
+++ b/src/generated_scene/generator.rs
@@ -570,6 +570,9 @@ function validateArgs(args) {{
 }}

 function detectMode(args) {{
+  if (!MODES || MODES.length === 0) {{
+    throw new Error('No modes configured for this scene');
+  }}
  const modeValue = args[MODE_SWITCH_FIELD] || DEFAULT_MODE;
  return MODES.find(m => m.condition.value === modeValue) || MODES[0];
 }}
@@ -581,20 +584,28 @@ function buildModeRequest(args, mode) {{
  const url = endpoint.url;
  const method = endpoint.method || 'POST';

+  // Safe template resolver - supports args.fieldName and args['fieldName']
+  function resolveTemplateValue(value) {{
+    if (typeof value !== 'string') return value;
+    if (!value.startsWith('${{') || !value.endsWith('}}')) return value;
+    const expr = value.slice(2, -1).trim();
+    // Support: args.fieldName
+    const dotMatch = expr.match(/^args\\.(\w+)$/);
+    if (dotMatch) return args[dotMatch[1]];
+    // Support: args['fieldName']
+    const bracketMatch = expr.match(/^args\['(\w+)'\]$/);
+    if (bracketMatch) return args[bracketMatch[1]];
+    // Fallback: return raw value
+    return value;
+  }}
+
  let body;
  if (contentType === 'application/x-www-form-urlencoded') {{
-    body = {{ ...template }};
-    for (const [key, value] of Object.entries(body)) {{
-      if (typeof value === 'string' && value.startsWith('${{') && value.endsWith('}}')) {{
-        const expr = value.slice(2, -1);
-        try {{
-          body[key] = eval(expr);
-        }} catch (e) {{
-          body[key] = args.org_code;
-        }}
-      }}
+    body = {{}};
+    for (const [key, value] of Object.entries(template)) {{
+      body[key] = resolveTemplateValue(value);
    }}
-    body.orgno = args.org_code;
+    if (!body.orgno) body.orgno = args.org_code;
  }} else {{
    body = JSON.stringify({{ ...template, ...args }});
  }}