Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

files 需要增加文件后缀白名单 #693

Closed
fengmk2 opened this issue May 30, 2024 · 10 comments
Closed

files 需要增加文件后缀白名单 #693

fengmk2 opened this issue May 30, 2024 · 10 comments
Assignees
@fengmk2
Labels
enhancement New feature or request

Comments

@fengmk2
Copy link
Member

fengmk2 commented May 30, 2024
edited
Loading

允许的白名单后缀:

  • .js, .ts, .jsx, .tsx, .cjs, .mjs
  • .css, .less, .sass
  • .json, .json5
  • .yml, .yaml, .toml, .xml
  • .axml, .sjs
  • .wxml
  • .woff, .woff2, .eot, .ttf, .otf
  • .wasm
  • .md, .markdown
  • .sql
  • .puml

文件名白名单:

  • README
  • LICENSE, LICENSE.txt
  • AUTHORS
  • configure, Makefile
  • Dockerfile, .dockerignore
  • .gitignore
  • .eslintrc, .eslintignore
  • .npmrc
@fengmk2 fengmk2 added the enhancement New feature or request label May 30, 2024
@fengmk2 fengmk2 self-assigned this May 30, 2024
@fengmk2
Copy link
Member Author

fengmk2 commented May 30, 2024

https://github.com/jshttp/mime-db/blob/master/src/nginx-types.json

@ChangedenCZD
Copy link

配置文件后缀 yamltoml

@BlackHole1
Copy link
Contributor

XML

BTW,只检测后缀无法避免滥用情况,如: m3u8 中的视频分段使用的是 ts 文件,这会与白名单中的 .ts 吻合。
或许还需要增加: File Magic Numbers 的判断 以及 最大文件大小的判断

@fengmk2
Copy link
Member Author

fengmk2 commented May 30, 2024

XML

BTW,只检测后缀无法避免滥用情况,如: m3u8 中的视频分段使用的是 ts 文件,这会与白名单中的 .ts 吻合。
或许还需要增加: File Magic Numbers 的判断 以及 最大文件大小的判断

File Magic Numbers 我对 ts 加一下判断

@BlackHole1
Copy link
Contributor

@fengmk2 刚刚看了下 MPEG-ts 的 data format,其第一个字节是 0x47,对应了 ASCII 中的 G 字符,故,如果 ts 文件中的第一个字符是 G 的话,将会误判(虽然 TypeScript 文件的第一个字符几乎不可能是 G)

如果想要更加严格,可参考: videojs 中的实现: https://github.com/videojs/vhs-utils/blob/61b8db9f2d9b3085efe56050a6ad430ff03be55e/src/containers.js#L107-L123

MPEG-ts 最小为: 188 字节,并且其必须为 188 的整数倍。

@fengmk2 fengmk2 mentioned this issue Jun 1, 2024
Closed
@i18nsite
Copy link

i18nsite commented Jun 1, 2024
edited
Loading

我感觉小于256KB的文件就别判断了,我有些二进制的语言文件用的.js后缀,还是从流量异常上监控比较好,毕竟想盗用可以base64、base85、base ascii编码一下

.wasm也是二进制,而且格式也会变化
用 .woff2 / .wasm 后缀写个伪装的File Magic Numbers头

前端用service worker拦截请求,去掉这个File Magic Numbers头再给视频播放也不难,这个思路防不住的

不如根据 npm 包的流量和体积来判断,
用流量除以 https://www.npmjs.com/package/yaml?activeTab=dependents 数量(可以算个pagerank) , 发现异常的包
太大了就需要实名认证或者白名单,

@FloatSheep
Copy link

网页后缀 html

@fjc0k
Copy link

fjc0k commented Jun 7, 2024

@fengmk2 哥,我觉得这个功能最好关了好,安全第一,黑产灰产都是其次,涉政才是要命的。要做也建议就同步cdnjs,它有哪些包,咱就只支持哪些包。
v2ex看到这个帖子:https://www.v2ex.com/t/1047740
image
image

@fengmk2
Copy link
Member Author

fengmk2 commented Jun 7, 2024

@fjc0k 这个没有准确消息吧

@fengmk2 fengmk2 closed this as completed Jun 7, 2024
@fjc0k
Copy link

fjc0k commented Jun 8, 2024

@fengmk2 只是觉得很难把内容审查做好,让上面满意,毕竟这玩意儿没有具体标准。与其留下个炸弹可能波及镜像服务被关闭,还不如提前预防。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fengmk2 fengmk2

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@fengmk2 @BlackHole1 @ChangedenCZD @fjc0k @FloatSheep @i18nsite