files needs a file extension whitelist #693
Config file extensions
XML
File Magic Numbers: I'll add a check for ts too.
@fengmk2 Just took a look. If you want to be stricter, you can refer to:
I think files under 256 KB shouldn't be checked at all. Some of my binary language files use the .js extension. It's better to monitor for traffic anomalies, since anyone who wants to misuse this can just base64, base85 or base-ascii encode the content. .wasm is binary too, and its format changes as well. It's not hard for the front end to intercept the request with a service worker, strip this File Magic Numbers header and then feed it to the video player, so this approach can't stop it. Better to judge by the npm package's traffic and size.
Web page extensions
@fengmk2 Bro, I think it's best to turn this feature off altogether; safety first. Black-market and grey-market stuff is secondary; political content is what's fatal. If you do build it, I'd suggest just syncing with cdnjs: whichever packages it has, we support only those.
@fjc0k There's no reliable information on that, is there?
@fengmk2 I just think it's hard to do content moderation well enough to satisfy those above, since there's no concrete standard for it. Rather than leaving a bomb that could end with the mirror service being shut down, better to prevent it in advance.
Allowed extension whitelist:
.js, .ts, .jsx, .tsx, .cjs, .mjs
.css, .less, .sass
.json, .json5
.yml, .yaml, .toml, .xml
.axml, .sjs
.wxml
.woff, .woff2, .eot, .ttf, .otf
.wasm
.md, .markdown
.sql
.puml
File name whitelist:
README
LICENSE, LICENSE.txt
AUTHORS
configure, Makefile
Dockerfile, .dockerignore
.gitignore
.eslintrc, .eslintignore
.npmrc
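As an added example (not cnpmcore's own code), the whitelist above applied to a requested path the way the files endpoint would have to: decode once, refuse traversal, match exact file names before extensions (dotfiles such as `.npmrc` have no extension to test), and compare only the text after the last dot, lower-cased. It also layers the cheap content sniff the thread argues about, so the reader can see both what a name check catches and what it cannot. The function names, the `Verdict` shape, the NUL-byte heuristic and the sample requests are assumptions made for this illustration.

```typescript
// Added example, not cnpmcore's implementation. Applies the extension and
// file-name whitelist from this issue; names and the sniff heuristic are assumed.

const ALLOWED_EXTENSIONS: Set<string> = new Set([
  '.js', '.ts', '.jsx', '.tsx', '.cjs', '.mjs',
  '.css', '.less', '.sass',
  '.json', '.json5',
  '.yml', '.yaml', '.toml', '.xml',
  '.axml', '.sjs', '.wxml',
  '.woff', '.woff2', '.eot', '.ttf', '.otf',
  '.wasm',
  '.md', '.markdown',
  '.sql', '.puml',
]);

// Exact names with no usable extension (path.extname('.gitignore') is '').
const ALLOWED_FILENAMES: Set<string> = new Set([
  'README', 'LICENSE', 'LICENSE.txt', 'AUTHORS',
  'configure', 'Makefile', 'Dockerfile', '.dockerignore',
  '.gitignore', '.eslintrc', '.eslintignore', '.npmrc',
]);

// Whitelisted types that are legitimately binary; every other entry is text,
// so a NUL byte inside one of those is suspicious.
const BINARY_EXTENSIONS: Set<string> = new Set(['.woff', '.woff2', '.eot', '.ttf', '.otf', '.wasm']);

interface Verdict { allowed: boolean; reason: string; basename: string; ext: string }

function checkFilePath(rawPath: string): Verdict {
  const deny = (reason: string, basename = '', ext = ''): Verdict => ({ allowed: false, reason, basename, ext });
  // Decode exactly once: a double-encoded "%252e%252e" becomes the literal
  // "%2e%2e", which is then just an odd segment with no extension.
  let decoded: string;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return deny('malformed percent-encoding');
  }
  if (decoded.includes('\0')) return deny('embedded NUL');
  // Normalise separators, then refuse traversal before looking at the name.
  const segments = decoded.replace(/\\/g, '/').split('/');
  if (segments.some((s) => s === '..')) return deny('path traversal');
  const basename = segments[segments.length - 1];
  if (basename === '') return deny('directory, not a file');
  // Exact-name list first: dotfiles such as .npmrc have no extension to test.
  if (ALLOWED_FILENAMES.has(basename)) return { allowed: true, reason: 'whitelisted file name', basename, ext: '' };
  // Only the text after the LAST dot counts, lower-cased: "FOO.JS" is the same
  // type as "foo.js", and "video.mp4.js" is judged as ".js". That is the
  // limitation the thread points out: a name check cannot see the bytes.
  const dot = basename.lastIndexOf('.');
  if (dot <= 0) return deny('no extension and not a whitelisted file name', basename);
  const ext = basename.slice(dot).toLowerCase();
  if (!ALLOWED_EXTENSIONS.has(ext)) return deny(`extension ${ext} not whitelisted`, basename, ext);
  return { allowed: true, reason: 'whitelisted extension', basename, ext };
}

// Cheap sniff for files whose extension claims text: NUL never occurs in
// source text, and a high share of other control bytes is a bad sign too.
function looksLikeBinary(head: Uint8Array): boolean {
  const n = Math.min(head.length, 512);
  let control = 0;
  for (let i = 0; i < n; i += 1) {
    const b = head[i];
    if (b === 0) return true;
    if (b < 0x20 && b !== 0x09 && b !== 0x0a && b !== 0x0d) control += 1;
  }
  return n > 0 && control / n > 0.1;
}

// Name whitelist first, then the sniff when the extension is a text type.
function checkFile(rawPath: string, head: Uint8Array): Verdict {
  const v = checkFilePath(rawPath);
  if (!v.allowed) return v;
  if (v.ext !== '' && !BINARY_EXTENSIONS.has(v.ext) && looksLikeBinary(head)) {
    return { ...v, allowed: false, reason: `binary content served under ${v.ext}` };
  }
  return v;
}

function bytesOf(s: string): Uint8Array {
  return Uint8Array.from(s, (c) => c.charCodeAt(0) & 0xff);
}

// Constructed sample requests (not real registry traffic).
const samples: Array<[string, Uint8Array]> = [
  ['lodash/4.17.21/lodash.js', bytesOf('module.exports = require("./lodash.min.js");\n')],
  ['pkg/1.0.0/LICENSE.txt', bytesOf('MIT License\n')],
  ['pkg/1.0.0/video.mp4.js', new Uint8Array([0x00, 0x00, 0x00, 0x1c, 0x66, 0x74, 0x79, 0x70])],
  ['pkg/1.0.0/%2e%2e/%2e%2e/etc/passwd', bytesOf('')],
];
for (const [p, head] of samples) {
  const v = checkFile(p, head);
  console.log(`${v.allowed ? 'ALLOW' : 'DENY '} ${p}: ${v.reason}`);
}
```

Two points the sample runs make visible: `video.mp4.js` passes the name check (an extension list only ever sees the last suffix), and is only refused by the sniff, which is precisely the layer the thread says a determined uploader defeats by base64-encoding the payload or stripping the header in a service worker. The whitelist is therefore a cheap filter against accidental and lazy misuse, not a substitute for the traffic and size monitoring suggested above.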