zlei6/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2026-06-29 23:41:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix: stored XSS via HTML File upload and inline Rendering in file get (#13202)

Browse Source 
### What problem does this PR solve?

Fix stored XSS via HTML file upload and inline rendering in
/v1/file/get/<id>

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
This commit is contained in:
Yongteng Lei
2026-02-25 09:46:48 +08:00
committed by GitHub
parent 5a8fa7cf31
commit c292d617ca
4 changed files with 65 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
api/utils/web_utils.py
View File

@@ -92,6 +92,46 @@ CONTENT_TYPE_MAP = {
}
FORCE_ATTACHMENT_EXTENSIONS = {
"htm",
"html",
"shtml",
"xht",
"xhtml",
"xml",
"mhtml",
"svg",
}
FORCE_ATTACHMENT_CONTENT_TYPES = {
"text/html",
"image/svg+xml",
"application/xhtml+xml",
"text/xml",
"application/xml",
"multipart/related",
}
def should_force_attachment(ext: str | None, content_type: str | None = None) -> bool:
normalized_ext = (ext or "").lower().strip(".")
if normalized_ext in FORCE_ATTACHMENT_EXTENSIONS:
return True
normalized_type = (content_type or "").lower()
return normalized_type in FORCE_ATTACHMENT_CONTENT_TYPES
def apply_safe_file_response_headers(response, content_type: str | None, ext: str | None = None):
if content_type:
response.headers.set("Content-Type", content_type)
force_attachment = should_force_attachment(ext, content_type)
if force_attachment:
response.headers.set("X-Content-Type-Options", "nosniff")
response.headers.set("Content-Disposition", "attachment")
return response
def html2pdf(
source: str,
timeout: int = 2,
@@ -188,10 +228,9 @@ def get_float(req: dict, key: str, default: float | int = 10.0) -> float:
return parsed if parsed > 0 else default
except (TypeError, ValueError):
return default
async def send_email_html(to_email: str, subject: str, template_key: str, **context):
body = await render_template_string(EMAIL_TEMPLATES.get(template_key), **context)
msg = MIMEText(body, "plain", "utf-8")
msg["Subject"] = Header(subject, "utf-8")
@@ -236,10 +275,10 @@ def otp_keys(email: str):
def hash_code(code: str, salt: bytes) -> str:
import hashlib
import hmac
import hmac
return hmac.new(salt, (code or "").encode("utf-8"), hashlib.sha256).hexdigest()
def captcha_key(email: str) -> str:
return f"captcha:{email}"