
Merge pull request #2401 from nocodb/fix/ssrf

fix: ssrf
pull/2436/head
աɨռɢӄաօռɢ 2 years ago committed by GitHub
parent
commit
69c5ef6eed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 24
      packages/nc-gui/components/import/QuickImport.vue
  2. 6
      packages/nc-gui/components/import/templateParsers/ExcelUrlTemplateAdapter.js
  3. 22
      packages/nocodb/src/lib/meta/api/utilApis.ts

24
packages/nc-gui/components/import/QuickImport.vue

@ -60,11 +60,18 @@
v-model="url"
hide-details="auto"
type="url"
:label="quickImportType == 'excel' ? $t('msg.info.excelURL') : $t('msg.info.csvURL') "
:label="quickImportType === 'excel' ? $t('msg.info.excelURL') : $t('msg.info.csvURL') "
class="caption"
outlined
dense
:rules="[v => !!v || $t('general.required') ]"
:rules="
[
v => !!v || $t('general.required'),
v => !(/(10)(\.([2]([0-5][0-5]|[01234][6-9])|[1][0-9][0-9]|[1-9][0-9]|[0-9])){3}|(172)\.(1[6-9]|2[0-9]|3[0-1])(\.(2[0-4][0-9]|25[0-5]|[1][0-9][0-9]|[1-9][0-9]|[0-9])){2}|(192)\.(168)(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){2}|(0.0.0.0)|localhost?/g).test(v) || errorMessages.ipBlockList,
v => quickImportType === 'excel' ?
(/.*\.(xls|xlsx|xlsm|ods|ots)/.test(v) || errorMessages.importExcel) :
(/.*\.(csv)/.test(v) || errorMessages.importCSV),
]"
/>
<v-btn v-t="['c:project:create:excel:load-url']" class="ml-3" color="primary" @click="loadUrl">
<!--Load-->
@ -213,7 +220,12 @@ export default {
parserConfig: {
maxRowsToParse: 500
},
filename: ''
filename: '',
errorMessages: {
importExcel: "Target file is not an accepted file type. The accepted file types are .xls, .xlsx, .xlsm, .ods, .ots!",
importCSV: "Target file is not an accepted file type. The accepted file type is .csv!",
ipBlockList: "IP Not allowed!"
}
}
},
computed: {
@ -288,7 +300,7 @@ export default {
templateGenerator = new ExcelTemplateAdapter(name, val, this.parserConfig)
break
case 'url':
templateGenerator = new ExcelUrlTemplateAdapter(val, this.$store, this.parserConfig, this.$api)
templateGenerator = new ExcelUrlTemplateAdapter(val, this.$store, this.parserConfig, this.$api, this.quickImportType)
break
}
await templateGenerator.init()
@ -322,11 +334,11 @@ export default {
if (this.quickImportType === 'excel') {
if (!/.*\.(xls|xlsx|xlsm|ods|ots)/.test(file.name)) {
return this.$toast.error('Dropped file is not an accepted file type. The accepted file types are .xls, .xlsx, .xlsm, .ods, .ots!').goAway(3000)
return this.$toast.error(this.errorMessages.importExcel).goAway(3000)
}
} else if (this.quickImportType === 'csv') {
if (!/.*\.(csv)/.test(file.name)) {
return this.$toast.error('Dropped file is not an accepted file type. The accepted file type is .csv!').goAway(3000)
return this.$toast.error(this.errorMessages.importCSV).goAway(3000)
}
}
this._file(file)
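Review bot: The block-list rule added to `:rules` tests its pattern, unanchored, against the whole URL string, so a public URL whose path or query merely contains `localhost` or digits shaped like a 10.x.x.x address is rejected with "IP Not allowed!". The pattern is also loose in itself: `(0.0.0.0)` leaves its dots unescaped and `localhost?` makes the final `t` optional, where `(0\.0\.0\.0)` and `localhost` are what is meant. I would parse the URL, test only its hostname, and keep the pattern in one named constant rather than an inline literal; the same literal is repeated in `axiosRequestMake` in utilApis.ts and has the same problem there. The two extension rules are unanchored as well (`/.*\.(csv)/` accepts `.csv` anywhere in the string), so `/\.csv$/` on the parsed pathname would be the stricter form. This field rule is only a usability hint, and whether `loadUrl` consults it is not visible in the hunk.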

6
packages/nc-gui/components/import/templateParsers/ExcelUrlTemplateAdapter.js

@ -1,19 +1,19 @@
import ExcelTemplateAdapter from '~/components/import/templateParsers/ExcelTemplateAdapter'
export default class ExcelUrlTemplateAdapter extends ExcelTemplateAdapter {
constructor(url, $store, parserConfig, $api) {
constructor(url, $store, parserConfig, $api, quickImportType) {
const name = url.split('/').pop()
super(name, null, parserConfig)
this.url = url
this.$api = $api
this.$store = $store
this.quickImportType = quickImportType
}
async init() {
const data = await this.$api.utils.axiosRequestMake({
apiMeta: {
url: this.url,
responseType: 'arraybuffer'
url: this.url
}
})
this.excelData = data.data
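Review bot: `this.quickImportType` is stored from the new constructor parameter but nothing in the visible lines reads it, so as shown it is dead state. If `init()` (which continues past the hunk) or the parent class uses it, a one-line comment saying so would help; otherwise I would drop the parameter. Removing `responseType: 'arraybuffer'` from the request also makes this adapter depend on the server choosing the response type, which deserves a comment at the call, e.g. `// responseType is set by the server in axiosRequestMake`.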

22
packages/nocodb/src/lib/meta/api/utilApis.ts

@ -60,8 +60,9 @@ export async function releaseVersion(_req: Request, res: Response) {
res.json(result);
}
export async function axiosRequestMake(req: Request, res: Response) {
async function _axiosRequestMake(req: Request, res: Response) {
const { apiMeta } = req.body;
if (apiMeta?.body) {
try {
apiMeta.body = JSON.parse(apiMeta.body);
@ -106,6 +107,25 @@ export async function axiosRequestMake(req: Request, res: Response) {
return res.json(data?.data);
}
export async function axiosRequestMake(req: Request, res: Response) {
const {
apiMeta: { url }
} = req.body;
const isExcelImport = /.*\.(xls|xlsx|xlsm|ods|ots)/;
const isCSVImport = /.*\.(csv)/;
const ipBlockList = /(10)(\.([2]([0-5][0-5]|[01234][6-9])|[1][0-9][0-9]|[1-9][0-9]|[0-9])){3}|(172)\.(1[6-9]|2[0-9]|3[0-1])(\.(2[0-4][0-9]|25[0-5]|[1][0-9][0-9]|[1-9][0-9]|[0-9])){2}|(192)\.(168)(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){2}|(0.0.0.0)|localhost?/g;
if (
ipBlockList.test(url) ||
(!isCSVImport.test(url) && !isExcelImport.test(url))
) {
return res.json({});
}
if (isCSVImport || isExcelImport) {
req.body.apiMeta.responseType = 'arraybuffer';
}
return await _axiosRequestMake(req, res);
}
export default router => {
router.post(
'/api/v1/db/meta/connection/test',
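Review bot: The new `axiosRequestMake` is the enforcement point for this fix, yet it decides from the text of `url` rather than from the address the request will actually reach. A host name that resolves to an internal address, a range absent from the pattern (loopback, link-local, IPv6) or a redirect followed by the HTTP client is therefore not covered by `ipBlockList.test(url)`. I would parse the URL, allow only `http:`/`https:`, resolve the host and reject on the resolved address, and have the forwarded request refuse or re-check redirects; how `_axiosRequestMake` builds the request lies outside the hunk. Two smaller things in the same function: `if (isCSVImport || isExcelImport)` tests two RegExp objects and is always true, so it can simply be `req.body.apiMeta.responseType = 'arraybuffer';`. Also, `const { apiMeta: { url } } = req.body;` throws when `apiMeta` is absent, where `const url = req.body?.apiMeta?.url;` followed by a string check would return the empty response instead.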
