timxx/CloudSearch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(audit): 修复3个审计发现的bug

Browse Source 
- migrateCloudConfigs 缺 } 导致 notify_config/cloud_type_uid 嵌套在 promotion_account 内不迁移
- cloud_configs_v2 INSERT/SELECT 缺 cloud_type_uid/cookie_uid 导致数据丢失
- deploy.sh 密码嵌入改成 docker exec -e 传参(防特殊字符注入)
This commit is contained in:
admin
2026-05-19 14:23:26 +08:00
parent 288d30698a
commit 39724e6e73
4 changed files with 7 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION
View File

@@ -1 +1 @@
0.4.12 0.4.13

2
source_clean/VERSION
View File

@@ -1 +1 @@
0.4.12 0.4.13

4
source_clean/deploy.sh
View File

@@ -97,11 +97,11 @@ done
# -- 强制写入管理员密码 -- # -- 强制写入管理员密码 --
info "同步管理员密码..." info "同步管理员密码..."
sleep 3 sleep 3
docker exec CloudSearch_App node -e ' docker exec -e ADMIN_PASSWORD="$ADMIN_PASSWORD" CloudSearch_App node -e '
var bcrypt = require("bcryptjs"); var bcrypt = require("bcryptjs");
var Database = require("better-sqlite3"); var Database = require("better-sqlite3");
var db = new Database("/data/database.sqlite"); var db = new Database("/data/database.sqlite");
var hash = bcrypt.hashSync("'"${ADMIN_PASSWORD}"'", 10); var pw = process.env.ADMIN_PASSWORD || ""; var hash = bcrypt.hashSync(pw, 10);
var existing = db.prepare("SELECT id FROM admins WHERE username = ?").get("admin"); var existing = db.prepare("SELECT id FROM admins WHERE username = ?").get("admin");
if (existing) { if (existing) {
db.prepare("UPDATE admins SET password_hash = ? WHERE username = ?").run(hash, "admin"); db.prepare("UPDATE admins SET password_hash = ? WHERE username = ?").run(hash, "admin");

5
source_clean/src/database/database.ts
View File

@@ -230,8 +230,8 @@ function migrateCloudConfigs(db: Database.Database): void {
created_at TEXT NOT NULL DEFAULT (datetime('now', 'localtime')), created_at TEXT NOT NULL DEFAULT (datetime('now', 'localtime')),
updated_at TEXT NOT NULL DEFAULT (datetime('now', 'localtime')) updated_at TEXT NOT NULL DEFAULT (datetime('now', 'localtime'))
); );
INSERT INTO cloud_configs_v2 (id, cloud_type, cookie, nickname, is_active, storage_used, storage_total, checkin_status, last_checkin_at, checkin_message, consecutive_failures, last_used_at, total_saves, created_at, updated_at) INSERT INTO cloud_configs_v2 (id, cloud_type, cookie, cloud_type_uid, cookie_uid, nickname, is_active, storage_used, storage_total, checkin_status, last_checkin_at, checkin_message, consecutive_failures, last_used_at, total_saves, created_at, updated_at)
SELECT id, cloud_type, cookie, nickname, is_active, storage_used, storage_total, COALESCE(checkin_status,'none'), last_checkin_at, checkin_message, COALESCE(consecutive_failures,0), last_used_at, COALESCE(total_saves,0), created_at, updated_at FROM cloud_configs; SELECT id, cloud_type, cookie, cloud_type_uid, cookie_uid, nickname, is_active, storage_used, storage_total, COALESCE(checkin_status,'none'), last_checkin_at, checkin_message, COALESCE(consecutive_failures,0), last_used_at, COALESCE(total_saves,0), created_at, updated_at FROM cloud_configs;
DROP TABLE cloud_configs; DROP TABLE cloud_configs;
ALTER TABLE cloud_configs_v2 RENAME TO cloud_configs; ALTER TABLE cloud_configs_v2 RENAME TO cloud_configs;
`); `);
@@ -257,6 +257,7 @@ function migrateCloudConfigs(db: Database.Database): void {
if (!hasPromotionAccount) { if (!hasPromotionAccount) {
db.exec("ALTER TABLE cloud_configs ADD COLUMN promotion_account TEXT DEFAULT NULL"); db.exec("ALTER TABLE cloud_configs ADD COLUMN promotion_account TEXT DEFAULT NULL");
console.log('[DB] cloud_configs migration: promotion_account column added'); console.log('[DB] cloud_configs migration: promotion_account column added');
}
// v0.3.5: notify_config for per-cloud push notification settings // v0.3.5: notify_config for per-cloud push notification settings
const hasNotifyConfig = db.prepare("SELECT sql FROM sqlite_master WHERE name='cloud_configs' AND sql LIKE '%notify_config%'").get(); const hasNotifyConfig = db.prepare("SELECT sql FROM sqlite_master WHERE name='cloud_configs' AND sql LIKE '%notify_config%'").get();