
:art: 内核 API 校验 ID 格式 Fix https://github.com/siyuan-note/siyuan/issues/7228

Liang Ding 2 anos atrás
pai
commit
f37678a98b

+ 8 - 0
kernel/api/attr.go

@@ -43,6 +43,10 @@ func getBlockAttrs(c *gin.Context) {
 	}
 
 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	ret.Data = model.GetBlockAttrs(id)
 }
 
@@ -56,6 +60,10 @@ func setBlockAttrs(c *gin.Context) {
 	}
 
 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	attrs := arg["attrs"].(map[string]interface{})
 	if 1 == len(attrs) && "" != attrs["scroll"] {
 		// 不记录用户指南滚动位置
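Review bot: The new guard in getBlockAttrs runs only after the unchecked type assertion `id := arg["id"].(string)`, so a body whose `id` is a JSON number or null still panics in the handler before InvalidIDPattern is ever reached; the same ordering appears in every other hunk of this commit (block.go, block_op.go, export.go, filetree.go, notebook.go, template.go). A two-value assertion closes the gap without touching the success path: `id, ok := arg["id"].(string)` followed by `if !ok || util.InvalidIDPattern(id, ret) { return }`. The same applies to `attrs := arg["attrs"].(map[string]interface{})` in setBlockAttrs. Both handlers continue outside the hunk.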

+ 4 - 0
kernel/api/block.go

@@ -471,6 +471,10 @@ func getBlockKramdown(c *gin.Context) {
 	}
 
 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	kramdown := model.GetBlockKramdown(id)
 	ret.Data = map[string]string{
 		"id":       id,

+ 21 - 0
kernel/api/block_op.go

@@ -40,6 +40,9 @@ func appendBlock(c *gin.Context) {
 	data := arg["data"].(string)
 	dataType := arg["dataType"].(string)
 	parentID := arg["parentID"].(string)
+	if util.InvalidIDPattern(parentID, ret) {
+		return
+	}
 	if "markdown" == dataType {
 		luteEngine := model.NewLute()
 		data = dataBlockDOM(data, luteEngine)
@@ -82,6 +85,9 @@ func prependBlock(c *gin.Context) {
 	data := arg["data"].(string)
 	dataType := arg["dataType"].(string)
 	parentID := arg["parentID"].(string)
+	if util.InvalidIDPattern(parentID, ret) {
+		return
+	}
 	if "markdown" == dataType {
 		luteEngine := model.NewLute()
 		data = dataBlockDOM(data, luteEngine)
@@ -126,12 +132,21 @@ func insertBlock(c *gin.Context) {
 	var parentID, previousID, nextID string
 	if nil != arg["parentID"] {
 		parentID = arg["parentID"].(string)
+		if util.InvalidIDPattern(parentID, ret) {
+			return
+		}
 	}
 	if nil != arg["previousID"] {
 		previousID = arg["previousID"].(string)
+		if util.InvalidIDPattern(previousID, ret) {
+			return
+		}
 	}
 	if nil != arg["nextID"] {
 		nextID = arg["nextID"].(string)
+		if util.InvalidIDPattern(nextID, ret) {
+			return
+		}
 	}
 
 	if "markdown" == dataType {
@@ -178,6 +193,9 @@ func updateBlock(c *gin.Context) {
 	data := arg["data"].(string)
 	dataType := arg["dataType"].(string)
 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
 
 	luteEngine := model.NewLute()
 	if "markdown" == dataType {
@@ -264,6 +282,9 @@ func deleteBlock(c *gin.Context) {
 	}
 
 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
 
 	transactions := []*model.Transaction{
 		{
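Review bot: In insertBlock the guard now rejects a key that is present with an empty value: a body carrying `"previousID": ""` was previously treated like an absent sibling (previousID stayed ""), but if ast.IsNodeIDPattern rejects the empty string it now fails with "invalid ID argument", and the same holds for `parentID` and `nextID`. That is the stricter and probably intended outcome, but it is a behaviour change for any caller that sends empty strings instead of omitting keys; confirm the front end omits them, or tolerate the empty case explicitly with `if "" != previousID && util.InvalidIDPattern(previousID, ret) { return }`. insertBlock continues outside the hunk.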

+ 4 - 0
kernel/api/export.go

@@ -165,6 +165,10 @@ func exportMdContent(c *gin.Context) {
 	}
 
 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	hPath, content := model.ExportMarkdownContent(id)
 	ret.Data = map[string]interface{}{
 		"hPath":   hPath,

+ 23 - 0
kernel/api/filetree.go

@@ -163,6 +163,10 @@ func getHPathByPath(c *gin.Context) {
 	}
 
 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	p := arg["path"].(string)
 
 	hPath, err := model.GetHPathByPath(notebook, p)
@@ -207,6 +211,10 @@ func getHPathByID(c *gin.Context) {
 	}
 
 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	hPath, err := model.GetHPathByID(id)
 	if nil != err {
 		ret.Code = -1
@@ -254,6 +262,9 @@ func moveDocs(c *gin.Context) {
 	}
 	toPath := arg["toPath"].(string)
 	toNotebook := arg["toNotebook"].(string)
+	if util.InvalidIDPattern(toNotebook, ret) {
+		return
+	}
 
 	err := model.MoveDocs(fromPaths, toNotebook, toPath)
 	if nil != err {
@@ -274,6 +285,10 @@ func removeDoc(c *gin.Context) {
 	}
 
 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	p := arg["path"].(string)
 	model.RemoveDoc(notebook, p)
 }
@@ -305,6 +320,10 @@ func renameDoc(c *gin.Context) {
 	}
 
 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	p := arg["path"].(string)
 	title := arg["title"].(string)
 
@@ -447,6 +466,10 @@ func createDocWithMd(c *gin.Context) {
 	}
 
 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	hPath := arg["path"].(string)
 	markdown := arg["markdown"].(string)
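Review bot: The notebook IDs are now validated in getHPathByPath, moveDocs, removeDoc, renameDoc and createDocWithMd, but the path arguments read from the same body (`p := arg["path"].(string)`, `toPath`, and `fromPaths` in moveDocs) still flow into the model layer unchecked. Whether model.GetHPathByPath, MoveDocs, RemoveDoc and RenameDoc confine those values to the notebook's own directory is not visible here; if they join the value onto a filesystem path, a guard at this layer mirroring InvalidIDPattern (accept only a clean, forward-slash relative path with no `..` segments) would keep all request validation in one place. All of these handlers continue outside the hunk.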
 

+ 23 - 0
kernel/api/notebook.go

@@ -67,6 +67,10 @@ func renameNotebook(c *gin.Context) {
 	}
 
 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	name := arg["name"].(string)
 	err := model.RenameBox(notebook, name)
 	if nil != err {
@@ -94,6 +98,10 @@ func removeNotebook(c *gin.Context) {
 	}
 
 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	err := model.RemoveBox(notebook)
 	if nil != err {
 		ret.Code = -1
@@ -155,6 +163,10 @@ func openNotebook(c *gin.Context) {
 	}
 
 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	msgId := util.PushMsg(model.Conf.Language(45), 1000*60*15)
 	defer util.PushClearMsg(msgId)
 	existed, err := model.Mount(notebook)
@@ -183,6 +195,9 @@ func closeNotebook(c *gin.Context) {
 	}
 
 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
 	model.Unmount(notebook)
 }
 
@@ -196,6 +211,10 @@ func getNotebookConf(c *gin.Context) {
 	}
 
 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	box := model.Conf.Box(notebook)
 	ret.Data = map[string]interface{}{
 		"box":  box.ID,
@@ -214,6 +233,10 @@ func setNotebookConf(c *gin.Context) {
 	}
 
 	notebook := arg["notebook"].(string)
+	if util.InvalidIDPattern(notebook, ret) {
+		return
+	}
+
 	box := model.Conf.Box(notebook)
 
 	param, err := gulu.JSON.MarshalJSON(arg["conf"])
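Review bot: In getNotebookConf and setNotebookConf the new guard establishes that the ID is well-formed but not that the notebook exists, and getNotebookConf dereferences the lookup result immediately (`box := model.Conf.Box(notebook)` then `box.ID`). If Box returns nil for an unknown but well-formed ID — not visible here — the handler still panics on that line; a check such as `if nil == box { ret.Code = -1; ret.Msg = "notebook not found"; return }` after the lookup would close that. Both handlers continue outside the hunk.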

+ 4 - 0
kernel/api/template.go

@@ -56,6 +56,10 @@ func renderTemplate(c *gin.Context) {
 
 	p := arg["path"].(string)
 	id := arg["id"].(string)
+	if util.InvalidIDPattern(id, ret) {
+		return
+	}
+
 	content, err := model.RenderTemplate(p, id)
 	if nil != err {
 		ret.Code = -1

+ 11 - 0
kernel/util/net.go

@@ -17,6 +17,7 @@
 package util
 
 import (
+	"github.com/88250/lute/ast"
 	"github.com/imroc/req/v3"
 	"github.com/siyuan-note/httpclient"
 	"net/http"
@@ -65,6 +66,16 @@ func JsonArg(c *gin.Context, result *gulu.Result) (arg map[string]interface{}, o
 	return
 }
 
+func InvalidIDPattern(idArg string, result *gulu.Result) bool {
+	if ast.IsNodeIDPattern(idArg) {
+		return false
+	}
+
+	result.Code = -1
+	result.Msg = "invalid ID argument"
+	return true
+}
+
 func initHttpClient() {
 	http.DefaultClient = httpclient.GetCloudFileClient2Min()
 	http.DefaultTransport = httpclient.NewTransport(false)
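Review bot: InvalidIDPattern is exported without a doc comment, and its name plus the fixed message `"invalid ID argument"` hide two details a caller needs: it is a format check only (existence of the ID is not verified), and it mutates `result` as a side effect. Suggested comment: `// InvalidIDPattern reports whether idArg is not a well-formed node ID. On a mismatch it sets result.Code to -1 and result.Msg and returns true so the handler can return at once; it does not check that the ID exists.` Handlers with several ID arguments (insertBlock) produce the same message whichever argument fails, so the client cannot tell which one was rejected; a parameter naming the argument, or including it in Msg, would help. The added `github.com/88250/lute/ast` import sits above `net/http` in an ungrouped import block; goimports would separate stdlib from third-party.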