js演练场漏洞修复

2026-06-12 00:17:29 +00:00 · 2025-11-30 02:07:56 +08:00
parent 46bd5819b3
commit f82267f8a7
9 changed files with 1198 additions and 19 deletions
--- a/web-service/src/main/java/cn/qaiu/lz/web/controller/PlaygroundApi.java
+++ b/web-service/src/main/java/cn/qaiu/lz/web/controller/PlaygroundApi.java
@@ -41,6 +41,7 @@ import java.util.stream.Collectors;
 public class PlaygroundApi {

    private static final int MAX_PARSER_COUNT = 100;
+    private static final int MAX_CODE_LENGTH = 128 * 1024; // 128KB 代码长度限制
    private final DbService dbService = AsyncServiceUtil.getAsyncServiceInstance(DbService.class);

    /**
@@ -68,6 +69,15 @@ public class PlaygroundApi {
                        .build()));
                return promise.future();
            }
+            
+            // 代码长度验证
+            if (jsCode.length() > MAX_CODE_LENGTH) {
+                promise.complete(JsonObject.mapFrom(PlaygroundTestResp.builder()
+                        .success(false)
+                        .error("代码长度超过限制（最大128KB），当前长度: " + jsCode.length() + " 字节")
+                        .build()));
+                return promise.future();
+            }

            if (StringUtils.isBlank(shareUrl)) {
                promise.complete(JsonObject.mapFrom(PlaygroundTestResp.builder()
@@ -257,6 +267,12 @@ public class PlaygroundApi {
                promise.complete(JsonResult.error("JavaScript代码不能为空").toJsonObject());
                return promise.future();
            }
+            
+            // 代码长度验证
+            if (jsCode.length() > MAX_CODE_LENGTH) {
+                promise.complete(JsonResult.error("代码长度超过限制（最大128KB），当前长度: " + jsCode.length() + " 字节").toJsonObject());
+                return promise.future();
+            }

            // 解析元数据
            try {