fix(bbcode): fix ReDos vulnerabilities in BBCodeService (#96)

* fix(bbcode): fix ReDos of imagemap parsing * fix(bbcode): use `regex` and add timeout to avoid too long time to parse * feat(bbcode): use `make_tag` to generate HTML tags * docs(bbcode): add docstrings for BBCodeService * fix(user): validate BBCode content before processing userpage update * fix(bbcode): catch timeout errors in BBCode parsing with MaliciousBBCodeError * fix(bbcode): resolve reviews * fix(bbcode): use `make_tag` in `_parse_size` Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix(bbcode): fix using `make_tag` in `_parse_size` --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-12-12 19:50:29 +08:00
parent 0f51d7a834
commit e0c3e06ffe
5 changed files with 634 additions and 230 deletions
--- a/app/models/userpage.py
+++ b/app/models/userpage.py
@@ -98,3 +98,12 @@ class ForbiddenTagError(UserpageError):
        message = f"Forbidden tag '{tag}' is not allowed."
        super().__init__(message, "forbidden_tag")
        self.tag = tag
+
+
+class MaliciousBBCodeError(UserpageError):
+    """恶意BBCode错误"""
+
+    def __init__(self, detail: str):
+        message = f"Malicious BBCode detected: {detail}"
+        super().__init__(message, "malicious_bbcode")
+        self.detail = detail
--- a/app/router/private/user.py
+++ b/app/router/private/user.py
@@ -105,6 +105,11 @@ async def update_userpage(
        raise HTTPException(403, "Your account is restricted and cannot perform this action.")

    try:
+        errors = bbcode_service.validate_bbcode(request.body)
+        if errors:
+            msg = "Invalid BBCode content: " + "; ".join(errors)
+            raise UserpageError(msg)
+
        # 处理BBCode内容
        processed_page = bbcode_service.process_userpage_content(request.body)

--- a/app/service/bbcode_service.py
+++ b/app/service/bbcode_service.py