vlad/salvagedb_web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Добавлена защита от прямого доступа к генерации отчетов

Browse Source 
- Добавлена проверка сессии для VIN

- Добавлено ограничение по времени (5 минут)

- Добавлено логирование попыток прямого доступа
This commit is contained in:
Vlad 2025-05-10 23:57:19 +03:00
parent 2918d9933f
commit 98b0e7ac26
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
app.py
View File

@ -358,6 +358,11 @@ def search():
res = cur.fetchall() res = cur.fetchall()
cur.execute("""select rownum, t.vin, t.title, t.odo, t.odos, t.dem1, t.dem2, t.year||'/'||t.month from salvagedb t where vin = :p1 and svin = substr(:p1,1,10) """, {'p1': vin}) cur.execute("""select rownum, t.vin, t.title, t.odo, t.odos, t.dem1, t.dem2, t.year||'/'||t.month from salvagedb t where vin = :p1 and svin = substr(:p1,1,10) """, {'p1': vin})
his = cur.fetchall() his = cur.fetchall()
# Сохраняем VIN в сессии
session['last_searched_vin'] = vin
session['last_search_time'] = datetime.datetime.now().timestamp()
return render_template('search.html', site=site, vin=vin, det=res, his=his) return render_template('search.html', site=site, vin=vin, det=res, his=his)
except: except:
logger.error(traceback.format_exc()) logger.error(traceback.format_exc())
@ -897,6 +902,16 @@ def serve_static(filename):
@app.route("/salvagereport/<string:vin>") @app.route("/salvagereport/<string:vin>")
def generate_pdf_report(vin): def generate_pdf_report(vin):
try: try:
# Проверяем наличие VIN в сессии и время последнего поиска
if 'last_searched_vin' not in session or session['last_searched_vin'] != vin:
logger.warning(f'Direct access attempt to report generation for VIN: {vin}')
return 'Access denied', 403
# Проверяем время последнего поиска (не более 5 минут)
if datetime.datetime.now().timestamp() - session['last_search_time'] > 300:
logger.warning(f'Report generation attempt expired for VIN: {vin}')
return 'Access denied', 403
conn = pool.acquire() conn = pool.acquire()
cur = conn.cursor() cur = conn.cursor()
user_ip = get_ip(request) user_ip = get_ip(request)