vlad/salvagedb_web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: обновление .gitignore и добавление проверки капчи

Browse Source 
- Добавлен node_modules в .gitignore для исключения из отслеживания
- В app.py добавлена переменная capcha_score для настройки порога проверки капчи
- Обновлены условия проверки капчи в функциях decode и search
- Добавлен маршрут для обслуживания статических файлов с проверкой расширений и защиты от обхода директорий
This commit is contained in:
Vlad 2025-05-02 23:48:15 +03:00
parent 23b9551fcb
commit a26947df3f
3 changed files with 31 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,4 +1,4 @@
__pycache__/ __pycache__/
*.pyc *.pyc
logs logs
node_modules/ node_modules/

34
app.py
View File

@ -16,13 +16,14 @@ from flask_swagger_ui import get_swaggerui_blueprint
capcha_score: float = 0.1
capcha_site = '6LcJpHMgAAAAAMQLNY_g8J2Kv_qmCGureRN_lbGl' capcha_site = '6LcJpHMgAAAAAMQLNY_g8J2Kv_qmCGureRN_lbGl'
capcha_site_sec = '6LcJpHMgAAAAAIUf4Jg_7NvawQKZoLoVypDU6-d8' capcha_site_sec = '6LcJpHMgAAAAAIUf4Jg_7NvawQKZoLoVypDU6-d8'
capcha_site_url='https://www.google.com/recaptcha/api/siteverify' capcha_site_url='https://www.google.com/recaptcha/api/siteverify'
site = 'salvagedb.com' site = 'salvagedb.com'
app_path = os.path.dirname(os.path.realpath(__file__)) app_path = os.path.dirname(os.path.realpath(__file__))
app = Flask(__name__) app = Flask(__name__)
app_debug : bool = os.environ.get('APP_DEBUG',False) app_debug : bool = os.environ.get('APP_DEBUG',False)
@ -32,7 +33,7 @@ app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_prefix=1)
os.environ['NLS_LANG'] = 'American_America.AL32UTF8' os.environ['NLS_LANG'] = 'American_America.AL32UTF8'
#Cache
app.cache = ExpiringDict(60*60*24) app.cache = ExpiringDict(60*60*24)
# Swagger UI # Swagger UI
@ -195,7 +196,7 @@ def decode():
vin = request.form.get('q').strip() vin = request.form.get('q').strip()
g_respone = request.form['g-recaptcha-response'] g_respone = request.form['g-recaptcha-response']
capcha_check = requests.post(url=f'{capcha_site_url}?secret={capcha_site_sec}&response={g_respone}').json() capcha_check = requests.post(url=f'{capcha_site_url}?secret={capcha_site_sec}&response={g_respone}').json()
if capcha_check['success'] == False or capcha_check['score'] <0.5: if capcha_check['success'] == False or capcha_check['score'] <capcha_score:
app.logger.info(f'Google reuest: {capcha_site_url}?secret={capcha_site_sec}&response={g_respone}') app.logger.info(f'Google reuest: {capcha_site_url}?secret={capcha_site_sec}&response={g_respone}')
app.logger.info(f'Bad google answer: {capcha_check}') app.logger.info(f'Bad google answer: {capcha_check}')
abort(401) abort(401)
@ -279,7 +280,7 @@ def search():
g_respone = request.form.get('g-recaptcha-response') g_respone = request.form.get('g-recaptcha-response')
capcha_check = requests.post(url=f'{capcha_site_url}?secret={capcha_site_sec}&response={g_respone}').json() capcha_check = requests.post(url=f'{capcha_site_url}?secret={capcha_site_sec}&response={g_respone}').json()
if capcha_check['success'] == False or capcha_check['score'] <0.5: if capcha_check['success'] == False or capcha_check['score'] <capcha_score:
app.logger.info(f'Google reuest: {capcha_site_url}?secret={capcha_site_sec}&response={g_respone}') app.logger.info(f'Google reuest: {capcha_site_url}?secret={capcha_site_sec}&response={g_respone}')
app.logger.info(f'Bad google answer: {capcha_check}') app.logger.info(f'Bad google answer: {capcha_check}')
if app_debug==True: if app_debug==True:
@ -782,6 +783,31 @@ def get_addr(req) -> str:
def swagger_yaml(): def swagger_yaml():
return send_from_directory('api', 'swagger.yaml') return send_from_directory('api', 'swagger.yaml')
@app.route('/static/<path:filename>')
def serve_static(filename):
try:
# Check file extension
allowed_extensions = {'.css', '.js', '.png', '.jpg', '.jpeg', '.gif', '.ico', '.svg'}
file_ext = os.path.splitext(filename)[1].lower()
if file_ext not in allowed_extensions:
app.logger.warning(f'Attempt to access forbidden file type: {filename}')
return 'Access denied', 403
# Check path for directory traversal attempts
safe_path = os.path.normpath(os.path.join('static', filename))
if not safe_path.startswith('static'):
app.logger.warning(f'Attempt to access file outside static directory: {filename}')
return 'Access denied', 403
# Log file access
app.logger.info(f'Access to static file: {filename}')
return send_from_directory('static', filename)
except Exception as e:
app.logger.error(f'Error accessing file {filename}: {str(e)}')
return 'File not found', 404
if __name__ == '__main__': if __name__ == '__main__':
# Start a pool of connections # Start a pool of connections
pool = start_pool() pool = start_pool()

5
h origin main
View File

@ -1,5 +0,0 @@
1799493 (HEAD -> main) feat: адаптация шаблонов для мобильных устройств
c2d60d9 (origin/main, origin/HEAD) Развиваем API v2: +search Поправил favicon
11f6d56 Перевод search на post
97e85ec remove readme.md
12f0b91 Init