fix: vulnerability problems

ikechan8370 2023-02-19 01:19:08 +08:00
parent b5afe1f4fb
commit 6da40e3843
7 changed files with 42 additions and 19 deletions


@ -6,7 +6,7 @@ import { v4 as uuid } from 'uuid'
import delay from 'delay' import delay from 'delay'
import { ChatGPTAPI } from 'chatgpt' import { ChatGPTAPI } from 'chatgpt'
import { ChatGPTClient, BingAIClient } from '@waylaidwanderer/chatgpt-api' import { ChatGPTClient, BingAIClient } from '@waylaidwanderer/chatgpt-api'
import { getMessageById, makeForwardMsg, tryTimes, upsertMessage } from '../utils/common.js' import {escapeHtml, getMessageById, makeForwardMsg, tryTimes, upsertMessage} from '../utils/common.js'
import { ChatGPTPuppeteer } from '../utils/browser.js' import { ChatGPTPuppeteer } from '../utils/browser.js'
import { KeyvFile } from 'keyv-file' import { KeyvFile } from 'keyv-file'
import { OfficialChatGPTClient } from '../utils/message.js' import { OfficialChatGPTClient } from '../utils/message.js'
@ -275,12 +275,12 @@ export class chatgpt extends plugin {
} }
} }
if (prompt.indexOf('<script>') != -1) // if (prompt.indexOf('<script>') != -1)
{ // {
await this.reply('坏人,我要报告给主人', e.isGroup) // await this.reply('坏人,我要报告给主人', e.isGroup)
Bot.pickUser(cfg.masterQQ[0]).sendMsg(`主人,我在${this.e.group_id ? '群' + this.e.group_id : '私聊' }${e.sender.nickname}使用代码攻击了,请警惕`) // Bot.pickUser(cfg.masterQQ[0]).sendMsg(`主人,我在${this.e.group_id ? '群' + this.e.group_id : '私聊' }被${e.sender.nickname}使用代码攻击了,请警惕`)
return false // return false
} // }
const use = await redis.get('CHATGPT:USE') const use = await redis.get('CHATGPT:USE')
if (use !== 'bing') { if (use !== 'bing') {
@ -448,7 +448,6 @@ export class chatgpt extends plugin {
// logger.info(response) // logger.info(response)
// markdown转为html // markdown转为html
// todo部分数学公式可能还有问题 // todo部分数学公式可能还有问题
let converted = response // converter.makeHtml(response)
/** 最后回复消息 */ /** 最后回复消息 */
if (Config.showQRCode) { if (Config.showQRCode) {
@ -459,7 +458,7 @@ export class chatgpt extends plugin {
}, },
body: JSON.stringify({ body: JSON.stringify({
content: { content: {
content: converted, content: response,
prompt, prompt,
senderName: e.sender.nickname senderName: e.sender.nickname
// quote: quotemessage // quote: quotemessage
@ -469,9 +468,9 @@ export class chatgpt extends plugin {
} }
) )
let cache = await cacheres.json() let cache = await cacheres.json()
await e.runtime.render('chatgpt-plugin', use !== 'bing' ? 'content/ChatGPT/index' : 'content/Bing/index', { content: converted, prompt, senderName: e.sender.nickname, cache: cache.file }) await e.runtime.render('chatgpt-plugin', use !== 'bing' ? 'content/ChatGPT/index' : 'content/Bing/index', { content: escapeHtml(response), prompt: escapeHtml(prompt), senderName: e.sender.nickname, cache: cache.file })
} else { } else {
await e.runtime.render('chatgpt-plugin', use !== 'bing' ? 'content/ChatGPT/index' : 'content/Bing/index', { content: converted, prompt, senderName: e.sender.nickname }) await e.runtime.render('chatgpt-plugin', use !== 'bing' ? 'content/ChatGPT/index' : 'content/Bing/index', { content: escapeHtml(response), prompt: escapeHtml(prompt), senderName: e.sender.nickname })
} }
} else { } else {
let quotemessage = [] let quotemessage = []
@ -502,9 +501,9 @@ export class chatgpt extends plugin {
} }
) )
let cache = await cacheres.json() let cache = await cacheres.json()
await e.runtime.render('chatgpt-plugin', use !== 'bing' ? 'content/ChatGPT/index' : 'content/Bing/index', { content: converted, prompt, senderName: e.sender.nickname, cache: cache.file }) await e.runtime.render('chatgpt-plugin', use !== 'bing' ? 'content/ChatGPT/index' : 'content/Bing/index', { content: escapeHtml(response), prompt: escapeHtml(prompt), senderName: e.sender.nickname, cache: cache.file })
} else { } else {
await e.runtime.render('chatgpt-plugin', use !== 'bing' ? 'content/ChatGPT/index' : 'content/Bing/index', { content: converted, prompt, senderName: e.sender.nickname }) await e.runtime.render('chatgpt-plugin', use !== 'bing' ? 'content/ChatGPT/index' : 'content/Bing/index', { content: escapeHtml(response), prompt: escapeHtml(prompt), senderName: e.sender.nickname })
} }
} else { } else {
await this.reply(`${response}`, e.isGroup) await this.reply(`${response}`, e.isGroup)
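Review bot: `senderName: e.sender.nickname` is still passed to `e.runtime.render` unescaped in all four render calls of this section, while `response` and `prompt` on the same lines now go through `escapeHtml`; the nickname is chosen by the sender and lands in the same template, so it needs the same treatment, `senderName: escapeHtml(e.sender.nickname)`. Whether the server-side escape is needed at all depends on whether the template engine already HTML-escapes `{{ }}` interpolations — if it does, the content is escaped twice and the client-side `$(".markdown").text()` sees literal `&amp;lt;` sequences, so this is worth confirming on one rendered message before relying on both layers. `escapeHtml` as added in this commit calls `str.replace` directly, so a `null` or non-string `response` now throws where the old `converted` passthrough did not; `escapeHtml(String(response ?? ''))` at the call sites, or the same guard inside the helper, keeps the previous tolerance. The enclosing method begins and ends outside these hunks.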


@ -31,7 +31,8 @@ export const Config = {
// 以下为API3方式的配置 * // 以下为API3方式的配置 *
// *********************************************************************************************************************************** // ***********************************************************************************************************************************
// from https://github.com/acheong08/ChatGPT // from https://github.com/acheong08/ChatGPT
api: 'https://chatgpt.duti.tech/api/conversation', api: 'https://chatgpt.roki.best/backend-api/conversation',
// api: 'https://chatgpt.duti.tech/api/conversation',
apiBaseUrl: 'https://chatgpt.duti.tech', apiBaseUrl: 'https://chatgpt.duti.tech',
// *********************************************************************************************************************************** // ***********************************************************************************************************************************
// 以下为API2方式的配置 * // 以下为API2方式的配置 *
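Review bot: `api` now points at `chatgpt.roki.best` while `apiBaseUrl` on the next line still points at `chatgpt.duti.tech`, so the two API3 settings name different third-party hosts; if both are meant to be the same proxy, `apiBaseUrl` should change with it, and if not, a comment stating which host serves which call would save the next reader a guess. Either way, conversation traffic — presumably including whatever credential the client sends with it — is routed through a third-party reverse proxy, and nothing in the config records that trust decision; a comment next to `api` such as `// third-party reverse proxy for the ChatGPT backend; it sees every request, including any credential sent with it` makes it visible to whoever deploys this. Keeping the previous value only as a commented-out line also means there is no documented fallback if the new host goes away.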


@ -102,6 +102,7 @@
<script src="{{pluResPath}}content/Bing/static/js/marked.min.js"></script> <script src="{{pluResPath}}content/Bing/static/js/marked.min.js"></script>
<script src="{{pluResPath}}content/Bing/static/js/tex-mml-chtml.js"></script> <script src="{{pluResPath}}content/Bing/static/js/tex-mml-chtml.js"></script>
<script src="{{pluResPath}}content/Bing/static/js/main.js"></script> <script src="{{pluResPath}}content/Bing/static/js/main.js"></script>
<script src="{{pluResPath}}content/Bing/static/js/purify.min.js"></script>
<script> <script>
marked.setOptions({ marked.setOptions({
@ -117,9 +118,11 @@
return hljs.highlightAuto(code,[lang]).value; return hljs.highlightAuto(code,[lang]).value;
} }
}); });
const markdown = $(".markdown").text();
const html = marked.parse(markdown);
const sanitizedHtml = DOMPurify.sanitize(html);
let text = marked.parse($(".markdown").text()); $(".markdown").html(sanitizedHtml);
$(".markdown").html(text);
jQuery('#qrcode').qrcode({width: 128,height: 128,text: "http://content.alcedogroup.com/{{cache}}"}); jQuery('#qrcode').qrcode({width: 128,height: 128,text: "http://content.alcedogroup.com/{{cache}}"});
</script> </script>
</body> </body>
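Review bot: The sanitizer step added at `const sanitizedHtml = DOMPurify.sanitize(html)` covers the markdown body, but `{{cache}}` on the `jQuery('#qrcode').qrcode(...)` line below is still interpolated directly into a JavaScript string literal inside `<script>`; that value is the `cache.file` field of the external cache service's JSON reply, so unless the template engine escapes for a JS-string context, a quote character in it ends the literal and the remainder is executed as script in the rendering browser. Rendering the value into an attribute on the `#qrcode` element instead, `data-cache="{{cache}}"`, and building the URL from `$('#qrcode').data('cache')` keeps it in an HTML-attribute context that the engine's default escaping covers. The ChatGPT template changed in this commit has the same `{{cache}}` line and the same fix applies there. The `purify.min.js` addition is a suppressed file on this page, so the bundled DOMPurify version and its integrity cannot be checked from here.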

File diff suppressed because one or more lines are too long


@ -21,7 +21,7 @@
<a href="#" class="site-logo"> <a href="#" class="site-logo">
<img src="{{pluResPath}}content/ChatGPT/static/picture/openai.png" alt="LOGO"> <img src="{{pluResPath}}content/ChatGPT/static/picture/openai.png" alt="LOGO">
</a> </a>
</div> </div>
</div> </div>
</div> </div>
@ -88,6 +88,7 @@
<script src="{{pluResPath}}content/ChatGPT/static/js/marked.min.js"></script> <script src="{{pluResPath}}content/ChatGPT/static/js/marked.min.js"></script>
<script src="{{pluResPath}}content/Bing/static/js/tex-mml-chtml.js"></script> <script src="{{pluResPath}}content/Bing/static/js/tex-mml-chtml.js"></script>
<script src="{{pluResPath}}content/ChatGPT/static/js/main.js"></script> <script src="{{pluResPath}}content/ChatGPT/static/js/main.js"></script>
<script src="{{pluResPath}}content/ChatGPT/static/js/purify.min.js"></script>
<script> <script>
marked.setOptions({ marked.setOptions({
@ -103,9 +104,11 @@
return hljs.highlightAuto(code,[lang]).value; return hljs.highlightAuto(code,[lang]).value;
} }
}); });
const markdown = $(".markdown").text();
const html = marked.parse(markdown);
const sanitizedHtml = DOMPurify.sanitize(html);
let text = marked.parse($(".markdown").text()); $(".markdown").html(sanitizedHtml);
$(".markdown").html(text);
jQuery('#qrcode').qrcode({width: 128,height: 128,text: "http://content.alcedogroup.com/{{cache}}"}); jQuery('#qrcode').qrcode({width: 128,height: 128,text: "http://content.alcedogroup.com/{{cache}}"});
</script> </script>
</body> </body>

File diff suppressed because one or more lines are too long


@ -6,6 +6,17 @@
// .processSync(markdown ?? '') // .processSync(markdown ?? '')
// .toString() // .toString()
// } // }
export function escapeHtml (str) {
const htmlEntities = {
'&': '&amp;',
'<': '&lt;',
'>': '&gt;',
'"': '&quot;',
"'": '&#39;',
'/': '&#x2F;'
}
return str.replace(/[&<>"'/]/g, (match) => htmlEntities[match])
}
export async function upsertMessage (message) { export async function upsertMessage (message) {
await redis.set(`CHATGPT:MESSAGE:${message.id}`, JSON.stringify(message)) await redis.set(`CHATGPT:MESSAGE:${message.id}`, JSON.stringify(message))