From a109a86acee08ca5afb7e8ef9dfe4a77b47756cb Mon Sep 17 00:00:00 2001
From: alan <67932758+alan16742@users.noreply.github.com>
Date: Thu, 10 Oct 2024 14:50:33 +0800
Subject: [PATCH 1/2] fix: Block malicious upload attempts

---
 back-end-cf/index.js | 14 ++++++++------
 front-end/index.html |  2 +-
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/back-end-cf/index.js b/back-end-cf/index.js
index 63a3961b..fcb6805e 100644
--- a/back-end-cf/index.js
+++ b/back-end-cf/index.js
@@ -52,7 +52,7 @@ async function handleRequest(request) {
   const file = requestUrl.searchParams.get('file') || (requestUrl.pathname.split('/').filter(Boolean).length === 0 ? '' : decodeURIComponent(requestUrl.pathname));
   if (file) {
     const fileName = file.split('/').pop();
-    if (fileName.toLowerCase() === PASSWD_FILENAME.toLowerCase())
+    if (fileName.toLowerCase() === PASSWD_FILENAME.toLowerCase() || fileName.toLowerCase() === '.upload')
       return Response.redirect(
         'https://www.baidu.com/s?wd=%E6%80%8E%E6%A0%B7%E7%9B%97%E5%8F%96%E5%AF%86%E7%A0%81',
         301
@@ -62,14 +62,16 @@ async function handleRequest(request) {
     return Response.redirect(url, 302);
   } else if (requestUrl.searchParams.get('upload')) {
     requestPath = requestUrl.searchParams.get('upload');
-    const uploadAllow = await fetchFiles(requestPath, '.upload');
+    const upload = await fetchFiles(requestPath, '.upload');
+    const uploadSecret = upload ? (await getContent(upload) || 'webupload') : '';
     const fileList = await request.json();
-    const pwAttack = fileList['files'].some(
+    const uploadAttack = fileList['files'].some(
       (file) =>
         file.remotePath.split('/').pop().toLowerCase() ===
-        PASSWD_FILENAME.toLowerCase()
-    );
-    if (uploadAllow && !pwAttack) {
+        PASSWD_FILENAME.toLowerCase() ||
+        file.remotePath.split('/').pop().toLowerCase() === '.upload'
+    ) || fileList['secret'] !== uploadSecret;
+    if (!uploadAttack) {
       const uploadLinks = await uploadFiles(fileList);
       return new Response(uploadLinks, {
         headers: returnHeaders,
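Review bot: The added condition `fileName.toLowerCase() === '.upload'` introduces `'.upload'` as a bare string literal, and the following @@ -62 hunk repeats it twice more (`fetchFiles(requestPath, '.upload')` and the second comparison inside the `.some` callback), whereas the sibling control file already has the named constant `PASSWD_FILENAME`. Declaring `const UPLOAD_FILENAME = '.upload';` next to `PASSWD_FILENAME` and comparing against `UPLOAD_FILENAME.toLowerCase()` at all three sites keeps the download-path block and the upload-path checks from drifting apart. The enclosing `handleRequest` starts before this hunk and continues past it.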
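Review bot: The new gate `if (!uploadAttack)` no longer requires the `.upload` marker that the removed `if (uploadAllow && !pwAttack)` did: when `fetchFiles(requestPath, '.upload')` returns nothing, `uploadSecret` is `''`, a body with `secret: ''` makes `fileList['secret'] !== uploadSecret` false, and the upload proceeds in a folder that never opted in (the second patch in this series restores the gate as `if (upload && !uploadAttack)`). The `|| 'webupload'` fallback adds no protection either, because that string is shipped in the front end, so a `.upload` file whose content `getContent` reports as empty should be treated explicitly as "no secret configured" rather than as a default secret. The request body is also used unvalidated: a JSON body without `files`, or an entry whose `remotePath` is not a string, throws a TypeError inside `.some` before any decision is made, and a guard such as `if (!Array.isArray(fileList?.files)) return new Response('Bad Request', { status: 400 });` right after `request.json()` keeps malformed input from surfacing as a 500. `handleRequest` starts before this hunk and continues past it.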
diff --git a/front-end/index.html b/front-end/index.html
index 0de40819..e8ad2be9 100644
--- a/front-end/index.html
+++ b/front-end/index.html
@@ -1716,7 +1716,7 @@
       sendRequest(
         window.api.method,
         window.api.url + '?upload=' + odPath,
-        JSON.stringify({ files: currentPage }),
+        JSON.stringify({ secret: 'webupload', files: currentPage }),
         window.api.headers,
         (response) => {
           const uploadLinks = JSON.parse(response).files;

From 2801ec783d8c4b00b4ebbe46774b500335cfc708 Mon Sep 17 00:00:00 2001
From: alan <67932758+alan16742@users.noreply.github.com>
Date: Fri, 11 Oct 2024 10:44:50 +0800
Subject: [PATCH 2/2] fix: password authentication

---
 back-end-cf/index.js | 9 ++++-----
 front-end/index.html | 3 ++-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/back-end-cf/index.js b/back-end-cf/index.js
index fcb6805e..1374851d 100644
--- a/back-end-cf/index.js
+++ b/back-end-cf/index.js
@@ -52,7 +52,7 @@ async function handleRequest(request) {
   const file = requestUrl.searchParams.get('file') || (requestUrl.pathname.split('/').filter(Boolean).length === 0 ? '' : decodeURIComponent(requestUrl.pathname));
   if (file) {
     const fileName = file.split('/').pop();
-    if (fileName.toLowerCase() === PASSWD_FILENAME.toLowerCase() || fileName.toLowerCase() === '.upload')
+    if (fileName.toLowerCase() === PASSWD_FILENAME.toLowerCase())
       return Response.redirect(
         'https://www.baidu.com/s?wd=%E6%80%8E%E6%A0%B7%E7%9B%97%E5%8F%96%E5%AF%86%E7%A0%81',
         301
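Review bot: The `secret: 'webupload'` added to the upload body is a constant in page source that every visitor can read, so it cannot authenticate anyone: any client can send the same value, and the back end accepts it for every folder whose `.upload` file has no content, via its `|| 'webupload'` fallback. A value meant to gate uploads has to come from the user, for example the folder password that the second patch in this series reads from `window.fileCache`, not from a literal compiled into the client. If the constant is only meant as a protocol marker, say so at the call site, `// 'webupload' is a placeholder, not a credential; the server decides on the .upload content`, so nobody later treats it as protection.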
@@ -63,15 +63,14 @@ async function handleRequest(request) {
   } else if (requestUrl.searchParams.get('upload')) {
     requestPath = requestUrl.searchParams.get('upload');
     const upload = await fetchFiles(requestPath, '.upload');
-    const uploadSecret = upload ? (await getContent(upload) || 'webupload') : '';
+    const uploadSecret = await fetchFiles(requestPath, PASSWD_FILENAME, null, true) || '';
     const fileList = await request.json();
     const uploadAttack = fileList['files'].some(
       (file) =>
         file.remotePath.split('/').pop().toLowerCase() ===
-        PASSWD_FILENAME.toLowerCase() ||
-        file.remotePath.split('/').pop().toLowerCase() === '.upload'
+        PASSWD_FILENAME.toLowerCase()
     ) || fileList['secret'] !== uploadSecret;
-    if (!uploadAttack) {
+    if (upload && !uploadAttack) {
       const uploadLinks = await uploadFiles(fileList);
       return new Response(uploadLinks, {
         headers: returnHeaders,
diff --git a/front-end/index.html b/front-end/index.html
index e8ad2be9..d1ad4468 100644
--- a/front-end/index.html
+++ b/front-end/index.html
@@ -1077,6 +1077,7 @@
             input.placeholder = '密码错误';
           } else {
             window.fileCache.set(newFiles.parent, newFiles);
+            window.fileCache.set(`${newFiles.parent}/.upload`, passwd);
             fetchFileList(newFiles.parent);
           }
         }
@@ -1716,7 +1717,7 @@
       sendRequest(
         window.api.method,
         window.api.url + '?upload=' + odPath,
-        JSON.stringify({ secret: 'webupload', files: currentPage }),
+        JSON.stringify({ secret: window.fileCache.get(`${odPath}/.upload`) || '', files: currentPage }),
         window.api.headers,
         (response) => {
           const uploadLinks = JSON.parse(response).files;
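Review bot: Neither the rewritten `uploadAttack` expression nor the new gate `if (upload && !uploadAttack)` checks that each `file.remotePath` lies inside `requestPath`, the folder whose `.upload` marker and password were just verified; only the basename is compared against `PASSWD_FILENAME`, so unless `uploadFiles` constrains the destination on its own, a body carrying the correct `secret` for one folder can name a `remotePath` in any other folder. A prefix check on the normalised path, sketched below with the prefix form adjusted to whatever `uploadFiles` expects, closes that and also rejects non-string paths instead of letting `.split` throw. `fileList['secret'] !== uploadSecret` is a plain string compare of the folder password; where the runtime exposes `crypto.subtle.timingSafeEqual`, comparing equal-length byte encodings with it avoids the timing side channel. What `fetchFiles(requestPath, PASSWD_FILENAME, null, true)` returns is not visible here, presumably the password text, so the `|| ''` fallback should be confirmed to mean "no password set" and not "lookup failed". `handleRequest` starts before this hunk and continues past it.
```javascript
    const fileList = await request.json();
    const folder = requestPath.replace(/\/+$/, '');
    // reject targets that escape the folder whose secret was just checked
    const outsideFolder = (p) =>
      typeof p !== 'string' ||
      p.split('/').includes('..') ||
      !p.startsWith(`${folder}/`);
    const uploadAttack = fileList['files'].some(
      (file) =>
        outsideFolder(file.remotePath) ||
        file.remotePath.split('/').pop().toLowerCase() ===
          PASSWD_FILENAME.toLowerCase()
    ) || fileList['secret'] !== uploadSecret;
    // … unchanged: upload gate and response …
```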
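Review bot: The cache key written at @@ -1077, `${newFiles.parent}/.upload`, and the one read at @@ -1717, `${odPath}/.upload`, are built from two different variables, and nothing in these hunks shows that `newFiles.parent` and `odPath` are spelled identically (leading and trailing slashes, percent-encoding); a mismatch silently degrades to `secret: ''` and a rejected upload with no user-visible cause. Build both keys through one helper, `const uploadSecretKey = (dir) => dir.replace(/\/+$/, '') + '/.upload';`, and use it at both sites. Writing the plaintext password into `window.fileCache` next to directory listings also means any code that iterates or renders the cache sees a credential; a separate `Map` or a distinct key prefix keeps listings and credentials apart. The enclosing functions start before and end after both hunks.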