PyPI - lesscode-flask - Versions diffs - 0.2.9__tar.gz → 0.2.11__tar.gz - Mend

lesscode-flask 0.2.9tar.gz → 0.2.11tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

{lesscode_flask-0.2.9 → lesscode_flask-0.2.11}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: lesscode-flask
-Version: 0.2.9
+Version: 0.2.11
 Summary: lesscode-flask 是基于flask的web开发脚手架项目，该项目初衷为简化开发过程，让研发人员更加关注业务。
 Home-page: https://lesscode-flask
 Author: Chao.yy

{lesscode_flask-0.2.9 → lesscode_flask-0.2.11}/lesscode_flask/__init__.py RENAMED Viewed

@@ -1,4 +1,4 @@
-__version__ = '0.2.9'
+__version__ = '0.2.11'
 import functools
 import logging

{lesscode_flask-0.2.9 → lesscode_flask-0.2.11}/lesscode_flask/app.py RENAMED Viewed

@@ -20,6 +20,7 @@ from lesscode_flask.setup import setup_blueprint, setup_logging, setup_query_run
     setup_redis, setup_login_manager, setup_resource_register, setup_data_download, setup_scheduler, \
     setup_common_resource, setup_task
 from lesscode_flask.signals import app_runed
+from lesscode_flask.utils.decorator.sql_injection import contains_sql_injection
 from lesscode_flask.utils.helpers import inject_args, generate_uuid, app_config
 from lesscode_flask.utils.json.NotSortJSONProvider import NotSortJSONProvider
 from lesscode_flask.utils.limit import RedisRateLimiter
@@ -68,7 +69,6 @@ class Lesscoder(Flask):
     def preprocess_request(self) -> ft.ResponseReturnValue | None:
         v = super(Lesscoder, self).preprocess_request()
         if  hasattr(self, 'countLimiter') and self.countLimiter:
             allowed, remaining = self.countLimiter.is_allowed(*get_count_limit_info())
             if not allowed:
@@ -143,7 +143,10 @@ class Lesscoder(Flask):
         # 此处增加参数注入代码
         params_dict = inject_args(req, func, view_args)
         params_dict.update(view_args)
-        print("params_dict", params_dict)
+        SQL_INJECTION_ENABLE = self.config.get("SQL_INJECTION_ENABLE", False)
+        if SQL_INJECTION_ENABLE:
+            if contains_sql_injection(params_dict):
+                ResponseResult.fail("参数包含非法字符，请调整后重试！", status_code="403", http_code="403")
         # 调用处理函数执行请求处理
         result = self.ensure_sync(func)(**params_dict)
         # 获取不包装路径

{lesscode_flask-0.2.9 → lesscode_flask-0.2.11}/lesscode_flask/setting/__init__.py RENAMED Viewed

@@ -94,7 +94,9 @@ class BaseConfig:
     RATE_LIMIT_ENABLE: bool = False
     # 触发限流的处理函数
     RATE_LIMIT_HANDLER = RateLimitHandler
-    # 限流频率 单位是每秒
+    # 限流频率窗口 单位是每秒
+    RATE_LIMIT_TIME_WINDOW = 1
+    # 限流频率
     RATE_LIMIT_RATE = 1
     # 限流频率允许的突发值 请求速率超过（rate + brust）的请求会被直接拒绝。
     RATE_LIMIT_BURST = 0
@@ -116,6 +118,9 @@ class BaseConfig:
                                      "/ike2b/pool/company/area_distribution/park_company_count_by_special_tag"]
     # 飞书 webhook URL 常量定义  用于向指定的飞书机器人发送消息的 webhook 地址
     LIMIT_FS_WEBHOOK_URL = "https://open.feishu.cn/open-apis/bot/v2/hook/545140ef-8234-4167-9f0c-8ee72abae430"
+    # sql 注入验证器开关
+    SQL_INJECTION_ENABLE = False
     #
     #
     # # 外网地址

lesscode_flask-0.2.11/lesscode_flask/utils/decorator/sql_injection.py ADDED Viewed

@@ -0,0 +1,73 @@
+import functools
+import logging
+import re
+def param_verification(func):
+    """
+    装饰器函数，用于检测函数参数中是否包含 SQL 注入风险。
+    :param func: 被装饰的原始函数
+    :return: 包装后的函数，会在执行前进行 SQL 注入检测
+    """
+    @functools.wraps(func)
+    def wrapper(*args, **kwargs):
+        # 检查关键字参数中是否包含 SQL 注入风险
+        if contains_sql_injection(kwargs):
+            raise Exception("SQL 注入 detected")
+        return func(*args, **kwargs)
+    return wrapper
+def is_sql_injection(value):
+    """
+    检测字符串是否包含常见的 SQL 注入特征。
+    :param value: 待检测的字符串
+    :return: 如果包含 SQL 注入特征则返回 True，否则返回 False
+    """
+    if not isinstance(value, str):
+        return False  # 只检查字符串类型的数据
+    # 常见 SQL 注入特征
+    sql_patterns = [
+        r"(?i)(\bAND\b|\bOR\b)[\s(]*\d+[\s)]*=[\s(]*\d+[\s)]*",  # 逻辑表达式
+        r"(?i)\b(select|union|insert|update|delete|drop|alter|create|truncate|exec|execute|sleep)\b",  # 关键 SQL 语句
+        r"(?i)( or | and )\d+=\d+",  # 布尔盲注
+        r"(?i)(char|concat|case when)\s*\(",  # SQL 函数
+        r"(--|#|;)",  # 注释符号或语句结束符
+        r"(?i)'[\s\d]*or[\s\d]*'",  # 典型 SQL 盲注
+    ]
+    for pattern in sql_patterns:
+        if re.search(pattern, value):
+            return True  # 发现 SQL 注入特征
+    return False
+def contains_sql_injection(data):
+    """
+    递归检测数据结构中是否包含 SQL 注入风险。
+    支持的数据类型包括：字符串、列表、元组和字典。
+    对于其他类型（如 int、float、None）将直接返回 False。
+    :param data: 待检测的数据，可以是任意嵌套结构
+    :return: 如果发现 SQL 注入风险则返回 True，否则返回 False
+    """
+    if isinstance(data, str):  # 单个字符串
+        return is_sql_injection(data)
+    if isinstance(data, list):  # 列表中的每个元素
+        return any(contains_sql_injection(item) for item in data)
+    if isinstance(data, tuple):  # 元组中的每个元素
+        return any(contains_sql_injection(item) for item in data)
+    if isinstance(data, dict):  # 递归检查字典中的值
+        return any(contains_sql_injection(value) for value in data.values())
+    return False  # 其他类型（int, float, None）不检测

{lesscode_flask-0.2.9 → lesscode_flask-0.2.11}/lesscode_flask/utils/limit/limit_util.py RENAMED Viewed

@@ -33,8 +33,9 @@ def get_rate_limit_info() -> str:
     """
     rate = app_config.get("RATE_LIMIT_RATE", 1)  # 限流频率 单位是每秒
     burst = app_config.get("RATE_LIMIT_BURST", 0)  # 限流频率允许的突发值 请求速率超过（rate + brust）的请求会被直接拒绝。
+    time_window = app_config.get("RATE_LIMIT_TIME_WINDOW", 1)  # 限流频率允许的突发值 请求速率超过（rate + brust）的请求会被直接拒绝。
     limit_key = limit_key_encode()
-    return limit_key, rate, burst
+    return limit_key, rate, burst,time_window
 def get_count_limit_info() -> str:
     """

{lesscode_flask-0.2.9 → lesscode_flask-0.2.11}/lesscode_flask/utils/limit/req/redis_rate_limiter.py RENAMED Viewed

@@ -13,12 +13,13 @@ class RedisRateLimiter:
     def __init__(self, redis_key):
         self.redis_key = redis_key
-    def is_limited(self, key: str, rate: float, burst: float) -> tuple:
+    def is_limited(self, key: str, rate: float, burst: float,time_window:int=1) -> tuple:
         """
         检查是否触发限流
         :param key: 限流键
         :param rate: 每秒请求速率
         :param burst: 突发请求数
+        :param time_window: 窗口期
         :return: (allowed,delay, excess) 是否触发限流 延迟时间和超出数量
         """
         if not key: # 没有key表示不验证
@@ -44,7 +45,7 @@ class RedisRateLimiter:
                 # 计算当前与最近一次访问的时间差
                 elapsed = now - last
                 # 根据时间差计算当前的excess值
-                excess = max(excess - (rate * abs(elapsed) / 1000) + 1, 0)
+                excess = max(excess - (rate * abs(elapsed) / 1000*time_window) + 1, 0)
             else:
                 excess = 0
             # 返回延迟时间和超出数量

{lesscode_flask-0.2.9 → lesscode_flask-0.2.11}/lesscode_flask.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: lesscode-flask
-Version: 0.2.9
+Version: 0.2.11
 Summary: lesscode-flask 是基于flask的web开发脚手架项目，该项目初衷为简化开发过程，让研发人员更加关注业务。
 Home-page: https://lesscode-flask
 Author: Chao.yy

{lesscode_flask-0.2.9 → lesscode_flask-0.2.11}/lesscode_flask.egg-info/SOURCES.txt RENAMED Viewed

@@ -32,6 +32,7 @@ lesscode_flask/utils/fs_util.py
 lesscode_flask/utils/helpers.py
 lesscode_flask/utils/decorator/__init__.py
 lesscode_flask/utils/decorator/cache.py
+lesscode_flask/utils/decorator/sql_injection.py
 lesscode_flask/utils/decorator/swagger.py
 lesscode_flask/utils/file/file_exporter.py
 lesscode_flask/utils/file/file_utils.py