fix: 修复漏洞

Author: SilianZ

core/cluster.py

@@ -102,7 +102,7 @@ async def fetchFileList(self) -> None:
                     io.BytesIO(await response.read())
                 )
                 decompressed_data = io.BytesIO(decompressor.read())
-                for _ in range(self.read_long(decompressed_data)):
+                for _ in range(self.readLong(decompressed_data)):
                     self.filelist.files.append(
                         FileInfo(
                             self.readString(decompressed_data),
@@ -130,8 +130,7 @@ async def getConfiguration(self) -> None:
                 self.configuration = AgentConfiguration(
                     **(await response.json())["sync"]
                 )
-                # self.semaphore = asyncio.Semaphore(self.configuration.concurrency)
-                self.semaphore = asyncio.Semaphore(64)
+                self.semaphore = asyncio.Semaphore(self.configuration.concurrency)
         logger.tdebug("configuration.debug.get", sync=self.configuration)
 
     async def getMissingFiles(self) -> FileList:
@@ -223,7 +222,6 @@ async def downloadFile(
                             pbar.update(len(content))
                             return
                 except Exception as e:
-                    logger.debug(_)
                     logger.terror(
                         "cluster.error.download_file.retry",
                         file=file.hash,
@@ -237,8 +235,9 @@ async def downloadFile(
     async def setupExpress(self, https: bool) -> None:
         logger.tinfo("cluster.info.router.creating")
         app = web.Application
-        Router(https, app)
-        
+        router = Router(https, app)
+        router.init()
+
 
     async def init(self) -> None:
         await asyncio.gather(*(storage.init() for storage in self.storages))
@@ -258,4 +257,4 @@ def readLong(self, stream: io.BytesIO):
         return (n >> 1) ^ -(n & 1)
 
     def readString(self, stream: io.BytesIO):
-        return stream.read(self.read_long(stream)).decode()
+        return stream.read(self.readLong(stream)).decode()

core/router.py

@@ -25,25 +25,25 @@ async def wrapper(request):
             return wrapper
         return decorator
 
-    @route("/auth")
-    async def _():
-        pass
+    def init(self) -> None:
+        @self.route("/auth")
+        async def _():
+            pass
 
-    @route("/download/{hash}")
-    async def _(self, request: web.Request, storages: List[Storage]) -> web.Response | web.StreamResponse:
-        def check_sign(hash: str, secret: str, query: dict) -> bool:
-            if not (s := query.get('s')) or not (e := query.get('e')): return False
-            sign = base64.urlsafe_b64encode(hashlib.sha1(f"{secret}{hash}{e}".encode('utf-8')).digest()).decode('utf-8').rstrip('=')
-            return sign == s and time.time() < int(e, 36)
-        
-        hash = request.match_info.get('hash').lower()
-        valid = check_sign(hash, self.secret, request.query)
-        if not valid:
-            return web.Response(text="invalid sign", status=403)
-        response = web.StreamResponse(status=200)
-        response.headers['x-bmclapi-hash'] = hash
-        storage = random.randint(0, len(storages) - 1)
-        data = storages[storage].express(hash, request, response)
-        return response
+        @self.route("/download/{hash}")
+        async def _(self, request: web.Request, storages: List[Storage]) -> web.Response | web.StreamResponse:
+            def check_sign(hash: str, secret: str, query: dict) -> bool:
+                if not (s := query.get('s')) or not (e := query.get('e')): return False
+                sign = base64.urlsafe_b64encode(hashlib.sha1(f"{secret}{hash}{e}".encode('utf-8')).digest()).decode('utf-8').rstrip('=')
+                return sign == s and time.time() < int(e, 36)
+            
+            hash = request.match_info.get('hash').lower()
+            valid = check_sign(hash, self.secret, request.query)
+            if not valid:
+                return web.Response(text="invalid sign", status=403)
+            response = web.StreamResponse(status=200)
+            response.headers['x-bmclapi-hash'] = hash
+            data = await random.choice(storages).express(hash, request, response)
+            return response
 
 

core/storages/local.py

@@ -39,7 +39,7 @@ async def writeFile(
             try:
                 async with aiofiles.open(file_path, "wb") as f:
                     await f.write(content.getbuffer())
-
+                await asyncio.sleep(0.1)
                 if os.path.getsize(file_path) == file.size:
                     return True
                 else: