New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LeanCloud 统计避免恶意篡改 #763

Closed

2 tasks done

AnzhiZhang opened this issue Jun 9, 2022 · 3 comments

Labels

🍻 good first issue ✨ enhancement

AnzhiZhang commented Jun 9, 2022

请确认

是当前最新的 Release 版本
在用户指南中没有找到解决办法

问题描述

使用 LeanCloud 统计访问量，发现可以访问 API 实现恶意篡改访问量。

示例

import requests
print(requests.put(
    'https://n7i9euyn.api.lncldglobal.com/1.1/classes/Counter/xxx',
    json={"time": 200},
    headers={
        'x-lc-id': 'xxx',
        'x-lc-key': 'xxx'
    }
).json())

URL 的参数在请求返回中：

ID 和 Key 在请求头中：

我已成功在我的博客和您的博客测试以上代码篡改访问量成功。

尝试的解决方案

官方文档的安全域名设置，没有效果

Member

zkqiang commented Jun 9, 2022

安全域名只对 JavaScript SDK 有效

后续计划通过类似于 hexo-leancloud-counter-security 来解决这个问题

Member

zkqiang commented Jun 9, 2022 •

edited

另外可以参考 https://leaferx.online/2018/02/11/lc-security/ 前半部分

去设置 beforeUpdate 参数校验，我的博客已经加上去了

zkqiang added the ✨ enhancement label

zkqiang changed the title ~~Help Wanted：LeanCloud 访问量统计如何避免恶意篡改~~ LeanCloud 统计避免恶意篡改

Author

AnzhiZhang commented Jun 9, 2022

补充一点：需要修改 LeanCloud 数据库权限，仅保留 find 和 update 即可

zkqiang added the 🍻 good first issue label

AnzhiZhang closed this as completed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment