1

main.py

@@ -41,6 +41,10 @@ orderby_list = {
     6: "price",  # 当前价格
     7: "mcScore"  # 评分
 }
+dirty_stuff = [
+    "\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+", "&", "$",
+    "(", ")", "%", "@"
+]
 
 
 def create_app():
@@ -88,6 +92,13 @@ async def getPlatform(request: Request, platformAlias: str):
     )
 
 
+def check_dirty(strings: str) -> bool:
+    for key in dirty_stuff:
+        if key in str(strings):
+            return True
+    return False
+
+
 @app.get("/getgamelist")
 async def getgamelist(request: Request,
                       category: str = '',
@@ -100,6 +111,12 @@ async def getgamelist(request: Request,
                       limit: int = 10,
                       orderbyid: int = 1):
     db = request.app.state.mongo
+    if check_dirty(category) or check_dirty(gameids) or check_dirty(
+            name) or check_dirty(platform):
+        return JSONResponse(
+            status_code=starlette.status.HTTP_500_INTERNAL_SERVER_ERROR,
+            content="args check failed!",
+        )
 
     try:
         find_args = {}
@@ -169,6 +186,11 @@ async def getgamelist(request: Request,
 
 @app.get("/getgameinfo")
 async def getgameinfo(request: Request, oldGameId: int = 0, name: str = ""):
+    if check_dirty(name) or check_dirty(oldGameId):
+        return JSONResponse(
+            status_code=starlette.status.HTTP_500_INTERNAL_SERVER_ERROR,
+            content="args check failed!",
+        )
     db = request.app.state.mongo
     if oldGameId:
         gameinfo = db["gameinfo"].find({"oldGameId": oldGameId}, {"_id": 0})
@@ -189,6 +211,11 @@ async def getgameinfo(request: Request, oldGameId: int = 0, name: str = ""):
 
 @app.get("/getgameprice")
 async def getgameprice(request: Request, oldGameId: int, nums: int = 0):
+    if check_dirty(oldGameId):
+        return JSONResponse(
+            status_code=starlette.status.HTTP_500_INTERNAL_SERVER_ERROR,
+            content="args check failed!",
+        )
     db = request.app.state.mongo
     if nums == 0:
         gameprice = db["gameprice"].find_one({"oldGameId": oldGameId},
@@ -201,7 +228,7 @@ async def getgameprice(request: Request, oldGameId: int, nums: int = 0):
             gameprice['prices'] = price[:nums]
         else:
             logger.error(f"get price with {oldGameId} failed\n {gameprice}")
-            gameprice = {}
+            gameprice = {"prices": []}
 
     logger.info(f"get gameprice with {oldGameId} !")
     return JSONResponse(
@@ -212,6 +239,11 @@ async def getgameprice(request: Request, oldGameId: int, nums: int = 0):
 
 @app.get("/getgameinfoext")
 async def getgameinfoext(request: Request, oldGameId: int):
+    if check_dirty(oldGameId):
+        return JSONResponse(
+            status_code=starlette.status.HTTP_500_INTERNAL_SERVER_ERROR,
+            content="args check failed!",
+        )
     db = request.app.state.mongo
     gameinfoext = db["gameinfoext"].find_one({"oldGameId": oldGameId},
                                              {"_id": 0})
@@ -239,6 +271,11 @@ async def getgameinfoext(request: Request, oldGameId: int):
 
 @app.get("/gethistoryprice")
 async def gethistoryprice(request: Request, oldGameId: int):
+    if check_dirty(oldGameId):
+        return JSONResponse(
+            status_code=starlette.status.HTTP_500_INTERNAL_SERVER_ERROR,
+            content="args check failed!",
+        )
     db = request.app.state.mongo
     history_price = db["history_price"].find_one({"oldGameId": oldGameId},
                                                  {"_id": 0})