From 1f687a244455c47bd3eb8539fbcf38fffaccb0b0 Mon Sep 17 00:00:00 2001 From: moonD4rk Date: Mon, 4 Mar 2024 11:25:39 +0800 Subject: [PATCH 1/2] style: Improve message rendering and markdown handling in push module --- push/msg.go | 42 +++++++++++++++++++++++++++++++++++++++++- push/msg_test.go | 38 +++++++++++++++++++++++++++++++++++++- 2 files changed, 78 insertions(+), 2 deletions(-) diff --git a/push/msg.go b/push/msg.go index 70be8e0..78dac64 100644 --- a/push/msg.go +++ b/push/msg.go @@ -1,9 +1,10 @@ package push import ( - "github.com/zema1/watchvuln/grab" "strings" "text/template" + + "github.com/zema1/watchvuln/grab" ) const vulnInfoMsg = ` @@ -60,8 +61,21 @@ var ( initialMsgTpl = template.Must(template.New("markdown").Funcs(funcMap).Parse(initialMsg)) ) +const ( + maxDescriptionLength = 500 + maxReferenceIndexLength = 8 +) + func RenderVulnInfo(v *grab.VulnInfo) string { var builder strings.Builder + runeDescription := []rune(v.Description) + if len(runeDescription) > maxDescriptionLength { + v.Description = string(runeDescription[:maxDescriptionLength]) + "..." + } + if len(v.References) > maxReferenceIndexLength { + v.References = v.References[:maxReferenceIndexLength] + } + v.Description = escapeMarkdown(v.Description) if err := vulnInfoMsgTpl.Execute(&builder, v); err != nil { return err.Error() } 
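Review bot: RenderVulnInfo now mutates the `*grab.VulnInfo` it is handed — v.Description is truncated and escaped and v.References is resliced in place — so a caller that renders the same struct twice (as TestRenderVulnInfo2 in this same patch does) gets the already-escaped description escaped again (`\_` becomes `\\_`), and any later consumer of that VulnInfo sees the altered text. Work on a shallow copy instead: `cp := *v` / `v = &cp` as the first statements of the function; reslicing References on the copy leaves the caller's slice header untouched. Only Description passes through escapeMarkdown while Title, Solutions and Tags come from the same external feeds; if the template renders those fields into the same markdown body they need the same treatment, which cannot be confirmed from this hunk. RenderVulnInfo's body continues past the end of the hunk.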
@@ -119,3 +133,29 @@ func NewRawVulnInfoMessage(m *grab.VulnInfo) *RawMessage { Type: RawMessageTypeVulnInfo, } } + +// escapeMarkdown escapes the special characters in the markdown text. +// Pushing unclosed markdown tags on some IM platforms may result in formatting errors. +// Telegram push will directly report an send request error. +func escapeMarkdown(text string) string { + replacer := strings.NewReplacer( + "_", "\\_", + "*", "\\*", + "[", "\\[", + "]", "\\]", + "(", "\\(", + ")", "\\)", + "~", "\\~", + "`", "\\`", + ">", "\\>", + "#", "\\#", + "+", "\\+", + "-", "\\-", + "=", "\\=", + "|", "\\|", + "{", "\\{", + "}", "\\}", + "!", "\\!", + ) + return replacer.Replace(text) +} diff --git a/push/msg_test.go b/push/msg_test.go index a0bb3d6..0728b8e 100644 --- a/push/msg_test.go +++ b/push/msg_test.go @@ -2,8 +2,9 @@ package push import ( "fmt" - "github.com/zema1/watchvuln/grab" "testing" + + "github.com/zema1/watchvuln/grab" ) func TestRenderVulnInfo(t *testing.T) { @@ -40,3 +41,38 @@ func TestRenderVulnInfo(t *testing.T) { v.Solutions = "" fmt.Println(RenderVulnInfo(v)) } + +func TestRenderVulnInfo2(t *testing.T) { + v := &grab.VulnInfo{ + Title: "Pipreqs 代码执行漏洞", + CVE: "CVE-2023-31543", + Severity: "高危", + Tags: []string{"POC公开", "技术细节公开"}, + Disclosure: "2023-06-30", + 
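Review bot: escapeMarkdown leaves the backslash itself unescaped, so a description that already contains `\` (or text that has been through this function once) comes out as backslash-plus-escaped-character sequences that a MarkdownV2 parser reads differently from the intended literal; add `"\\", "\\\\",` as the first pair of the replacer. For Telegram's MarkdownV2, which the doc comment names, `.` is also in the reserved set, so the "..." appended by RenderVulnInfo's truncation and version strings such as 13.10.1 would still be rejected if that parse mode is in use — worth confirming against the mode the pusher sends. The replacer is rebuilt on every call although its table is constant; hoist it to a package-level `var markdownReplacer = strings.NewReplacer(...)` beside the templates and have the function return `markdownReplacer.Replace(text)`. The doc comment's "an send request error" should read "a send request error".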
From: "https://ti.qianxin.com/vulnerability", + Reason: []string{"created"}, + Description: "I Doc View在线文档预览系统是一套用于在Web环境中展示和预览各种文档类型的系统,如文本文档、电子表格、演示文稿、PDF文件等。2023年11月,官方发布13.10.1_20231115版本,修复相关漏洞。攻击者可利用该漏洞使服务器下载恶意文件,执行任意代码。", + GithubSearch: []string{"https://github.com/pipreqs/pipreqs/issues/1"}, + References: []string{"https://ti.qianxin.com/blog/articles/pipreqs-code-execution-vulnerability/"}, + Solutions: "1. 升级到最新版本\n2. 更新", + } + fmt.Println(RenderVulnInfo(v)) + fmt.Println("============================") + v.GithubSearch = nil + fmt.Println(RenderVulnInfo(v)) + fmt.Println("============================") + v.CVE = "" + fmt.Println(RenderVulnInfo(v)) + + fmt.Println("============================") + v.References = nil + fmt.Println(RenderVulnInfo(v)) + + fmt.Println("============================") + v.CVE = "CVE-2023-31543" + fmt.Println(RenderVulnInfo(v)) + + fmt.Println("============================") + v.Solutions = "" + fmt.Println(RenderVulnInfo(v)) +} From 511256253d7bc6e94dd8059ef3ffd8e18669b152 Mon Sep 17 00:00:00 2001 From: moonD4rk Date: Mon, 4 Mar 2024 11:41:20 +0800 Subject: [PATCH 2/2] test: Refactor test files for improved reliability and readability - Add test for markdown character escaping in vulnerability descriptions - Update push/msg_test.go to import assert package for tests --- push/msg_test.go | 55 +++++++++++++++++++++--------------------------- 1 file changed, 24 insertions(+), 31 deletions(-) diff --git a/push/msg_test.go b/push/msg_test.go index 0728b8e..f3a9055 100644 --- a/push/msg_test.go +++ b/push/msg_test.go @@ -4,6 +4,8 @@ import ( "fmt" "testing" + "github.com/stretchr/testify/assert" + "github.com/zema1/watchvuln/grab" ) @@ -42,37 +44,28 @@ func TestRenderVulnInfo(t *testing.T) { fmt.Println(RenderVulnInfo(v)) } -func TestRenderVulnInfo2(t *testing.T) { - v := &grab.VulnInfo{ - Title: "Pipreqs 代码执行漏洞", - CVE: "CVE-2023-31543", - Severity: "高危", - Tags: []string{"POC公开", "技术细节公开"}, - Disclosure: "2023-06-30", - 
From: "https://ti.qianxin.com/vulnerability", - Reason: []string{"created"}, - Description: "I Doc View在线文档预览系统是一套用于在Web环境中展示和预览各种文档类型的系统,如文本文档、电子表格、演示文稿、PDF文件等。2023年11月,官方发布13.10.1_20231115版本,修复相关漏洞。攻击者可利用该漏洞使服务器下载恶意文件,执行任意代码。", - GithubSearch: []string{"https://github.com/pipreqs/pipreqs/issues/1"}, - References: []string{"https://ti.qianxin.com/blog/articles/pipreqs-code-execution-vulnerability/"}, - Solutions: "1. 升级到最新版本\n2. 更新", +func TestEscapeMarkdown(t *testing.T) { + testCases := []struct { + name string + inputDescription string + expected string + }{ + { + name: "escape underscores", + inputDescription: "I Doc View。2023年11月,官方发布13.10.1_20231115版本,修复相关漏洞。", + expected: "I Doc View。2023年11月,官方发布13.10.1\\_20231115版本,修复相关漏洞。", + }, + { + name: "escape asterisks", + inputDescription: "This is not a *bold text", + expected: "This is not a \\*bold text", + }, } - fmt.Println(RenderVulnInfo(v)) - fmt.Println("============================") - v.GithubSearch = nil - fmt.Println(RenderVulnInfo(v)) - fmt.Println("============================") - v.CVE = "" - fmt.Println(RenderVulnInfo(v)) - - fmt.Println("============================") - v.References = nil - fmt.Println(RenderVulnInfo(v)) - fmt.Println("============================") - v.CVE = "CVE-2023-31543" - fmt.Println(RenderVulnInfo(v)) - - fmt.Println("============================") - v.Solutions = "" - fmt.Println(RenderVulnInfo(v)) + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + result := escapeMarkdown(tc.inputDescription) + assert.Equal(t, tc.expected, result) + }) + } }
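Review bot: TestEscapeMarkdown exercises only `_` and `*` out of the seventeen characters escapeMarkdown replaces, with no case combining several reserved characters in one string and none with a literal backslash or an empty string, so a regression in the replacer table would go unnoticed; add at least `{name: "escape mixed", inputDescription: "a-b (c) [d] #e!", expected: "a\\-b \\(c\\) \\[d\\] \\#e\\!"}` and `{name: "empty", inputDescription: "", expected: ""}`. Nothing in this series asserts RenderVulnInfo's new truncation at maxDescriptionLength and maxReferenceIndexLength, and TestRenderVulnInfo (above the hunk) still only prints; a case feeding a description longer than 500 runes and checking the rendered length would pin that behaviour. The hunk introduces testify while the rest of the file uses plain `testing`; if the module does not already depend on it, `if result != tc.expected { t.Fatalf("got %q, want %q", result, tc.expected) }` gives the same check without the new dependency.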