perf: 邮件模版安全优化

packages/libs/lib-k8s/src/lib/k8s.client.ts

@@ -168,6 +168,7 @@ export class K8sClient {
     const oldIngress = await client.readNamespacedIngress(ingressName, namespace);
     const newIngress = merge(oldIngress.body, opts.body);
     const res = await client.replaceNamespacedIngress(ingressName, namespace, newIngress);
+
     this.logger.info("ingress patched", opts.body);
     return res;
   }

packages/ui/certd-server/src/plugins/plugin-other/plugins/plugin-deploy-to-mail.ts

@@ -1,6 +1,7 @@
 import {AbstractTaskPlugin, FileItem, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput} from '@certd/pipeline';
 import {CertInfo, CertReader} from "@certd/plugin-cert";
 import dayjs from "dayjs";
+import { get } from 'lodash-es';
 
 @IsTaskPlugin({
   name: 'DeployCertToMailPlugin',
@@ -176,11 +177,18 @@ export class DeployCertToMailPlugin extends AbstractTaskPlugin {
     })
   }
 
-  compile(templateString:string) {
-    return new Function('data', `    with(data || {}) {
-        return \`${templateString}\`;
-      }
-    `);
-  }
+  compile(templateString: string) {
+  // 1. 转义所有HTML特殊字符
+  
+  // 2. 使用更安全的方式替换变量
+  return function(data) {
+    return templateString.replace(/\${(.*?)}/g, (match, key) => {
+      // 3. 安全地获取属性，避免原型链访问
+      const value = get(data, key, '');
+      // 4. 对值也进行转义
+      return String(value);
+    });
+  };
+}
 }
 new DeployCertToMailPlugin();