修复文件越权访问
+14
-2
@@ -11,9 +11,21 @@ export default class ConfigService {
|
||||
|
||||
public async getFile(filePath: string, res: Response) {
|
||||
let content = '';
|
||||
if (config.blackFileList.includes(filePath) || !filePath) {
|
||||
res.send({ code: 403, message: '文件无法访问' });
|
||||
const avaliablePath = [config.rootPath, config.configPath].map((x) =>
|
||||
path.resolve(x, filePath),
|
||||
);
|
||||
|
||||
if (
|
||||
config.blackFileList.includes(filePath) ||
|
||||
avaliablePath.every(
|
||||
(x) =>
|
||||
!x.startsWith(config.scriptPath) && !x.startsWith(config.configPath),
|
||||
) ||
|
||||
!filePath
|
||||
) {
|
||||
return res.send({ code: 403, message: '文件无法访问' });
|
||||
}
|
||||
|
||||
if (filePath.startsWith('sample/')) {
|
||||
const res = await got.get(
|
||||
`https://gitlab.com/whyour/qinglong/-/raw/master/${filePath}`,
|
||||
|
||||
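Review bot: The new guard's `startsWith(config.scriptPath)` and `startsWith(config.configPath)` comparisons are plain string-prefix checks, so any resolved path that begins with the base string — including a sibling directory whose name merely extends the base — is accepted unless those config values happen to end in a separator; `finalPath.startsWith(config.scriptPath)` in ScriptService.getFile below has the same weakness. Anchor the comparison on a directory boundary, e.g. `const inside = (p: string, base: string) => p.startsWith(path.join(base, path.sep));` and then `avaliablePath.every((x) => !inside(x, config.scriptPath) && !inside(x, config.configPath))`. The guard also only establishes that some candidate in `avaliablePath` lies inside an allowed directory; the read that follows is outside this hunk, and if it re-joins `filePath` against a base on its own, the path that was checked and the path that is opened can differ — reading the validated candidate itself keeps them the same, and comparing `blackFileList` against that resolved path rather than the raw `filePath` string would stop the blacklist from matching only one exact spelling. Minor: `avaliablePath` is misspelled (`availablePaths`), and the cheap `!filePath` test reads better as the first disjunct rather than after the blacklist lookup and the `path.resolve` calls it currently trails. getFile's body continues past the end of the hunk.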
@@ -65,11 +65,13 @@ export default class ScriptService {
|
||||
}
|
||||
|
||||
public async getFile(filePath: string, fileName: string) {
|
||||
let _filePath = join(config.scriptPath, filePath, fileName);
|
||||
if (filePath.startsWith(config.dataPath)) {
|
||||
_filePath = join(filePath, fileName);
|
||||
const finalPath = path.resolve(config.scriptPath, filePath, fileName);
|
||||
|
||||
if (!finalPath.startsWith(config.scriptPath)) {
|
||||
return '';
|
||||
}
|
||||
const content = await getFileContentByName(_filePath);
|
||||
|
||||
const content = await getFileContentByName(finalPath);
|
||||
return content;
|
||||
}
|
||||
}
|
||||
|
||||
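Review bot: `return ''` on the `!finalPath.startsWith(config.scriptPath)` branch makes a rejected path indistinguishable from a genuinely empty file, so a caller cannot tell an authorization failure from empty content or log it as one; returning `undefined` or throwing a typed error that the route maps to a 403 would keep the two cases apart (this changes the method's return type, so its callers need checking). The method also carries no doc comment; a TSDoc block stating that `filePath` and `fileName` are resolved beneath `config.scriptPath`, that any result resolving outside it is refused, and what the caller receives in that case would record the contract this commit introduces. Style: the trailing `const content = await getFileContentByName(finalPath); return content;` can simply be `return getFileContentByName(finalPath);`.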