修复文件越权访问

whyour
2024-09-04 23:25:48 +08:00
parent 8c0f46420e
commit a0613d0f39
8 changed files with 50 additions and 36 deletions
+6 -4
@@ -65,11 +65,13 @@ export default class ScriptService {
}
public async getFile(filePath: string, fileName: string) {
let _filePath = join(config.scriptPath, filePath, fileName);
if (filePath.startsWith(config.dataPath)) {
_filePath = join(filePath, fileName);
const finalPath = path.resolve(config.scriptPath, filePath, fileName);
if (!finalPath.startsWith(config.scriptPath)) {
return '';
}
const content = await getFileContentByName(_filePath);
const content = await getFileContentByName(finalPath);
return content;
}
}
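Review bot: The new containment check in `getFile`, `finalPath.startsWith(config.scriptPath)`, is a plain string-prefix test. A resolved path in a sibling directory whose name merely begins with the same characters as the script directory therefore still passes. Comparing against the normalized root plus a separator closes that gap: `if (!finalPath.startsWith(path.resolve(config.scriptPath) + path.sep)) {`. `path.resolve` is purely lexical, so if symlinks can exist under the script directory the check should be made on the `fs.promises.realpath` result instead; whether that applies here is not visible from this hunk. Returning `''` also makes a rejected path indistinguishable from an empty file, so a log line or a distinct error on the reject branch would help callers and auditing.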