修复路径穿越

2026-06-13 14:37:28 +08:00 · 2026-06-01 13:49:32 +08:00 · 2026-06-01 13:49:32 +08:00 · c0b7527148
commit c0b7527148
parent ca347c5854
2 changed files with 10 additions and 1 deletions
--- a/back/api/config.ts
+++ b/back/api/config.ts
@ -78,6 +78,12 @@ export default (app: Router) => {
        if (name.startsWith('data/scripts/')) {
          path = join(config.rootPath, name);
        }
+        if (
+          !path.startsWith(config.configPath) &&
+          !path.startsWith(config.scriptPath)
+        ) {
+          return res.send({ code: 403, message: '文件路径无效' });
+        }
        await writeFileWithLock(path, content);
        res.send({ code: 200, message: '保存成功' });
      } catch (e) {
--- a/back/config/util.ts
+++ b/back/config/util.ts
@ -262,7 +262,10 @@ export async function readDir(
  baseDir: string = '',
  blacklist: string[] = [],
 ): Promise<IFile[]> {
-  const absoluteDir = path.join(baseDir, dir);
+  const absoluteDir = path.resolve(baseDir, dir);
+  if (!absoluteDir.startsWith(path.resolve(baseDir))) {
+    return [];
+  }
  const relativePath = path.relative(baseDir, absoluteDir);

  try {