From c0b752714842cf382e3b6f0a9eb90681b473cba1 Mon Sep 17 00:00:00 2001
From: whyour
Date: Mon, 1 Jun 2026 13:49:32 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E8=B7=AF=E5=BE=84=E7=A9=BF?=
 =?UTF-8?q?=E8=B6=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 back/api/config.ts  | 6 ++++++
 back/config/util.ts | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/back/api/config.ts b/back/api/config.ts
index 55c740fd..3fe3f463 100644
--- a/back/api/config.ts
+++ b/back/api/config.ts
@@ -78,6 +78,12 @@ export default (app: Router) => {
         if (name.startsWith('data/scripts/')) {
           path = join(config.rootPath, name);
         }
+        if (
+          !path.startsWith(config.configPath) &&
+          !path.startsWith(config.scriptPath)
+        ) {
+          return res.send({ code: 403, message: '文件路径无效' });
+        }
         await writeFileWithLock(path, content);
         res.send({ code: 200, message: '保存成功' });
       } catch (e) {
diff --git a/back/config/util.ts b/back/config/util.ts
index c4842d92..ff1aa544 100644
--- a/back/config/util.ts
+++ b/back/config/util.ts
@@ -262,7 +262,10 @@ export async function readDir(
   baseDir: string = '',
   blacklist: string[] = [],
 ): Promise {
-  const absoluteDir = path.join(baseDir, dir);
+  const absoluteDir = path.resolve(baseDir, dir);
+  if (!absoluteDir.startsWith(path.resolve(baseDir))) {
+    return [];
+  }
   const relativePath = path.relative(baseDir, absoluteDir);
   try {
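Review bot: The new guard in the config.ts hunk is a bare string-prefix test, so a sibling directory whose name merely extends the allowed one still passes: with `config.configPath` equal to `/ql/data/config`, a `name` of `../config2/x` is normalised by `join` to `/ql/data/config2/x`, which `startsWith('/ql/data/config')` and is written. The comparison should be anchored at a directory boundary, e.g. `!path.startsWith(join(config.configPath, sep)) &&` and `!path.startsWith(join(config.scriptPath, sep))`, with `sep` imported from `path` next to `join` if it is not already (the import block is outside this hunk). The route handler that contains these lines, and the `let path = join(config.configPath, name)` it guards, start and end outside the hunk, so whether `configPath`/`scriptPath` already carry a trailing separator cannot be confirmed from here; anchoring with `sep` is correct either way. A short comment above the check, `// Reject any resolved target outside the config or scripts tree (path traversal)`, would also make the 403 branch self-explanatory.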