修复路径穿越

2026-07-01 04:40:38 +08:00 · 2026-06-01 13:49:32 +08:00
parent ca347c5854
commit c0b7527148
2 changed files with 10 additions and 1 deletions
@@ -78,6 +78,12 @@ export default (app: Router) => {
        if (name.startsWith('data/scripts/')) {
          path = join(config.rootPath, name);
        }
+        if (
+          !path.startsWith(config.configPath) &&
+          !path.startsWith(config.scriptPath)
+        ) {
+          return res.send({ code: 403, message: '文件路径无效' });
+        }
        await writeFileWithLock(path, content);
        res.send({ code: 200, message: '保存成功' });
      } catch (e) {