mirror of
https://github.com/whyour/qinglong.git
synced 2026-07-01 04:40:38 +08:00
修复路径穿越
This commit is contained in:
+4
-1
@@ -262,7 +262,10 @@ export async function readDir(
|
||||
baseDir: string = '',
|
||||
blacklist: string[] = [],
|
||||
): Promise<IFile[]> {
|
||||
const absoluteDir = path.join(baseDir, dir);
|
||||
const absoluteDir = path.resolve(baseDir, dir);
|
||||
if (!absoluteDir.startsWith(path.resolve(baseDir))) {
|
||||
return [];
|
||||
}
|
||||
const relativePath = path.relative(baseDir, absoluteDir);
|
||||
|
||||
try {
|
||||
|
||||
Reference in New Issue
Block a user