open-source/qinglong
1
0
Fork 0
mirror of https://github.com/whyour/qinglong.git synced 2026-06-13 14:37:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

修复路径穿越

Browse Source
This commit is contained in:
whyour 2026-06-01 13:49:32 +08:00
parent ca347c5854
commit c0b7527148
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
back/api/config.ts
View File

@ -78,6 +78,12 @@ export default (app: Router) => {
if (name.startsWith('data/scripts/')) { if (name.startsWith('data/scripts/')) {
path = join(config.rootPath, name); path = join(config.rootPath, name);
} }
if (
!path.startsWith(config.configPath) &&
!path.startsWith(config.scriptPath)
) {
return res.send({ code: 403, message: '文件路径无效' });
}
await writeFileWithLock(path, content); await writeFileWithLock(path, content);
res.send({ code: 200, message: '保存成功' }); res.send({ code: 200, message: '保存成功' });
} catch (e) { } catch (e) {

5
back/config/util.ts
View File

@ -262,7 +262,10 @@ export async function readDir(
baseDir: string = '', baseDir: string = '',
blacklist: string[] = [], blacklist: string[] = [],
): Promise<IFile[]> { ): Promise<IFile[]> {
const absoluteDir = path.join(baseDir, dir); const absoluteDir = path.resolve(baseDir, dir);
if (!absoluteDir.startsWith(path.resolve(baseDir))) {
return [];
}
const relativePath = path.relative(baseDir, absoluteDir); const relativePath = path.relative(baseDir, absoluteDir);
try { try {