fix(security): directory traversal (OpenListTeam#744)

hshpy · j2rong4cn · web-flow · commit bba4fb22031f · 2025-07-22T14:45:01.000+08:00
* fix(security): Directory traversal

* chore: .

* 优化

---------

Co-authored-by: j2rong4cn &lt;j2rong@qq.com&gt;
diff --git a/internal/errs/errors.go b/internal/errs/errors.go
@@ -10,7 +10,7 @@ import (
 var (
 	NotImplement = errors.New("not implement")
 	NotSupport   = errors.New("not support")
-	RelativePath = errors.New("access using relative path is not allowed")
+	RelativePath = errors.New("using relative path is not allowed")
 
 	MoveBetweenTwoStorages = errors.New("can't move files between two storages, try to copy")
 	UploadNotSupported     = errors.New("upload not supported")
diff --git a/pkg/utils/path.go b/pkg/utils/path.go
@@ -75,20 +75,20 @@ func EncodePath(path string, all ...bool) string {
 }
 
 func JoinBasePath(basePath, reqPath string) (string, error) {
-	/** relative path:
-	 * 1. ..
-	 * 2. ../
-	 * 3. /..
-	 * 4. /../
-	 * 5. /a/b/..
-	 */
-	if reqPath == ".." ||
-		strings.HasSuffix(reqPath, "/..") ||
-		strings.HasPrefix(reqPath, "../") ||
-		strings.Contains(reqPath, "/../") {
+	reqPath, err := CheckRelativePath(reqPath)
+	if err != nil {
+		return "", err
+	}
+	return stdpath.Join(FixAndCleanPath(basePath), reqPath), nil
+}
+
+func CheckRelativePath(path string) (string, error) {
+	isRelativePath := strings.Contains(path, "..")
+	path = FixAndCleanPath(path)
+	if isRelativePath && !strings.Contains(path, "..") {
 		return "", errs.RelativePath
 	}
-	return stdpath.Join(FixAndCleanPath(basePath), FixAndCleanPath(reqPath)), nil
+	return path, nil
 }
 
 func GetFullPath(mountPath, path string) string {
diff --git a/server/handles/fsbatch.go b/server/handles/fsbatch.go
@@ -11,6 +11,7 @@ import (
 	"github.com/OpenListTeam/OpenList/v4/internal/model"
 	"github.com/OpenListTeam/OpenList/v4/internal/op"
 	"github.com/OpenListTeam/OpenList/v4/pkg/generic"
+	"github.com/OpenListTeam/OpenList/v4/pkg/utils"
 	"github.com/OpenListTeam/OpenList/v4/server/common"
 	"github.com/gin-gonic/gin"
 	"github.com/pkg/errors"
@@ -173,6 +174,11 @@ func FsBatchRename(c *gin.Context) {
 		if renameObject.SrcName == "" || renameObject.NewName == "" {
 			continue
 		}
+		renameObject.NewName, err = utils.CheckRelativePath(renameObject.NewName)
+		if err != nil {
+			common.ErrorResp(c, err, 403)
+			return
+		}
 		filePath := fmt.Sprintf("%s/%s", reqPath, renameObject.SrcName)
 		if err := fs.Rename(c.Request.Context(), filePath, renameObject.NewName); err != nil {
 			common.ErrorResp(c, err, 500)
@@ -228,10 +234,13 @@ func FsRegexRename(c *gin.Context) {
 	}
 
 	for _, file := range files {
-
 		if srcRegexp.MatchString(file.GetName()) {
+			newFileName, err := utils.CheckRelativePath(srcRegexp.ReplaceAllString(file.GetName(), req.NewNameRegex))
+			if err != nil {
+				common.ErrorResp(c, err, 403)
+				return
+			}
 			filePath := fmt.Sprintf("%s/%s", reqPath, file.GetName())
-			newFileName := srcRegexp.ReplaceAllString(file.GetName(), req.NewNameRegex)
 			if err := fs.Rename(c.Request.Context(), filePath, newFileName); err != nil {
 				common.ErrorResp(c, err, 500)
 				return
diff --git a/server/handles/fsmanage.go b/server/handles/fsmanage.go
@@ -204,6 +204,9 @@ func FsRename(c *gin.Context) {
 		return
 	}
 	reqPath, err := user.JoinPath(req.Path)
+	if err == nil {
+		req.Name, err = utils.CheckRelativePath(req.Name)
+	}
 	if err != nil {
 		common.ErrorResp(c, err, 403)
 		return
