From 005cafb90d7503f9375af93d0662ab3c87fe761f Mon Sep 17 00:00:00 2001
From: HibiKier <775757368@qq.com>
Date: Sun, 11 May 2025 05:53:50 +0800
Subject: [PATCH] =?UTF-8?q?:zap:=20=E4=BF=AE=E5=A4=8D=E8=B7=AF=E5=BE=84?=
 =?UTF-8?q?=E6=A3=80=E6=B5=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../web_ui/api/tabs/system/__init__.py | 43 +++++++++++++------
 1 file changed, 30 insertions(+), 13 deletions(-)
diff --git a/zhenxun/builtin_plugins/web_ui/api/tabs/system/__init__.py b/zhenxun/builtin_plugins/web_ui/api/tabs/system/__init__.py
index aa92306a..923b3086 100644
--- a/zhenxun/builtin_plugins/web_ui/api/tabs/system/__init__.py
+++ b/zhenxun/builtin_plugins/web_ui/api/tabs/system/__init__.py
@@ -1,5 +1,6 @@
 import os
 from pathlib import Path
+import re
 import shutil
 import aiofiles
@@ -25,20 +26,36 @@ IMAGE_TYPE = ["jpg", "jpeg", "png", "gif", "bmp", "webp", "svg"]
 description="获取文件列表",
 )
 async def _(path: str | None = None) -> Result[list[DirFile]]:
- base_path = Path(path) if path else Path()
- data_list = []
- for file in os.listdir(base_path):
- file_path = base_path / file
- is_image = any(file.endswith(f".{t}") for t in IMAGE_TYPE)
- data_list.append(
- DirFile(
- is_file=not file_path.is_dir(),
- is_image=is_image,
- name=file,
- parent=path,
+ try:
+ # 清理和验证路径
+ if path:
+ # 移除任何可能的路径遍历尝试
+ path = re.sub(r"[\\/]\.\.[\\/]", "", path)
+ # 规范化路径
+ base_path = Path(path).resolve()
+ # 验证路径是否在项目根目录内
+ if not base_path.is_relative_to(Path().resolve()):
+ return Result.fail("访问路径超出允许范围")
+ else:
+ base_path = Path().resolve()
+
+ data_list = []
+ for file in os.listdir(base_path):
+ file_path = base_path / file
+ is_image = any(file.endswith(f".{t}") for t in IMAGE_TYPE)
+ data_list.append(
+ DirFile(
+ is_file=not file_path.is_dir(),
+ is_image=is_image,
+ name=file,
+ parent=str(base_path.relative_to(Path().resolve()))
+ if path
+ else None,
+ )
 )
- )
- return Result.ok(data_list)
+ return Result.ok(data_list)
+ except Exception as e:
+ return Result.fail(f"获取文件列表失败: {e!s}")
 @router.get(
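Review bot: The `path = re.sub(r"[\\/]\.\.[\\/]", "", path)` line is a partial blacklist that the `resolve()` + `is_relative_to()` check a few lines below already makes unnecessary: the pattern only removes a `..` segment that has a separator on both sides, so it does not cover every form of the input, and it silently rewrites the caller's request instead of rejecting it, which also makes the returned `parent` value harder to reason about. I would drop the regex, compute the root once instead of calling `Path().resolve()` three times, and anchor the request to it: `root = Path().resolve()`, `base_path = (root / path).resolve() if path else root`, `if not base_path.is_relative_to(root): return Result.fail("访问路径超出允许范围")`. The `except Exception as e` branch returns `str(e)` to the web client; for `OSError` subclasses that string carries the absolute filesystem path, so log the exception server-side and return a fixed message instead. Note that `Path().resolve()` is the current working directory, not necessarily the project root the comment describes, so the "允许范围" depends on how the process is launched. The function's decorator begins above the hunk.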