From 4d6d47bf8df93a73cd358ca8f78aa1c2c6d23484 Mon Sep 17 00:00:00 2001
From: HibiKier <775757368@qq.com>
Date: Mon, 12 May 2025 09:46:05 +0800
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20=E4=BC=98=E5=8C=96=E8=B7=AF?=
 =?UTF-8?q?=E5=BE=84=E9=AA=8C=E8=AF=81=E5=8A=9F=E8=83=BD=EF=BC=8C=E5=A2=9E?=
 =?UTF-8?q?=E5=8A=A0=E5=AF=B9=E9=9D=9E=E6=B3=95=E5=AD=97=E7=AC=A6=E5=92=8C?=
 =?UTF-8?q?=E8=B7=AF=E5=BE=84=E9=95=BF=E5=BA=A6=E7=9A=84=E6=A3=80=E6=9F=A5?=
 =?UTF-8?q?=EF=BC=8C=E7=A1=AE=E4=BF=9D=E7=94=A8=E6=88=B7=E8=BE=93=E5=85=A5?=
 =?UTF-8?q?=E7=9A=84=E8=B7=AF=E5=BE=84=E6=9B=B4=E5=8A=A0=E5=AE=89=E5=85=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 zhenxun/builtin_plugins/web_ui/utils.py | 26 +++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/zhenxun/builtin_plugins/web_ui/utils.py b/zhenxun/builtin_plugins/web_ui/utils.py
index 8e076dc0..9ff803e9 100644
--- a/zhenxun/builtin_plugins/web_ui/utils.py
+++ b/zhenxun/builtin_plugins/web_ui/utils.py
@@ -42,14 +42,28 @@ def validate_path(path_str: str | None) -> tuple[Path | None, str | None]:
         if not path_str:
             return Path().resolve(), None
-        # 移除任何可能的路径遍历尝试
+        # 1. 移除任何可能的路径遍历尝试
         path_str = re.sub(r"[\\/]\.\.[\\/]", "", path_str)
-        # 规范化路径
+
+        # 2. 规范化路径并转换为绝对路径
         path = Path(path_str).resolve()
-        # 验证路径是否在项目根目录内
-        if not path.is_relative_to(Path().resolve()):
-            return None, "访问路径超出允许范围"
-        return path, None
+
+        # 3. 获取项目根目录
+        root_dir = Path().resolve()
+
+        # 4. 验证路径是否在项目根目录内
+        try:
+            if not path.is_relative_to(root_dir):
+                return None, "访问路径超出允许范围"
+        except ValueError:
+            return None, "无效的路径格式"
+
+        # 5. 验证路径是否包含任何危险字符
+        if any(c in str(path) for c in ["..", "~", "*", "?", ">", "<", "|", '"']):
+            return None, "路径包含非法字符"
+
+        # 6. 验证路径长度是否合理
+        return (None, "路径长度超出限制") if len(str(path)) > 4096 else (path, None)
     except Exception as e:
         return None, f"路径验证失败: {e!s}"
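Review bot: The step-5 character check runs on `str(path)`, which after `resolve()` is the absolute path including `root_dir`, so if the project checkout itself lives under a directory containing any of the listed characters every request is rejected, while the `".."` entry can never match a resolved path and is dead. Scoping the check to the part below the root keeps the intent and removes both problems, e.g. `rel = str(path.relative_to(root_dir))` followed by `if any(c in rel for c in ("~", "*", "?", ">", "<", "|", '"')):`. The `except ValueError` around `is_relative_to` in step 4 also looks unreachable, since that method returns a bool rather than raising on the versions that provide it; if it is kept, a comment saying which call is expected to raise would help. Note that the step-1 `re.sub` rewrites rather than rejects (`a/../b` becomes `ab`), so a caller can end up with a different in-root path than the one requested even though step 4 already provides the authoritative containment check; consider returning an error on a match instead of substituting. The enclosing `try:` and the function signature start outside the hunk.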