security fix

This commit is contained in:
Yuzhong Zhang
2025-07-08 21:30:32 +08:00
parent 707b7283f6
commit ff8e64cccb
2 changed files with 40 additions and 7 deletions
+17 -1
@@ -9,6 +9,7 @@ import (
"log"
"os"
"path/filepath"
"strings"
"time"
"github.com/oklog/ulid/v2"
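Review bot: The `strings` import added here exists to serve the `strings.HasPrefix(absFilePath, absUserPath)` containment check in the second hunk, and a bare prefix comparison is bypassable: an ID such as `../<user>2/x` is cleaned by `filepath.Join` into a sibling directory whose absolute path still begins with `absUserPath`, so it passes the check. Compare with `filepath.Rel` from the already-imported `path/filepath` instead, e.g. `rel, err := filepath.Rel(absUserPath, absFilePath)` followed by `if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {`, which also rejects an empty ID that would otherwise name the user directory itself. `filepath.Abs` does not resolve symlinks, so if entries under the user directory can be symlinks the path should go through `filepath.EvalSymlinks` before the comparison — whether that applies is not determinable from this diff. The new check also calls `fmt.Errorf`, and `fmt` is not visible in this import hunk; presumably it is imported above line 9. The `if os.IsNotExist(err)` block opened at the end of the second hunk continues past the visible part of the page.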
@@ -127,7 +128,22 @@ func (s *fsStore) Get(ctx context.Context, userID, id string) (*core.Canvas, err
filePath := filepath.Join(userPath, id)
log := logrus.WithFields(logrus.Fields{"user_id": userID, "canvas_id": id, "path": filePath})
data, err := os.ReadFile(filePath)
// 关键修复:验证路径合法性
absUserPath, err := filepath.Abs(userPath)
if err != nil {
return nil, err // or handle error appropriately
}
absFilePath, err := filepath.Abs(filePath)
if err != nil {
return nil, err // or handle error appropriately
}
if !strings.HasPrefix(absFilePath, absUserPath) {
return nil, fmt.Errorf("invalid path: access denied")
}
// 修复结束
data, err := os.ReadFile(absFilePath) // 使用清理过的路径
if err != nil {
if os.IsNotExist(err) {
log.Warn("Canvas file not found")