feat(security): add validation for file path to prevent path traversal attacks

- Implemented a check to reject file paths containing "..", enhancing security against path traversal vulnerabilities in the file serving functionality.
2026-06-04 13:30:32 +08:00 · 2026-03-23 13:12:56 +08:00
parent b2c009e61c
commit 39816f2756
1 changed files with 4 additions and 0 deletions
--- a/internal/router/router.go
+++ b/internal/router/router.go
@@ -676,6 +676,10 @@ func serveFiles(r *gin.Engine) {
 			c.JSON(http.StatusBadRequest, gin.H{"error": "missing required parameter: file_path"})
 			return
 		}
+		if strings.Contains(filePath, "..") {
+			c.JSON(http.StatusBadRequest, gin.H{"error": "invalid file path"})
+			return
+		}

 		provider := types.ParseProviderScheme(filePath)