From 39816f2756d02f52bb1ca4ef8faec96a5cb337ec Mon Sep 17 00:00:00 2001
From: wizardchen
Date: Mon, 23 Mar 2026 13:12:56 +0800
Subject: [PATCH] feat(security): add validation for file path to prevent path traversal attacks
- Implemented a check to reject file paths containing "..", enhancing security against path traversal vulnerabilities in the file serving functionality.
---
 internal/router/router.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/internal/router/router.go b/internal/router/router.go
index a6b26768..780f259f 100644
--- a/internal/router/router.go
+++ b/internal/router/router.go
@@ -676,6 +676,10 @@ func serveFiles(r *gin.Engine) {
 c.JSON(http.StatusBadRequest, gin.H{"error": "missing required parameter: file_path"})
 return
 }
+ if strings.Contains(filePath, "..") {
+ c.JSON(http.StatusBadRequest, gin.H{"error": "invalid file path"})
+ return
+ }
 provider := types.ParseProviderScheme(filePath)
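Review bot: The new `strings.Contains(filePath, "..")` guard in serveFiles is a substring test on the raw parameter, so it rejects legitimate names such as `report..v2.pdf` and does nothing about absolute paths. It also runs before `types.ParseProviderScheme`, and the rest of the handler lies outside the hunk, so it is not visible how the path is resolved afterwards. If the local-storage branch joins the value onto a base directory, the check belongs there, for example `if !filepath.IsLocal(rel) { ... }` on the scheme-stripped path, or a comparison of the cleaned, joined path against the base directory. Rejected requests are worth logging with the path formatted via `%q` so that repeated invalid-path requests show up in monitoring. A table-driven test of accepted and rejected paths would pin the behaviour.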