mirror of
https://github.com/siyuan-note/siyuan.git
synced 2026-02-12 18:24:21 +01:00
This commit is contained in:
Vanessa
parent
b37d0c1c5b
commit
b5c652b821
2 changed files with 8 additions and 36 deletions
|
|
@ -260,20 +260,12 @@ export class Plugin {
|
|||
}
|
||||
|
||||
public loadData(storageName: string): Promise<any> {
|
||||
const safePath = normalizeStoragePath(storageName);
|
||||
if (safePath === null) {
|
||||
return Promise.reject({
|
||||
code: 403,
|
||||
msg: `For plugin [${this.name}], storage path [${storageName}] is invalid: empty or path traversal not allowed.`,
|
||||
data: null
|
||||
} as IWebSocketData);
|
||||
}
|
||||
if (typeof this.data[storageName] === "undefined") {
|
||||
this.data[storageName] = "";
|
||||
}
|
||||
return new Promise((resolve) => {
|
||||
fetchPost("/api/file/getFile", {
|
||||
path: `/data/storage/petal/${this.name}/${safePath}`
|
||||
path: `/data/storage/petal/${this.name}/${normalizeStoragePath(storageName)}`
|
||||
}, (response) => {
|
||||
this.data[storageName] = response;
|
||||
resolve(this.data[storageName]);
|
||||
|
|
@ -291,19 +283,11 @@ export class Plugin {
|
|||
data: null
|
||||
});
|
||||
}
|
||||
const safePath = normalizeStoragePath(storageName);
|
||||
if (safePath === null) {
|
||||
return Promise.reject({
|
||||
code: 403,
|
||||
msg: `For plugin [${this.name}], storage path [${storageName}] is invalid: empty or path traversal not allowed.`,
|
||||
data: null
|
||||
} as IWebSocketData);
|
||||
}
|
||||
return new Promise((resolve, reject) => {
|
||||
const pathString = `/data/storage/petal/${this.name}/${safePath}`;
|
||||
const pathString = `/data/storage/petal/${this.name}/${normalizeStoragePath(storageName)}`;
|
||||
let file: File;
|
||||
try {
|
||||
const fileName = safePath.split("/").pop();
|
||||
const fileName = pathString.split("/").pop();
|
||||
if (typeof data === "object") {
|
||||
file = new File([new Blob([JSON.stringify(data)], {
|
||||
type: "application/json"
|
||||
|
|
@ -338,20 +322,11 @@ export class Plugin {
|
|||
data: null
|
||||
} as IWebSocketData);
|
||||
}
|
||||
const safePath = normalizeStoragePath(storageName);
|
||||
if (safePath === null) {
|
||||
return Promise.reject({
|
||||
code: 403,
|
||||
msg: `For plugin [${this.name}], storage path [${storageName}] is invalid: empty or path traversal not allowed.`,
|
||||
data: null
|
||||
} as IWebSocketData);
|
||||
}
|
||||
|
||||
return new Promise((resolve) => {
|
||||
if (!this.data) {
|
||||
this.data = {};
|
||||
}
|
||||
fetchPost("/api/file/removeFile", {path: `/data/storage/petal/${this.name}/${safePath}`}, (response) => {
|
||||
fetchPost("/api/file/removeFile", {path: `/data/storage/petal/${this.name}/${normalizeStoragePath(storageName)}`}, (response) => {
|
||||
delete this.data[storageName];
|
||||
resolve(response);
|
||||
});
|
||||
|
|
|
|||
|
|
@ -719,22 +719,19 @@ export const setNoteBook = (cb?: (notebook: INotebook[]) => void, flashcard = fa
|
|||
/**
|
||||
* 规范化并校验相对路径:允许子目录,但禁止通过 ".." 穿越到根外。
|
||||
* 用于插件存储,确保路径不逃出指定根目录。
|
||||
* @returns 规范化后的相对路径(使用 /),若路径非法则返回 null
|
||||
* @returns 规范化后的相对路径(使用 /),若路径非法则返回替换后的合法路径
|
||||
*/
|
||||
export const normalizeStoragePath = (storageName: string): string | null => {
|
||||
const normalized = storageName.replace(/\\/g, "/");
|
||||
const parts = normalized.split("/").filter(Boolean);
|
||||
const parts = storageName.replace(/\\/g, "/").split("/");
|
||||
const resolved: string[] = [];
|
||||
for (const part of parts) {
|
||||
if (part === "..") {
|
||||
if (resolved.length > 0) {
|
||||
resolved.pop();
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
} else if (part !== ".") {
|
||||
} else if (part && part !== ".") {
|
||||
resolved.push(part);
|
||||
}
|
||||
}
|
||||
return resolved.length > 0 ? resolved.join("/") : null;
|
||||
return resolved.length > 0 ? resolved.join("/") : storageName.replace(/[\/\\]+/g, "");
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue