From cc2239f9693bd3ba7e8f108084d7437e2cda2459 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Sun, 20 Apr 2025 10:53:16 +0800
Subject: [PATCH] :technologist: Improve kernel API `/api/file/putFile` parameter validation https://github.com/siyuan-note/siyuan/issues/14658

---
 kernel/api/file.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/kernel/api/file.go b/kernel/api/file.go
index 78d37064d..ad9c4bfd5 100644
--- a/kernel/api/file.go
+++ b/kernel/api/file.go
@@ -380,6 +380,12 @@ func putFile(c *gin.Context) {
 		return
 	}
 
+	if !isValidFileName(fileAbsPath) { // Improve kernel API `/api/file/putFile` parameter validation https://github.com/siyuan-note/siyuan/issues/14658
+		ret.Code = http.StatusBadRequest
+		ret.Msg = "invalid file path, please check https://github.com/siyuan-note/siyuan/issues/14658 for more details"
+		return
+	}
+
 	isDirStr := c.PostForm("isDir")
 	isDir, _ := strconv.ParseBool(isDirStr)
 
@@ -459,3 +465,8 @@ func millisecond2Time(t int64) time.Time {
 	msec := t % 1000
 	return time.Unix(sec, msec*int64(time.Millisecond))
 }
+
+func isValidFileName(p string) bool {
+	name := filepath.Base(p)
+	return name == util.FilterUploadFileName(name)
+}
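Review bot: The new guard in putFile only validates the last path element, because isValidFileName (second hunk) runs util.FilterUploadFileName over filepath.Base(p) alone; every directory component of fileAbsPath passes untouched, so a filename-only filter does nothing for the rest of the path. How fileAbsPath is derived from the request is outside this hunk, so whether a containment check against the workspace root already exists cannot be confirmed from here; if it does, a short comment next to this guard stating that traversal is handled earlier and this check is about name characters only would stop readers from assuming it does more. The rejection message says "invalid file path" while the check is on the name; consider `ret.Msg = "invalid file name, please check https://github.com/siyuan-note/siyuan/issues/14658 for more details"`. The trailing comment on the `if` line repeats the commit subject verbatim; a shorter `// Reject names that the upload filter would rewrite (issue #14658).` reads better. putFile starts and ends outside the hunk.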
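Review bot: isValidFileName has no doc comment and its name suggests more than it checks, since it accepts a whole path but compares only filepath.Base(p) with the filtered form. Add `// isValidFileName reports whether the last element of p is unchanged by util.FilterUploadFileName; parent directories are not inspected.` above the function. filepath.Base returns "." for an empty string and "/" for a root path, and whether those survive util.FilterUploadFileName unchanged is not visible here, so an explicit early `return false` for those two values (or a comment saying they are accepted on purpose) would pin the behaviour for the edge case.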