Check if file or dir is .. (#711)

* Check if file or dir is .. * Diff and check name is .. * Go diff and check name is .. * Check if ignore new name or name --------- Co-authored-by: 杨赫然 <heran.yang@seafile.com>
2025-09-05 01:11:05 +00:00 · 2024-10-31 17:13:23 +08:00
parent 665d0083bd
commit d727249a08
4 changed files with 111 additions and 0 deletions
--- a/fileserver/sync_api.go
+++ b/fileserver/sync_api.go
@@ -1045,6 +1045,11 @@ func putUpdateBranchCB(rsp http.ResponseWriter, r *http.Request) *appError {
 		return &appError{err, "", http.StatusInternalServerError}
 	}

+	if includeInvalidPath(base, newCommit) {
+		msg := fmt.Sprintf("Dir or file name is ..")
+		return &appError{nil, msg, http.StatusBadRequest}
+	}
+
 	ret, err := checkQuota(repoID, 0)
 	if err != nil {
 		err := fmt.Errorf("Failed to check quota: %v", err)
@@ -1153,6 +1158,28 @@ func checkDirCB(ctx context.Context, baseDir string, dirs []*fsmgr.SeafDirent, d
 	return nil
 }

+func includeInvalidPath(baseCommit, newCommit *commitmgr.Commit) bool {
+	var results []*diff.DiffEntry
+	if err := diff.DiffCommits(baseCommit, newCommit, &results, true); err != nil {
+		log.Infof("Failed to diff commits: %v", err)
+		return false
+	}
+
+	for _, entry := range results {
+		if entry.NewName != "" {
+			if shouldIgnore(entry.NewName) {
+				return true
+			}
+		} else {
+			if shouldIgnore(entry.Name) {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 func getHeadCommit(rsp http.ResponseWriter, r *http.Request) *appError {
 	vars := mux.Vars(r)
 	repoID := vars["repoid"]