zen-gitsync 2.11.38 → 2.12.2

package/src/ui/server/routes/fs.js

@@ -5,6 +5,7 @@ import path from 'path';
 import open from 'open';
 import os from 'os';
 import { spawn, exec } from 'child_process';
+import { ensureWithinCwd } from '../utils/pathGuard.js';
 
 export function registerFsRoutes({
   app,
@@ -17,6 +18,12 @@ export function registerFsRoutes({
   setProjectRoomId,
   setIsGitRepo
 }) {
+  // ── 解析并校验 user 输入路径在当前项目 cwd 内（防 ../ 父目录逃逸、startsWith 假阳性、Windows 大小写）──
+  const safePathInProject = async (userPath) => {
+    const cwd = getCurrentProjectPath() || process.cwd()
+    return ensureWithinCwd(userPath, cwd)
+  }
+
   // 新增获取当前工作目录接口
   app.get('/api/current_directory', async (req, res) => {
     try {
@@ -497,12 +504,9 @@ export function registerFsRoutes({
     try {
       const filePath = req.query.path;
       if (!filePath) return res.status(400).json({ success: false, error: '缺少 path 参数' });
-      // 安全：只允许读取当前工作目录内的文件
-      const cwd = getCurrentProjectPath() || process.cwd();
-      const resolved = path.resolve(filePath);
-      if (!resolved.startsWith(path.resolve(cwd))) {
-        return res.status(403).json({ success: false, error: '禁止访问工作目录以外的文件' });
-      }
+      const safe = await safePathInProject(filePath);
+      if (!safe) return res.status(403).json({ success: false, error: '禁止访问工作目录以外的文件' });
+      const resolved = safe.safePath;
       const stat = await fs.stat(resolved);
       if (!stat.isFile()) return res.status(400).json({ success: false, error: '目标不是文件' });
       // 超过 2MB 不读取
@@ -521,11 +525,9 @@ export function registerFsRoutes({
     try {
       const filePath = req.query.path;
       if (!filePath) return res.status(400).end();
-      const cwd = getCurrentProjectPath() || process.cwd();
-      const resolved = path.resolve(filePath);
-      if (!resolved.startsWith(path.resolve(cwd))) {
-        return res.status(403).end();
-      }
+      const safe = await safePathInProject(filePath);
+      if (!safe) return res.status(403).end();
+      const resolved = safe.safePath;
       const stat = await fs.stat(resolved);
       if (!stat.isFile()) return res.status(400).end();
       if (stat.size > 20 * 1024 * 1024) return res.status(413).end();
@@ -552,12 +554,9 @@ export function registerFsRoutes({
       if (!filePath || content === undefined) {
         return res.status(400).json({ success: false, error: '缺少 path 或 content 参数' });
       }
-      const cwd = getCurrentProjectPath() || process.cwd();
-      const resolved = path.resolve(filePath);
-      if (!resolved.startsWith(path.resolve(cwd))) {
-        return res.status(403).json({ success: false, error: '禁止写入工作目录以外的文件' });
-      }
-      await fs.writeFile(resolved, content, 'utf-8');
+      const safe = await safePathInProject(filePath);
+      if (!safe) return res.status(403).json({ success: false, error: '禁止写入工作目录以外的文件' });
+      await fs.writeFile(safe.safePath, content, 'utf-8');
       res.json({ success: true });
     } catch (error) {
       res.status(500).json({ success: false, error: error.message });
@@ -569,11 +568,9 @@ export function registerFsRoutes({
     try {
       const { path: filePath } = req.body;
       if (!filePath) return res.status(400).json({ success: false, error: '缺少 path 参数' });
-      const cwd = getCurrentProjectPath() || process.cwd();
-      const resolved = path.resolve(filePath);
-      if (!resolved.startsWith(path.resolve(cwd))) {
-        return res.status(403).json({ success: false, error: '禁止在工作目录以外创建文件' });
-      }
+      const safe = await safePathInProject(filePath);
+      if (!safe) return res.status(403).json({ success: false, error: '禁止在工作目录以外创建文件' });
+      const resolved = safe.safePath;
       // 如果已存在则拒绝
       try {
         await fs.access(resolved);
@@ -592,11 +589,9 @@ export function registerFsRoutes({
     try {
       const { path: dirPath } = req.body;
       if (!dirPath) return res.status(400).json({ success: false, error: '缺少 path 参数' });
-      const cwd = getCurrentProjectPath() || process.cwd();
-      const resolved = path.resolve(dirPath);
-      if (!resolved.startsWith(path.resolve(cwd))) {
-        return res.status(403).json({ success: false, error: '禁止在工作目录以外创建目录' });
-      }
+      const safe = await safePathInProject(dirPath);
+      if (!safe) return res.status(403).json({ success: false, error: '禁止在工作目录以外创建目录' });
+      const resolved = safe.safePath;
       try {
         await fs.access(resolved);
         return res.status(409).json({ success: false, error: '目录已存在' });
@@ -613,11 +608,9 @@ export function registerFsRoutes({
     try {
       const filePath = req.query.path;
       if (!filePath) return res.status(400).json({ success: false, error: '缺少 path 参数' });
-      const cwd = getCurrentProjectPath() || process.cwd();
-      const resolved = path.resolve(filePath);
-      if (!resolved.startsWith(path.resolve(cwd))) {
-        return res.status(403).json({ success: false, error: '禁止删除工作目录以外的内容' });
-      }
+      const safe = await safePathInProject(filePath);
+      if (!safe) return res.status(403).json({ success: false, error: '禁止删除工作目录以外的内容' });
+      const resolved = safe.safePath;
       const stat = await fs.stat(resolved);
       if (stat.isDirectory()) {
         await fs.rm(resolved, { recursive: true, force: true });
@@ -635,17 +628,14 @@ export function registerFsRoutes({
     try {
       const { oldPath, newPath } = req.body;
       if (!oldPath || !newPath) return res.status(400).json({ success: false, error: '缺少参数' });
-      const cwd = getCurrentProjectPath() || process.cwd();
-      const resolvedOld = path.resolve(oldPath);
-      const resolvedNew = path.resolve(newPath);
-      if (!resolvedOld.startsWith(path.resolve(cwd)) || !resolvedNew.startsWith(path.resolve(cwd))) {
-        return res.status(403).json({ success: false, error: '禁止操作工作目录以外的内容' });
-      }
+      const safeOld = await safePathInProject(oldPath)
+      const safeNew = await safePathInProject(newPath)
+      if (!safeOld || !safeNew) return res.status(403).json({ success: false, error: '禁止操作工作目录以外的内容' });
       try {
-        await fs.access(resolvedNew);
+        await fs.access(safeNew.safePath);
         return res.status(409).json({ success: false, error: '目标名称已存在' });
       } catch { /* 不存在，继续 */ }
-      await fs.rename(resolvedOld, resolvedNew);
+      await fs.rename(safeOld.safePath, safeNew.safePath);
       res.json({ success: true });
     } catch (error) {
       res.status(500).json({ success: false, error: error.message });
@@ -661,11 +651,9 @@ export function registerFsRoutes({
       const targetPath = req.body?.path;
       if (!targetPath) return res.status(400).json({ success: false, error: '缺少 path 参数' });
 
-      const cwd = getCurrentProjectPath() || process.cwd();
-      const resolved = path.resolve(targetPath);
-      if (!resolved.startsWith(path.resolve(cwd))) {
-        return res.status(403).json({ success: false, error: '禁止访问工作目录以外的内容' });
-      }
+      const safe = await safePathInProject(targetPath);
+      if (!safe) return res.status(403).json({ success: false, error: '禁止访问工作目录以外的内容' });
+      const resolved = safe.safePath;
 
       try {
         await fs.access(resolved);

package/src/ui/server/utils/pathGuard.js

@@ -0,0 +1,141 @@
+/**
+ * 路径越界检查中间件 / 工具
+ *
+ * 用法：
+ *   // 1. 中间件模式：自动从 req.query.path 提取并校验
+ *   router.get('/api/foo', pathGuard('path'), handler)
+ *
+ *   // 2. 工具函数：在 handler 里手动校验
+ *   const safePath = ensureWithinCwd(userPath, cwd)
+ *
+ * 防护：
+ *   - 解析 `..`、相对路径
+ *   - 拒绝以 `..` 开头或解析后是绝对路径的相对路径
+ *   - Windows 大小写不敏感
+ *   - 真实路径 (realpath) 防符号链接
+ *
+ * @typedef {Object} PathGuardOptions
+ * @property {string} field - 从 req.query / req.body 取的字段名（默认 'path'）
+ * @property {boolean} [allowMissing] - 字段缺失时是否通过（默认 false）
+ * @property {boolean} [realpath] - 是否用 fs.realpath 进一步防符号链接（默认 false）
+ */
+
+import fs from 'fs/promises'
+import path from 'path'
+
+const isWindows = process.platform === 'win32'
+
+/**
+ * 把 user 输入路径解析成"在 cwd 内的绝对路径"，越界时返回 null
+ *
+ * @param {string} input - 用户提供的路径（相对 / 绝对 / 含 .. / 符号链接）
+ * @param {string} cwd - 允许的根目录（当前项目目录）
+ * @param {{ realpath?: boolean }} [opts]
+ * @returns {Promise<{ safePath: string, realPath: string | null } | null>}
+ *   - null 表示越界
+ *   - safePath: 用于后续 path.resolve 等操作的绝对路径
+ *   - realPath: realpath 结果（如果 opts.realpath=true 且文件存在）
+ */
+export async function ensureWithinCwd(input, cwd, opts = {}) {
+  if (typeof input !== 'string' || !input) return null
+  if (typeof cwd !== 'string' || !cwd) return null
+
+  let resolved
+  try {
+    resolved = path.resolve(cwd, input)
+  } catch {
+    return null
+  }
+
+  // path.relative 返回以 .. 开头的字符串代表越界（其它平台绝对路径返回绝对路径本身）
+  const rel = path.relative(cwd, resolved)
+  if (rel === '' || (!rel.startsWith('..') && !path.isAbsolute(rel))) {
+    // 在 cwd 内（相等或子路径）
+  } else {
+    return null
+  }
+
+  // Windows 大小写不敏感：把 cwd 和 resolved 都转小写再比一次，确保 \ 不会绕过
+  if (isWindows) {
+    const lowerCwd = cwd.toLowerCase()
+    const lowerResolved = resolved.toLowerCase()
+    if (!lowerResolved.startsWith(lowerCwd)) {
+      return null
+    }
+  }
+
+  let realPath = null
+  if (opts.realpath) {
+    try {
+      realPath = await fs.realpath(resolved)
+      // realpath 后再校验一次（符号链接可能指向 cwd 之外）
+      const relReal = path.relative(cwd, realPath)
+      const isOutside = relReal === '..' || relReal.startsWith('..' + path.sep) || path.isAbsolute(relReal)
+      if (isOutside) return null
+      if (isWindows && !realPath.toLowerCase().startsWith(cwd.toLowerCase())) return null
+    } catch {
+      // 文件不存在 / 无权限：保持 null，让调用者决定
+    }
+  }
+
+  return { safePath: resolved, realPath }
+}
+
+/**
+ * Express 中间件工厂
+ *
+ * @param {string} cwd - 当前项目根
+ * @param {string | string[]} [fields] - 要校验的字段名（默认 'path'，支持数组多字段）
+ * @param {{ realpath?: boolean }} [opts]
+ */
+export function pathGuard(cwd, fields = 'path', opts = {}) {
+  const fieldList = Array.isArray(fields) ? fields : [fields]
+  return async (req, res, next) => {
+    try {
+      for (const field of fieldList) {
+        const raw = req.query?.[field] ?? req.body?.[field]
+        if (raw === undefined || raw === null || raw === '') {
+          if (opts.allowMissing) continue
+          return res.status(400).json({ success: false, error: `缺少 ${field} 参数` })
+        }
+        const result = await ensureWithinCwd(String(raw), cwd, opts)
+        if (!result) {
+          return res.status(403).json({ success: false, error: `禁止访问工作目录以外的文件: ${raw}` })
+        }
+        // 把校验后的安全路径挂到 res.locals，handler 拿 res.locals.safePath 用
+        res.locals.safePath = result.safePath
+        res.locals.safeRealPath = result.realPath
+      }
+      next()
+    } catch (e) {
+      res.status(500).json({ success: false, error: e.message })
+    }
+  }
+}
+
+/**
+ * 同步版本：只做路径解析校验，不做 realpath。用于不需要 fs 的纯路径场景
+ * @returns {string|null} 安全路径或 null
+ */
+export function ensureWithinCwdSync(input, cwd) {
+  if (typeof input !== 'string' || !input) return null
+  if (typeof cwd !== 'string' || !cwd) return null
+
+  let resolved
+  try {
+    resolved = path.resolve(cwd, input)
+  } catch {
+    return null
+  }
+
+  const rel = path.relative(cwd, resolved)
+  if (rel.startsWith('..') || path.isAbsolute(rel)) return null
+
+  if (isWindows) {
+    const lowerCwd = cwd.toLowerCase()
+    const lowerResolved = resolved.toLowerCase()
+    if (!lowerResolved.startsWith(lowerCwd)) return null
+  }
+
+  return resolved
+}

package/src/ui/server/utils/pathGuard.test.js

@@ -0,0 +1,124 @@
+// 路径越界检查单元测试（用 node:test 内置）
+import { test } from 'node:test'
+import assert from 'node:assert/strict'
+import { ensureWithinCwd, ensureWithinCwdSync, pathGuard } from '../utils/pathGuard.js'
+
+const cwd = process.platform === 'win32' ? 'E:\\project' : '/tmp/project'
+
+test('合法路径在 cwd 内', async () => {
+  const r = await ensureWithinCwd('src/foo.ts', cwd)
+  assert.ok(r, '应返回结果')
+  assert.match(r.safePath, /[\\/]project[\\/]src[\\/]foo\.ts$/)
+})
+
+test('合法绝对路径在 cwd 内', async () => {
+  const absInCwd = process.platform === 'win32' ? 'E:\\project\\sub' : '/tmp/project/sub'
+  const r = await ensureWithinCwd(absInCwd, cwd)
+  assert.ok(r, '应通过')
+  assert.equal(r.safePath, absInCwd)
+})
+
+test('../ 父目录逃逸被拒绝', async () => {
+  const r = await ensureWithinCwd('../etc/passwd', cwd)
+  assert.equal(r, null, '../ 应该被拒')
+})
+
+test('cwd 的同级目录（startsWith 假阳性）被拒绝', async () => {
+  const evil = process.platform === 'win32' ? 'E:\\project-evil' : '/tmp/project-evil'
+  const r = await ensureWithinCwd(evil, cwd)
+  assert.equal(r, null, '同名前缀目录应该被拒')
+})
+
+test('绝对路径在 cwd 外被拒', async () => {
+  const outside = process.platform === 'win32' ? 'C:\\Windows\\System32' : '/etc/passwd'
+  const r = await ensureWithinCwd(outside, cwd)
+  assert.equal(r, null, '绝对外部路径应该被拒')
+})
+
+test('空字符串 / null / undefined 被拒', async () => {
+  assert.equal(await ensureWithinCwd('', cwd), null)
+  assert.equal(await ensureWithinCwd(null, cwd), null)
+  assert.equal(await ensureWithinCwd(undefined, cwd), null)
+  assert.equal(await ensureWithinCwd(123, cwd), null)
+})
+
+test('多重 ../ 也被拒', async () => {
+  const r = await ensureWithinCwd('../../../../etc/passwd', cwd)
+  assert.equal(r, null)
+})
+
+test('相对 cwd 自身（.）允许', async () => {
+  const r = await ensureWithinCwd('.', cwd)
+  assert.ok(r, '点 应解析为 cwd 本身')
+})
+
+test('Windows 反斜杠与正斜杠混用允许', async () => {
+  if (process.platform !== 'win32') return
+  const r = await ensureWithinCwd('src\\sub/foo.ts', cwd)
+  assert.ok(r)
+})
+
+test('Windows 大小写不敏感', async () => {
+  if (process.platform !== 'win32') return
+  const r = await ensureWithinCwd('SRC/FOO.TS', 'E:\\Project')
+  assert.ok(r, 'Windows 下大小写不敏感应允许')
+})
+
+test('sync 版本对 .. 同样拒绝', () => {
+  assert.equal(ensureWithinCwdSync('../foo', cwd), null)
+  const r = ensureWithinCwdSync('sub/file', cwd)
+  assert.ok(r)
+})
+
+test('中间件: 合法 path 通过 + 挂到 res.locals.safePath', async () => {
+  let nextCalled = false
+  const req = { query: { path: 'src/foo.ts' } }
+  const res = {
+    locals: {},
+    status() { return this },
+    json() { return this },
+  }
+  await pathGuard(cwd)(req, res, () => { nextCalled = true })
+  assert.equal(nextCalled, true)
+  assert.match(res.locals.safePath, /[\\/]src[\\/]foo\.ts$/)
+})
+
+test('中间件: 越界 path 返回 403', async () => {
+  let nextCalled = false
+  let statusCode = 0
+  let body = null
+  const req = { query: { path: '../etc/passwd' } }
+  const res = {
+    locals: {},
+    status(c) { statusCode = c; return this },
+    json(b) { body = b; return this },
+  }
+  await pathGuard(cwd)(req, res, () => { nextCalled = true })
+  assert.equal(nextCalled, false)
+  assert.equal(statusCode, 403)
+  assert.match(body.error, /禁止访问/)
+})
+
+test('中间件: 缺字段返回 400', async () => {
+  let statusCode = 0
+  const req = { query: {} }
+  const res = {
+    locals: {},
+    status(c) { statusCode = c; return this },
+    json() { return this },
+  }
+  await pathGuard(cwd)(req, res, () => {})
+  assert.equal(statusCode, 400)
+})
+
+test('中间件: 多字段校验（rename 用）', async () => {
+  let nextCalled = false
+  const req = { query: { oldPath: 'src/a.ts', newPath: '../b.ts' } }
+  const res = {
+    locals: {},
+    status() { return this },
+    json() { return this },
+  }
+  await pathGuard(cwd, ['oldPath', 'newPath'])(req, res, () => { nextCalled = true })
+  assert.equal(nextCalled, false, 'newPath 越界应拒')
+})