fix(fs): block path traversal in handlers

Author: okatu-loli

internal/errs/operate.go

@@ -4,4 +4,5 @@ import "errors"
 
 var (
 	PermissionDenied = errors.New("permission denied")
+	InvalidName      = errors.New("invalid file name")
 )

pkg/utils/path.go

@@ -101,3 +101,38 @@ func JoinBasePath(basePath, reqPath string) (string, error) {
 func GetFullPath(mountPath, path string) string {
 	return stdpath.Join(GetActualMountPath(mountPath), path)
 }
+
+// ValidateNameComponent validates a single path component.
+// It rejects empty names, dot segments, separators, ".." sequences, and NUL bytes.
+func ValidateNameComponent(name string) error {
+	if name == "" {
+		return errs.InvalidName
+	}
+	if name == "." || name == ".." {
+		return errs.InvalidName
+	}
+	if strings.Contains(name, "/") || strings.Contains(name, "\\") {
+		return errs.InvalidName
+	}
+	if strings.Contains(name, "..") {
+		return errs.InvalidName
+	}
+	if strings.ContainsRune(name, 0) {
+		return errs.InvalidName
+	}
+	return nil
+}
+
+// JoinUnderBase safely joins baseDir with a single name component and ensures the
+// result stays under baseDir after normalization.
+func JoinUnderBase(baseDir, name string) (string, error) {
+	if err := ValidateNameComponent(name); err != nil {
+		return "", err
+	}
+	base := FixAndCleanPath(baseDir)
+	joined := FixAndCleanPath(stdpath.Join(base, name))
+	if !IsSubPath(base, joined) {
+		return "", errs.InvalidName
+	}
+	return joined, nil
+}

pkg/utils/path_test.go

@@ -20,3 +20,49 @@ func TestFixAndCleanPath(t *testing.T) {
 		}
 	}
 }
+
+func TestValidateNameComponent(t *testing.T) {
+	validNames := []string{
+		"file.txt",
+		"abc",
+		"file_name-1",
+	}
+	for _, name := range validNames {
+		if err := ValidateNameComponent(name); err != nil {
+			t.Fatalf("expected valid name %q, got error: %v", name, err)
+		}
+	}
+
+	invalidNames := []string{
+		"",
+		".",
+		"..",
+		"a/b",
+		`a\b`,
+		"a..b",
+		string([]byte{'a', 0, 'b'}),
+	}
+	for _, name := range invalidNames {
+		if err := ValidateNameComponent(name); err == nil {
+			t.Fatalf("expected invalid name %q to be rejected", name)
+		}
+	}
+}
+
+func TestJoinUnderBase(t *testing.T) {
+	base := "/lanzou-y/shared/test1"
+	out, err := JoinUnderBase(base, "file.txt")
+	if err != nil {
+		t.Fatalf("expected join success, got error: %v", err)
+	}
+	if out != "/lanzou-y/shared/test1/file.txt" {
+		t.Fatalf("unexpected join result: %s", out)
+	}
+
+	if _, err := JoinUnderBase(base, "../admin/screts.txt"); err == nil {
+		t.Fatalf("expected traversal to be rejected")
+	}
+	if _, err := JoinUnderBase(base, "sub/child"); err == nil {
+		t.Fatalf("expected nested path to be rejected")
+	}
+}

server/handles/archive.go

@@ -254,11 +254,16 @@ func FsArchiveDecompress(c *gin.Context) {
 		return
 	}
 	user := c.MustGet("user").(*model.User)
+	srcDir, err := user.JoinPath(req.SrcDir)
+	if err != nil {
+		common.ErrorResp(c, err, 403)
+		return
+	}
 	srcPaths := make([]string, 0, len(req.Name))
 	for _, name := range req.Name {
-		srcPath, err := user.JoinPath(stdpath.Join(req.SrcDir, name))
+		srcPath, err := utils.JoinUnderBase(srcDir, name)
 		if err != nil {
-			common.ErrorResp(c, err, 403)
+			common.ErrorResp(c, err, 400)
 			return
 		}
 		if !common.CheckPathLimitWithRoles(user, srcPath) {

server/handles/fsbatch.go

@@ -10,6 +10,7 @@ import (
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/op"
 	"github.com/alist-org/alist/v3/pkg/generic"
+	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/alist-org/alist/v3/server/common"
 	"github.com/gin-gonic/gin"
 	"github.com/pkg/errors"
@@ -185,7 +186,15 @@ func FsBatchRename(c *gin.Context) {
 		if renameObject.SrcName == "" || renameObject.NewName == "" {
 			continue
 		}
-		filePath := fmt.Sprintf("%s/%s", reqPath, renameObject.SrcName)
+		if err := utils.ValidateNameComponent(renameObject.NewName); err != nil {
+			common.ErrorResp(c, err, 400)
+			return
+		}
+		filePath, err := utils.JoinUnderBase(reqPath, renameObject.SrcName)
+		if err != nil {
+			common.ErrorResp(c, err, 400)
+			return
+		}
 		if err := fs.Rename(c, filePath, renameObject.NewName); err != nil {
 			common.ErrorResp(c, err, 500)
 			return
@@ -247,8 +256,16 @@ func FsRegexRename(c *gin.Context) {
 	for _, file := range files {
 
 		if srcRegexp.MatchString(file.GetName()) {
-			filePath := fmt.Sprintf("%s/%s", reqPath, file.GetName())
+			filePath, err := utils.JoinUnderBase(reqPath, file.GetName())
+			if err != nil {
+				common.ErrorResp(c, err, 500)
+				return
+			}
 			newFileName := srcRegexp.ReplaceAllString(file.GetName(), req.NewNameRegex)
+			if err := utils.ValidateNameComponent(newFileName); err != nil {
+				common.ErrorResp(c, err, 400)
+				return
+			}
 			if err := fs.Rename(c, filePath, newFileName); err != nil {
 				common.ErrorResp(c, err, 500)
 				return

server/handles/fsmanage.go

@@ -103,14 +103,29 @@ func FsMove(c *gin.Context) {
 	}
 	if !req.Overwrite {
 		for _, name := range req.Names {
-			if res, _ := fs.Get(c, stdpath.Join(dstDir, name), &fs.GetArgs{NoLog: true}); res != nil {
+			dstPath, err := utils.JoinUnderBase(dstDir, name)
+			if err != nil {
+				common.ErrorResp(c, err, 400)
+				return
+			}
+			if res, _ := fs.Get(c, dstPath, &fs.GetArgs{NoLog: true}); res != nil {
 				common.ErrorStrResp(c, fmt.Sprintf("file [%s] exists", name), 403)
 				return
 			}
 		}
 	}
 	for i, name := range req.Names {
-		err := fs.Move(c, stdpath.Join(srcDir, name), dstDir, len(req.Names) > i+1)
+		srcPath, err := utils.JoinUnderBase(srcDir, name)
+		if err != nil {
+			common.ErrorResp(c, err, 400)
+			return
+		}
+		_, err = utils.JoinUnderBase(dstDir, name)
+		if err != nil {
+			common.ErrorResp(c, err, 400)
+			return
+		}
+		err = fs.Move(c, srcPath, dstDir, len(req.Names) > i+1)
 		if err != nil {
 			common.ErrorResp(c, err, 500)
 			return
@@ -155,15 +170,30 @@ func FsCopy(c *gin.Context) {
 	}
 	if !req.Overwrite {
 		for _, name := range req.Names {
-			if res, _ := fs.Get(c, stdpath.Join(dstDir, name), &fs.GetArgs{NoLog: true}); res != nil {
+			dstPath, err := utils.JoinUnderBase(dstDir, name)
+			if err != nil {
+				common.ErrorResp(c, err, 400)
+				return
+			}
+			if res, _ := fs.Get(c, dstPath, &fs.GetArgs{NoLog: true}); res != nil {
 				common.ErrorStrResp(c, fmt.Sprintf("file [%s] exists", name), 403)
 				return
 			}
 		}
 	}
 	var addedTasks []task.TaskExtensionInfo
 	for i, name := range req.Names {
-		t, err := fs.Copy(c, stdpath.Join(srcDir, name), dstDir, len(req.Names) > i+1)
+		srcPath, err := utils.JoinUnderBase(srcDir, name)
+		if err != nil {
+			common.ErrorResp(c, err, 400)
+			return
+		}
+		_, err = utils.JoinUnderBase(dstDir, name)
+		if err != nil {
+			common.ErrorResp(c, err, 400)
+			return
+		}
+		t, err := fs.Copy(c, srcPath, dstDir, len(req.Names) > i+1)
 		if t != nil {
 			addedTasks = append(addedTasks, t)
 		}
@@ -204,8 +234,16 @@ func FsRename(c *gin.Context) {
 		common.ErrorResp(c, errs.PermissionDenied, 403)
 		return
 	}
+	if err := utils.ValidateNameComponent(req.Name); err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
 	if !req.Overwrite {
-		dstPath := stdpath.Join(stdpath.Dir(reqPath), req.Name)
+		dstPath, err := utils.JoinUnderBase(stdpath.Dir(reqPath), req.Name)
+		if err != nil {
+			common.ErrorResp(c, err, 400)
+			return
+		}
 		if dstPath != reqPath {
 			if res, _ := fs.Get(c, dstPath, &fs.GetArgs{NoLog: true}); res != nil {
 				common.ErrorStrResp(c, fmt.Sprintf("file [%s] exists", req.Name), 403)
@@ -251,7 +289,12 @@ func FsRemove(c *gin.Context) {
 		return
 	}
 	for _, name := range req.Names {
-		err := fs.Remove(c, stdpath.Join(reqDir, name))
+		removePath, err := utils.JoinUnderBase(reqDir, name)
+		if err != nil {
+			common.ErrorResp(c, err, 400)
+			return
+		}
+		err = fs.Remove(c, removePath)
 		if err != nil {
 			common.ErrorResp(c, err, 500)
 			return