From 3f4558e23c0a9958f9a0e20aabc64aa8fd51840e Mon Sep 17 00:00:00 2001
From: link
Date: Sun, 4 Feb 2024 11:08:01 +0800
Subject: [PATCH] Merge pull request from GHSA-h5gf-cmm8-cg7c

---
 route/v1/user.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/route/v1/user.go b/route/v1/user.go
index bdc352e..21fe0cb 100644
--- a/route/v1/user.go
+++ b/route/v1/user.go
@@ -13,6 +13,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -667,6 +668,16 @@ func GetUserImage(c *gin.Context) {
 		return
 	}
 
+	matched, err := regexp.MatchString(`^/var/lib/casaos/\d`, filePath)
+	if err != nil {
+		c.JSON(http.StatusNotFound, model.Result{Success: common_err.INSUFFICIENT_PERMISSIONS, Message: common_err.GetMsg(common_err.INSUFFICIENT_PERMISSIONS)})
+		return
+	}
+	if !matched {
+		c.JSON(http.StatusNotFound, model.Result{Success: common_err.INSUFFICIENT_PERMISSIONS, Message: common_err.GetMsg(common_err.INSUFFICIENT_PERMISSIONS)})
+		return
+	}
+
 	fileTmp, _ := os.Open(filePath)
 	defer fileTmp.Close()
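Review bot: The new check in GetUserImage matches the regexp against `filePath` exactly as received, so a value whose leading segments satisfy `^/var/lib/casaos/\d` but which contains `..` components further on still passes, and the `os.Open(filePath)` on the next context line follows that traversal out of the intended directory; normalise before matching with `filePath = filepath.Clean(filePath)` (`path/filepath` is already imported per the first hunk), and consider `filepath.EvalSymlinks` as well if symlinks can exist under that directory. The pattern is a constant, so recompiling it with `regexp.MatchString` on every request and the `err != nil` branch are unnecessary — hoist it to a package-level `var userImagePathRe = regexp.MustCompile(`+"`"+`^/var/lib/casaos/\d`+"`"+`)` and call `userImagePathRe.MatchString(filePath)`. The pre-existing `fileTmp, _ := os.Open(filePath)` discards the open error, which leaves `fileTmp` nil on failure so the deferred `Close` and any later read act on a nil `*os.File`; check that error and return the same not-found result. Where `filePath` is populated is outside the hunk, as is the remainder of GetUserImage.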