fix(offline_download): block SimpleHttp temp file path traversal via strict filename sanitization

* fix(offline_download): prevent path traversal

* fix(SimpleHttp): improve filename validation

* fix(offline_download): harden SimpleHttp filename and temp path checks

* simplify filename validation

---------

Co-authored-by: ILoveScratch2 <ilovescratch@foxmail.com>
Co-authored-by: j2rong4cn <j2rong@qq.com>

Author: 3 people

internal/offline_download/http/client.go

@@ -5,7 +5,6 @@ import (
 	"math/rand/v2"
 	"net/http"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 	"time"
@@ -73,11 +72,11 @@ func (s SimpleHttp) Run(task *tool.DownloadTask) error {
 	}
 	filename, err := parseFilenameFromContentDisposition(resp.Header.Get("Content-Disposition"))
 	if err != nil {
-		filename = path.Base(resp.Request.URL.Path)
+		filename, err = sanitizeFilename(resp.Request.URL.Path)
 	}
-	filename = strings.Trim(filename, "/")
-	if len(filename) == 0 {
-		filename = fmt.Sprintf("%s-%d-%x", strings.ReplaceAll(req.URL.Host, ".", "_"), time.Now().UnixMilli(), rand.Uint32())
+	if err != nil {
+		filename = strings.ReplaceAll(req.URL.Host, ":", "_")
+		filename = fmt.Sprintf("%s-%d-%x", filename, time.Now().UnixMilli(), rand.Uint32())
 	}
 	fileSize := resp.ContentLength
 	if streamPut {
@@ -91,8 +90,14 @@ func (s SimpleHttp) Run(task *tool.DownloadTask) error {
 	}
 	task.SetTotalBytes(fileSize)
 	// save to temp dir
-	_ = os.MkdirAll(task.TempDir, os.ModePerm)
+	if err := os.MkdirAll(task.TempDir, os.ModePerm); err != nil {
+		return err
+	}
 	filePath := filepath.Join(task.TempDir, filename)
+	cleanTempDir := filepath.Clean(task.TempDir) + string(filepath.Separator)
+	if !strings.HasPrefix(filepath.Clean(filePath)+string(filepath.Separator), cleanTempDir) {
+		return fmt.Errorf("filename illegal")
+	}
 	file, err := os.Create(filePath)
 	if err != nil {
 		return err

internal/offline_download/http/util.go

@@ -3,8 +3,22 @@ package http
 import (
 	"fmt"
 	"mime"
+	"path/filepath"
+	"strings"
 )
 
+func sanitizeFilename(raw string) (string, error) {
+	raw = strings.TrimSpace(raw)
+	sep := string(filepath.Separator)
+	raw = strings.ReplaceAll(raw, "/", sep)
+	raw = strings.ReplaceAll(raw, "\\", sep)
+	filename := filepath.Base(filepath.Clean(raw))
+	if filename == "." || filename == sep || !filepath.IsLocal(filename) {
+		return "", fmt.Errorf("invalid filename: %q", raw)
+	}
+	return filename, nil
+}
+
 func parseFilenameFromContentDisposition(contentDisposition string) (string, error) {
 	if contentDisposition == "" {
 		return "", fmt.Errorf("Content-Disposition is empty")
@@ -14,8 +28,15 @@ func parseFilenameFromContentDisposition(contentDisposition string) (string, err
 		return "", err
 	}
 	filename := params["filename"]
+	if filename == "" {
+		filename = params["filename*"]
+	}
 	if filename == "" {
 		return "", fmt.Errorf("filename not found in Content-Disposition: [%s]", contentDisposition)
 	}
+	filename, err = sanitizeFilename(filename)
+	if err != nil {
+		return "", fmt.Errorf("invalid filename in Content-Disposition: [%s]", contentDisposition)
+	}
 	return filename, nil
 }