fix:issues #8 #9

internal/controllers/admin/setting/adminSystemController.go

@@ -20,6 +20,7 @@ import (
 	"github.com/gphper/ginadmin/internal/controllers/admin"
 	"github.com/gphper/ginadmin/internal/redis"
 	"github.com/gphper/ginadmin/pkg/loggers"
+	"github.com/gphper/ginadmin/pkg/utils/filesystem"
 	gstrings "github.com/gphper/ginadmin/pkg/utils/strings"
 
 	"github.com/gin-gonic/gin"
@@ -80,7 +81,11 @@ func (con adminSystemController) GetDir(c *gin.Context) {
 	)
 
 	fileSlice = make([]FileNode, 0)
-	path = gstrings.JoinStr(configs.RootPath, c.Query("path"))
+	path, err = filesystem.FilterPath(configs.RootPath+"logs", c.Query("path"))
+	if err != nil {
+		con.Error(c, err.Error())
+		return
+	}
 
 	files, err = ioutil.ReadDir(path)
 	if err != nil {
@@ -132,7 +137,12 @@ func (con adminSystemController) View(c *gin.Context) {
 	}
 
 	var filecontents []string
-	filePath := gstrings.JoinStr(configs.RootPath, c.Query("path"))
+	filePath, err := filesystem.FilterPath(configs.RootPath+"logs", c.Query("path"))
+	if err != nil {
+		con.ErrorHtml(c, err)
+		return
+	}
+
 	fi, err := os.Open(filePath)
 	if err != nil {
 		con.ErrorHtml(c, err)

pkg/utils/filesystem/filesystem.go

@@ -6,6 +6,8 @@
 package filesystem
 
 import (
+	"errors"
+	"fmt"
 	"io/fs"
 	"log"
 	"os"
@@ -89,15 +91,23 @@ func OpenFile(filepath string) (file *os.File, err error) {
 }
 
 /**
-* 组装字符串
+* 过滤非法访问的路径
  */
-func JoinStr(items ...interface{}) string {
-	if len(items) == 0 {
-		return ""
+func FilterPath(root, path string) (string, error) {
+
+	newPath := fmt.Sprintf("%s%s", root, path)
+	absPath, err := filepath.Abs(newPath)
+	if err != nil {
+		return "", err
 	}
-	var builder strings.Builder
-	for _, v := range items {
-		builder.WriteString(v.(string))
+
+	absPath = filepath.FromSlash(absPath)
+	ifOver := filepath.HasPrefix(absPath, filepath.FromSlash(root))
+	fmt.Println(absPath)
+	fmt.Println(filepath.FromSlash(root))
+	if !ifOver {
+		return "", errors.New("access to the path is prohibited")
 	}
-	return builder.String()
+
+	return absPath, nil
 }

web/views/template/setting/systemlog.html

@@ -30,7 +30,7 @@
                                         <span class="icon mdi mdi-folder"></span>
                                         {{ .Name}}
                                         <a href="javascript:void(0);" id="logview">展开</a>
-                                        <input type="hidden" name="path" value="{{ $.log_path }}{{ $.line }}{{.Name}}">
+                                        <input type="hidden" name="path" value="{{ $.line }}{{.Name}}">
                                     </li>
                                 {{end}}
                             </ul>