From 1978b097e35f1e29111f896cb045cbc9e3eb9f57 Mon Sep 17 00:00:00 2001
From: DrSmoothl <1787882683@qq.com>
Date: Sat, 14 Mar 2026 22:22:06 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E5=A2=9E=E5=8A=A0=E5=AE=89=E5=85=A8?=
 =?UTF-8?q?=E8=B7=AF=E5=BE=84=E8=A7=A3=E6=9E=90=E5=8A=9F=E8=83=BD=EF=BC=8C?=
 =?UTF-8?q?=E9=98=B2=E6=AD=A2=E8=B7=AF=E5=BE=84=E7=A9=BF=E8=B6=8A=E8=AF=B7?=
 =?UTF-8?q?=E6=B1=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/webui/app.py | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/webui/app.py b/src/webui/app.py
index feab298b..30ed1199 100644
--- a/src/webui/app.py
+++ b/src/webui/app.py
@@ -3,7 +3,7 @@ from importlib import import_module
 from pathlib import Path
 import mimetypes
 
-from fastapi import FastAPI
+from fastapi import FastAPI, HTTPException
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import FileResponse
 from src.common.logger import get_logger
@@ -11,6 +11,19 @@ from src.common.logger import get_logger
 
 logger = get_logger("webui.app")
 
+def _resolve_safe_static_file_path(static_path: Path, full_path: str) -> Path | None:
+    static_root = static_path.resolve()
+
+    try:
+        candidate_path = (static_root / full_path).resolve()
+        candidate_path.relative_to(static_root)
+    except (OSError, RuntimeError, ValueError):
+        logger.warning(f"🚫 检测到疑似路径穿越请求: {full_path}")
+        return None
+
+    return candidate_path
+
+
 def create_app(
     host: str = "0.0.0.0",
     port: int = 8001,
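Review bot: The `except` clause in `_resolve_safe_static_file_path` reports every failure as a suspected traversal, but only the `ValueError` raised by `relative_to` means the candidate landed outside `static_root`; an `OSError` (over-long name) or `RuntimeError` (symlink loop) from `resolve()` gets the same "路径穿越" warning, which will mislead whoever triages these logs. Binding the exception and naming it in the message keeps the log honest, and switching to lazy `%r` formatting keeps client-controlled control characters out of the log line: `except (OSError, RuntimeError, ValueError) as exc:` followed by `logger.warning("🚫 检测到疑似路径穿越请求: %r (%s)", full_path, type(exc).__name__)`. The function also has no docstring; a short one should state that the request path is resolved against the resolved static root, that symlinks inside the root which point outside it are rejected as well, and that `None` means the request must not be served. The whole function sits inside this hunk; the `Path | None` annotation is evaluated at import time unless the module targets 3.10+ or has `from __future__ import annotations` above line 3, which is outside the hunk.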
@@ -136,8 +149,11 @@ def _setup_static_files(app: FastAPI):
             response.headers["X-Robots-Tag"] = "noindex, nofollow, noarchive"
             return response
 
-        file_path = static_path / full_path
-        if file_path.is_file() and file_path.exists():
+        file_path = _resolve_safe_static_file_path(static_path, full_path)
+        if file_path is None:
+            raise HTTPException(status_code=404, detail="Not Found")
+
+        if file_path.exists() and file_path.is_file():
             media_type = mimetypes.guess_type(str(file_path))[0]
             response = FileResponse(file_path, media_type=media_type)
             if str(file_path).endswith(".html"):
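Review bot: `file_path.exists() and file_path.is_file()` stats the path twice for one answer, since `Path.is_file()` already returns False for a non-existent path; `if file_path.is_file():` is sufficient (the redundancy predates this commit, so it is a leftover rather than something the change introduced). A path rejected by the resolver now gets a hard 404, while a path that resolves inside the static root but is not a regular file falls through to whatever follows the hunk, presumably the SPA index fallback; that split is reasonable, but a one-line comment above the `raise`, e.g. `# Resolved outside the static root: refuse outright instead of falling back to the SPA index`, would record that it is intentional. The enclosing handler starts and continues outside this hunk.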