fix(security): 增加多处安全检查防止路径遍历和恶意输入，完善资源关闭逻辑

2026-01-12 04:22:21 +08:00 · 2025-12-12 11:12:32 +08:00
parent 7e8317c970
commit cdcbf7d7cb
4 changed files with 92 additions and 11 deletions
--- a/src/aria2/rpc.py
+++ b/src/aria2/rpc.py
@@ -180,7 +180,13 @@ class Aria2RpcClient:
        if not task.dir or not task.name:
            return False
        try:
-            file_path = Path(task.dir) / task.name
+            file_path = (Path(task.dir) / task.name).resolve()
+            # 安全检查：验证路径在下载目录内，防止路径遍历攻击
+            from src.core.constants import DOWNLOAD_DIR
+            download_dir = DOWNLOAD_DIR.resolve()
+            if not str(file_path).startswith(str(download_dir) + "/"):
+                logger.error(f"路径遍历尝试被阻止: {file_path}")
+                return False
            if file_path.exists():
                if file_path.is_dir():
                    import shutil