fix(vfs): reject blank local paths (#1460)

陈家名
2026-06-15 19:14:31 +08:00
committed by GitHub
parent 6217bd2c29
commit a3bee13ca9
3 changed files with 12 additions and 0 deletions


@@ -26,6 +26,10 @@ func TestSafeOutputPath_RejectsPathTraversalAndDangerousInput(t *testing.T) {
{"unicode normal", "报告.xlsx", false},
{"dot-dot resolves to cwd", "subdir/..", false},
// ── GIVEN: empty or blank paths → THEN: rejected ──
{"empty path", "", true},
{"blank path", " ", true},
// ── GIVEN: path traversal via .. → THEN: rejected ──
{"dot-dot escape", "../../.ssh/authorized_keys", true},
{"dot-dot mid path", "subdir/../../etc/passwd", true},
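Review bot: The new "blank path" row covers only a single ASCII space, while the guard this commit adds to safePath compares `strings.TrimSpace(raw)` with the empty string, and TrimSpace also strips tabs, newlines and Unicode spaces. Rows such as `{"blank tab and newline", "\t\n", true},` and `{"blank ideographic space", "\u3000", true},` would pin the rejection for those inputs as well. If an earlier check in the function (not visible here) already rejects them, the expected result is still an error. The identical hunk in the third file section has the same gap. The test table starts and ends outside the hunk.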


@@ -60,6 +60,10 @@ func safePath(raw, flagName string) (string, error) {
return "", err
}
if strings.TrimSpace(raw) == "" {
return "", fmt.Errorf("%s must not be empty", flagName)
}
if isAbsolutePath(raw) {
return "", fmt.Errorf("%s must be a relative path within the current directory, got %q (hint: cd to the target directory first, or use a relative path like ./filename)", flagName, raw)
}
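Review bot: The new guard trims only for the emptiness comparison, so `raw` itself goes on untrimmed into `isAbsolutePath` and whatever follows, and a non-blank path with leading or trailing whitespace is still accepted as given. If that is intended, a short comment above the check would make the contract explicit, for example `// Reject whitespace-only input; surrounding whitespace in a non-blank path is left untouched.` The message "must not be empty" is also returned for whitespace-only input, so "must not be empty or blank" would describe the rejected case more precisely. safePath's body starts and ends outside the hunk, so later normalisation of `raw` cannot be ruled out from here.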


@@ -26,6 +26,10 @@ func TestSafeOutputPath_RejectsPathTraversalAndDangerousInput(t *testing.T) {
{"unicode normal", "报告.xlsx", false},
{"dot-dot resolves to cwd", "subdir/..", false},
// ── GIVEN: empty or blank paths → THEN: rejected ──
{"empty path", "", true},
{"blank path", " ", true},
// ── GIVEN: path traversal via .. → THEN: rejected ──
{"dot-dot escape", "../../.ssh/authorized_keys", true},
{"dot-dot mid path", "subdir/../../etc/passwd", true},