fix: 添加 glob/grep/gitDiff 函数的 safePath 路径验证

scorpio 2026-03-10 09:32:39 +08:00
parent 5bc07f2ba5
commit ac21126d2b


@ -74,7 +74,14 @@ func (e *Executor) glob(args string) (string, error) {
var result []string var result []string
for _, f := range files { for _, f := range files {
rel, _ := filepath.Rel(e.workspaceDir, f) abs, err := filepath.Abs(f)
if err != nil {
continue
}
if !strings.HasPrefix(abs, e.workspaceDir) {
continue
}
rel, _ := filepath.Rel(e.workspaceDir, abs)
result = append(result, rel) result = append(result, rel)
} }
@ -96,9 +103,13 @@ func (e *Executor) grep(args string) (string, error) {
return "", err return "", err
} }
var err error
searchDir := e.workspaceDir searchDir := e.workspaceDir
if a.Path != "" { if a.Path != "" {
searchDir = filepath.Join(e.workspaceDir, a.Path) searchDir, err = e.safePath(a.Path)
if err != nil {
return "", err
}
} }
re, err := regexp.Compile(a.Pattern) re, err := regexp.Compile(a.Pattern)
@ -308,9 +319,18 @@ func (e *Executor) gitDiff(args string) (string, error) {
return "", err return "", err
} }
var cmd *exec.Cmd filename := ""
if a.Filename != "" { if a.Filename != "" {
cmd = exec.Command("git", "diff", a.Filename) fpath, err := e.safePath(a.Filename)
if err != nil {
return "", err
}
filename, _ = filepath.Rel(e.workspaceDir, fpath)
}
var cmd *exec.Cmd
if filename != "" {
cmd = exec.Command("git", "diff", filename)
} else { } else {
cmd = exec.Command("git", "diff") cmd = exec.Command("git", "diff")
} }
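Review bot: In the glob section the containment test `strings.HasPrefix(abs, e.workspaceDir)` is a plain string-prefix match, so a sibling directory whose path merely begins with the workspace path (constructed example: `<workspace>-backup/...`) still passes, and symlinks are not resolved. Either route each match through `e.safePath` as the grep and gitDiff sections now do (assuming it enforces a separator boundary; its body is not shown), or decide on the relative path: `rel, err := filepath.Rel(e.workspaceDir, abs)` followed by `if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { continue }`, which also stops discarding the Rel error. `filepath.Abs` resolves against the process working directory, so the check is only meaningful if the glob results are already absolute or the process runs inside the workspace; the code that produces `files` is outside the visible lines. In gitDiff the validated name is still passed as a bare argument, and `exec.Command("git", "diff", "--", filename)` would keep a name that begins with `-` from being parsed as a git option. All three function bodies start and end outside the shown hunks.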