fix: 添加 glob/grep/gitDiff 函数的 safePath 路径验证

2026-03-10 09:32:39 +08:00 · 2026-03-10 09:32:39 +08:00 · ac21126d2b
commit ac21126d2b
parent 5bc07f2ba5
1 changed files with 24 additions and 4 deletions
--- a/internal/room/tools/executor.go
+++ b/internal/room/tools/executor.go
@ -74,7 +74,14 @@ func (e *Executor) glob(args string) (string, error) {

 	var result []string
 	for _, f := range files {
-		rel, _ := filepath.Rel(e.workspaceDir, f)
+		abs, err := filepath.Abs(f)
+		if err != nil {
+			continue
+		}
+		if !strings.HasPrefix(abs, e.workspaceDir) {
+			continue
+		}
+		rel, _ := filepath.Rel(e.workspaceDir, abs)
 		result = append(result, rel)
 	}

@ -96,9 +103,13 @@ func (e *Executor) grep(args string) (string, error) {
 		return "", err
 	}

+	var err error
 	searchDir := e.workspaceDir
 	if a.Path != "" {
-		searchDir = filepath.Join(e.workspaceDir, a.Path)
+		searchDir, err = e.safePath(a.Path)
+		if err != nil {
+			return "", err
+		}
 	}

 	re, err := regexp.Compile(a.Pattern)
@ -308,9 +319,18 @@ func (e *Executor) gitDiff(args string) (string, error) {
 		return "", err
 	}

-	var cmd *exec.Cmd
+	filename := ""
 	if a.Filename != "" {
-		cmd = exec.Command("git", "diff", a.Filename)
+		fpath, err := e.safePath(a.Filename)
+		if err != nil {
+			return "", err
+		}
+		filename, _ = filepath.Rel(e.workspaceDir, fpath)
+	}
+
+	var cmd *exec.Cmd
+	if filename != "" {
+		cmd = exec.Command("git", "diff", filename)
 	} else {
 		cmd = exec.Command("git", "diff")
 	}