fix: path traversal via URL-encoded ../, Feb 29 leap year crash, missing response_model, dead code, duplicate utcnow

2026-05-17 12:36:45 +08:00
parent 5f23b8ef5b
commit 9c5ef36fe8
5 changed files with 35 additions and 33 deletions
--- a/api/app/main.py
+++ b/api/app/main.py
@@ -151,9 +151,12 @@ if os.path.exists(WEBUI_PATH):
    @app.get("/{full_path:path}")
    async def spa_fallback(request: Request, full_path: str):
        """SPA 回退：先尝试提供真实文件，找不到则返回 index.html"""
-        file_path = os.path.join(WEBUI_PATH, full_path)
-        if os.path.isfile(file_path):
-            return FileResponse(file_path)
+        # 规范化路径并防止路径穿越攻击
+        safe_path = os.path.normpath(os.path.join(WEBUI_PATH, full_path))
+        if not safe_path.startswith(os.path.normpath(WEBUI_PATH)):
+            return FileResponse(os.path.join(WEBUI_PATH, "index.html"))
+        if os.path.isfile(safe_path):
+            return FileResponse(safe_path)
        return FileResponse(os.path.join(WEBUI_PATH, "index.html"))

    logger.info(f"SPA 静态文件服务已配置: {WEBUI_PATH}")