🐛 Fix file management of the site

2025-11-21 00:40:58 +08:00
parent 3aa5561a07
commit 75b8567a28
2 changed files with 42 additions and 23 deletions
--- a/DysonNetwork.Zone/Publication/PublicationSiteManager.cs
+++ b/DysonNetwork.Zone/Publication/PublicationSiteManager.cs
@@ -23,11 +23,18 @@ public class PublicationSiteManager(

    private string GetFullPath(Guid siteId, string relativePath)
    {
-        var fullPath = Path.Combine(_basePath, siteId.ToString(), relativePath);
-        var siteDirPath = Path.Combine(_basePath, siteId.ToString());
-        return !Path.GetRelativePath(siteDirPath, fullPath).StartsWith('.')
-            ? throw new ArgumentException("Invalid path")
-            : fullPath;
+        // Treat paths starting with separator as relative to site root
+        relativePath = relativePath.TrimStart('/', '\\');
+        string fullPath = Path.Combine(_basePath, siteId.ToString(), relativePath);
+        string normalizedPath = Path.GetFullPath(fullPath);
+        string siteDirFull = Path.Combine(_basePath, siteId.ToString());
+        string normalizedSiteDir = Path.GetFullPath(siteDirFull);
+        if (!normalizedPath.StartsWith(normalizedSiteDir + Path.DirectorySeparatorChar) &&
+            !normalizedPath.Equals(normalizedSiteDir))
+        {
+            throw new ArgumentException("Path escapes site directory");
+        }
+        return normalizedPath;
    }

    private async Task EnsureSiteDirectory(Guid siteId)
@@ -43,11 +50,11 @@ public class PublicationSiteManager(
    public async Task<List<FileEntry>> ListFiles(Guid siteId, string relativePath = "")
    {
        await EnsureSiteDirectory(siteId);
-        var dir = Path.Combine(_basePath, siteId.ToString(), relativePath);
-        if (!Directory.Exists(dir))
+        var targetDir = GetFullPath(siteId, relativePath);
+        if (!Directory.Exists(targetDir))
            throw new DirectoryNotFoundException("Directory not found");

-        var entries = (from file in Directory.GetFiles(dir)
+        var entries = (from file in Directory.GetFiles(targetDir)
            let fileInfo = new FileInfo(file)
            select new FileEntry
            {
@@ -55,7 +62,7 @@ public class PublicationSiteManager(
                RelativePath = Path.GetRelativePath(Path.Combine(_basePath, siteId.ToString()), file),
                Size = fileInfo.Length, Modified = fileInfo.LastWriteTimeUtc
            }).ToList();
-        entries.AddRange(from subDir in Directory.GetDirectories(dir)
+        entries.AddRange(from subDir in Directory.GetDirectories(targetDir)
            let dirInfo = new DirectoryInfo(subDir)
            select new FileEntry
            {
@@ -108,10 +115,9 @@ public class PublicationSiteManager(
        return size;
    }

-    public string GetFullPathForDownload(Guid siteId, string relativePath)
+    public string GetValidatedFullPath(Guid siteId, string relativePath)
    {
-        // Internal method to get path without throwing if not exists
-        return Path.Combine(_basePath, siteId.ToString(), relativePath);
+        return GetFullPath(siteId, relativePath);
    }

    public async Task UpdateFile(Guid siteId, string relativePath, string newContent)
--- a/DysonNetwork.Zone/Publication/SiteManagerController.cs
+++ b/DysonNetwork.Zone/Publication/SiteManagerController.cs
@@ -111,7 +111,16 @@ public class SiteManagerController(
        var check = await CheckAccess(siteId);
        if (check != null) return check;

-        var fullPath = fileManager.GetFullPathForDownload(siteId, relativePath);
+        string fullPath;
+        try
+        {
+            fullPath = fileManager.GetValidatedFullPath(siteId, relativePath);
+        }
+        catch (ArgumentException)
+        {
+            return BadRequest("Invalid path");
+        }
+
        if (!System.IO.File.Exists(fullPath))
            return NotFound();

@@ -137,23 +146,27 @@ public class SiteManagerController(
        const long maxFileSize = 1048576; // 1MB
        const long maxTotalSize = 26214400; // 25MB

-        var fullPath = fileManager.GetFullPathForDownload(siteId, relativePath);
-        long oldSize = 0;
-        if (System.IO.File.Exists(fullPath))
-            oldSize = new FileInfo(fullPath).Length;
-
        if (request.NewContent.Length > maxFileSize)
            return BadRequest("New content exceeds 1MB limit");

+        long oldSize = 0;
+        try
+        {
+            var fullPath = fileManager.GetValidatedFullPath(siteId, relativePath);
+            if (System.IO.File.Exists(fullPath))
+                oldSize = new FileInfo(fullPath).Length;
+
            var currentTotal = await fileManager.GetTotalSiteSize(siteId);
            if (currentTotal - oldSize + request.NewContent.Length > maxTotalSize)
                return BadRequest("Site total size would exceed 25MB limit");

-        try
-        {
            await fileManager.UpdateFile(siteId, relativePath, request.NewContent);
            return Ok();
        }
+        catch (ArgumentException)
+        {
+            return BadRequest("Invalid path");
+        }
        catch (Exception ex)
        {
            return BadRequest(ex.Message);