fix: fix path traversal issue #365

Merged
jamebal merged 2 commits into master from develop
Jan 21, 2026

Conversation

@jamebal (Owner) commented Jan 20, 2026

link: #364

@gemini-code-assist (Contributor)

Summary of Changes

Hello @jamebal, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request aims to fix a critical path traversal vulnerability in the file management system. By introducing a centralized path validation mechanism and integrating it into all relevant file handling operations, it significantly strengthens the security of file access and manipulation, preventing attackers from accessing or modifying files outside their designated directory.

Highlights

  • Path traversal fix: introduces the new utility methods FileNameUtils.checkPath and FileNameUtils.decodeAndCheckPath to strengthen path validation and prevent path traversal attacks.
  • Broad integration of path validation: integrates the new path validation mechanism into multiple file operations in FileController, MarkDownController, FileServiceImpl, FileVersionServiceImpl, WebOssService and MyWebdavServlet, ensuring every user-supplied path is strictly checked.
  • Hardened file access: adds explicit checkFilePath calls to file preview operations so that file access is confined to the user's own directory, preventing unauthorized file access.


@gemini-code-assist (Contributor) left a review

Code Review

This pull request aims to fix a path traversal issue by introducing and applying the new validation method decodeAndCheckPath. The changes are generally correct, replacing unsafe decoding with a version that also checks for path traversal sequences. However, the review found that the fix is incomplete or could be improved in a few places. Specifically, the validation in FileController is insufficient because it does not handle absolute paths, and one endpoint is missing validation entirely. In addition, a redundant validation call was found in MarkDownController. The feedback below offers suggestions to address these issues and fully protect the application against path traversal attacks.

@Permission("cloud:file:list")
@LogOperatingFun(logType = LogOperation.Type.BROWSE)
public ResponseResult<Object> previewTextByPath(@RequestParam String path, @RequestParam String username) {
FileNameUtils.checkPath(path);
Severity: high

The current path validation is incomplete. It checks for directory traversal sequences such as ../, but it does not block the use of absolute paths. An attacker could supply an absolute path to potentially access arbitrary files on the system, especially when prePth is constructed for the OSS path check. You should add a check to ensure the path is not absolute, since this endpoint expects a relative path.

        if (java.nio.file.Paths.get(path).isAbsolute()) {
            throw new com.jmal.clouddisk.exception.CommonException(com.jmal.clouddisk.exception.ExceptionType.PARAMETERS_VALUE.getCode(), "不允许使用绝对路径");
        }
        FileNameUtils.checkPath(path);

Comment on lines +230 to +231
public ResponseEntity<StreamingResponseBody> previewTextByPathStream(@RequestParam String path,
@RequestParam String username) {
Severity: high

The user-supplied path parameter is passed to Paths.get(username, path) without validation. If an absolute path is supplied, this could lead to a path traversal vulnerability allowing access to unintended files. You should add validation here to ensure the path is relative and contains no traversal sequences, similar to the previewTextByPath method. For example:

if (java.nio.file.Paths.get(path).isAbsolute()) {
    throw new com.jmal.clouddisk.exception.CommonException(com.jmal.clouddisk.exception.ExceptionType.PARAMETERS_VALUE.getCode(), "不允许使用绝对路径");
}
FileNameUtils.checkPath(path);

ResultUtil.checkParamIsNull(upload.getUsername(), upload.getUserId(), upload.getRelativePath(), upload.getContentText());
ResultUtil.checkParamIsNull(upload.getUsername(), upload.getUserId(), upload.getRelativePath(),
upload.getContentText());
FileNameUtils.checkPath(upload.getRelativePath());
Severity: medium

This call to FileNameUtils.checkPath() is redundant. The upload.getRelativePath() method invoked in the checkParamIsNull line above already calls decodeAndCheckPath(), which performs the same validation internally. You can remove this line to avoid the duplicate check and simplify the code.
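The three review comments above all turn on the same contract: decode the user-supplied path once, then validate the decoded form for both traversal segments and absolute paths, and re-check at the point of filesystem access. The following Java class is an added example written for this review; it is not the project's FileNameUtils and the names PathCheckExample, PathTraversalException, decodeAndCheckPath and resolveInside are hypothetical stand-ins. The sample inputs and the user root directory in main are constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example of a decode-then-validate path check, written for this review.
 * It is not the project's FileNameUtils; the class and method names are
 * hypothetical stand-ins for a decodeAndCheckPath-style helper.
 */
public final class PathCheckExample {

    private PathCheckExample() {}

    /** Thrown for any user-supplied path that must not reach the filesystem. */
    public static final class PathTraversalException extends RuntimeException {
        public PathTraversalException(String msg) { super(msg); }
    }

    /**
     * Decode a percent-encoded relative path once, then reject everything that can
     * escape the caller's directory: NUL bytes, absolute paths and ".." segments.
     * Validating the decoded string (not the raw one) is what defeats %2e%2e/ bypasses;
     * decoding only once means the value returned is exactly what the OS will see.
     */
    public static String decodeAndCheckPath(String rawPath) {
        if (rawPath == null) {
            throw new PathTraversalException("path is null");
        }
        String decoded;
        try {
            // Note: URLDecoder also maps '+' to a space (form-encoding rules). If file
            // names may legitimately contain '+', use a decoder that does not do this.
            decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new PathTraversalException("malformed percent-encoding: " + rawPath);
        }
        if (decoded.indexOf('\0') >= 0) {
            throw new PathTraversalException("NUL byte in path");
        }
        // Treat backslash as a separator too: on Linux "..\\x" is one harmless file name,
        // but the same request against a Windows deployment would traverse.
        String unified = decoded.replace('\\', '/');
        Path p;
        try {
            p = Paths.get(unified);
        } catch (InvalidPathException e) {
            throw new PathTraversalException("invalid path: " + rawPath);
        }
        // isAbsolute() is platform-dependent: on Windows "/etc/passwd" has no drive letter
        // and is NOT absolute, yet the leading separator still anchors it at the drive root
        // when resolved. The explicit startsWith("/") check covers that case.
        if (p.isAbsolute() || unified.startsWith("/")) {
            throw new PathTraversalException("absolute path not allowed: " + rawPath);
        }
        for (Path segment : p) {
            if ("..".equals(segment.toString())) {
                throw new PathTraversalException("traversal segment in path: " + rawPath);
            }
        }
        return unified;
    }

    /**
     * Resolve a checked relative path under the user's root and confirm, after
     * normalization, that the result is still inside that root. Keep this at the
     * point of filesystem access as a second line of defence behind the string check.
     */
    public static Path resolveInside(Path userRoot, String rawPath) {
        Path root = userRoot.toAbsolutePath().normalize();
        Path target = root.resolve(decodeAndCheckPath(rawPath)).normalize();
        if (!target.startsWith(root)) {
            throw new PathTraversalException("resolved path escapes user root: " + rawPath);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed inputs; the root directory is a hypothetical per-user folder.
        Path root = Paths.get("/data/users/alice");
        String[] inputs = {
            "docs/readme.md",          // accepted
            "../bob/secret.txt",       // plain traversal
            "%2e%2e/bob/secret.txt",   // encoded traversal, only visible after decoding
            "docs/..%2f..%2fbob",      // traversal hidden behind an encoded separator
            "/etc/passwd",             // absolute path
            "..\\bob\\secret.txt",     // backslash traversal
        };
        for (String in : inputs) {
            try {
                System.out.println(in + " -> OK " + resolveInside(root, in));
            } catch (PathTraversalException e) {
                System.out.println(in + " -> REJECTED: " + e.getMessage());
            }
        }
    }
}
```

Only the first input is accepted; every other one is rejected, either by the segment check in decodeAndCheckPath or, if a future change weakened that check, by the startsWith(root) comparison in resolveInside. Rejecting any ".." segment (rather than trying to allow "a/../b") is deliberate: a client-supplied relative path never needs one, and refusing it outright removes the normalization edge cases the reviewer is worried about.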

@jamebal merged commit 0dbb108 into master Jan 21, 2026
26 of 28 checks passed