fix: 修复 UI Schema 导航路径遍历漏洞

2026-03-30 09:06:50 +08:00
parent bd7ac6285c
commit 5999d0edd1
1 changed files with 15 additions and 1 deletions
@@ -2,10 +2,20 @@ bool isValidInternalNavigationPath(String path) {
  if (path.isEmpty || !path.startsWith('/')) {
    return false;
  }
+  if (path.contains('%')) {
+    try {
+      if (Uri.decodeComponent(path) != path) {
+        return false;
+      }
+    } catch (_) {
+      return false;
+    }
+  }
  return !path.startsWith('//') &&
      !path.contains('://') &&
      !path.contains('?') &&
      !path.contains('#') &&
+      !path.contains('..') &&
      !path.contains(':');
 }

@@ -20,7 +30,7 @@ String buildUiSchemaNavigationTarget({
    for (final entry in params.entries) {
      final value = entry.value;
      if (value is String && value.isNotEmpty) {
-        queryParams[entry.key] = value;
+        queryParams[entry.key] = _sanitizeQueryValue(value);
      } else if (value is num || value is bool) {
        queryParams[entry.key] = value.toString();
      }
@@ -33,3 +43,7 @@ String buildUiSchemaNavigationTarget({
  );
  return targetUri.toString();
 }
+
+String _sanitizeQueryValue(String value) {
+  return value.replaceAll('\n', ' ').replaceAll('\r', '').trim();
+}