qzl/social-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 修复 UI Schema 导航路径遍历漏洞

Browse Source
This commit is contained in:
zl-q
2026-03-30 09:06:50 +08:00
parent bd7ac6285c
commit 5999d0edd1
1 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/lib/core/ui_schema/navigation/ui_schema_navigation.dart
+15 -1
View File
@@ -2,10 +2,20 @@ bool isValidInternalNavigationPath(String path) {
if (path.isEmpty || !path.startsWith('/')) { if (path.isEmpty || !path.startsWith('/')) {
return false; return false;
} }
if (path.contains('%')) {
try {
if (Uri.decodeComponent(path) != path) {
return false;
}
} catch (_) {
return false;
}
}
return !path.startsWith('//') && return !path.startsWith('//') &&
!path.contains('://') && !path.contains('://') &&
!path.contains('?') && !path.contains('?') &&
!path.contains('#') && !path.contains('#') &&
!path.contains('..') &&
!path.contains(':'); !path.contains(':');
} }
@@ -20,7 +30,7 @@ String buildUiSchemaNavigationTarget({
for (final entry in params.entries) { for (final entry in params.entries) {
final value = entry.value; final value = entry.value;
if (value is String && value.isNotEmpty) { if (value is String && value.isNotEmpty) {
queryParams[entry.key] = value; queryParams[entry.key] = _sanitizeQueryValue(value);
} else if (value is num || value is bool) { } else if (value is num || value is bool) {
queryParams[entry.key] = value.toString(); queryParams[entry.key] = value.toString();
} }
@@ -33,3 +43,7 @@ String buildUiSchemaNavigationTarget({
); );
return targetUri.toString(); return targetUri.toString();
} }
String _sanitizeQueryValue(String value) {
return value.replaceAll('\n', ' ').replaceAll('\r', '').trim();
}