
chore: merge dev into preview #5

Merged
YueerMoe merged 2 commits into preview from dev
Feb 8, 2026

Conversation

@YueerMoe (Member) commented Feb 8, 2026

Merge the changes from the dev branch into preview (the pre environment).

@gemini-code-assist

Summary of Changes

Hello @YueerMoe, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request merges the changes from the dev branch into the preview environment. The core change standardizes the metadata version resolution mechanism across the whole application. By removing the dependency on the application's build version, it simplifies how the application fetches and updates metadata, preferring the user-configured metadata version and defaulting to the latest available metadata. The change aims to improve the flexibility and consistency of metadata management.

Highlights

  • Metadata version logic refined: the logic that determines the application's metadata version has been updated on both the frontend and the backend to provide more flexible and consistent version management.
  • Application version dependency removed: the system no longer relies on the application's package version (such as app.package_info().version or appStore.currentAppVersion) to fetch or update metadata.
  • 'latest' metadata by default: metadata operations now consistently default to the 'latest' version unless a specific metadata version is explicitly provided or configured.
Changelog
  • src-tauri/src/app_cmd.rs
    • The update_metadata function no longer uses the application package version to determine the metadata version; it passes None instead.
    • The app parameter is marked as unused (_app).
  • src/pages/SettingsPage.vue
    • In the testSourceConnection and resetMetadata functions, the metadata version now prefers metadataVersion.value, with 'latest' as the default, and no longer depends on appStore.currentAppVersion.
  • src/stores/app.ts
    • In the metadata base URL and status-fetching logic, the metadata version now prefers metadataVersion.value, with DEFAULT_METADATA_VERSION as the default, removing the dependency on currentAppVersion.value.
    • Related comments were updated to reflect the new version resolution strategy.
    • A trailing blank line at the end of the file was removed.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/release.yml
Activity
  • No human activity yet.

@YueerMoe YueerMoe merged commit 087703a into preview Feb 8, 2026
3 checks passed

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This Pull Request merges the dev branch into preview, primarily aiming to decouple the metadata version from the application version, allowing for user-configurable versions. However, a critical Path Traversal vulnerability has been identified in the metadata update logic. The update_metadata command in src-tauri/src/app_cmd.rs is part of a flow that allows arbitrary file writes via a malicious metadata manifest, as file paths provided in a remote manifest are trusted without sanitization, potentially leading to overwriting sensitive files. Furthermore, the update_metadata command currently hardcodes the metadata version to latest, overriding any user-configured version set in the frontend. It is highly recommended to implement strict path validation in src-tauri/src/services/metadata.rs and to modify the update_metadata command to correctly utilize the user-provided version.

&client,
base_url,
Some(app_version),
None,
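Review bot: replacing `Some(app_version)` with `None` here makes the native `update_metadata` command always resolve to the latest metadata, while the frontend changes in this same PR (SettingsPage.vue and app.ts) prefer `metadataVersion.value` and only fall back to the default; the two halves disagree whenever a user pins a version. Thread the user's selection through instead of hardcoding: accept an optional version argument on the command and pass it in place of this `None`, keeping `None` only as the fallback when nothing is configured, so the backend honours the same setting the UI displays.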

Labels: security-critical, critical

This section of the update_metadata command is part of a flow that is vulnerable to a critical Path Traversal vulnerability. The base_url (which can be configured by the user) is passed to metadata::update_metadata, which fetches a manifest.json. The path field from this manifest is used to construct local file paths using metadata_dir.join(path) without proper sanitization. This allows an attacker to provide paths containing .. or absolute paths, leading to arbitrary file writes and potential Remote Code Execution (RCE).

Additionally, the current implementation hardcodes the metadata version to None (which resolves to latest), overriding any user-configured version set in the frontend. This means if a user sets a specific metadata version in the frontend, it will be ignored.

To remediate the Path Traversal, strict path validation must be implemented in src-tauri/src/services/metadata.rs to ensure the resulting path remains within the intended directory. For the versioning issue, the update_metadata command should be modified to accept a version parameter from the frontend and pass it to the services::metadata::update_metadata function. This will also require corresponding frontend changes in src/api/tauriCommands.ts and src/stores/app.ts.
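The path check the review asks for, written out as an added example: this is not code from this repository or from the Gemini comment, and `safe_join` and `PathError` are hypothetical names. It assumes the manifest-supplied path arrives as a `&str` and the metadata directory as a `&Path`, and it walks the path's components so that `..`, absolute paths, Windows drive prefixes and backslash-separated entries are refused before anything is joined onto the base. The manifest entries in `main` are constructed for the demo.

```rust
use std::path::{Component, Path, PathBuf};

/// Why a manifest-supplied path was rejected (hypothetical type for this example).
#[derive(Debug, PartialEq)]
pub enum PathError {
    Empty,
    Absolute,
    ParentDir,
    Prefix,
    Separator,
}

/// Join an untrusted, manifest-supplied path onto `base`, accepting only a plain
/// relative path made of normal components. Unlike a bare `base.join(untrusted)`,
/// this never lets the entry replace `base` (absolute path) or climb out of it (`..`).
pub fn safe_join(base: &Path, untrusted: &str) -> Result<PathBuf, PathError> {
    if untrusted.is_empty() {
        return Err(PathError::Empty);
    }
    // A manifest written on one OS may be consumed on another; a backslash is a
    // filename character on Unix but a separator on Windows, so refuse it outright.
    if untrusted.contains('\\') {
        return Err(PathError::Separator);
    }
    let candidate = Path::new(untrusted);
    // `Path::join` discards `base` entirely when the right-hand side is absolute.
    if candidate.is_absolute() || candidate.has_root() {
        return Err(PathError::Absolute);
    }
    let mut out = base.to_path_buf();
    for component in candidate.components() {
        match component {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            Component::ParentDir => return Err(PathError::ParentDir),
            Component::RootDir => return Err(PathError::Absolute),
            Component::Prefix(_) => return Err(PathError::Prefix),
        }
    }
    Ok(out)
}

fn main() {
    // Constructed manifest entries, as an attacker-controlled manifest.json might list them.
    let base = Path::new("/app/metadata");
    let entries = [
        "items/1.json",
        "./items/1.json",
        "../../.bashrc",
        "/etc/passwd",
        "items/../../outside.json",
        "C:\\Windows\\x",
        "",
    ];
    for entry in entries {
        match safe_join(base, entry) {
            Ok(p) => println!("ok      {entry:?} -> {}", p.display()),
            Err(e) => println!("reject  {entry:?} ({e:?})"),
        }
    }
}
```

The component walk and the absolute-path check overlap on purpose; the explicit check documents the `Path::join` replacement behaviour that makes the original `metadata_dir.join(path)` dangerous. If the metadata directory can contain symlinks, canonicalize the joined result before writing and confirm it still starts with the canonicalized base; that filesystem step is left out of this offline example.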
