Merged
Reproduced on Koishi v4.18.9 + plugin-console v5.30.10. At first glance this vulnerability is extremely dangerous and very wide in impact; it needs to be fixed as soon as possible. ping @shigma
shigma approved these changes Nov 17, 2025
Closed by mistake. Reopening
@shigma I have a question about this fix. The logic here is

```js
const relativePath = name.slice(8 + key.length)
if (relativePath.split(/[/\\]/g).includes("..")) {
  return ctx.status = 403
}
const filename = files[0] + relativePath
```

Console plugin developers may reference absolute paths that do not contain "
Judging by the result, the code in this file may indeed not be optimal, but that does not mean this PR is wrong. Another place in this file already contains similar logic (a startsWith check plus an includes check), so this PR follows the principle of minimal change. Moreover, from a security standpoint, checking the result of the path concatenation is always safer than checking the fragments. The node_modules question can indeed be discussed separately; new issues and PRs are welcome.
ilharp added a commit to ilharp/littleil that referenced this pull request Feb 5, 2026
In the original code, if the path name starts with @plugin- no validation is performed on the path at all; if the target is not a js file (for example koishi.yml) it can be returned directly via sendFile(filename).

Koishi's admin account and password are stored entirely in plaintext in koishi.yml, so once it can be read an attacker can log straight into the admin console and perform even more dangerous operations, such as arbitrary code execution.

Server-side code execution example (no additional plugins required):

Fix: for plugin files, first normalize the directory path and strip all ./ and ../, then check whether the directory location is legitimate.