From 46c93d48ad58aad617ca3b183228e6b3a5eeaa4f Mon Sep 17 00:00:00 2001
From: Potatowo <potatowo233@qq.com>
Date: Mon, 17 Nov 2025 01:30:00 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8Dconsole=E4=BB=BB=E6=84=8F?=
 =?UTF-8?q?=E6=96=87=E4=BB=B6=E8=AF=BB=E5=8F=96=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 plugins/console/src/node/index.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/plugins/console/src/node/index.ts b/plugins/console/src/node/index.ts
index 3ae79402..c01c9a5f 100644
--- a/plugins/console/src/node/index.ts
+++ b/plugins/console/src/node/index.ts
@@ -147,7 +147,11 @@ class NodeConsole extends Console {
         const [key] = name.slice(8).split('/', 1)
         if (this.entries[key]) {
           const files = makeArray(this.getFiles(this.entries[key].files))
-          const filename = files[0] + name.slice(8 + key.length)
+          let filename = files[0] + name.slice(8 + key.length)
+          filename = resolve(this.root, filename)
+          if (!filename.startsWith(this.root) && !filename.includes('node_modules')) {
+            return ctx.status = 403
+          }
           ctx.type = extname(filename)
           if (this.config.devMode || ctx.type !== 'application/javascript') {
             return sendFile(filename)