chore: better path checks

Author: wwqgtxx

adapter/outbound/ssh.go

@@ -136,7 +136,11 @@ func NewSsh(option SshOption) (*Ssh, error) {
 		if strings.Contains(option.PrivateKey, "PRIVATE KEY") {
 			b = []byte(option.PrivateKey)
 		} else {
-			b, err = os.ReadFile(C.Path.Resolve(option.PrivateKey))
+			path := C.Path.Resolve(option.PrivateKey)
+			if !C.Path.IsSafePath(path) {
+				return nil, fmt.Errorf("path is not subpath of home directory: %s", path)
+			}
+			b, err = os.ReadFile(path)
 			if err != nil {
 				return nil, err
 			}

adapter/provider/parser.go

@@ -17,7 +17,6 @@ import (
 
 var (
 	errVehicleType = errors.New("unsupport vehicle type")
-	errSubPath     = errors.New("path is not subpath of home directory")
 )
 
 type healthCheckSchema struct {
@@ -115,7 +114,7 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 		if schema.Path != "" {
 			path = C.Path.Resolve(schema.Path)
 			if !C.Path.IsSafePath(path) {
-				return nil, fmt.Errorf("%w: %s", errSubPath, path)
+				return nil, fmt.Errorf("path is not subpath of home directory: %s", path)
 			}
 		}
 		vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, schema.Header, resource.DefaultHttpTimeout, schema.SizeLimit)

component/ca/config.go

@@ -81,7 +81,11 @@ func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error)
 	var certificate []byte
 	var err error
 	if len(customCA) > 0 {
-		certificate, err = os.ReadFile(C.Path.Resolve(customCA))
+		path := C.Path.Resolve(customCA)
+		if !C.Path.IsSafePath(path) {
+			return nil, fmt.Errorf("path is not subpath of home directory: %s", path)
+		}
+		certificate, err = os.ReadFile(path)
 		if err != nil {
 			return nil, fmt.Errorf("load ca error: %w", err)
 		}

component/ca/keypair.go

@@ -16,6 +16,7 @@ import (
 
 type Path interface {
 	Resolve(path string) string
+	IsSafePath(path string) bool
 }
 
 // LoadTLSKeyPair loads a TLS key pair from the provided certificate and private key data or file paths, supporting fallback resolution.
@@ -39,7 +40,13 @@ func LoadTLSKeyPair(certificate, privateKey string, path Path) (tls.Certificate,
 	}
 
 	certificate = path.Resolve(certificate)
+	if !path.IsSafePath(certificate) {
+		return tls.Certificate{}, fmt.Errorf("path is not subpath of home directory: %s", certificate)
+	}
 	privateKey = path.Resolve(privateKey)
+	if !path.IsSafePath(privateKey) {
+		return tls.Certificate{}, fmt.Errorf("path is not subpath of home directory: %s", privateKey)
+	}
 	cert, loadErr := tls.LoadX509KeyPair(certificate, privateKey)
 	if loadErr != nil {
 		return tls.Certificate{}, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())

config/config.go

@@ -754,6 +754,9 @@ func parseGeneral(cfg *RawConfig) (*General, error) {
 }
 
 func parseController(cfg *RawConfig) (*Controller, error) {
+	if path := cfg.ExternalUI; path != "" && !C.Path.IsSafePath(path) {
+		return nil, fmt.Errorf("path is not subpath of home directory: %s", path)
+	}
 	return &Controller{
 		ExternalController:     cfg.ExternalController,
 		ExternalUI:             cfg.ExternalUI,

constant/path.go

@@ -84,7 +84,7 @@ func (p *path) IsSafePath(path string) bool {
 		return false
 	}
 
-	return !strings.Contains(rel, "..")
+	return filepath.IsLocal(rel)
 }
 
 func (p *path) GetPathByHash(prefix, name string) string {

hub/route/configs.go

@@ -373,10 +373,9 @@ func updateConfigs(w http.ResponseWriter, r *http.Request) {
 	} else {
 		if req.Path == "" {
 			req.Path = C.Path.Config()
-		}
-		if !filepath.IsAbs(req.Path) {
+		} else if !filepath.IsLocal(req.Path) {
 			render.Status(r, http.StatusBadRequest)
-			render.JSON(w, r, newError("path is not a absolute path"))
+			render.JSON(w, r, newError("path is not a valid absolute path"))
 			return
 		}
 

rules/provider/parse.go

@@ -1,7 +1,6 @@
 package provider
 
 import (
-	"errors"
 	"fmt"
 	"time"
 
@@ -12,10 +11,6 @@ import (
 	"github.com/metacubex/mihomo/rules/common"
 )
 
-var (
-	errSubPath = errors.New("path is not subpath of home directory")
-)
-
 type ruleProviderSchema struct {
 	Type      string   `provider:"type"`
 	Behavior  string   `provider:"behavior"`
@@ -53,7 +48,7 @@ func ParseRuleProvider(name string, mapping map[string]any, parse common.ParseRu
 		if schema.Path != "" {
 			path = C.Path.Resolve(schema.Path)
 			if !C.Path.IsSafePath(path) {
-				return nil, fmt.Errorf("%w: %s", errSubPath, path)
+				return nil, fmt.Errorf("path is not subpath of home directory: %s", path)
 			}
 		}
 		vehicle = resource.NewHTTPVehicle(schema.URL, path, schema.Proxy, nil, resource.DefaultHttpTimeout, schema.SizeLimit)