Merge 56789a2c98 into 96096ea0ff

2026-05-28 17:32:40 -04:00 · 2026-05-28 17:32:40 -04:00 · 37fb7638cb
parent 96096ea0ff 56789a2c98
commit 37fb7638cb
3 changed files with 16 additions and 4 deletions
--- a/backend/app/models/project.py
+++ b/backend/app/models/project.py
@ -112,7 +112,10 @@ class ProjectManager:
    @classmethod
    def _get_project_dir(cls, project_id: str) -> str:
        """获取项目目录路径"""
-        return os.path.join(cls.PROJECTS_DIR, project_id)
+        safe_id = os.path.basename(project_id)
+        if not safe_id or safe_id != project_id:
+            raise ValueError(f"Invalid project_id: {project_id}")
+        return os.path.join(cls.PROJECTS_DIR, safe_id)
    
    @classmethod
    def _get_project_meta_path(cls, project_id: str) -> str:
--- a/backend/app/services/report_agent.py
+++ b/backend/app/services/report_agent.py
@ -1910,7 +1910,10 @@ class ReportManager:
    @classmethod
    def _get_report_folder(cls, report_id: str) -> str:
        """获取报告文件夹路径"""
-        return os.path.join(cls.REPORTS_DIR, report_id)
+        safe_id = os.path.basename(report_id)
+        if not safe_id or safe_id != report_id:
+            raise ValueError(f"Invalid report_id: {report_id}")
+        return os.path.join(cls.REPORTS_DIR, safe_id)
    
    @classmethod
    def _ensure_report_folder(cls, report_id: str) -> str:
--- a/backend/app/services/simulation_manager.py
+++ b/backend/app/services/simulation_manager.py
@ -138,7 +138,10 @@ class SimulationManager:
    
    def _get_simulation_dir(self, simulation_id: str) -> str:
        """获取模拟数据目录"""
-        sim_dir = os.path.join(self.SIMULATION_DATA_DIR, simulation_id)
+        safe_id = os.path.basename(simulation_id)
+        if not safe_id or safe_id != simulation_id:
+            raise ValueError(f"Invalid simulation_id: {simulation_id}")
+        sim_dir = os.path.join(self.SIMULATION_DATA_DIR, safe_id)
        os.makedirs(sim_dir, exist_ok=True)
        return sim_dir
    
@ -485,7 +488,10 @@ class SimulationManager:
            raise ValueError(f"模拟不存在: {simulation_id}")
        
        sim_dir = self._get_simulation_dir(simulation_id)
-        profile_path = os.path.join(sim_dir, f"{platform}_profiles.json")
+        safe_platform = os.path.basename(platform)
+        if not safe_platform or safe_platform != platform:
+            raise ValueError(f"Invalid platform: {platform}")
+        profile_path = os.path.join(sim_dir, f"{safe_platform}_profiles.json")
        
        if not os.path.exists(profile_path):
            return []