From 7ed7e0c4487b6b008d057370857855b0f1c2a995 Mon Sep 17 00:00:00 2001
From: dash <1549469775@qq.com>
Date: Sat, 13 Dec 2025 02:40:57 +0800
Subject: [PATCH] Update Content-Security-Policy in projectController.ts for enhanced security and improve ZIP file extraction safety checks in fileUtils.ts to prevent path traversal and absolute path vulnerabilities.
---
 backend/src/controllers/projectController.ts | 2 +-
 backend/src/utils/fileUtils.ts | 11 +++++++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/backend/src/controllers/projectController.ts b/backend/src/controllers/projectController.ts
index 433ec19..744bb68 100644
--- a/backend/src/controllers/projectController.ts
+++ b/backend/src/controllers/projectController.ts
@@ -392,7 +392,7 @@ export class ProjectController {
 );
 // 设置CSP头
- ctx.set('Content-Security-Policy', "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self'; style-src 'unsafe-inline' 'self';");
+ ctx.set('Content-Security-Policy', "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; worker-src 'self' blob: data:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; connect-src 'self' blob: data:; object-src 'none'; base-uri 'self';");
 ctx.set('Content-Type', 'text/html; charset=utf-8');
 ctx.body = htmlContent;
 } catch (error: any) {
diff --git a/backend/src/utils/fileUtils.ts b/backend/src/utils/fileUtils.ts
index 6ee9e9d..f3aa67d 100644
--- a/backend/src/utils/fileUtils.ts
+++ b/backend/src/utils/fileUtils.ts
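Review bot: The new `script-src` adds `data:` and `blob:` on top of the retained `'unsafe-inline'` and `'unsafe-eval'`, so the policy no longer meaningfully limits where script can execute; `data:` in `script-src` in particular is a well-known way for a policy to be sidestepped, which is the opposite of the hardening the commit subject describes. The genuine improvements on this line are `object-src 'none'` and `base-uri 'self'`. If the only need is blob-backed workers, the explicit `worker-src 'self' blob:` already covers them and `script-src` should at least drop `data:`, i.e. `script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:;`, with a per-response nonce or hash replacing `'unsafe-inline'` as the longer-term fix if `htmlContent` is user-supplied (the surrounding code suggests so, but the hunk does not show where it comes from). As a point of style, one long directive literal is hard to review; building it from an array of directive strings joined with `'; '` would make each future change diff on its own line. The method this sits in starts and ends outside the hunk.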
@@ -84,11 +84,18 @@ export async function extractZip(zipPath: string, extractTo: string): Promise {
 // 检查文件名安全性
- const sanitized = sanitizeFileName(entry.fileName);
- if (sanitized !== entry.fileName) {
+ // 检查路径遍历攻击(..)和危险字符,但允许正常的目录结构
+ if (entry.fileName.includes('..') ||
+ /[<>:"|?*\x00-\x1f]/.test(entry.fileName)) {
 reject(new Error('ZIP文件包含不安全的文件名'));
 return;
 }
+
+ // 检查绝对路径(Windows: C:\ 或 Unix: /)
+ if (/^([a-zA-Z]:|\\\\|\/)/.test(entry.fileName)) {
+ reject(new Error('ZIP文件包含绝对路径'));
+ return;
+ }
 // 检查解压后总大小(防止zip炸弹)
 totalSize += entry.uncompressedSize;
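Review bot: The two new prefix checks decide the safety of the destination by matching strings, whereas the dependable form is to resolve the actual target and require it to stay under the extraction root: `path.resolve(extractTo, entry.fileName)` must start with `path.resolve(extractTo) + path.sep`. As written, a name beginning with a single backslash is not rejected (the regex's `\\\\` only matches a doubled UNC-style prefix), the `[a-zA-Z]:` alternative is unreachable because the character class on the previous check already rejects every `:`, and `includes('..')` also refuses legitimate names such as `notes..txt`. Whether `path` is already imported in fileUtils.ts and whether extraction later uses `path.join` or `path.resolve` lies outside the hunk, as do the start and end of `extractZip`, so the rewrite below assumes `node:path` is in scope and keeps the character-class check for Windows-invalid and control characters. If the entries come from yauzl, which the `fileName`/`uncompressedSize` fields suggest, its exported `validateFileName(entry.fileName)` performs the backslash, absolute-path and `..`-segment checks and could replace the hand-written regexes. Note also that `entry.uncompressedSize` on the last line is a header value the archive controls, so the zip-bomb cap only holds if the bytes actually streamed out are counted as well, which the hunk does not show.
```typescript
      // 检查文件名安全性
      // Resolve the real target and reject anything that would land outside extractTo
      const destRoot = path.resolve(extractTo);
      const dest = path.resolve(destRoot, entry.fileName);
      if (/[<>:"|?*\x00-\x1f]/.test(entry.fileName) ||
          (dest !== destRoot && !dest.startsWith(destRoot + path.sep))) {
        reject(new Error('ZIP文件包含不安全的文件名'));
        return;
      }
      // … unchanged: totalSize accumulation and zip-bomb check …
```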