Merge pull request #30 from Huy-DNA/fix/prevent-rm-and-mv-ancestor-fo…

…lders Fix/prevent rm and mv ancestor folders
Huy-DNA · Nov 12, 2024 · 344d369 · 344d369
2 parents f4b138b + 6a5f555
commit 344d369
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 5 deletions.
diff --git a/lib/path/index.ts b/lib/path/index.ts
@@ -37,6 +37,10 @@ export class VirtualPath {
     return this.path === '';
   }
 
+  isAncestor (other: VirtualPath): boolean {
+    return other.path.startsWith(this.path + '/');
+  }
+
   isHome (username: string): boolean {
     return this.equals(VirtualPath.homeDir(username));
   }

diff --git a/lib/responseCodes.ts b/lib/responseCodes.ts
@@ -33,6 +33,7 @@ export enum FileCpErrorCode {
   INVALID_PARAM = 1000,
   INVALID_BODY = 1001,
   NOT_ENOUGH_PRIVILEGE = 2000,
+  CP_TO_DESCENDANT = 2001,
   SRC_NOT_FOUND = 3000,
   DEST_NOT_FOUND = 3001,
   INVALID_COPY_FOLDER_TO_FILE = 3002,
@@ -77,6 +78,7 @@ export enum FileMvErrorCode {
   INVALID_PARAM = 1000,
   INVALID_BODY = 1001,
   NOT_ENOUGH_PRIVILEGE = 2000,
+  MV_TO_DESCENDANT = 2001,
   SRC_NOT_FOUND = 3000,
   DEST_NOT_FOUND = 3001,
   INVALID_MV_FOLDER_TO_FILE = 3002,

diff --git a/server/api/files/cp.post.ts b/server/api/files/cp.post.ts
@@ -26,6 +26,9 @@ export default defineEventHandler(async (event) => {
   if (!dest.isValid()) {
     return { error: { code: FileCpErrorCode.INVALID_BODY, message: 'Expect the "dest" param to be valid path' } };
   }
+  if (src.isAncestor(dest)) {
+    return { error: { code: FileCpErrorCode.CP_TO_DESCENDANT, message: 'Cannot copy a folder to it descendant' } };
+  }
 
   try {
     await db.serializable(dbPool, async (dbClient) => {

diff --git a/server/api/files/mv.post.ts b/server/api/files/mv.post.ts
@@ -25,6 +25,9 @@ export default defineEventHandler(async (event) => {
   if (!dest.isValid()) {
     return { error: { code: FileMvErrorCode.INVALID_BODY, message: 'Expect the "dest" param to be valid path' } };
   }
+  if (src.isAncestor(dest)) {
+    return { error: { code: FileMvErrorCode.MV_TO_DESCENDANT, message: 'Cannot move a folder to it descendant' } };
+  }
 
   try {
     await db.serializable(dbPool, async (dbClient) => {

diff --git a/services/files.ts b/services/files.ts
@@ -1,6 +1,7 @@
 import path from 'path-browserify';
 import { Err, Ok, type Diagnostic, type Result } from './types';
 import { FilePostErrorCode } from '~/lib';
+import type { VirtualPath } from '~/lib/path';
 
 export enum UserKind {
   OWNER = 'owner',
@@ -118,9 +119,13 @@ export const fileService = {
   },
   async removeFile (filename: string): Promise<Result<null, Diagnostic>> {
     const { cwd } = useCwdStore();
+    const resolvedPath = cwd.value.resolve(filename);
+    if (resolvedPath.isAncestor(cwd.value as VirtualPath)) {
+      return new Err({ code: 1, message: 'Cannot remove ancestor folder' });
+    }
     const res = await $fetch('/api/files', {
       method: 'delete',
-      query: { name: cwd.value.resolve(filename).toString() },
+      query: { name: resolvedPath.toString() },
       credentials: 'include',
     });
     if (res.error) {
@@ -185,11 +190,19 @@ export const fileService = {
   },
   async moveFile (src: string, dest: string, umask: string): Promise<Result<null, Diagnostic>> {
     const { cwd } = useCwdStore();
+    const resolvedSrc = cwd.value.resolve(src);
+    const resolvedDest = cwd.value.resolve(dest);
+    if (resolvedSrc.isAncestor(cwd.value as VirtualPath)) {
+      return new Err({ code: 1, message: 'Cannot move ancestor folder' });
+    }
+    if (resolvedSrc.isAncestor(resolvedDest)) {
+      return new Err({ code: 1, message: 'Cannot move a folder to its descendant' });
+    }
     const res = await $fetch('/api/files/mv', {
       method: 'post',
       body: {
-        src: cwd.value.resolve(src).toString(),
-        dest: cwd.value.resolve(dest).toString(),
+        src: resolvedSrc.toString(),
+        dest: resolvedDest.toString(),
         permission_bits: umask,
       },
       credentials: 'include',
@@ -202,11 +215,16 @@ export const fileService = {
   },
   async copyFile (src: string, dest: string, umask: string): Promise<Result<null, Diagnostic>> {
     const { cwd } = useCwdStore();
+    const resolvedSrc = cwd.value.resolve(src);
+    const resolvedDest = cwd.value.resolve(dest);
+    if (resolvedSrc.isAncestor(resolvedDest)) {
+      return new Err({ code: 1, message: 'Cannot copy a folder to its descendant' });
+    }
     const res = await $fetch('/api/files/cp', {
       method: 'post',
       body: {
-        src: cwd.value.resolve(src).toString(),
-        dest: cwd.value.resolve(dest).toString(),
+        src: resolvedSrc.toString(),
+        dest: resolvedDest.toString(),
         permission_bits: umask,
       },
       credentials: 'include',