From 47698d65a0822bf6968a56bbc0b6695f27a1055c Mon Sep 17 00:00:00 2001
From: zijiren233
Date: Mon, 13 May 2024 10:03:04 +0800
Subject: [PATCH] Fix: secret list dynamic folder

---
 internal/cache/alist.go | 7 ++++++-
 server/handlers/movie.go | 21 +++++++++++++--------
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/internal/cache/alist.go b/internal/cache/alist.go
index 44fcf77..9f17d1e 100644
--- a/internal/cache/alist.go
+++ b/internal/cache/alist.go
@@ -184,10 +184,15 @@ func NewAlistMovieCacheInitFunc(movie *model.Movie, subPath string) func(ctx con
 		return nil, err
 	}
 	if movie.IsFolder {
-		truePath, err = url.JoinPath(truePath, subPath)
+		newPath, err := url.JoinPath(truePath, subPath)
 		if err != nil {
 			return nil, err
 		}
+		// check new path is in parent path
+		if !strings.HasPrefix(newPath, truePath) {
+			return nil, errors.New("sub path is not in parent path")
+		}
+		truePath = newPath
 	}
 	aucd, err := userCache.LoadOrStore(ctx, serverID)
 	if err != nil {
diff --git a/server/handlers/movie.go b/server/handlers/movie.go
index 70cd7bc..370823d 100644
--- a/server/handlers/movie.go
+++ b/server/handlers/movie.go
@@ -285,14 +285,14 @@ func getParentMoviePath(room *op.Room, id string) ([]*model.MoviePath, error) {
 }
 
 func listVendorDynamicMovie(ctx context.Context, reqUser *op.User, room *op.Room, movie *dbModel.Movie, subPath string, page, max int) (*model.MoviesResp, error) {
-	// if reqUser.ID != movie.CreatorID {
-	// 	return nil, fmt.Errorf("list vendor dynamic folder error: %w", dbModel.ErrNoPermission)
-	// }
-	creatorE, err := op.LoadOrInitUserByID(movie.CreatorID)
-	if err != nil {
-		return nil, err
+	if reqUser.ID != movie.CreatorID {
+		return nil, fmt.Errorf("list vendor dynamic folder error: %w", dbModel.ErrNoPermission)
 	}
-	user := creatorE.Value()
+	// creatorE, err := op.LoadOrInitUserByID(movie.CreatorID)
+	// if err != nil {
+	// 	return nil, err
+	// }
+	user := reqUser
 
 	paths, err := getParentMoviePath(room, movie.ID)
 	if err != nil {
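Review bot: The containment check added on the `if !strings.HasPrefix(newPath, truePath)` line is a plain string-prefix test with no separator, so a sibling entry whose name merely begins with the parent's name (constructed example: parent `/a/b`, resolved child `/a/bc`) is accepted as being inside the folder. Prefer to compare against the parent with a trailing slash, `base := strings.TrimSuffix(truePath, "/") + "/"` followed by `if newPath != truePath && !strings.HasPrefix(newPath, base) {`, so that only `truePath` itself or a path below it passes. The same check appears in the second hunk of server/handlers/movie.go (`@@ -309,10 +309,15 @@`) and should be tightened identically, ideally through one shared helper rather than two copies. Note also that `url.JoinPath` returns the escaped form of the path, so the comparison is made on encoded text; if the Alist server decodes path segments itself, confirm the check is applied to the decoded path as well. NewAlistMovieCacheInitFunc begins before this hunk.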
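Review bot: The new side keeps the replaced creator lookup as commented-out code (`// creatorE, err := op.LoadOrInitUserByID(movie.CreatorID)` through `// }`) directly under the permission check; commented-out code goes stale and should be deleted, since version control already preserves it. Because the `reqUser.ID != movie.CreatorID` guard now returns before `user := reqUser`, a one-line comment stating the invariant would make the later use of `user.AlistCache()` clearer, e.g. `// only the creator may list a dynamic folder, so the requester's own Alist credentials are used below`. Whether `dbModel.ErrNoPermission` is what the HTTP layer maps to a 403 cannot be seen from this hunk. listVendorDynamicMovie continues past the hunk.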
@@ -309,10 +309,15 @@ func listVendorDynamicMovie(ctx context.Context, reqUser *op.User, room *op.Room
 	if err != nil {
 		return nil, fmt.Errorf("load alist server id error: %w", err)
 	}
-	truePath, err = url.JoinPath(truePath, subPath)
+	newPath, err := url.JoinPath(truePath, subPath)
 	if err != nil {
 		return nil, fmt.Errorf("join path error: %w", err)
 	}
+	// check new path is in parent path
+	if !strings.HasPrefix(newPath, truePath) {
+		return nil, fmt.Errorf("sub path is not in parent path")
+	}
+	truePath = newPath
 	aucd, err := user.AlistCache().LoadOrStore(ctx, serverID)
 	if err != nil {
 		if errors.Is(err, db.ErrNotFound("vendor")) {
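Review bot: `fmt.Errorf("sub path is not in parent path")` on the new side has no format verbs; `errors.New("sub path is not in parent path")` is the idiomatic form (staticcheck flags this) and matches the internal/cache/alist.go hunk of this same commit, which already uses `errors.New` — `errors` is in scope here, as the `errors.Is` call below shows. The diffstat records no import change for this file, so `strings` must already be imported in server/handlers/movie.go for the new `strings.HasPrefix` call to build; worth confirming before merge. listVendorDynamicMovie starts before this hunk and continues after it.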