feat(security): add cache default extension for files without suffix

2026-06-08 01:01:26 +08:00 · 2025-02-11 17:09:43 +08:00
parent eecbbfea3a
commit ac169b7d22
2 changed files with 8 additions and 1 deletions
--- a/app/api/endpoints/system.py
+++ b/app/api/endpoints/system.py
@@ -50,7 +50,6 @@ def fetch_image(
    """
    处理图片缓存逻辑，支持HTTP缓存和磁盘缓存
    """
-
    if not url:
        raise HTTPException(status_code=404, detail="URL not provided")

@@ -68,6 +67,10 @@ def fetch_image(
        sanitized_path = SecurityUtils.sanitize_url_path(url)
        cache_path = settings.CACHE_PATH / "images" / sanitized_path

+        # 没有文件类型，则添加后缀，在恶意文件类型和实际需求下的折衷选择
+        if not cache_path.suffix:
+            cache_path = cache_path.with_suffix(".jpg")
+
        # 确保缓存路径和文件类型合法
        if not SecurityUtils.is_safe_path(settings.CACHE_PATH, cache_path, settings.SECURITY_IMAGE_SUFFIXES):
            raise HTTPException(status_code=400, detail="Invalid cache path or file type")