fix(tag/include_code): prevent path traversal (#5251)

stevenjoezhang · uiolee · yoshinorin · web-flow · commit b5b63caee272 · 2024-04-16T23:58:46.000+08:00
Co-authored-by: uiolee &lt;22849383+uiolee@users.noreply.github.com&gt;
Co-authored-by: yoshinorin &lt;yoshinorin.net@outlook.com&gt;
diff --git a/lib/plugins/tag/include_code.ts b/lib/plugins/tag/include_code.ts
@@ -1,5 +1,5 @@
-import { exists, readFile } from 'hexo-fs';
-import { basename, extname, join, posix } from 'path';
+import { basename, extname, join } from 'path';
+import { url_for } from 'hexo-util';
 import type Hexo from '../../hexo';
 
 const rCaptionTitleFile = /(.*)?(?:\s+|^)(\/*\S+)/;
@@ -47,32 +47,31 @@ export = (ctx: Hexo) => function includeCodeTag(args: string[]) {
   // If the language is not defined, use file extension instead
   lang = lang || extname(path).substring(1);
 
-  const src = join(ctx.source_dir, codeDir, path);
+  const source = join(codeDir, path).replace(/\\/g, '/');
 
-  // If the title is not defined, use file name instead
-  const title = match[1] || basename(path);
-  const caption = `<span>${title}</span><a href="${posix.join(ctx.config.root, codeDir, path)}">view raw</a>`;
-
-  return exists(src).then(exist => {
-    if (exist) return readFile(src);
-  }).then(code => {
-    if (!code) return;
+  // Prevent path traversal: https://github.com/hexojs/hexo/issues/5250
+  const Page = ctx.model('Page');
+  const doc = Page.findOne({ source });
+  if (!doc) return;
 
-    const lines = code.split('\n');
-    code = lines.slice(from, to).join('\n').trim();
+  let code = doc.content;
+  const lines = code.split('\n');
+  code = lines.slice(from, to).join('\n').trim();
 
-    if (ctx.extend.highlight.query(ctx.config.syntax_highlighter)) {
-      const options = {
-        lang,
-        caption,
-        lines_length: lines.length
-      };
-      return ctx.extend.highlight.exec(ctx.config.syntax_highlighter, {
-        context: ctx,
-        args: [code, options]
-      });
-    }
+  // If the title is not defined, use file name instead
+  const title = match[1] || basename(path);
+  const caption = `<span>${title}</span><a href="${url_for.call(ctx, doc.path)}">view raw</a>`;
 
-    return `<pre><code>${code}</code></pre>`;
-  });
+  if (ctx.extend.highlight.query(ctx.config.syntax_highlighter)) {
+    const options = {
+      lang,
+      caption,
+      lines_length: lines.length
+    };
+    return ctx.extend.highlight.exec(ctx.config.syntax_highlighter, {
+      context: ctx,
+      args: [code, options]
+    });
+  }
+  return `<pre><code>${code}</code></pre>`;
 };
diff --git a/test/scripts/tags/include_code.ts b/test/scripts/tags/include_code.ts
@@ -16,14 +16,18 @@ describe('include_code', () => {
   const defaultCfg = JSON.parse(JSON.stringify(hexo.config));
 
   const fixture = [
-    'if (tired && night){',
+    'if (tired && night) {',
     '  sleep();',
     '}'
   ].join('\n');
 
   const code = args => includeCode(args.split(' '));
 
-  before(() => writeFile(path, fixture));
+  before(async () => {
+    await writeFile(path, fixture);
+    await hexo.init();
+    await hexo.load();
+  });
 
   beforeEach(() => {
     hexo.config = JSON.parse(JSON.stringify(defaultCfg));
@@ -95,7 +99,7 @@ describe('include_code', () => {
 
     it('to', async () => {
       const fixture = [
-        'if (tired && night){',
+        'if (tired && night) {',
         '  sleep();'
       ].join('\n');
       const expected = highlight(fixture, {
@@ -173,7 +177,7 @@ describe('include_code', () => {
 
     it('to', async () => {
       const fixture = [
-        'if (tired && night){',
+        'if (tired && night) {',
         '  sleep();'
       ].join('\n');
       const expected = prismHighlight(fixture, {
