forked from akai/readest
4025c4d7b5
`download_file` and `upload_file` passed a webview-supplied `file_path` straight to `File::create`/`File::open` with no validation, so any JS in the privileged Tauri origin could write or read arbitrary local paths (e.g. ~/.ssh/id_rsa, shell rc files, autostart entries). (GHSA-55vr-pvq5-6fmg) Validate the path before any file open/create: reject relative paths and `..` traversal, then require it to be inside the app's filesystem scope (`fs_scope().is_allowed`), the same mechanism `dir_scanner::read_dir` uses. Legitimate destinations stay covered — the static capability globs ($APPDATA /Readest, $APPCACHE, $TEMP) plus persisted dialog grants for custom roots and external library folders. AppHandle is injected by Tauri, so the JS invoke surface is unchanged. Adds a unit test for the traversal/relative-path rejection. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>