Merge branch 'dev' into feat/pyinstaller

linsyking · Feb 12, 2024 · 787f6b8 · 787f6b8
2 parents f165496 + 0867c4c
commit 787f6b8
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 12 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -44,11 +44,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -61,7 +61,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@v3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -74,6 +74,6 @@ jobs:
       #     ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@v3
         with:
           category: '/language:${{matrix.language}}'
diff --git a/canvas_app.py b/canvas_app.py
@@ -36,18 +36,21 @@
 
 # INFO: Safety check for file
 def check_file(filename):
+    flag = True
     base_path = "/public/res/"
     base_path_win = "\\public\\res\\"
     fullPath = path.normpath(path.join(base_path, filename))
     if (
         not "." in filename
         or not filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSION
     ):
-        return "Illegal"
+        flag = False
+        return (flag, filename)
     if not fullPath.startswith(base_path) and not fullPath.startswith(base_path_win):
-        return "Illegal"
+        flag = False
+        return (flag, filename)
     else:
-        return filename
+        return (flag, filename)
 
 
 """
@@ -433,9 +436,9 @@ async def update_position(position: Position):
 )
 async def upload_file(file: UploadFile):
     if not path.exists("./public/res"):
-        makedirs("./public/res", exist_ok=True)
-    tmp = check_file(file.filename)
-    if tmp == "Illegal":
+        mkdir("./public/res")
+    flag, file.filename = check_file(file.filename)
+    if flag == False:
         return JSONResponse(status_code=404, content={"message": "Illegal file name"})
     with open(f"./public/res/{file.filename}", "wb") as out_file:
         out_file.write(file.file.read())
@@ -449,8 +452,8 @@ async def upload_file(file: UploadFile):
     description="Delete file in public/res.",
 )
 async def delete_file(name: str):
-    tmp = check_file(name)
-    if tmp == "Illegal":
+    flag, name = check_file(name)
+    if flag == False:
         return JSONResponse(status_code=404, content={"message": "Illegal file name"})
     if path.exists(f"./public/res/{name}"):
         remove(f"./public/res/{name}")
@@ -480,6 +483,9 @@ async def get_file_list():
     description="Get file in public/res.",
 )
 async def get_file(name: str):
+    flag, name = check_file(name)
+    if flag == False:
+        return JSONResponse(status_code=404, content={"message": "Illegal file name"})
     if path.exists(f"./public/res/{name}"):
         return FileResponse(f"./public/res/{name}")
     else: