harden(persistence): FileVault path traversal guard + error unification

按 code quality review 反馈(P0 + 4×P1): - 加 resolveSafePath() 拒绝 / 和 .. 并验证 hasPrefix(rootURL) - loadImage/remove 统一抛 FileVaultError(readFailed/removeFailed) - 删除测试 struct 上多余的 @MainActor - 每个 @Test 加 defer cleanup,不泄漏 temp 目录 - 测试图片改用生成 16x16 红色,不依赖 SF Symbol Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 15:06:49 +08:00
parent d704a9eb78
commit 0739ccea2b
2 changed files with 46 additions and 9 deletions
--- a/体己/Persistence/FileVault.swift
+++ b/体己/Persistence/FileVault.swift
@@ -40,6 +40,23 @@ final class FileVault {
        let bytes: Int
    }

+    // MARK: - Path Safety
+
+    private func resolveSafePath(_ relativePath: String) throws -> URL {
+        guard !relativePath.contains("/"),
+              !relativePath.contains(".."),
+              !relativePath.isEmpty else {
+            throw FileVaultError.readFailed
+        }
+        let url = rootURL.appendingPathComponent(relativePath)
+        guard url.path.hasPrefix(rootURL.path) else {
+            throw FileVaultError.readFailed
+        }
+        return url
+    }
+
+    // MARK: - Public API
+
    func writeJPEG(_ image: UIImage, quality: CGFloat = 0.85) throws -> SavedAsset {
        guard let data = image.jpegData(compressionQuality: quality) else {
            throw FileVaultError.writeFailed
@@ -51,15 +68,24 @@ final class FileVault {
    }

    func loadImage(relativePath: String) throws -> UIImage {
-        let url = rootURL.appendingPathComponent(relativePath)
-        let data = try Data(contentsOf: url)
+        let url = try resolveSafePath(relativePath)
+        let data: Data
+        do {
+            data = try Data(contentsOf: url)
+        } catch {
+            throw FileVaultError.readFailed
+        }
        guard let image = UIImage(data: data) else { throw FileVaultError.decodeFailed }
        return image
    }

    func remove(relativePath: String) throws {
-        let url = rootURL.appendingPathComponent(relativePath)
-        try FileManager.default.removeItem(at: url)
+        let url = try resolveSafePath(relativePath)
+        do {
+            try FileManager.default.removeItem(at: url)
+        } catch {
+            throw FileVaultError.removeFailed
+        }
    }

    func wipe() throws {