From 98f1ce9fac548459e1225f00dfecb12e1aa6b59c Mon Sep 17 00:00:00 2001
From: dengzhongyuan
Date: Mon, 2 Feb 2026 13:09:19 +0800
Subject: [PATCH] fix: add path traversal check in mkTempDir function
- Implemented a validation check in the mkTempDir function to reject infix values containing "..", enhancing security against path traversal vulnerabilities. This change improves the robustness of the temporary directory creation process.
---
 basestruct/utils.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/basestruct/utils.cpp b/basestruct/utils.cpp
index 03cfffe..25964d3 100644
--- a/basestruct/utils.cpp
+++ b/basestruct/utils.cpp
@@ -817,6 +817,13 @@ bool Utils::kernelSupportFS(const QString &fsType)
 QString Utils::mkTempDir(const QString &infix)
 {
 qDebug() << "Utils::mkTempDir - Creating temp dir with infix:" << infix;
+
+ // 路径遍历检查:拒绝包含 ".." 的 infix
+ if (infix.contains("..")) {
+ qWarning() << "Utils::mkTempDir - Invalid infix contains path traversal:" << infix;
+ return QString();
+ }
+
 // Construct template like "/var/tmp/diskmanager-XXXXXX" or "/var/tmp/diskmanager-INFIX-XXXXXX"
 QString dirTemplate = "/var/tmp/";
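Review bot: The new guard in mkTempDir rejects only `..`, so an infix containing `/` still passes and would add extra path components to the template that the following lines build under the shared /var/tmp/ directory. Since the infix is meant to be a single name fragment between `diskmanager-` and the random suffix, an allow-list of letters, digits, `-` and `_` is the tighter check; at minimum the condition should read `if (infix.contains("..") || infix.contains('/')) {`. The added comment is the only non-English one in the visible hunk, and `// Path traversal check: reject any infix containing ".."` would match the English comment below it. The `qWarning()` line writes the rejected infix verbatim to the log, and the empty `QString()` return only helps if callers test for it. The rest of the function body and its call sites lie outside this hunk, so both points are worth confirming there.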