From b06ec5bef810ec8d009f52428188440df0484ce4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=99=BD=E6=97=A5=E6=A2=A6=E4=B8=BB=E4=B9=89?=
 <37233261+Cherrling@users.noreply.github.com>
Date: Tue, 22 Jul 2025 21:37:54 +0800
Subject: [PATCH] fix: add path safety check in `file` type providers (#2177)

---
 adapter/provider/parser.go | 3 +++
 rules/provider/parse.go    | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/adapter/provider/parser.go b/adapter/provider/parser.go
index 6907fc69..57dc6e24 100644
--- a/adapter/provider/parser.go
+++ b/adapter/provider/parser.go
@@ -108,6 +108,9 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
 	switch schema.Type {
 	case "file":
 		path := C.Path.Resolve(schema.Path)
+		if !C.Path.IsSafePath(path) {
+			return nil, C.Path.ErrNotSafePath(path)
+		}
 		vehicle = resource.NewFileVehicle(path)
 	case "http":
 		path := C.Path.GetPathByHash("proxies", schema.URL)
diff --git a/rules/provider/parse.go b/rules/provider/parse.go
index 5fa98dc7..496a2a09 100644
--- a/rules/provider/parse.go
+++ b/rules/provider/parse.go
@@ -42,6 +42,9 @@ func ParseRuleProvider(name string, mapping map[string]any, parse common.ParseRu
 	switch schema.Type {
 	case "file":
 		path := C.Path.Resolve(schema.Path)
+		if !C.Path.IsSafePath(path) {
+			return nil, C.Path.ErrNotSafePath(path)
+		}
 		vehicle = resource.NewFileVehicle(path)
 	case "http":
 		path := C.Path.GetPathByHash("rules", schema.URL)