From 74939887c3b651de7e86caa083a27e9c8766dda3 Mon Sep 17 00:00:00 2001
From: ExplodingDragon
Date: Sat, 31 Jan 2026 23:50:40 +0800
Subject: [PATCH] fix: prevent path traversal in template load function

---
 pkg/filters/template.go | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/pkg/filters/template.go b/pkg/filters/template.go
index 0ca695d..361b668 100644
--- a/pkg/filters/template.go
+++ b/pkg/filters/template.go
@@ -3,6 +3,7 @@ package filters
 import (
 	"bytes"
 	"net/http"
+	"path"
 	"strings"
 
 	"gopkg.d7z.net/gitea-pages/pkg/core"
@@ -17,16 +18,23 @@ func FilterInstTemplate(_ core.Params) (core.FilterInstance, error) {
 	if err := config.Unmarshal(¶m); err != nil {
 		return nil, err
 	}
-	param.Prefix = strings.Trim(param.Prefix, "/") + "/"
+	prefix := path.Clean("/" + param.Prefix)
+	if prefix == "/" {
+		prefix = ""
+	} else {
+		prefix = strings.Trim(prefix, "/") + "/"
+	}
+
 	return func(ctx core.FilterContext, writer http.ResponseWriter, request *http.Request, next core.NextCall) error {
-		data, err := ctx.ReadString(ctx, param.Prefix+ctx.Path)
+		data, err := ctx.ReadString(ctx, prefix+ctx.Path)
 		if err != nil {
 			return err
 		}
 		out := &bytes.Buffer{}
 		parse, err := utils.NewTemplate().Funcs(map[string]any{
-			"load": func(path string) (any, error) {
-				return ctx.ReadString(ctx, param.Prefix+path)
+			"load": func(p string) (any, error) {
+				fullPath := path.Clean("/" + p)
+				return ctx.ReadString(ctx, prefix+strings.TrimPrefix(fullPath, "/"))
 			},
 		}).Parse(data)
 		if err != nil {
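Review bot: The outer read `data, err := ctx.ReadString(ctx, prefix+ctx.Path)` still concatenates `ctx.Path` without the clean-and-trim normalization the commit adds to `load`, so the containment guarantee now depends on `ctx.Path` already being canonicalized by whatever populates it, which is not visible here. Factoring the normalization into one helper and using it at both sites makes the invariant explicit and keeps the two reads from diverging again: `func joinUnder(prefix, p string) string { return prefix + strings.TrimPrefix(path.Clean("/"+p), "/") }`, then `ctx.ReadString(ctx, joinUnder(prefix, ctx.Path))` and `ctx.ReadString(ctx, joinUnder(prefix, p))`. A short comment above the `load` closure would also help the next reader, e.g. `// Clean against a virtual root so ".." segments cannot escape prefix; the result is always prefix + a relative, normalized path.` Note that `path.Clean` only treats forward slashes as separators, so this holds as long as `ctx.ReadString` does not interpret other separator characters — worth confirming against its implementation. FilterInstTemplate's returned closure continues past the end of this hunk.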