Merge remote-tracking branch 'origin/dev' into dev

.github/CONTRIBUTING.md

@@ -14,10 +14,10 @@ Install pnpm: `npm install -g pnpm@10.8.0`
 
 Set the Electron mirror environment variable and install Electron:
 
-* macOS/Linux: `ELECTRON_MIRROR=https://npmmirror.com/mirrors/electron/ pnpm install electron@v34.5.0 -D`
+* macOS/Linux: `ELECTRON_MIRROR=https://npmmirror.com/mirrors/electron/ pnpm install electron@v34.5.2 -D`
 * Windows:
   * `SET ELECTRON_MIRROR=https://npmmirror.com/mirrors/electron/`
-  * `pnpm install electron@v34.5.0 -D`
+  * `pnpm install electron@v34.5.2 -D`
 
 NPM mirror:
 
@@ -27,7 +27,7 @@ NPM mirror:
 
 On the desktop, go to the app folder to run:
 
-* `pnpm install electron@v34.5.0-D`
+* `pnpm install electron@v34.5.2-D`
 * `pnpm run dev`
 * `pnpm run start`
 

.github/CONTRIBUTING_zh_CN.md

@@ -14,10 +14,10 @@
 
 设置 Electron 镜像环境变量并安装 Electron：
 
-* macOS/Linux：`ELECTRON_MIRROR=https://npmmirror.com/mirrors/electron/ pnpm install electron@v34.5.0 -D`
+* macOS/Linux：`ELECTRON_MIRROR=https://npmmirror.com/mirrors/electron/ pnpm install electron@v34.5.2 -D`
 * Windows：
   * `SET ELECTRON_MIRROR=https://npmmirror.com/mirrors/electron/`
-  * `pnpm install electron@v34.5.0 -D`
+  * `pnpm install electron@v34.5.2 -D`
 
 NPM 镜像：
 
@@ -27,7 +27,7 @@ NPM 镜像：
 
 桌面端进入 app 文件夹运行：
 
-* `pnpm install electron@v34.5.0-D`
+* `pnpm install electron@v34.5.2-D`
 * `pnpm run dev`
 * `pnpm run start`
 

app/package.json

@@ -58,8 +58,8 @@
     "clean-webpack-plugin": "^4.0.0",
     "css-loader": "^6.7.1",
     "dayjs": "^1.11.5",
-    "electron": "34.5.0",
+    "electron": "34.5.2",
-    "electron-builder": "26.0.11",
+    "electron-builder": "26.0.12",
     "encoding": "^0.1.13",
     "esbuild-loader": "^3.0.1",
     "eslint": "^9.15.0",

app/pnpm-lock.yaml

@@ -10,7 +10,7 @@ importers:
     dependencies:
       '@electron/remote':
         specifier: ^2.1.2
-        version: 2.1.2(electron@34.5.0)
+        version: 2.1.2(electron@34.5.2)
     devDependencies:
       '@eslint/eslintrc':
         specifier: ^3.3.1
@@ -40,11 +40,11 @@ importers:
         specifier: ^1.11.5
         version: 1.11.13
       electron:
-        specifier: 34.5.0
+        specifier: 34.5.2
-        version: 34.5.0
+        version: 34.5.2
       electron-builder:
-        specifier: 26.0.11
+        specifier: 26.0.12
-        version: 26.0.11(electron-builder-squirrel-windows@26.0.11)
+        version: 26.0.12(electron-builder-squirrel-windows@26.0.11)
       encoding:
         specifier: ^0.1.13
         version: 0.1.13
@@ -791,6 +791,13 @@ packages:
       dmg-builder: 26.0.11
       electron-builder-squirrel-windows: 26.0.11
 
+  app-builder-lib@26.0.12:
+    resolution: {integrity: sha512-+/CEPH1fVKf6HowBUs6LcAIoRcjeqgvAeoSE+cl7Y7LndyQ9ViGPYibNk7wmhMHzNgHIuIbw4nWADPO+4mjgWw==}
+    engines: {node: '>=14.0.0'}
+    peerDependencies:
+      dmg-builder: 26.0.12
+      electron-builder-squirrel-windows: 26.0.12
+
   argparse@2.0.1:
     resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}
 
@@ -1115,8 +1122,8 @@ packages:
   dir-compare@4.2.0:
     resolution: {integrity: sha512-2xMCmOoMrdQIPHdsTawECdNPwlVFB9zGcz3kuhmBO6U3oU+UQjsue0i8ayLKpgBcm+hcXPMVSGUN9d+pvJ6+VQ==}
 
-  dmg-builder@26.0.11:
+  dmg-builder@26.0.12:
-    resolution: {integrity: sha512-C+SaRneQ11OxG99EeGp3TvPrlkW9ZaiukxB9Z7+OhhO1ge0nAtq9uD0ILt1JpvNAQ1de3gzX7TFRYJrSGsNe+Q==}
+    resolution: {integrity: sha512-59CAAjAhTaIMCN8y9kD573vDkxbs1uhDcrFLHSgutYdPcGOU35Rf95725snvzEOy4BFB7+eLJ8djCNPmGwG67w==}
 
   dmg-license@1.0.11:
     resolution: {integrity: sha512-ZdzmqwKmECOWJpqefloC5OJy1+WZBBse5+MR88z9g9Zn4VY+WYUkAyojmhzJckH5YbbZGcYIuGAkY5/Ys5OM2Q==}
@@ -1169,8 +1176,8 @@ packages:
   electron-builder-squirrel-windows@26.0.11:
     resolution: {integrity: sha512-LM3VDospLXCY6leWPhoJngDlP2GGOPzje/qZbCwX5g9ZeuYhcsVfm5NDDrjS3H6yC4PzHI9U2mnhJxc3bpIMGw==}
 
-  electron-builder@26.0.11:
+  electron-builder@26.0.12:
-    resolution: {integrity: sha512-u7Qgge5ue5oOPDbZEseor7RjxKSYAekVflHkbNIY6te1kbtShQFqESq3FZakMBsQf/3SkEycvWhHHRb8zjqBqg==}
+    resolution: {integrity: sha512-cD1kz5g2sgPTMFHjLxfMjUK5JABq3//J4jPswi93tOPFz6btzXYtK5NrDt717NRbukCUDOrrvmYVOWERlqoiXA==}
     engines: {node: '>=14.0.0'}
     hasBin: true
 
@@ -1184,8 +1191,8 @@ packages:
     resolution: {integrity: sha512-bO3y10YikuUwUuDUQRM4KfwNkKhnpVO7IPdbsrejwN9/AABJzzTQ4GeHwyzNSrVO+tEH3/Np255a3sVZpZDjvg==}
     engines: {node: '>=8.0.0'}
 
-  electron@34.5.0:
+  electron@34.5.2:
-    resolution: {integrity: sha512-GabFMG7r2P1NQf5DYp6mnCXo5CcatxXb8YQo54VTStql6weeEv7tsqvl3lAssGwDdd4iMc8QpTCFjErBSVRWeQ==}
+    resolution: {integrity: sha512-Xt5dJl+iBGo5atrfd4Jusc2tk6oD+dId3Kqj59tzxlqJgHRK2mRtLwAhT5OyxLx1RJGEv1yQHvUrzkzjNTp0ug==}
     engines: {node: '>= 12.20.55'}
     hasBin: true
 
@@ -2851,9 +2858,9 @@ snapshots:
       - bluebird
       - supports-color
 
-  '@electron/remote@2.1.2(electron@34.5.0)':
+  '@electron/remote@2.1.2(electron@34.5.2)':
     dependencies:
-      electron: 34.5.0
+      electron: 34.5.2
 
   '@electron/universal@2.0.1':
     dependencies:
@@ -3463,7 +3470,7 @@ snapshots:
 
   app-builder-bin@5.0.0-alpha.12: {}
 
-  app-builder-lib@26.0.11(dmg-builder@26.0.11)(electron-builder-squirrel-windows@26.0.11):
+  app-builder-lib@26.0.11(dmg-builder@26.0.12)(electron-builder-squirrel-windows@26.0.11):
     dependencies:
       '@develar/schema-utils': 2.6.5
       '@electron/asar': 3.2.18
@@ -3480,11 +3487,52 @@ snapshots:
       chromium-pickle-js: 0.2.0
       config-file-ts: 0.2.8-rc1
       debug: 4.4.0
-      dmg-builder: 26.0.11(electron-builder-squirrel-windows@26.0.11)
+      dmg-builder: 26.0.12(electron-builder-squirrel-windows@26.0.11)
       dotenv: 16.5.0
       dotenv-expand: 11.0.7
       ejs: 3.1.10
-      electron-builder-squirrel-windows: 26.0.11(dmg-builder@26.0.11)
+      electron-builder-squirrel-windows: 26.0.11(dmg-builder@26.0.12)
+      electron-publish: 26.0.11
+      fs-extra: 10.1.0
+      hosted-git-info: 4.1.0
+      is-ci: 3.0.1
+      isbinaryfile: 5.0.4
+      js-yaml: 4.1.0
+      json5: 2.2.3
+      lazy-val: 1.0.5
+      minimatch: 10.0.1
+      plist: 3.1.0
+      resedit: 1.7.2
+      semver: 7.7.1
+      tar: 6.2.1
+      temp-file: 3.4.0
+      tiny-async-pool: 1.3.0
+    transitivePeerDependencies:
+      - bluebird
+      - supports-color
+
+  app-builder-lib@26.0.12(dmg-builder@26.0.12)(electron-builder-squirrel-windows@26.0.11):
+    dependencies:
+      '@develar/schema-utils': 2.6.5
+      '@electron/asar': 3.2.18
+      '@electron/fuses': 1.8.0
+      '@electron/notarize': 2.5.0
+      '@electron/osx-sign': 1.3.1
+      '@electron/rebuild': 3.7.0
+      '@electron/universal': 2.0.1
+      '@malept/flatpak-bundler': 0.4.0
+      '@types/fs-extra': 9.0.13
+      async-exit-hook: 2.0.1
+      builder-util: 26.0.11
+      builder-util-runtime: 9.3.1
+      chromium-pickle-js: 0.2.0
+      config-file-ts: 0.2.8-rc1
+      debug: 4.4.0
+      dmg-builder: 26.0.12(electron-builder-squirrel-windows@26.0.11)
+      dotenv: 16.5.0
+      dotenv-expand: 11.0.7
+      ejs: 3.1.10
+      electron-builder-squirrel-windows: 26.0.11(dmg-builder@26.0.12)
       electron-publish: 26.0.11
       fs-extra: 10.1.0
       hosted-git-info: 4.1.0
@@ -3849,9 +3897,9 @@ snapshots:
       minimatch: 3.1.2
       p-limit: 3.1.0
 
-  dmg-builder@26.0.11(electron-builder-squirrel-windows@26.0.11):
+  dmg-builder@26.0.12(electron-builder-squirrel-windows@26.0.11):
     dependencies:
-      app-builder-lib: 26.0.11(dmg-builder@26.0.11)(electron-builder-squirrel-windows@26.0.11)
+      app-builder-lib: 26.0.12(dmg-builder@26.0.12)(electron-builder-squirrel-windows@26.0.11)
       builder-util: 26.0.11
       builder-util-runtime: 9.3.1
       fs-extra: 10.1.0
@@ -3923,9 +3971,9 @@ snapshots:
     dependencies:
       jake: 10.9.2
 
-  electron-builder-squirrel-windows@26.0.11(dmg-builder@26.0.11):
+  electron-builder-squirrel-windows@26.0.11(dmg-builder@26.0.12):
     dependencies:
-      app-builder-lib: 26.0.11(dmg-builder@26.0.11)(electron-builder-squirrel-windows@26.0.11)
+      app-builder-lib: 26.0.11(dmg-builder@26.0.12)(electron-builder-squirrel-windows@26.0.11)
       builder-util: 26.0.11
       electron-winstaller: 5.4.0
     transitivePeerDependencies:
@@ -3933,13 +3981,13 @@ snapshots:
       - dmg-builder
       - supports-color
 
-  electron-builder@26.0.11(electron-builder-squirrel-windows@26.0.11):
+  electron-builder@26.0.12(electron-builder-squirrel-windows@26.0.11):
     dependencies:
-      app-builder-lib: 26.0.11(dmg-builder@26.0.11)(electron-builder-squirrel-windows@26.0.11)
+      app-builder-lib: 26.0.12(dmg-builder@26.0.12)(electron-builder-squirrel-windows@26.0.11)
       builder-util: 26.0.11
       builder-util-runtime: 9.3.1
       chalk: 4.1.2
-      dmg-builder: 26.0.11(electron-builder-squirrel-windows@26.0.11)
+      dmg-builder: 26.0.12(electron-builder-squirrel-windows@26.0.11)
       fs-extra: 10.1.0
       is-ci: 3.0.1
       lazy-val: 1.0.5
@@ -3977,7 +4025,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  electron@34.5.0:
+  electron@34.5.2:
     dependencies:
       '@electron/get': 2.0.3
       '@types/node': 20.17.30

app/pnpm-workspace.yaml

@@ -0,0 +1,2 @@
+onlyBuiltDependencies:
+  - electron

kernel/api/file.go

@@ -380,6 +380,12 @@ func putFile(c *gin.Context) {
 		return
 	}
 
+	if !isValidFileName(fileAbsPath) { // Improve kernel API `/api/file/putFile` parameter validation https://github.com/siyuan-note/siyuan/issues/14658
+		ret.Code = http.StatusBadRequest
+		ret.Msg = "invalid file path, please check https://github.com/siyuan-note/siyuan/issues/14658 for more details"
+		return
+	}
+
 	isDirStr := c.PostForm("isDir")
 	isDir, _ := strconv.ParseBool(isDirStr)
 
@@ -459,3 +465,8 @@ func millisecond2Time(t int64) time.Time {
 	msec := t % 1000
 	return time.Unix(sec, msec*int64(time.Millisecond))
 }
+
+func isValidFileName(p string) bool {
+	name := filepath.Base(p)
+	return name == util.FilterUploadFileName(name)
+}