AstrBot/astrbot/dashboard/routes/util.py

"""Dashboard 路由工具集。

这里放一些 dashboard routes 可复用的小工具函数。

目前主要用于「配置文件上传（file 类型配置项）」功能：
- 清洗/规范化用户可控的文件名与相对路径
- 将配置 key 映射到配置项独立子目录
"""

import os


def get_schema_item(schema: dict | None, key_path: str) -> dict | None:
    """按 dot-path 获取 schema 的节点。

    同时支持：
    - 扁平 schema（直接 key 命中）
    - 嵌套 object schema（{type: "object", items: {...}}）
    """

    if not isinstance(schema, dict) or not key_path:
        return None
    if key_path in schema:
        return schema.get(key_path)

    current = schema
    parts = key_path.split(".")
    for idx, part in enumerate(parts):
        if part not in current:
            return None
        meta = current.get(part)
        if idx == len(parts) - 1:
            return meta
        if not isinstance(meta, dict) or meta.get("type") != "object":
            return None
        current = meta.get("items", {})
    return None


def sanitize_filename(name: str) -> str:
    """清洗上传文件名，避免路径穿越与非法名称。

    - 丢弃目录部分，仅保留 basename
    - 将路径分隔符替换为下划线
    - 拒绝空字符串 / "." / ".."
    """

    cleaned = os.path.basename(name).strip()
    if not cleaned or cleaned in {".", ".."}:
        return ""
    for sep in (os.sep, os.altsep):
        if sep:
            cleaned = cleaned.replace(sep, "_")
    return cleaned


def sanitize_path_segment(segment: str) -> str:
    """清洗目录片段（URL/path 安全，避免穿越）。

    仅保留 [A-Za-z0-9_-]，其余替换为 "_"
    """

    cleaned = []
    for ch in segment:
        if (
            ("a" <= ch <= "z")
            or ("A" <= ch <= "Z")
            or ch.isdigit()
            or ch
            in {
                "-",
                "_",
            }
        ):
            cleaned.append(ch)
        else:
            cleaned.append("_")
    result = "".join(cleaned).strip("_")
    return result or "_"


def config_key_to_folder(key_path: str) -> str:
    """将 dot-path 的配置 key 转成稳定的文件夹路径。"""

    parts = [sanitize_path_segment(p) for p in key_path.split(".") if p]
    return "/".join(parts) if parts else "_"


def normalize_rel_path(rel_path: str | None) -> str | None:
    """规范化用户传入的相对路径，并阻止路径穿越。"""

    if not isinstance(rel_path, str):
        return None
    rel = rel_path.replace("\\", "/").lstrip("/")
    if not rel:
        return None
    parts = [p for p in rel.split("/") if p]
    if any(part in {".", ".."} for part in parts):
        return None
    if rel.startswith("../") or "/../" in rel:
        return None
    return "/".join(parts)