From 112fc3043718ae2c07d9b7d6d1768e9e5f50cbc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=97=E5=AD=90?=
Date: Tue, 19 Nov 2024 01:26:06 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E9=98=BB=E6=AD=A2=E5=88=A0=E9=99=A4?= =?UTF-8?q?=E5=85=B3=E9=94=AE=E7=9B=AE=E5=BD=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 internal/service/file.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/internal/service/file.go b/internal/service/file.go
index b3809d9e..a23c4184 100644
--- a/internal/service/file.go
+++ b/internal/service/file.go
@@ -17,6 +17,7 @@ import (
 "github.com/go-rat/chix"
 "github.com/spf13/cast"
+ "github.com/TheTNB/panel/internal/app"
 "github.com/TheTNB/panel/internal/biz"
 "github.com/TheTNB/panel/internal/data"
 "github.com/TheTNB/panel/internal/http/request"
@@ -117,6 +118,12 @@ func (s *FileService) Delete(w http.ResponseWriter, r *http.Request) {
 return
 }
+ banned := []string{"/", app.Root, filepath.Join(app.Root, "server"), filepath.Join(app.Root, "panel")}
+ if slices.Contains(banned, req.Path) {
+ Error(w, http.StatusForbidden, "please don't do this")
+ return
+ }
+
 if err = io.Remove(req.Path); err != nil {
 Error(w, http.StatusInternalServerError, "%v", err)
 return
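Review bot: The new guard in Delete compares `req.Path` to the `banned` list as a raw string, so only the exact spelling of each directory is refused; the same directory written with a trailing separator or with `.`/`..` segments would not match and would still reach `io.Remove`. Unless request validation outside this hunk already canonicalises the path, normalise it first and use the normalised value for both the check and the removal: `target := filepath.Clean(req.Path)` followed by `if slices.Contains(banned, target) {`. `filepath.Clean` is purely lexical, so a path that reaches one of these directories through a symlinked parent would still need separate handling if that matters for this panel. A one-line comment above `banned` such as `// directories the panel itself depends on; deleting them breaks the installation` would record why these four entries are protected. The body of Delete starts and ends outside the hunk.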