fix: 解决CI告警问题

Dockerfile

@@ -1,6 +1,9 @@
 FROM python:3.10 AS builder
 ENV DEBIAN_FRONTEND=noninteractive
 WORKDIR /app
+RUN curl https://sh.rustup.rs -sSf | \
+    sh -s -- --default-toolchain stable -y
+ENV PATH=/root/.cargo/bin:$PATH
 COPY requirements.txt .
 RUN python3 -m venv .venv && .venv/bin/pip install --upgrade pip && .venv/bin/pip install --no-cache-dir -r requirements.txt
 COPY install_dependencies.sh .

xiaomusic/httpserver.py

@@ -88,19 +88,18 @@ def HttpInit(_xiaomusic):
 
 @app.get("/music/{file_path:path}")
 async def read_music_file(file_path: str):
-    base_dir = Path(config.music_path).resolve()
+    base_dir = os.path.abspath(config.music_path)
     real_path = os.path.normpath(os.path.join(base_dir, file_path))
-    file_location = Path(real_path).resolve()
     log.info(f"read_music_file. file_path:{file_path} real_path:{real_path}")
-    if not file_location.exists() or not file_location.is_file():
-        raise HTTPException(status_code=404, detail="File not found")
-
-    # 确保请求的文件在我们的基础目录下
-    if base_dir not in file_location.parents:
+    if not real_path.startswith(base_dir):
         raise HTTPException(
             status_code=403, detail="Access to this file is not permitted"
         )
 
+    file_location = Path(real_path).resolve()
+    if not file_location.exists() or not file_location.is_file():
+        raise HTTPException(status_code=404, detail="File not found")
+
     return FileResponse(file_location)