fix: 鉴权强制 + HTTPS + 路径遍历防护

- 新增 AuthenticationMiddleware：5001 端口未认证请求 401\n- 新增 PathGuard：路径基目录约束工具\n- ServerManager：HTTPS + #if !DEBUG + 注册中间件\n- GetLocalImagePreview/DdsExtractor/Emote：路径限制到游戏目录内\n- EmoteController：ArgumentList 防注入 + ExitCode 检查

Author: Applesaber

ChuChartManager/AuthenticationMiddleware.cs

@@ -0,0 +1,24 @@
+namespace ChuChartManager;
+
+public class AuthenticationMiddleware
+{
+    private readonly RequestDelegate _next;
+
+    public AuthenticationMiddleware(RequestDelegate next)
+    {
+        _next = next;
+    }
+
+    public async Task Invoke(HttpContext context)
+    {
+        if (!context.User.Identity?.IsAuthenticated == true && context.Connection.LocalPort == 5001)
+        {
+            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+            context.Response.Headers.Append("WWW-Authenticate", "Basic");
+            await context.Response.WriteAsync("Unauthorized");
+            return;
+        }
+
+        await _next(context);
+    }
+}

ChuChartManager/Controllers/CustomResourceController.cs

@@ -413,6 +413,12 @@ public ActionResult GetLocalImagePreview([FromQuery] string path)
         if (string.IsNullOrWhiteSpace(path) || !System.IO.File.Exists(path))
             return NotFound();
 
+        var safe = PathGuard.EnsureWithin(StaticSettings.GamePath, path)
+                   ?? PathGuard.EnsureWithin(StaticSettings.AppDataDir, path)
+                   ?? PathGuard.EnsureWithin(StaticSettings.ExeDir, path);
+        if (safe == null)
+            return Forbid();
+
         var ext = Path.GetExtension(path).ToLowerInvariant();
         var mime = ext switch
         {

ChuChartManager/Controllers/DdsExtractorController.cs

@@ -12,6 +12,7 @@ public class ExtractResult
         public int DdsCount { get; set; }
         public string OutputDir { get; set; } = "";
         public List<string> Files { get; set; } = [];
+        public string? Error { get; set; }
     }
 
     public class ExtractDdsRequest
@@ -69,22 +70,35 @@ public ActionResult<List<ExtractResult>> ExtractDds([FromBody] ExtractDdsRequest
         if (string.IsNullOrWhiteSpace(request.Path))
             return BadRequest("路径不能为空");
 
+        if (!string.IsNullOrWhiteSpace(request.OutputDir))
+        {
+            var safeOut = PathGuard.EnsureWithin(StaticSettings.GamePath, request.OutputDir);
+            if (safeOut == null)
+                return BadRequest("输出目录不在游戏目录范围内");
+            request.OutputDir = safeOut;
+        }
+
         var results = new List<ExtractResult>();
 
         if (System.IO.File.Exists(request.Path))
         {
-            var result = ExtractFromFile(request.Path, request.OutputDir);
-            if (result != null) results.Add(result);
+            var safeIn = PathGuard.EnsureWithin(StaticSettings.GamePath, request.Path);
+            if (safeIn == null)
+                return BadRequest("源文件不在游戏目录范围内");
+            results.Add(ExtractFromFile(safeIn, request.OutputDir));
         }
         else if (Directory.Exists(request.Path))
         {
-            var files = Directory.GetFiles(request.Path, "*.afb", SearchOption.TopDirectoryOnly)
-                .Concat(Directory.GetFiles(request.Path, "*.svo", SearchOption.TopDirectoryOnly));
+            var safeIn = PathGuard.EnsureWithin(StaticSettings.GamePath, request.Path);
+            if (safeIn == null)
+                return BadRequest("源目录不在游戏目录范围内");
+
+            var files = Directory.GetFiles(safeIn, "*.afb", SearchOption.TopDirectoryOnly)
+                .Concat(Directory.GetFiles(safeIn, "*.svo", SearchOption.TopDirectoryOnly));
 
             foreach (var file in files)
             {
-                var result = ExtractFromFile(file, request.OutputDir);
-                if (result != null) results.Add(result);
+                results.Add(ExtractFromFile(file, request.OutputDir));
             }
         }
         else
@@ -95,36 +109,45 @@ public ActionResult<List<ExtractResult>> ExtractDds([FromBody] ExtractDdsRequest
         return Ok(results);
     }
 
-    private static ExtractResult? ExtractFromFile(string filePath, string? outputDirOverride)
+    private static ExtractResult ExtractFromFile(string filePath, string? outputDirOverride)
     {
-        var ext = System.IO.Path.GetExtension(filePath).ToLowerInvariant();
-        if (ext != ".afb" && ext != ".svo") return null;
+        try
+        {
+            var ext = System.IO.Path.GetExtension(filePath).ToLowerInvariant();
+            if (ext != ".afb" && ext != ".svo")
+                return new ExtractResult { SourceFile = filePath, Error = $"不支持的文件格式: {ext}" };
 
-        var fileData = System.IO.File.ReadAllBytes(filePath);
-        var ddsList = DDSExtractor.DdsExtractor.ExtractDdsFiles(fileData, ext == ".afb");
-        if (ddsList.Count == 0) return null;
+            var fileData = System.IO.File.ReadAllBytes(filePath);
+            var ddsList = DDSExtractor.DdsExtractor.ExtractDdsFiles(fileData, ext == ".afb");
+            if (ddsList.Count == 0)
+                return new ExtractResult { SourceFile = filePath, Error = "未提取到 DDS" };
 
-        var baseName = System.IO.Path.GetFileNameWithoutExtension(filePath);
-        var outputDir = !string.IsNullOrWhiteSpace(outputDirOverride)
-            ? System.IO.Path.Combine(outputDirOverride, $"{baseName}_extracted")
-            : System.IO.Path.Combine(System.IO.Path.GetDirectoryName(filePath)!, $"{baseName}_extracted");
+            var baseName = System.IO.Path.GetFileNameWithoutExtension(filePath);
+            var outputDir = !string.IsNullOrWhiteSpace(outputDirOverride)
+                ? System.IO.Path.Combine(outputDirOverride, $"{baseName}_extracted")
+                : System.IO.Path.Combine(System.IO.Path.GetDirectoryName(filePath)!, $"{baseName}_extracted");
 
-        Directory.CreateDirectory(outputDir);
+            Directory.CreateDirectory(outputDir);
 
-        var savedFiles = new List<string>();
-        for (var i = 0; i < ddsList.Count; i++)
-        {
-            var outputPath = System.IO.Path.Combine(outputDir, $"{baseName}_{i + 1}.dds");
-            System.IO.File.WriteAllBytes(outputPath, ddsList[i]);
-            savedFiles.Add(outputPath);
-        }
+            var savedFiles = new List<string>();
+            for (var i = 0; i < ddsList.Count; i++)
+            {
+                var outputPath = System.IO.Path.Combine(outputDir, $"{baseName}_{i + 1}.dds");
+                System.IO.File.WriteAllBytes(outputPath, ddsList[i]);
+                savedFiles.Add(outputPath);
+            }
 
-        return new ExtractResult
+            return new ExtractResult
+            {
+                SourceFile = filePath,
+                DdsCount = ddsList.Count,
+                OutputDir = outputDir,
+                Files = savedFiles,
+            };
+        }
+        catch (Exception ex)
         {
-            SourceFile = filePath,
-            DdsCount = ddsList.Count,
-            OutputDir = outputDir,
-            Files = savedFiles,
-        };
+            return new ExtractResult { SourceFile = filePath, Error = ex.Message };
+        }
     }
 }

ChuChartManager/Controllers/EmoteController.cs

@@ -17,6 +17,12 @@ public class EmoteDataItem
         public long FileSize { get; set; }
     }
 
+    private static string? SafeGameFilePath(string filePath)
+    {
+        if (string.IsNullOrEmpty(StaticSettings.GamePath)) return null;
+        return PathGuard.FileExistsWithin(StaticSettings.GamePath, filePath, out var safe) ? safe : null;
+    }
+
     [HttpGet]
     public ActionResult<List<EmoteDataItem>> GetEmoteDataList([FromQuery] string? source = null)
     {
@@ -54,8 +60,8 @@ public ActionResult LaunchViewer([FromBody] LaunchViewerRequest request)
         if (string.IsNullOrWhiteSpace(request.FilePath))
             return BadRequest("文件路径不能为空");
 
-        if (!System.IO.File.Exists(request.FilePath))
-            return BadRequest("文件不存在");
+        if (SafeGameFilePath(request.FilePath) == null)
+            return BadRequest("文件不在游戏目录范围内");
 
         var viewerPath = Path.Combine(StaticSettings.ExeDir, "tools", "FreeMoteViewer.exe");
         if (!System.IO.File.Exists(viewerPath))
@@ -93,7 +99,7 @@ public class LaunchViewerRequest
     [HttpGet]
     public ActionResult GetEmoteWebGLData([FromQuery] string filePath)
     {
-        if (string.IsNullOrWhiteSpace(filePath) || !System.IO.File.Exists(filePath))
+        if (SafeGameFilePath(filePath) == null)
             return NotFound();
 
         if (WebGLCache.TryGetValue(filePath, out var cached))
@@ -123,14 +129,16 @@ public ActionResult GetEmoteWebGLData([FromQuery] string filePath)
                 var decompileProc = Process.Start(new ProcessStartInfo
                 {
                     FileName = decompilePath,
-                    Arguments = $"\"{tempEmtbytes}\"",
                     UseShellExecute = false,
                     WorkingDirectory = tempDir,
                     RedirectStandardOutput = true,
                     RedirectStandardError = true,
                     CreateNoWindow = true,
+                    ArgumentList = { tempEmtbytes },
                 });
                 decompileProc?.WaitForExit(30000);
+                if (decompileProc == null || decompileProc.ExitCode != 0)
+                    return BadRequest($"PsbDecompile 失败，退出码: {decompileProc?.ExitCode ?? -1}");
 
                 var jsonPath = Path.Combine(tempDir, baseName + ".json");
                 if (!System.IO.File.Exists(jsonPath))
@@ -145,14 +153,16 @@ public ActionResult GetEmoteWebGLData([FromQuery] string filePath)
                 var buildProc = Process.Start(new ProcessStartInfo
                 {
                     FileName = buildPath,
-                    Arguments = $"-p ems -o \"{outputPath}\" \"{jsonPath}\"",
                     UseShellExecute = false,
                     WorkingDirectory = tempDir,
                     RedirectStandardOutput = true,
                     RedirectStandardError = true,
                     CreateNoWindow = true,
+                    ArgumentList = { "-p", "ems", "-o", outputPath, jsonPath },
                 });
                 buildProc?.WaitForExit(30000);
+                if (buildProc == null || buildProc.ExitCode != 0)
+                    return BadRequest($"PsBuild 失败，退出码: {buildProc?.ExitCode ?? -1}");
 
                 if (!System.IO.File.Exists(outputPath))
                     return BadRequest("PsBuild 失败：未生成 pure.psb 文件");

ChuChartManager/PathGuard.cs

@@ -0,0 +1,27 @@
+namespace ChuChartManager;
+
+public static class PathGuard
+{
+    /// <summary>
+    /// 验证 userPath 是否在 allowedBaseDir 范围内，防止路径遍历。
+    /// 返回规范化后的全路径；越界时返回 null。
+    /// </summary>
+    public static string? EnsureWithin(string allowedBaseDir, string userPath)
+    {
+        var fullBase = Path.GetFullPath(allowedBaseDir);
+        var fullTarget = Path.GetFullPath(userPath);
+        return fullTarget.StartsWith(fullBase, StringComparison.OrdinalIgnoreCase) ? fullTarget : null;
+    }
+
+    /// <summary>
+    /// 验证 userPath 在 allowedBaseDir 范围内，是存在的文件。
+    /// </summary>
+    public static bool FileExistsWithin(string allowedBaseDir, string userPath, out string safePath)
+    {
+        safePath = "";
+        var resolved = EnsureWithin(allowedBaseDir, userPath);
+        if (resolved == null || !File.Exists(resolved)) return false;
+        safePath = resolved;
+        return true;
+    }
+}

ChuChartManager/ServerManager.cs

@@ -65,10 +65,18 @@ public static void StartApp(bool export = false, Action<string>? onStart = null)
         {
             serverOptions.Limits.MaxRequestBodySize = null;
             serverOptions.Listen(IPAddress.Loopback, 0);
+#if !DEBUG
             if (export)
             {
-                serverOptions.Listen(IPAddress.Any, 5001);
+                serverOptions.Listen(IPAddress.Any, 5001, listenOptions =>
+                {
+                    listenOptions.UseHttps(new HttpsConnectionAdapterOptions
+                    {
+                        ServerCertificate = GetCert()
+                    });
+                });
             }
+#endif
         });
 
         builder.Services
@@ -114,6 +122,7 @@ public static void StartApp(bool export = false, Action<string>? onStart = null)
         {
             App.UseAuthentication();
             App.UseAuthorization();
+            App.UseMiddleware<AuthenticationMiddleware>();
         }
 
         App