fix: 修复 PR langhuihui#379 中的安全问题和逻辑缺陷

1. 安全修复：
   - 在 MP4/FLV/HLS 插件中添加文件名安全验证
   - 使用 filepath.Base() 清理路径分隔符，防止路径遍历攻击
   - 验证文件名不为空且不是特殊路径（. 或 ..）

2. 逻辑修复：
   - 修复 MP4 API 中的录制任务查找逻辑
   - 正确处理空文件名场景，避免重复录制任务

3. 代码质量：
   - 格式化 HLS 插件代码（修复空格/制表符混用问题）
   - 统一数据库模型字段命名（Filename -> FileName）

4. 配置解析修复：
   - 修复配置解析时的类型转换问题
   - 使用 unmarshal 函数正确处理类型转换

Author: eanfs

pkg/config/config.go

@@ -376,7 +376,11 @@ func (config *Config) ParseUserFile(conf map[string]any) {
 						prop.ParseUserFile(vv)
 					default:
 						// If the value is not a map (single non-struct value), assign it to the first field
-						prop.props[0].Ptr.Set(reflect.ValueOf(v))
+						// Use unmarshal to handle type conversion properly
+						fv := unmarshal(prop.props[0].Ptr.Type(), v)
+						if fv.IsValid() {
+							prop.props[0].Ptr.Set(fv)
+						}
 					}
 				}
 			} else {

plugin/flv/pkg/record.go

@@ -150,11 +150,19 @@ type Recorder struct {
 
 var CustomFileName = func(job *m7s.RecordJob) string {
 	if fn := job.RecConf.FileName; fn != "" {
+		// 安全验证：清理文件名，移除路径分隔符，防止路径遍历攻击
+		fn = filepath.Base(fn)
+		// 验证文件名不为空且不是特殊路径
+		if fn == "" || fn == "." || fn == ".." {
+			// 回退到默认命名
+			goto defaultNaming
+		}
 		if !strings.HasSuffix(strings.ToLower(fn), ".flv") {
 			fn = fn + ".flv"
 		}
 		return filepath.Join(job.RecConf.FilePath, fn)
 	}
+defaultNaming:
 	if job.RecConf.Fragment == 0 || job.RecConf.Append {
 		return fmt.Sprintf("%s.flv", job.RecConf.FilePath)
 	}

plugin/hls/pkg/record.go

@@ -1,11 +1,11 @@
 package hls
 
 import (
-    "context"
-    "fmt"
-    "strings"
-    "path/filepath"
-    "time"
+	"context"
+	"fmt"
+	"path/filepath"
+	"strings"
+	"time"
 
 	"m7s.live/v5"
 	"m7s.live/v5/pkg/codec"
@@ -29,26 +29,34 @@ type Recorder struct {
 }
 
 var CustomFileName = func(job *m7s.RecordJob) string {
-    if fn := job.RecConf.FileName; fn != "" {
-        if !strings.HasSuffix(strings.ToLower(fn), ".ts") {
-            fn = fn + ".ts"
-        }
-        return filepath.Join(job.RecConf.FilePath, fn)
-    }
-    if job.RecConf.Fragment == 0 || job.RecConf.Append {
-        return fmt.Sprintf("%s/%s.ts", job.RecConf.FilePath, time.Now().Format("20060102150405"))
-    }
-    return filepath.Join(job.RecConf.FilePath, time.Now().Format("20060102150405")+".ts")
+	if fn := job.RecConf.FileName; fn != "" {
+		// 安全验证：清理文件名，移除路径分隔符，防止路径遍历攻击
+		fn = filepath.Base(fn)
+		// 验证文件名不为空且不是特殊路径
+		if fn == "" || fn == "." || fn == ".." {
+			// 回退到默认命名
+			goto defaultNaming
+		}
+		if !strings.HasSuffix(strings.ToLower(fn), ".ts") {
+			fn = fn + ".ts"
+		}
+		return filepath.Join(job.RecConf.FilePath, fn)
+	}
+defaultNaming:
+	if job.RecConf.Fragment == 0 || job.RecConf.Append {
+		return fmt.Sprintf("%s/%s.ts", job.RecConf.FilePath, time.Now().Format("20060102150405"))
+	}
+	return filepath.Join(job.RecConf.FilePath, time.Now().Format("20060102150405")+".ts")
 }
 
 func (r *Recorder) createStream(start time.Time) (err error) {
-    r.RecordJob.RecConf.Type = "ts"
-    err = r.CreateStream(start, CustomFileName)
-    if err != nil {
-        return err
-    }
-    r.Debug("ts create file", "filePath", r.Event.FilePath)
-    return nil
+	r.RecordJob.RecConf.Type = "ts"
+	err = r.CreateStream(start, CustomFileName)
+	if err != nil {
+		return err
+	}
+	r.Debug("ts create file", "filePath", r.Event.FilePath)
+	return nil
 }
 
 func (r *Recorder) writeTailer(end time.Time) {

plugin/mp4/api.go

@@ -572,7 +572,15 @@ func (p *MP4Plugin) StartRecord(ctx context.Context, req *mp4pb.ReqStartRecord)
 	p.Debug("mp4 plugin start record", "streamPath", req.StreamPath, "filePath", filePath, "fileName", fileName, "fragment", fragment)
 	res = &mp4pb.ResponseStartRecord{}
 	_, recordExists = p.Server.Records.Find(func(job *m7s.RecordJob) bool {
-		return job.StreamPath == req.StreamPath && job.RecConf.FilePath == req.FilePath && job.RecConf.FileName == req.FileName
+		if job.StreamPath != req.StreamPath {
+			return false
+		}
+		// 如果两者都指定了文件名，需要完全匹配
+		if req.FileName != "" && job.RecConf.FileName != "" {
+			return job.RecConf.FilePath == req.FilePath && job.RecConf.FileName == req.FileName
+		}
+		// 如果只有路径匹配，也认为是同一个录制任务
+		return job.RecConf.FilePath == req.FilePath
 	})
 	if recordExists {
 		err = pkg.ErrRecordExists

plugin/mp4/pkg/record.go

@@ -148,12 +148,20 @@ func (r *Recorder) writeTailer(end time.Time) {
 var CustomFileName = func(job *m7s.RecordJob) string {
 	// 如果指定了文件名，使用指定的文件名
 	if fn := job.RecConf.FileName; fn != "" {
+		// 安全验证：清理文件名，移除路径分隔符，防止路径遍历攻击
+		fn = filepath.Base(fn)
+		// 验证文件名不为空且不是特殊路径
+		if fn == "" || fn == "." || fn == ".." {
+			// 回退到默认命名
+			goto defaultNaming
+		}
 		// 确保文件名包含 .mp4 扩展名
 		if !strings.HasSuffix(strings.ToLower(fn), ".mp4") {
 			fn = fn + ".mp4"
 		}
 		return filepath.Join(job.RecConf.FilePath, fn)
 	}
+defaultNaming:
 	// 否则使用时间戳生成文件名
 	now := time.Now()
 	return filepath.Join(job.RecConf.FilePath, fmt.Sprintf("%s_%09d.mp4", time.Now().Local().Format("2006-01-02-15-04-05"), now.Nanosecond()))

recoder.go

@@ -45,7 +45,7 @@ type (
 		StartTime    time.Time `gorm:"default:NULL"`
 		EndTime      time.Time `gorm:"default:NULL"`
 		Duration     uint32    `gorm:"comment:录像时长;default:0"`
-		Filename     string    `json:"fileName" desc:"文件名" gorm:"type:varchar(255);comment:文件名"`
+		FileName     string    `json:"fileName" desc:"文件名" gorm:"type:varchar(255);comment:文件名"`
 		Type         string    `json:"type" desc:"录像文件类型" gorm:"type:varchar(255);comment:录像文件类型,flv,mp4,raw,fmp4,hls"`
 		FilePath     string
 		StreamPath   string
@@ -89,7 +89,7 @@ func (r *DefaultRecorder) CreateStream(start time.Time, customFileName func(*Rec
 		StartTime:    start,
 		StreamPath:   sub.StreamPath,
 		FilePath:     filePath,
-		Filename:     fileName,
+		FileName:     fileName,
 		Type:         recordJob.RecConf.Type,
 		StorageLevel: 1, // 默认为主存储
 		StorageType:  storageType,