Feature/render pipeline (#232)

* refactor(engine): 重构2D渲染管线坐标系统 * feat(engine): 完善2D渲染管线和编辑器视口功能 * feat(editor): 实现Viewport变换工具系统 * feat(editor): 优化Inspector渲染性能并修复Gizmo变换工具显示 * feat(editor): 实现Run on Device移动预览功能 * feat(editor): 添加组件属性控制和依赖关系系统 * feat(editor): 实现动画预览功能和优化SpriteAnimator编辑器 * feat(editor): 修复SpriteAnimator动画预览功能并迁移CI到pnpm * feat(editor): 修复SpriteAnimator动画预览并迁移到pnpm * feat(editor): 修复SpriteAnimator动画预览并迁移到pnpm * feat(editor): 修复SpriteAnimator动画预览并迁移到pnpm * feat(editor): 修复SpriteAnimator动画预览并迁移到pnpm * feat(ci): 迁移项目到pnpm并修复CI构建问题 * chore: 迁移CI工作流到pnpm并添加WASM构建支持 * chore: 迁移CI工作流到pnpm并添加WASM构建支持 * chore: 迁移CI工作流到pnpm并添加WASM构建支持 * chore: 迁移CI工作流到pnpm并添加WASM构建支持 * chore: 迁移CI工作流到pnpm并添加WASM构建支持 * chore: 迁移CI工作流到pnpm并添加WASM构建支持 * chore: 移除 network 相关包 * chore: 移除 network 相关包
2025-11-23 14:49:37 +08:00
parent b15cbab313
commit a3f7cc38b1
247 changed files with 33561 additions and 52047 deletions
--- a/packages/asset-system/src/utils/PathValidator.ts
+++ b/packages/asset-system/src/utils/PathValidator.ts
@@ -0,0 +1,165 @@
+/**
+ * Path Validator
+ * 路径验证器
+ *
+ * Validates and sanitizes asset paths for security
+ * 验证并清理资产路径以确保安全
+ */
+
+export class PathValidator {
+    // Dangerous path patterns
+    private static readonly DANGEROUS_PATTERNS = [
+        /\.\.[/\\]/g,  // Path traversal attempts (..)
+        /^[/\\]/,      // Absolute paths on Unix
+        /^[a-zA-Z]:[/\\]/,  // Absolute paths on Windows
+        /[<>:"|?*]/,    // Invalid characters for Windows paths
+        /\0/,           // Null bytes
+        /%00/,          // URL encoded null bytes
+        /\.\.%2[fF]/   // URL encoded path traversal
+    ];
+
+    // Valid path characters (alphanumeric, dash, underscore, dot, slash)
+    private static readonly VALID_PATH_REGEX = /^[a-zA-Z0-9\-_./\\@]+$/;
+
+    // Maximum path length
+    private static readonly MAX_PATH_LENGTH = 260;
+
+    /**
+     * Validate if a path is safe
+     * 验证路径是否安全
+     */
+    static validate(path: string): { valid: boolean; reason?: string } {
+        // Check for null/undefined/empty
+        if (!path || typeof path !== 'string') {
+            return { valid: false, reason: 'Path is empty or invalid' };
+        }
+
+        // Check length
+        if (path.length > this.MAX_PATH_LENGTH) {
+            return { valid: false, reason: `Path exceeds maximum length of ${this.MAX_PATH_LENGTH} characters` };
+        }
+
+        // Check for dangerous patterns
+        for (const pattern of this.DANGEROUS_PATTERNS) {
+            if (pattern.test(path)) {
+                return { valid: false, reason: 'Path contains dangerous pattern' };
+            }
+        }
+
+        // Check for valid characters
+        if (!this.VALID_PATH_REGEX.test(path)) {
+            return { valid: false, reason: 'Path contains invalid characters' };
+        }
+
+        return { valid: true };
+    }
+
+    /**
+     * Sanitize a path
+     * 清理路径
+     */
+    static sanitize(path: string): string {
+        if (!path || typeof path !== 'string') {
+            return '';
+        }
+
+        // Remove dangerous patterns
+        let sanitized = path;
+
+        // Remove path traversal (apply repeatedly until fully removed)
+        let prev;
+        do {
+            prev = sanitized;
+            sanitized = sanitized.replace(/\.\.[/\\]/g, '');
+        } while (sanitized !== prev);
+
+        // Remove leading slashes
+        sanitized = sanitized.replace(/^[/\\]+/, '');
+
+        // Remove null bytes
+        sanitized = sanitized.replace(/\0/g, '');
+        sanitized = sanitized.replace(/%00/g, '');
+
+        // Remove invalid Windows characters
+        sanitized = sanitized.replace(/[<>:"|?*]/g, '_');
+
+        // Normalize slashes
+        sanitized = sanitized.replace(/\\/g, '/');
+
+        // Remove double slashes
+        sanitized = sanitized.replace(/\/+/g, '/');
+
+        // Trim whitespace
+        sanitized = sanitized.trim();
+
+        // Truncate if too long
+        if (sanitized.length > this.MAX_PATH_LENGTH) {
+            sanitized = sanitized.substring(0, this.MAX_PATH_LENGTH);
+        }
+
+        return sanitized;
+    }
+
+    /**
+     * Check if path is trying to escape the base directory
+     * 检查路径是否试图逃离基础目录
+     */
+    static isPathTraversal(path: string): boolean {
+        const normalized = path.replace(/\\/g, '/');
+        return normalized.includes('../') || normalized.includes('..\\');
+    }
+
+    /**
+     * Normalize a path for consistent handling
+     * 规范化路径以便一致处理
+     */
+    static normalize(path: string): string {
+        if (!path) return '';
+
+        // Sanitize first
+        let normalized = this.sanitize(path);
+
+        // Convert backslashes to forward slashes
+        normalized = normalized.replace(/\\/g, '/');
+
+        // Remove trailing slash (except for root)
+        if (normalized.length > 1 && normalized.endsWith('/')) {
+            normalized = normalized.slice(0, -1);
+        }
+
+        return normalized;
+    }
+
+    /**
+     * Join path segments safely
+     * 安全地连接路径段
+     */
+    static join(...segments: string[]): string {
+        const validSegments = segments
+            .filter((s) => s && typeof s === 'string')
+            .map((s) => this.sanitize(s))
+            .filter((s) => s.length > 0);
+
+        if (validSegments.length === 0) {
+            return '';
+        }
+
+        return this.normalize(validSegments.join('/'));
+    }
+
+    /**
+     * Get file extension safely
+     * 安全地获取文件扩展名
+     */
+    static getExtension(path: string): string {
+        const sanitized = this.sanitize(path);
+        const lastDot = sanitized.lastIndexOf('.');
+        const lastSlash = sanitized.lastIndexOf('/');
+
+        if (lastDot > lastSlash && lastDot > 0) {
+            return sanitized.substring(lastDot + 1).toLowerCase();
+        }
+
+        return '';
+    }
+}