From bcc56cc0d03425ca32d7f427d19d003d609b807d Mon Sep 17 00:00:00 2001
From: huyuantao
Date: Tue, 11 Nov 2025 15:19:55 +0800
Subject: [PATCH 1/2] fix(FsRemove): add validation for empty items in delete file list

If Req.Names contains an empty string item, the whole directory will be removed. As a result we need add a simple guard to prevent such cases.
Signed-off-by: huyuantao
---
 server/handles/fsmanage.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/server/handles/fsmanage.go b/server/handles/fsmanage.go
index 3fe86726f..e25d786fe 100644
--- a/server/handles/fsmanage.go
+++ b/server/handles/fsmanage.go
@@ -261,6 +261,10 @@ func FsRemove(c *gin.Context) {
 return
 }
 for _, name := range req.Names {
+ if name == "" {
+ common.ErrorStrResp(c, "Unexpected empty item name", 400)
+ return
+ }
 err := fs.Remove(c.Request.Context(), stdpath.Join(reqDir, name))
 if err != nil {
 common.ErrorResp(c, err, 500)
From 9beb430936be37f9e648dd87115552ed4373511f Mon Sep 17 00:00:00 2001
From: huyuantao
Date: Tue, 16 Dec 2025 10:23:01 +0800
Subject: [PATCH 2/2] fix(FsRemove): enhance validation to prevent unintended directory deletion

1. Use `utils.FixAndCleanPath` to correctly identify and block invalid names.
2. Change error handling from `return` to `continue`.
Signed-off-by: huyuantao
---
 server/handles/fsmanage.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/server/handles/fsmanage.go b/server/handles/fsmanage.go
index cd805c53f..2a1c5e5a7 100644
--- a/server/handles/fsmanage.go
+++ b/server/handles/fsmanage.go
@@ -282,9 +282,10 @@ func FsRemove(c *gin.Context) {
 return
 }
 for _, name := range req.Names {
- if name == "" {
- common.ErrorStrResp(c, "Unexpected empty item name", 400)
- return
+ // Skip invalid item names (empty string, whitespace, ".", "/","\t\t","..") to prevent accidental removal of current directory
+ if strings.TrimSpace(utils.FixAndCleanPath(name)) == "/" {
+ utils.Log.Warnf("FsRemove: invalid item skipped: %s (parent directory: %s)\n", name, reqDir)
+ continue
 }
 err := fs.Remove(c.Request.Context(), stdpath.Join(reqDir, name))
 if err != nil {
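Review bot: The guard in the loop validates `utils.FixAndCleanPath(name)` but `fs.Remove` is still called with `stdpath.Join(reqDir, name)` built from the raw `name`, so the value checked is not the value removed. Assuming FixAndCleanPath roots and cleans its argument (its body is not in the hunk), a name with leading `..` segments cleans to something other than `/`, passes the check, and the join can then resolve to a path outside `reqDir`. Joining the normalised value closes that gap: `err := fs.Remove(c.Request.Context(), stdpath.Join(reqDir, utils.FixAndCleanPath(name)))`. The warning should log the client-supplied name with `%q` rather than `%s` and drop the trailing `\n`, and since skipped items are only logged the caller still receives a success response, which deserves a comment if intended. FsRemove begins and ends outside the hunk.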