feat(share): support more secure file sharing (#991)

提供一种类似大多数网盘的文件分享操作，这种分享方式可以通过强制 Web 代理隐藏文件源路径，可以设置分享码、最大访问数和过期时间，并且不需要启用 guest 用户。在全局设置中可以调整： - 是否强制 Web 代理 - 是否允许预览 - 是否允许预览压缩文件 - 分享文件后，点击“复制链接”按钮复制的内容前端部分：OpenListTeam/OpenList-Frontend#156 文档部分：OpenListTeam/OpenList-Docs#130 Close #183 Close #526 Close #860 Close #892 Close #1079 * feat(share): support more secure file sharing * feat(share): add archive preview * fix(share): fix some bugs * feat(openlist_share): add openlist share driver * fix(share): lack unwrap when get virtual path * fix: use unwrapPath instead of path for virtual file name comparison * fix(share): change request method of /api/share/list from GET to Any * fix(share): path traversal vulnerability in sharing path check * 修复分享alias驱动的文件没开代理时无法获取URL * fix(sharing): update error message for sharing root link extraction --------- Co-authored-by: Suyunmeng <69945917+Suyunmeng@users.noreply.github.com> Co-authored-by: j2rong4cn <j2rong@qq.com>
2025-09-19 04:06:18 +08:00 · 2025-08-19 15:10:02 +08:00
parent 5d8bd258c0
commit e4c902dd93
28 changed files with 1698 additions and 94 deletions
--- a/drivers/all.go
+++ b/drivers/all.go
@ -48,6 +48,7 @@ import (
 	_ "github.com/OpenListTeam/OpenList/v4/drivers/onedrive_app"
 	_ "github.com/OpenListTeam/OpenList/v4/drivers/onedrive_sharelink"
 	_ "github.com/OpenListTeam/OpenList/v4/drivers/openlist"
+	_ "github.com/OpenListTeam/OpenList/v4/drivers/openlist_share"
 	_ "github.com/OpenListTeam/OpenList/v4/drivers/pikpak"
 	_ "github.com/OpenListTeam/OpenList/v4/drivers/pikpak_share"
 	_ "github.com/OpenListTeam/OpenList/v4/drivers/quark_open"
--- a/drivers/openlist_share/driver.go
+++ b/drivers/openlist_share/driver.go
@ -0,0 +1,181 @@
+package openlist_share
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/url"
+	stdpath "path"
+	"strings"
+
+	"github.com/OpenListTeam/OpenList/v4/internal/driver"
+	"github.com/OpenListTeam/OpenList/v4/internal/errs"
+	"github.com/OpenListTeam/OpenList/v4/internal/model"
+	"github.com/OpenListTeam/OpenList/v4/pkg/utils"
+	"github.com/OpenListTeam/OpenList/v4/server/common"
+	"github.com/go-resty/resty/v2"
+)
+
+type OpenListShare struct {
+	model.Storage
+	Addition
+	serverArchivePreview bool
+}
+
+func (d *OpenListShare) Config() driver.Config {
+	return config
+}
+
+func (d *OpenListShare) GetAddition() driver.Additional {
+	return &d.Addition
+}
+
+func (d *OpenListShare) Init(ctx context.Context) error {
+	d.Addition.Address = strings.TrimSuffix(d.Addition.Address, "/")
+	var settings common.Resp[map[string]string]
+	_, _, err := d.request("/public/settings", http.MethodGet, func(req *resty.Request) {
+		req.SetResult(&settings)
+	})
+	if err != nil {
+		return err
+	}
+	d.serverArchivePreview = settings.Data["share_archive_preview"] == "true"
+	return nil
+}
+
+func (d *OpenListShare) Drop(ctx context.Context) error {
+	return nil
+}
+
+func (d *OpenListShare) List(ctx context.Context, dir model.Obj, args model.ListArgs) ([]model.Obj, error) {
+	var resp common.Resp[FsListResp]
+	_, _, err := d.request("/fs/list", http.MethodPost, func(req *resty.Request) {
+		req.SetResult(&resp).SetBody(ListReq{
+			PageReq: model.PageReq{
+				Page:    1,
+				PerPage: 0,
+			},
+			Path:     stdpath.Join(fmt.Sprintf("/@s/%s", d.ShareId), dir.GetPath()),
+			Password: d.Pwd,
+			Refresh:  false,
+		})
+	})
+	if err != nil {
+		return nil, err
+	}
+	var files []model.Obj
+	for _, f := range resp.Data.Content {
+		file := model.ObjThumb{
+			Object: model.Object{
+				Name:     f.Name,
+				Modified: f.Modified,
+				Ctime:    f.Created,
+				Size:     f.Size,
+				IsFolder: f.IsDir,
+				HashInfo: utils.FromString(f.HashInfo),
+			},
+			Thumbnail: model.Thumbnail{Thumbnail: f.Thumb},
+		}
+		files = append(files, &file)
+	}
+	return files, nil
+}
+
+func (d *OpenListShare) Link(ctx context.Context, file model.Obj, args model.LinkArgs) (*model.Link, error) {
+	path := utils.FixAndCleanPath(stdpath.Join(d.ShareId, file.GetPath()))
+	u := fmt.Sprintf("%s/sd%s?pwd=%s", d.Address, path, d.Pwd)
+	return &model.Link{URL: u}, nil
+}
+
+func (d *OpenListShare) GetArchiveMeta(ctx context.Context, obj model.Obj, args model.ArchiveArgs) (model.ArchiveMeta, error) {
+	if !d.serverArchivePreview || !d.ForwardArchiveReq {
+		return nil, errs.NotImplement
+	}
+	var resp common.Resp[ArchiveMetaResp]
+	_, code, err := d.request("/fs/archive/meta", http.MethodPost, func(req *resty.Request) {
+		req.SetResult(&resp).SetBody(ArchiveMetaReq{
+			ArchivePass: args.Password,
+			Path:        stdpath.Join(fmt.Sprintf("/@s/%s", d.ShareId), obj.GetPath()),
+			Password:    d.Pwd,
+			Refresh:     false,
+		})
+	})
+	if code == 202 {
+		return nil, errs.WrongArchivePassword
+	}
+	if err != nil {
+		return nil, err
+	}
+	var tree []model.ObjTree
+	if resp.Data.Content != nil {
+		tree = make([]model.ObjTree, 0, len(resp.Data.Content))
+		for _, content := range resp.Data.Content {
+			tree = append(tree, &content)
+		}
+	}
+	return &model.ArchiveMetaInfo{
+		Comment:   resp.Data.Comment,
+		Encrypted: resp.Data.Encrypted,
+		Tree:      tree,
+	}, nil
+}
+
+func (d *OpenListShare) ListArchive(ctx context.Context, obj model.Obj, args model.ArchiveInnerArgs) ([]model.Obj, error) {
+	if !d.serverArchivePreview || !d.ForwardArchiveReq {
+		return nil, errs.NotImplement
+	}
+	var resp common.Resp[ArchiveListResp]
+	_, code, err := d.request("/fs/archive/list", http.MethodPost, func(req *resty.Request) {
+		req.SetResult(&resp).SetBody(ArchiveListReq{
+			ArchiveMetaReq: ArchiveMetaReq{
+				ArchivePass: args.Password,
+				Path:        stdpath.Join(fmt.Sprintf("/@s/%s", d.ShareId), obj.GetPath()),
+				Password:    d.Pwd,
+				Refresh:     false,
+			},
+			PageReq: model.PageReq{
+				Page:    1,
+				PerPage: 0,
+			},
+			InnerPath: args.InnerPath,
+		})
+	})
+	if code == 202 {
+		return nil, errs.WrongArchivePassword
+	}
+	if err != nil {
+		return nil, err
+	}
+	var files []model.Obj
+	for _, f := range resp.Data.Content {
+		file := model.ObjThumb{
+			Object: model.Object{
+				Name:     f.Name,
+				Modified: f.Modified,
+				Ctime:    f.Created,
+				Size:     f.Size,
+				IsFolder: f.IsDir,
+				HashInfo: utils.FromString(f.HashInfo),
+			},
+			Thumbnail: model.Thumbnail{Thumbnail: f.Thumb},
+		}
+		files = append(files, &file)
+	}
+	return files, nil
+}
+
+func (d *OpenListShare) Extract(ctx context.Context, obj model.Obj, args model.ArchiveInnerArgs) (*model.Link, error) {
+	if !d.serverArchivePreview || !d.ForwardArchiveReq {
+		return nil, errs.NotSupport
+	}
+	path := utils.FixAndCleanPath(stdpath.Join(d.ShareId, obj.GetPath()))
+	u := fmt.Sprintf("%s/sad%s?pwd=%s&inner=%s&pass=%s",
+		d.Address,
+		path,
+		d.Pwd,
+		utils.EncodePath(args.InnerPath, true),
+		url.QueryEscape(args.Password))
+	return &model.Link{URL: u}, nil
+}
+
+var _ driver.Driver = (*OpenListShare)(nil)
--- a/drivers/openlist_share/meta.go
+++ b/drivers/openlist_share/meta.go
@ -0,0 +1,27 @@
+package openlist_share
+
+import (
+	"github.com/OpenListTeam/OpenList/v4/internal/driver"
+	"github.com/OpenListTeam/OpenList/v4/internal/op"
+)
+
+type Addition struct {
+	driver.RootPath
+	Address           string `json:"url" required:"true"`
+	ShareId           string `json:"sid" required:"true"`
+	Pwd               string `json:"pwd"`
+	ForwardArchiveReq bool   `json:"forward_archive_requests" default:"true"`
+}
+
+var config = driver.Config{
+	Name:        "OpenListShare",
+	LocalSort:   true,
+	NoUpload:    true,
+	DefaultRoot: "/",
+}
+
+func init() {
+	op.RegisterDriver(func() driver.Driver {
+		return &OpenListShare{}
+	})
+}
--- a/drivers/openlist_share/types.go
+++ b/drivers/openlist_share/types.go
@ -0,0 +1,111 @@
+package openlist_share
+
+import (
+	"time"
+
+	"github.com/OpenListTeam/OpenList/v4/internal/model"
+	"github.com/OpenListTeam/OpenList/v4/pkg/utils"
+)
+
+type ListReq struct {
+	model.PageReq
+	Path     string `json:"path" form:"path"`
+	Password string `json:"password" form:"password"`
+	Refresh  bool   `json:"refresh"`
+}
+
+type ObjResp struct {
+	Name     string    `json:"name"`
+	Size     int64     `json:"size"`
+	IsDir    bool      `json:"is_dir"`
+	Modified time.Time `json:"modified"`
+	Created  time.Time `json:"created"`
+	Sign     string    `json:"sign"`
+	Thumb    string    `json:"thumb"`
+	Type     int       `json:"type"`
+	HashInfo string    `json:"hashinfo"`
+}
+
+type FsListResp struct {
+	Content  []ObjResp `json:"content"`
+	Total    int64     `json:"total"`
+	Readme   string    `json:"readme"`
+	Write    bool      `json:"write"`
+	Provider string    `json:"provider"`
+}
+
+type ArchiveMetaReq struct {
+	ArchivePass string `json:"archive_pass"`
+	Password    string `json:"password"`
+	Path        string `json:"path"`
+	Refresh     bool   `json:"refresh"`
+}
+
+type TreeResp struct {
+	ObjResp
+	Children  []TreeResp `json:"children"`
+	hashCache *utils.HashInfo
+}
+
+func (t *TreeResp) GetSize() int64 {
+	return t.Size
+}
+
+func (t *TreeResp) GetName() string {
+	return t.Name
+}
+
+func (t *TreeResp) ModTime() time.Time {
+	return t.Modified
+}
+
+func (t *TreeResp) CreateTime() time.Time {
+	return t.Created
+}
+
+func (t *TreeResp) IsDir() bool {
+	return t.ObjResp.IsDir
+}
+
+func (t *TreeResp) GetHash() utils.HashInfo {
+	return utils.FromString(t.HashInfo)
+}
+
+func (t *TreeResp) GetID() string {
+	return ""
+}
+
+func (t *TreeResp) GetPath() string {
+	return ""
+}
+
+func (t *TreeResp) GetChildren() []model.ObjTree {
+	ret := make([]model.ObjTree, 0, len(t.Children))
+	for _, child := range t.Children {
+		ret = append(ret, &child)
+	}
+	return ret
+}
+
+func (t *TreeResp) Thumb() string {
+	return t.ObjResp.Thumb
+}
+
+type ArchiveMetaResp struct {
+	Comment   string     `json:"comment"`
+	Encrypted bool       `json:"encrypted"`
+	Content   []TreeResp `json:"content"`
+	RawURL    string     `json:"raw_url"`
+	Sign      string     `json:"sign"`
+}
+
+type ArchiveListReq struct {
+	model.PageReq
+	ArchiveMetaReq
+	InnerPath string `json:"inner_path"`
+}
+
+type ArchiveListResp struct {
+	Content []ObjResp `json:"content"`
+	Total   int64     `json:"total"`
+}
--- a/drivers/openlist_share/util.go
+++ b/drivers/openlist_share/util.go
@ -0,0 +1,32 @@
+package openlist_share
+
+import (
+	"fmt"
+
+	"github.com/OpenListTeam/OpenList/v4/drivers/base"
+	"github.com/OpenListTeam/OpenList/v4/pkg/utils"
+)
+
+func (d *OpenListShare) request(api, method string, callback base.ReqCallback) ([]byte, int, error) {
+	url := d.Address + "/api" + api
+	req := base.RestyClient.R()
+	if callback != nil {
+		callback(req)
+	}
+	res, err := req.Execute(method, url)
+	if err != nil {
+		code := 0
+		if res != nil {
+			code = res.StatusCode()
+		}
+		return nil, code, err
+	}
+	if res.StatusCode() >= 400 {
+		return nil, res.StatusCode(), fmt.Errorf("request failed, status: %s", res.Status())
+	}
+	code := utils.Json.Get(res.Body(), "code").ToInt()
+	if code != 200 {
+		return nil, code, fmt.Errorf("request failed, code: %d, message: %s", code, utils.Json.Get(res.Body(), "message").ToString())
+	}
+	return res.Body(), 200, nil
+}