From fa1b52ca74c16bc2af863c7f1c88bf19956ecf8b Mon Sep 17 00:00:00 2001 From: Hz_ Date: Thu, 2 Jul 2026 15:45:30 +0800 Subject: [PATCH] fix(go): prevent moving folders into themselves (#16522) --- internal/service/file.go | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/internal/service/file.go b/internal/service/file.go index 095dcca13f..cecd1a0b2f 100644 --- a/internal/service/file.go +++ b/internal/service/file.go @@ -788,6 +788,34 @@ func (s *FileService) MoveFiles(uid string, srcFileIDs []string, destFileID stri if !s.checkFileTeamPermission(destFolder, uid) { return false, "No authorization to write to destination folder." } + + if destFolder.Type != FileTypeFolder { + return false, "Destination is not a folder." + } + + destAncestors, err := s.fileDAO.GetAllParentFolders(destFolder.ID) + if err != nil { + return false, "Parent folder not found!" + } + + destAncestorIDs := make(map[string]struct{}, len(destAncestors)) + for _, folder := range destAncestors { + destAncestorIDs[folder.ID] = struct{}{} + } + + for _, file := range files { + if file.Type != FileTypeFolder { + continue + } + + if file.ID == destFolder.ID { + return false, "Cannot move a folder to itself." + } + + if _, ok := destAncestorIDs[file.ID]; ok { + return false, "Cannot move a folder into its own subfolder." + } + } } // 5. Validate new_name if provided