[WIP, NOT ready for review] 直接替换maidata.txt谱面的功能 #32

gemini-code-assist · 2026-01-28T06:51:17Z

The assetDir parameter, which is a route parameter and thus user-controlled, is used to construct file paths using Path.Combine (e.g., on line 106) without any validation or sanitization. An attacker can provide a path containing directory traversal sequences (e.g., ..) to escape the intended directory and overwrite arbitrary files on the server where the application has write permissions.

Remediation: Validate the assetDir parameter against an allowlist of expected directory names or sanitize it to remove any path traversal sequences before using it in file system operations.

@clansty 这个用管吗😰 虽然他说有问题的这段并不是我写的，我只是加了个shift参数而已（

gemini-code-assist · 2026-01-28T06:51:17Z

The ReplaceChart method at this line reads the entire content of an uploaded file into memory using reader.ReadToEnd() without any size validation. This creates a Denial of Service (DoS) risk, as a large file could lead to an OutOfMemoryException and application crash, especially when passed to ParseTNumAllFromMa2. Additionally, the current implementation has two code quality issues: it attempts to read the file stream multiple times (file.CopyTo(stream) then file.OpenReadStream()), which can cause errors with non-seekable streams, and it includes a redundant stream.Close() within a using statement. It is recommended to implement a maximum file size limit, process files using a stream-based approach, and refactor to read the file content only once for both writing and parsing.

这个不用太管吧，后端是在用户自己的电脑上运行的，我DoS我自己吗？

gemini-code-assist · 2026-01-28T06:51:17Z

这里有一个 console.log 语句，可能是用于调试的。在代码最终合并之前，建议移除这些调试相关的日志输出，以保持生产环境代码的整洁。

-Original file line number
+Diff line change
@@ Expand Up @@
         }
         [HttpPost]
-        public void ReplaceChart(int id, int level, IFormFile file, string assetDir)
+        public void ReplaceChart(int id, int level, IFormFile file, string assetDir,
+            [FromForm] ImportChartController.ShiftMethod? shift)
         {
             var music = settings.GetMusic(id, assetDir);
             if (music == null || file == null) return;
+            // TODO 判断是MA2还是maidata.txt，走不同的逻辑
             var targetChart = music.Charts[level];
             targetChart.Path = $"{id:000000}_0{level}.ma2";
             using var stream = System.IO.File.Open(Path.Combine(StaticSettings.StreamingAssets, assetDir, "music", $"music{id:000000}", targetChart.Path), FileMode.Create);
             file.CopyTo(stream);
             targetChart.Problems.Clear();
             stream.Close();
+            // 检查新谱面ma2的音符数量是否有变化，如果有修正之
+            string fileContent;
+            using (var reader = new StreamReader(file.OpenReadStream()))
+            {
+                fileContent = reader.ReadToEnd();
+            }
+            var newMaxNotes = ImportChartController.ParseTNumAllFromMa2(fileContent);
+            if (newMaxNotes != 0 && targetChart.MaxNotes != newMaxNotes)
+            {
+                targetChart.MaxNotes = newMaxNotes;
+            }
         }
     }

-Original file line number
+Diff line change
@@ Expand Up @@
         public record ImportChartCheckResult(bool Accept, IEnumerable<ImportChartMessage> Errors, float MusicPadding, bool IsDx, string? Title, float first, float bar);
         [HttpPost]
-        public ImportChartCheckResult ImportChartCheck(IFormFile file)
+        public ImportChartCheckResult ImportChartCheck(IFormFile file, [FromForm] bool isReplacement = false)
         {
             var errors = new List<ImportChartMessage>();
             var fatal = false;
+            if (isReplacement)
+            {
+                // 替换谱面的操作也需要检查的过程，但检查的逻辑和导入谱面时可以说是一模一样的，故直接共用逻辑
+                // 唯一的区别是给用户一个警告，明确说明直接替换谱面功能的适用范围
+                errors.Add(new ImportChartMessage(Locale.NotesReplacementWarning, MessageLevel.Warning));
+            }
             try
             {
                 var kvps = new SimaiFile(file.OpenReadStream()).ToKeyValuePairs();
@@ Expand Down Expand Up / @@ -559,6 +566,7 @@ public ImportChartResult ImportChart( @@
             music.AddVersionId = addVersionId;
             music.GenreId = genreId;
             music.Version = version;
+            music.ShiftMethod = shift.ToString();
             float wholebpm;
             if (float.TryParse(maiData.GetValueOrDefault("wholebpm"), out wholebpm))
                 music.Bpm = wholebpm;
@@ Expand All / @@ -568,7 +576,7 @@ public ImportChartResult ImportChart( @@
         }
-        private static int ParseTNumAllFromMa2(string ma2Content)
+        public static int ParseTNumAllFromMa2(string ma2Content)
         {
             var lines = ma2Content.Split('\n');
             // 从后往前读取，因为 T_NUM_ALL 在文件最后
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -266,6 +266,7 @@ export interface MusicXmlWithABJacket { @@
       subLockType?: number;
       disable?: boolean;
       longMusic?: boolean;
+      shiftMethod?: string | null;
       charts?: Chart[] | null;
       assetBundleJacket?: string | null;
       pseudoAssetBundleJacket?: string | null;
@@ Expand Down Expand Up @@
           data: {
             /** @format binary */
             file?: File;
+            shift?: ShiftMethod;
           },
           params: RequestParams = {},
         ) =>
@@ Expand Down Expand Up @@
           data: {
             /** @format binary */
             file?: File;
+            /** @default false */
+            isReplacement?: boolean;
           },
           params: RequestParams = {},
         ) =>
@@ Expand Down @@

-Original file line number
+Diff line change
@@ -1,24 +1,68 @@
     import { t } from '@/locales';
     import { globalCapture, selectedADir, selectedLevel, selectedMusic, selectMusicId, updateMusicList } from '@/store/refs';
-    import { NButton, NFlex, NModal, useMessage } from 'naive-ui';
-    import { defineComponent, PropType, ref, computed, watch, shallowRef } from 'vue';
+    import { NButton, NFlex, NModal, useDialog, useMessage } from 'naive-ui';
+    import { defineComponent, ref, shallowRef } from 'vue';
     import JacketBox from '../JacketBox';
     import { DIFFICULTY, LEVEL_COLOR } from '@/consts';
     import api from '@/client/api';
+    import CheckingModal from "@/components/ImportCreateChartButton/ImportChartButton/CheckingModal";
-    export const replaceChartFileHandle = shallowRef<FileSystemFileHandle | null>(null);
+    export let prepareReplaceChart = async (fileHandle?: FileSystemFileHandle) => {
+    }
     export default defineComponent({
       // props: {
       // },
       setup(props, { emit }) {
         const message = useMessage();
+        const dialog = useDialog();
-        const replaceChart = async () => {
-          if (!replaceChartFileHandle.value) return;
+        const checking = ref(false);
+        const ma2Handle = shallowRef<FileSystemFileHandle | null>(null);
+        prepareReplaceChart = async (fileHandle?: FileSystemFileHandle) => {
+          if (!fileHandle) {
+            [fileHandle] = await window.showOpenFilePicker({
+              id: 'chart',
+              startIn: 'downloads',
+              types: [
+                {
+                  description: t('music.edit.supportedFileTypes'),
+                  accept: {
+                    "application/x-supported": [".ma2", ".txt"], // 没办法限定只匹配maidata.txt，就只好先把一切txt都作为匹配
+                  },
+                },
+              ],
+            });
+          }
+          if (!fileHandle) return; // 用户未选择文件
+          const name = fileHandle.name;
+          // 对maidata.txt和ma2分类讨论，前者执行ImportCheck
+          if (name == "maidata.txt") {
+            try {
+              checking.value = true;
+              const file = await fileHandle.getFile();
+              const checkRet = (await api.ImportChartCheck({file, isReplacement: true})).data;
+              if (!checking.value) return; // 说明检查期间用户点击了关闭按钮、取消了操作。则不再执行后续流程。
+              // TODO 显示导入界面（类似ErrorDisplayIdInput）、完成导入流程
+              console.log(checkRet)
+              dialog.error({title: "NotImplemented"})
+            } finally {
+              checking.value = false;
+            }
+          } else if (name.endsWith(".ma2")) {
+            ma2Handle.value = fileHandle
+          } else {
+            dialog.error({title: t('error.unsupportedFileType'), content: t('music.edit.notValidChartFile')})
+          }
+        }
+        const replaceMa2 = async () => {
+          if (!ma2Handle.value) return;
           try {
-            const file = await replaceChartFileHandle.value.getFile();
-            replaceChartFileHandle.value = null;
+            const file = await ma2Handle.value.getFile();
+            ma2Handle.value = null;
             await api.ReplaceChart(selectMusicId.value, selectedLevel.value, selectedADir.value, { file });
             message.success(t('music.edit.replaceChartSuccess'));
             await updateMusicList();
@@ Expand All / @@ -28,34 +72,37 @@ export default defineComponent({ @@
           }
         }
-        return () => <NModal
-          preset="card"
-          class="w-[min(90vw,50em)]"
-          title={t('music.edit.replaceChart')}
-          show={replaceChartFileHandle.value !== null}
-          onUpdateShow={() => replaceChartFileHandle.value = null}
-        >{{
-          default: () => <div class="flex flex-col gap-2">
-            {t('music.edit.replaceChartConfirm', { level: DIFFICULTY[selectedLevel.value!] })}
-            <div class="text-4.5 text-center">{replaceChartFileHandle.value?.name}</div>
-            <div class="text-6 text-center">↓</div>
-            <div class="flex justify-center gap-2">
-              <JacketBox info={selectedMusic.value!} class="h-8em w-8em" upload={false} />
-              <div class="flex flex-col gap-1 max-w-24em justify-end">
-                <div class="text-3.5 op-70">#{selectMusicId.value}</div>
-                <div class="text-2xl overflow-hidden text-ellipsis whitespace-nowrap">{selectedMusic.value!.name}</div>
-                <div class="flex">
-                  <div class="c-white rounded-full px-2" style={{ backgroundColor: LEVEL_COLOR[selectedLevel.value!] }}>
-                    {selectedMusic.value!.charts![selectedLevel.value!]?.level}.{selectedMusic.value!.charts![selectedLevel.value!]?.levelDecimal}
+        return () => <div>
+            <NModal
+            preset="card"
+            class="w-[min(90vw,50em)]"
+            title={t('music.edit.replaceChart')}
+            show={ma2Handle.value !== null}
+            onUpdateShow={() => ma2Handle.value = null}
+          >{{
+            default: () => <div class="flex flex-col gap-2">
+              {t('music.edit.replaceChartConfirm', { level: DIFFICULTY[selectedLevel.value!] })}
+              <div class="text-4.5 text-center">{ma2Handle.value?.name}</div>
+              <div class="text-6 text-center">↓</div>
+              <div class="flex justify-center gap-2">
+                <JacketBox info={selectedMusic.value!} class="h-8em w-8em" upload={false} />
+                <div class="flex flex-col gap-1 max-w-24em justify-end">
+                  <div class="text-3.5 op-70">#{selectMusicId.value}</div>
+                  <div class="text-2xl overflow-hidden text-ellipsis whitespace-nowrap">{selectedMusic.value!.name}</div>
+                  <div class="flex">
+                    <div class="c-white rounded-full px-2" style={{ backgroundColor: LEVEL_COLOR[selectedLevel.value!] }}>
+                      {selectedMusic.value!.charts![selectedLevel.value!]?.level}.{selectedMusic.value!.charts![selectedLevel.value!]?.levelDecimal}
+                    </div>
                   </div>
                 </div>
               </div>
-            </div>
-          </div>,
-          footer: () => <NFlex justify="end">
-            <NButton onClick={() => replaceChartFileHandle.value = null}>{t('common.cancel')}</NButton>
-            <NButton onClick={replaceChart} type="primary">{t('common.confirm')}</NButton>
-          </NFlex>
-        }}</NModal>;
+            </div>,
+            footer: () => <NFlex justify="end">
+              <NButton onClick={() => ma2Handle.value = null}>{t('common.cancel')}</NButton>
+              <NButton onClick={replaceMa2} type="primary">{t('common.confirm')}</NButton>
+            </NFlex>
+          }}</NModal>
+          <CheckingModal title={t('chart.import.checkingTitle')} show={checking.value} closeModal={()=>checking.value=false} />
+        </div>;
       },
     });

-Original file line number
+Diff line change
@@ Expand Up @@
     import { uploadFlow as uploadFlowAcbAwb } from '@/components/MusicEdit/AcbAwb';
     import { selectedADir, selectedMusic } from '@/store/refs';
     import { upload as uploadJacket } from '@/components/JacketBox';
-    import ReplaceChartModal, { replaceChartFileHandle } from './ReplaceChartModal';
+    import ReplaceChartModal, { prepareReplaceChart } from './ReplaceChartModal';
     import AquaMaiManualInstaller, { setManualInstallAquaMai } from './AquaMaiManualInstaller';
     export const mainDivRef = shallowRef<HTMLDivElement>();
@@ Expand Down Expand Up / @@ -48,8 +48,8 @@ export default defineComponent({ @@
             else if (file.kind === 'file' && (firstType.startsWith('image/') || file.name.endsWith('.jpeg') || file.name.endsWith('.jpg') || file.name.endsWith('.png'))) {
               uploadJacket(file);
             }
-            else if (file.kind === 'file' && file.name.endsWith('.ma2')) {
-              replaceChartFileHandle.value = file;
+            else if (file.kind === 'file' && (file.name.endsWith('.ma2') || file.name == "maidata.txt")) {
+              prepareReplaceChart(file);
             }
           }
         }
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[WIP, NOT ready for review] 直接替换maidata.txt谱面的功能 #32

Uh oh!

Diff view

Diff view

There are no files selected for viewing

gemini-code-assist bot Jan 28, 2026

Uh oh!

Starrah Jan 28, 2026

Uh oh!

gemini-code-assist bot Jan 28, 2026

Uh oh!

Starrah Jan 28, 2026

Uh oh!

Uh oh!

gemini-code-assist bot Jan 28, 2026

Uh oh!

Uh oh!

Uh oh!

-Original file line number
+Diff line change
@@ -1,12 +1,13 @@
     import { computed, defineComponent, PropType, watch } from "vue";
     import { Chart } from "@/client/apiGen";
-    import { NFlex, NForm, NFormItem, NInput, NInputNumber, NSelect, NSwitch } from "naive-ui";
+    import { NButton, NFlex, NForm, NFormItem, NInput, NInputNumber, NSelect, NSwitch } from "naive-ui";
     import api from "@/client/api";
     import { selectedADir, selectedMusic } from "@/store/refs";
     import { LEVELS } from "@/consts";
     import ProblemsDisplay from "@/components/ProblemsDisplay";
     import PreviewChartButton from "@/components/MusicEdit/PreviewChartButton";
     import { useI18n } from 'vue-i18n';
+    import { prepareReplaceChart } from "@/components/DragDropDispatcher/ReplaceChartModal";
     const LEVELS_OPTIONS = LEVELS.map((level, index) => ({label: level, value: index}));
@@ Expand Down Expand Up / @@ -43,6 +44,9 @@ export default defineComponent({ @@
           <NFlex vertical>
             <NFlex align="center" class="absolute right-0 top-0 m-xy mt-2 z-2">
               <PreviewChartButton songId={props.songId} level={props.chartIndex}/>
+              <NButton secondary onClick={() => prepareReplaceChart()}>
+                {t('music.edit.replaceChart')}
+              </NButton>
             </NFlex>
             <NFormItem label={t('music.edit.chartEnable')} labelPlacement="left" class="ml-2px">
               <NFlex align="center">
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -133,6 +133,7 @@ music: @@
         replaceChartConfirm: Confirm to replace {level}?
         replaceChartFailed: Failed to replace chart
         replaceChartSuccess: Chart replaced successfully
+        notValidChartFile: Chart file must be .ma2 or maidata.txt.
       batch:
         title: Batch Actions
         batchAndSearch: Batch Actions & Search
@@ Expand Down Expand Up / @@ -456,6 +457,7 @@ error: @@
         confirm: Got it
       file:
         notSelected: No file selected
+      unsupportedFileType: 'Unsupported file type'
     message:
       notice: Notice
       saveSuccess: Saved successfully
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -126,6 +126,7 @@ music: @@
         replaceChartConfirm: 確認要替換 {level} 譜面嗎？
         replaceChartFailed: 替換譜面失敗
         replaceChartSuccess: 替換譜面成功
+        notValidChartFile: 譜面檔案必須是 .ma2 或 maidata.txt。
       batch:
         title: 批次操作
         batchAndSearch: 批次操作與搜尋
@@ Expand Down Expand Up / @@ -417,6 +418,7 @@ error: @@
       feedbackError: 回饋錯誤
       file:
         notSelected: 未選擇檔案
+      unsupportedFileType: '不支援的檔案類型'
     message:
       notice: 提示
       saveSuccess: 儲存成功
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -126,6 +126,7 @@ music: @@
         replaceChartConfirm: 确认要替换 {level} 谱面吗？
         replaceChartFailed: 替换谱面失败
         replaceChartSuccess: 替换谱面成功
+        notValidChartFile: 谱面文件必须是.ma2或maidata.txt
       batch:
         title: 批量操作
         batchAndSearch: 批量操作与搜索
@@ Expand Down Expand Up / @@ -418,6 +419,7 @@ error: @@
       feedbackError: 反馈错误
       file:
         notSelected: 未选择文件
+      unsupportedFileType: 不支持的文件类型
     message:
       notice: 提示
       saveSuccess: 保存成功
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up @@
         <data name="LauncherOpenToLanDesc" xml:space="preserve">
           <value>Automatically run in server mode and minimize to the system tray upon startup.</value>
         </data>
+        <data name="NotesReplacementWarning" xml:space="preserve">
+          <value>Caution! This "Replace Chart" function should only be used when modifying the note content of the existing chart, while the audio remains unchanged, the &amp;first offset remains unchanged, and the timing of the first note remains unchanged. Otherwise, you will need to delete the entire chart and re-import it.</value>
+        </data>
     </root>

[WIP, NOT ready for review] 直接替换maidata.txt谱面的功能 #32

Are you sure you want to change the base?

Uh oh!

[WIP, NOT ready for review] 直接替换maidata.txt谱面的功能 #32

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

gemini-code-assist bot Jan 28, 2026

Choose a reason for hiding this comment

Uh oh!

Starrah Jan 28, 2026

Choose a reason for hiding this comment

Uh oh!

gemini-code-assist bot Jan 28, 2026

Choose a reason for hiding this comment

Uh oh!

Starrah Jan 28, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

gemini-code-assist bot Jan 28, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!