From f3490eaec22b062bc2a718386cc25f513cc397a9 Mon Sep 17 00:00:00 2001
From: jishenghua <752718920@qq.com>
Date: Mon, 20 May 2024 22:27:58 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=E6=96=87=E4=BB=B6=E4=B8=8A?=
 =?UTF-8?q?=E4=BC=A0=E7=9A=84=E6=8E=A5=E5=8F=A3=EF=BC=8C=E5=8A=A0=E4=B8=8A?=
 =?UTF-8?q?=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../controller/SystemConfigController.java | 5 +-
 .../systemConfig/SystemConfigService.java | 67 ++++++++++++-------
 2 files changed, 45 insertions(+), 27 deletions(-)

diff --git a/jshERP-boot/src/main/java/com/jsh/erp/controller/SystemConfigController.java b/jshERP-boot/src/main/java/com/jsh/erp/controller/SystemConfigController.java
index f73359ef..01e58943 100644
--- a/jshERP-boot/src/main/java/com/jsh/erp/controller/SystemConfigController.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/controller/SystemConfigController.java
@@ -129,13 +129,12 @@ public class SystemConfigController {
 try {
 String savePath = "";
 String bizPath = request.getParameter("biz");
- String name = request.getParameter("name");
 MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
 MultipartFile file = multipartRequest.getFile("file");// 获取上传文件对象
 if(fileUploadType == 1) {
- savePath = systemConfigService.uploadLocal(file, bizPath, name, request);
+ savePath = systemConfigService.uploadLocal(file, bizPath, request);
 } else if(fileUploadType == 2) {
- savePath = systemConfigService.uploadAliOss(file, bizPath, name, request);
+ savePath = systemConfigService.uploadAliOss(file, bizPath, request);
 }
 if(StringUtil.isNotEmpty(savePath)){
 res.code = 200;
diff --git a/jshERP-boot/src/main/java/com/jsh/erp/service/systemConfig/SystemConfigService.java b/jshERP-boot/src/main/java/com/jsh/erp/service/systemConfig/SystemConfigService.java
index aafeca43..18672e2d 100644
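Review bot: Both service calls in this hunk can now throw IllegalArgumentException for a rejected path or file type, and that exception lands in the surrounding `try` whose `catch` is outside the hunk; confirm the catch reports a distinct client-error code and message for a rejected upload instead of the generic failure used for I/O faults, so callers and operators can tell a policy rejection from a server error. `multipartRequest.getFile("file")` may also return null, and neither branch checks it before passing it on, so the service's first `mf.getOriginalFilename()` call would fail with a NullPointerException rather than a clear message. A guard before the `fileUploadType` dispatch, `if (file == null) { throw new IllegalArgumentException("Missing file"); }`, fails fast with the same exception type the service now uses. The enclosing method starts and ends outside this hunk.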
--- a/jshERP-boot/src/main/java/com/jsh/erp/service/systemConfig/SystemConfigService.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/service/systemConfig/SystemConfigService.java
@@ -177,14 +177,17 @@ public class SystemConfigService {
 * 本地文件上传
 * @param mf 文件
 * @param bizPath 自定义路径
- * @param name 自定义文件名
 * @return
 */
- public String uploadLocal(MultipartFile mf, String bizPath, String name, HttpServletRequest request) throws Exception {
+ public String uploadLocal(MultipartFile mf, String bizPath, HttpServletRequest request) throws Exception {
 try {
 if(StringUtil.isEmpty(bizPath)){
 bizPath = "";
 }
+ // Validate bizPath to prevent directory traversal
+ if (bizPath.contains("..") || bizPath.contains("/")) {
+ throw new IllegalArgumentException("Invalid bizPath");
+ }
 String token = request.getHeader("X-Access-Token");
 Long tenantId = Tools.getTenantIdByToken(token);
 bizPath = bizPath + File.separator + tenantId;
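Review bot: The new `bizPath` check is a denylist that rejects only `..` and `/`, so a backslash passes through unchanged even though this method joins `bizPath` with `File.separator`, which suggests it is also expected to run where `\` is the separator; other characters with no place in a directory name pass as well. Because the value ends up in a filesystem path, a positive allowlist is the more robust form: `if (!bizPath.isEmpty() && !bizPath.matches("[A-Za-z0-9_-]+")) { throw new IllegalArgumentException("Invalid bizPath"); }`. The identical denylist is added to uploadAliOss in the `@@ -239,13 +244,16 @@` hunk; both should apply the same rule, preferably through one shared private helper so the two upload paths cannot drift apart. The body of uploadLocal continues past the end of this hunk.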
@@ -196,28 +199,30 @@ public class SystemConfigService {
 }
 String orgName = mf.getOriginalFilename();// 获取文件名
 orgName = FileUtils.getFileName(orgName);
- if(orgName.contains(".")){
- if(StringUtil.isNotEmpty(name)) {
- fileName = name.substring(0, name.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
- } else {
- fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
+
+ // Validate file extension to allow only specific types
+ String[] allowedExtensions = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".txt",".doc",".docx",".xls",".xlsx",
+ ".ppt",".pptx",".zip",".rar",".mp3",".mp4",".avi"};
+ boolean isValidExtension = false;
+ for (String ext : allowedExtensions) {
+ if (orgName.toLowerCase().endsWith(ext)) {
+ isValidExtension = true;
+ break;
 }
+ }
+ if (!isValidExtension) {
+ throw new IllegalArgumentException("Invalid file type");
+ }
+
+ if(orgName.contains(".")){
+ fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
 }else{
 fileName = orgName+ "_" + System.currentTimeMillis();
 }
 String savePath = file.getPath() + File.separator + fileName;
 File savefile = new File(savePath);
 FileCopyUtils.copy(mf.getBytes(), savefile);
- // 保存缩略图
- // String fileUrl = getFileUrlLocal(bizPath + File.separator + fileName);
- // InputStream imgInputStream = new BufferedInputStream(new FileInputStream(fileUrl));
- // BufferedImage smallImage = getImageMini(imgInputStream, 80);
- // int index = fileName.lastIndexOf(".");
- // String ext = fileName.substring(index + 1);
- // String smallUrl = filePath + "-small" + File.separator + bizPath + File.separator + fileName;
- // FileUtils.createFile(smallUrl);
- // File saveSmallFile = new File(smallUrl);
- // ImageIO.write(smallImage, ext, saveSmallFile);
+ // 返回路径
 String dbpath = null;
 if(StringUtil.isNotEmpty(bizPath)){
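Review bot: The added `fileName` line takes the base name up to `lastIndexOf(".")` but the suffix from `indexOf(".")`, so any name with more than one dot duplicates the middle segment (`report.v1.pdf` becomes `report.v1_<ts>.v1.pdf`); using `lastIndexOf` for both keeps the stored name carrying exactly the extension that was checked. Once the allowlist passes, `orgName` necessarily contains a dot, so the `}else{ fileName = orgName+ "_" + ...` branch kept as context is now unreachable and should go. `orgName.toLowerCase()` is locale-dependent and should be `toLowerCase(Locale.ROOT)` so the comparison does not vary with the server's default locale. The same `allowedExtensions` array and loop are pasted verbatim into uploadAliOss in the `@@ -257,12 +265,23 @@` hunk; hoisting the list to a `private static final` constant and the check into one helper, as below, removes the duplication and fixes the three points in both places (the helper needs the `java.util.Arrays`, `List` and `Locale` imports). Note that the check is on the file name only, the contents are not inspected, and uploadLocal continues outside this hunk.
```java
private static final List<String> ALLOWED_EXTENSIONS = Arrays.asList(".gif", ".jpg", ".jpeg", ".png", ".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx",
        ".ppt", ".pptx", ".zip", ".rar", ".mp3", ".mp4", ".avi");

// Checks the final extension against ALLOWED_EXTENSIONS and inserts a timestamp in front of it.
private static String timestampedFileName(String orgName) {
    int dot = orgName.lastIndexOf('.');
    String ext = dot < 0 ? "" : orgName.substring(dot);
    if (!ALLOWED_EXTENSIONS.contains(ext.toLowerCase(Locale.ROOT))) {
        throw new IllegalArgumentException("Invalid file type");
    }
    return orgName.substring(0, dot) + "_" + System.currentTimeMillis() + ext;
}

// … in uploadLocal, replacing the allowedExtensions loop and the if/else on orgName.contains(".") …
fileName = timestampedFileName(orgName);
// … unchanged: savePath / FileCopyUtils.copy / dbpath …
```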
@@ -239,13 +244,16 @@ public class SystemConfigService {
 * 阿里Oss文件上传
 * @param mf 文件
 * @param bizPath 自定义路径
- * @param name 自定义文件名
 * @return
 */
- public String uploadAliOss(MultipartFile mf, String bizPath, String name, HttpServletRequest request) throws Exception {
+ public String uploadAliOss(MultipartFile mf, String bizPath, HttpServletRequest request) throws Exception {
 if(StringUtil.isEmpty(bizPath)){
 bizPath = "";
 }
+ // Validate bizPath to prevent directory traversal
+ if (bizPath.contains("..") || bizPath.contains("/")) {
+ throw new IllegalArgumentException("Invalid bizPath");
+ }
 String token = request.getHeader("X-Access-Token");
 Long tenantId = Tools.getTenantIdByToken(token);
 bizPath = bizPath + "/" + tenantId;
@@ -257,12 +265,23 @@ public class SystemConfigService {
 String fileName = "";
 String orgName = mf.getOriginalFilename();// 获取文件名
 orgName = FileUtils.getFileName(orgName);
- if(orgName.contains(".")){
- if(StringUtil.isNotEmpty(name)) {
- fileName = name.substring(0, name.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
- } else {
- fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
+
+ // Validate file extension to allow only specific types
+ String[] allowedExtensions = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".txt",".doc",".docx",".xls",".xlsx",
+ ".ppt",".pptx",".zip",".rar",".mp3",".mp4",".avi"};
+ boolean isValidExtension = false;
+ for (String ext : allowedExtensions) {
+ if (orgName.toLowerCase().endsWith(ext)) {
+ isValidExtension = true;
+ break;
 }
+ }
+ if (!isValidExtension) {
+ throw new IllegalArgumentException("Invalid file type");
+ }
+
+ if(orgName.contains(".")){
+ fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
 }else{
 fileName = orgName+ "_" + System.currentTimeMillis();
 }