优化文件上传的接口,加上校验

This commit is contained in:
jishenghua
2024-05-20 22:27:58 +08:00
parent 21e4eb7364
commit f3490eaec2
2 changed files with 45 additions and 27 deletions


@@ -129,13 +129,12 @@ public class SystemConfigController {
try { try {
String savePath = ""; String savePath = "";
String bizPath = request.getParameter("biz"); String bizPath = request.getParameter("biz");
String name = request.getParameter("name");
MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request; MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
MultipartFile file = multipartRequest.getFile("file");// 获取上传文件对象 MultipartFile file = multipartRequest.getFile("file");// 获取上传文件对象
if(fileUploadType == 1) { if(fileUploadType == 1) {
savePath = systemConfigService.uploadLocal(file, bizPath, name, request); savePath = systemConfigService.uploadLocal(file, bizPath, request);
} else if(fileUploadType == 2) { } else if(fileUploadType == 2) {
savePath = systemConfigService.uploadAliOss(file, bizPath, name, request); savePath = systemConfigService.uploadAliOss(file, bizPath, request);
} }
if(StringUtil.isNotEmpty(savePath)){ if(StringUtil.isNotEmpty(savePath)){
res.code = 200; res.code = 200;
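Review bot: The `file` obtained from `multipartRequest.getFile("file")` is handed straight to the service with no null or empty check, so a request without that part (or a non-multipart request, which fails the cast two lines earlier) surfaces as a NullPointerException or ClassCastException inside the surrounding `try` rather than as a clear client error. Before the `fileUploadType` dispatch, add something like `if (file == null || file.isEmpty()) { throw new IllegalArgumentException("Missing upload file"); }` and have the catch block (which lies outside this hunk) map IllegalArgumentException — which the service now throws for a bad `biz` or extension — to a 4xx response instead of a generic failure. The enclosing method begins and ends outside the hunk, so I cannot see how the catch currently reports errors.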


@@ -177,14 +177,17 @@ public class SystemConfigService {
* 本地文件上传 * 本地文件上传
* @param mf 文件 * @param mf 文件
* @param bizPath 自定义路径 * @param bizPath 自定义路径
* @param name 自定义文件名
* @return * @return
*/ */
public String uploadLocal(MultipartFile mf, String bizPath, String name, HttpServletRequest request) throws Exception { public String uploadLocal(MultipartFile mf, String bizPath, HttpServletRequest request) throws Exception {
try { try {
if(StringUtil.isEmpty(bizPath)){ if(StringUtil.isEmpty(bizPath)){
bizPath = ""; bizPath = "";
} }
// Validate bizPath to prevent directory traversal
if (bizPath.contains("..") || bizPath.contains("/")) {
throw new IllegalArgumentException("Invalid bizPath");
}
String token = request.getHeader("X-Access-Token"); String token = request.getHeader("X-Access-Token");
Long tenantId = Tools.getTenantIdByToken(token); Long tenantId = Tools.getTenantIdByToken(token);
bizPath = bizPath + File.separator + tenantId; bizPath = bizPath + File.separator + tenantId;
@@ -196,28 +199,30 @@ public class SystemConfigService {
} }
String orgName = mf.getOriginalFilename();// 获取文件名 String orgName = mf.getOriginalFilename();// 获取文件名
orgName = FileUtils.getFileName(orgName); orgName = FileUtils.getFileName(orgName);
if(orgName.contains(".")){
if(StringUtil.isNotEmpty(name)) { // Validate file extension to allow only specific types
fileName = name.substring(0, name.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf(".")); String[] allowedExtensions = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".txt",".doc",".docx",".xls",".xlsx",
} else { ".ppt",".pptx",".zip",".rar",".mp3",".mp4",".avi"};
fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf(".")); boolean isValidExtension = false;
for (String ext : allowedExtensions) {
if (orgName.toLowerCase().endsWith(ext)) {
isValidExtension = true;
break;
} }
}
if (!isValidExtension) {
throw new IllegalArgumentException("Invalid file type");
}
if(orgName.contains(".")){
fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
}else{ }else{
fileName = orgName+ "_" + System.currentTimeMillis(); fileName = orgName+ "_" + System.currentTimeMillis();
} }
String savePath = file.getPath() + File.separator + fileName; String savePath = file.getPath() + File.separator + fileName;
File savefile = new File(savePath); File savefile = new File(savePath);
FileCopyUtils.copy(mf.getBytes(), savefile); FileCopyUtils.copy(mf.getBytes(), savefile);
// 保存缩略图
// String fileUrl = getFileUrlLocal(bizPath + File.separator + fileName);
// InputStream imgInputStream = new BufferedInputStream(new FileInputStream(fileUrl));
// BufferedImage smallImage = getImageMini(imgInputStream, 80);
// int index = fileName.lastIndexOf(".");
// String ext = fileName.substring(index + 1);
// String smallUrl = filePath + "-small" + File.separator + bizPath + File.separator + fileName;
// FileUtils.createFile(smallUrl);
// File saveSmallFile = new File(smallUrl);
// ImageIO.write(smallImage, ext, saveSmallFile);
// 返回路径 // 返回路径
String dbpath = null; String dbpath = null;
if(StringUtil.isNotEmpty(bizPath)){ if(StringUtil.isNotEmpty(bizPath)){
@@ -239,13 +244,16 @@ public class SystemConfigService {
* 阿里Oss文件上传 * 阿里Oss文件上传
* @param mf 文件 * @param mf 文件
* @param bizPath 自定义路径 * @param bizPath 自定义路径
* @param name 自定义文件名
* @return * @return
*/ */
public String uploadAliOss(MultipartFile mf, String bizPath, String name, HttpServletRequest request) throws Exception { public String uploadAliOss(MultipartFile mf, String bizPath, HttpServletRequest request) throws Exception {
if(StringUtil.isEmpty(bizPath)){ if(StringUtil.isEmpty(bizPath)){
bizPath = ""; bizPath = "";
} }
// Validate bizPath to prevent directory traversal
if (bizPath.contains("..") || bizPath.contains("/")) {
throw new IllegalArgumentException("Invalid bizPath");
}
String token = request.getHeader("X-Access-Token"); String token = request.getHeader("X-Access-Token");
Long tenantId = Tools.getTenantIdByToken(token); Long tenantId = Tools.getTenantIdByToken(token);
bizPath = bizPath + "/" + tenantId; bizPath = bizPath + "/" + tenantId;
@@ -257,12 +265,23 @@ public class SystemConfigService {
String fileName = ""; String fileName = "";
String orgName = mf.getOriginalFilename();// 获取文件名 String orgName = mf.getOriginalFilename();// 获取文件名
orgName = FileUtils.getFileName(orgName); orgName = FileUtils.getFileName(orgName);
if(orgName.contains(".")){
if(StringUtil.isNotEmpty(name)) { // Validate file extension to allow only specific types
fileName = name.substring(0, name.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf(".")); String[] allowedExtensions = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".txt",".doc",".docx",".xls",".xlsx",
} else { ".ppt",".pptx",".zip",".rar",".mp3",".mp4",".avi"};
fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf(".")); boolean isValidExtension = false;
for (String ext : allowedExtensions) {
if (orgName.toLowerCase().endsWith(ext)) {
isValidExtension = true;
break;
} }
}
if (!isValidExtension) {
throw new IllegalArgumentException("Invalid file type");
}
if(orgName.contains(".")){
fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
}else{ }else{
fileName = orgName+ "_" + System.currentTimeMillis(); fileName = orgName+ "_" + System.currentTimeMillis();
} }
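Review bot: The new allowlist in uploadAliOss (and the identical copy in uploadLocal) tests the last extension with `endsWith`, but the stored name is then built from `orgName.substring(orgName.indexOf("."))`, so `shell.jsp.png` passes the check and is saved as `shell_<ts>.jsp.png`, keeping every intermediate extension; derive the extension once with `lastIndexOf('.')`, compare it via `toLowerCase(Locale.ROOT)` against a shared `static final Set`, and build the name from it, which also removes the now-unreachable `else` branch at the end of the hunk (every allowed extension contains a dot) and the duplicated array. The bizPath guard added at the top of both methods rejects `..` and `/` but not `\`, which is the separator uploadLocal actually joins with on Windows; an allowlist such as `if (!bizPath.matches("[A-Za-z0-9_-]*")) throw new IllegalArgumentException("Invalid bizPath");` is easier to reason about than a denylist, and uploadLocal should still canonicalize the final path and confirm it starts with the base directory. An extension check says nothing about content — `.txt`, `.zip` and `.rar` in particular can carry anything — so if the saved files are served back from the web root they should additionally be checked by content type or magic bytes and served with script execution disabled. Both methods continue past the end of their hunks, so the code that consumes `fileName` is not visible here.
```java
private static final Set<String> ALLOWED_EXTENSIONS = Set.of(
        ".gif", ".jpg", ".jpeg", ".png", ".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx",
        ".ppt", ".pptx", ".zip", ".rar", ".mp3", ".mp4", ".avi");

// Returns the lower-cased final extension (with the dot) or throws if it is not allowed.
private static String checkedExtension(String orgName) {
    int dot = orgName.lastIndexOf('.');
    if (dot < 0) {
        throw new IllegalArgumentException("Invalid file type");
    }
    String ext = orgName.substring(dot).toLowerCase(Locale.ROOT);
    if (!ALLOWED_EXTENSIONS.contains(ext)) {
        throw new IllegalArgumentException("Invalid file type");
    }
    return ext;
}

// … unchanged: bizPath / tenantId handling, orgName = FileUtils.getFileName(...) …
String ext = checkedExtension(orgName);
fileName = orgName.substring(0, orgName.lastIndexOf('.')) + "_" + System.currentTimeMillis() + ext;
```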