优化文件上传的接口，加上校验

2024-05-20 22:27:58 +08:00
parent 21e4eb7364
commit f3490eaec2
2 changed files with 45 additions and 27 deletions
--- a/jshERP-boot/src/main/java/com/jsh/erp/controller/SystemConfigController.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/controller/SystemConfigController.java
@@ -129,13 +129,12 @@ public class SystemConfigController {
        try {
            String savePath = "";
            String bizPath = request.getParameter("biz");
-            String name = request.getParameter("name");
            MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
            MultipartFile file = multipartRequest.getFile("file");// 获取上传文件对象
            if(fileUploadType == 1) {
-                savePath = systemConfigService.uploadLocal(file, bizPath, name, request);
+                savePath = systemConfigService.uploadLocal(file, bizPath, request);
            } else if(fileUploadType == 2) {
-                savePath = systemConfigService.uploadAliOss(file, bizPath, name, request);
+                savePath = systemConfigService.uploadAliOss(file, bizPath, request);
            }
            if(StringUtil.isNotEmpty(savePath)){
                res.code = 200;
--- a/jshERP-boot/src/main/java/com/jsh/erp/service/systemConfig/SystemConfigService.java
+++ b/jshERP-boot/src/main/java/com/jsh/erp/service/systemConfig/SystemConfigService.java
@@ -177,14 +177,17 @@ public class SystemConfigService {
     * 本地文件上传
     * @param mf 文件
     * @param bizPath  自定义路径
-     * @param name  自定义文件名
     * @return
     */
-    public String uploadLocal(MultipartFile mf, String bizPath, String name, HttpServletRequest request) throws Exception {
+    public String uploadLocal(MultipartFile mf, String bizPath, HttpServletRequest request) throws Exception {
        try {
            if(StringUtil.isEmpty(bizPath)){
                bizPath = "";
            }
+            // Validate bizPath to prevent directory traversal
+            if (bizPath.contains("..") || bizPath.contains("/")) {
+                throw new IllegalArgumentException("Invalid bizPath");
+            }
            String token = request.getHeader("X-Access-Token");
            Long tenantId = Tools.getTenantIdByToken(token);
            bizPath = bizPath + File.separator + tenantId;
@@ -196,28 +199,30 @@ public class SystemConfigService {
            }
            String orgName = mf.getOriginalFilename();// 获取文件名
            orgName = FileUtils.getFileName(orgName);
-            if(orgName.contains(".")){
-                if(StringUtil.isNotEmpty(name)) {
-                    fileName = name.substring(0, name.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
-                } else {
-                    fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
+
+            // Validate file extension to allow only specific types
+            String[] allowedExtensions = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".txt",".doc",".docx",".xls",".xlsx",
+                    ".ppt",".pptx",".zip",".rar",".mp3",".mp4",".avi"};
+            boolean isValidExtension = false;
+            for (String ext : allowedExtensions) {
+                if (orgName.toLowerCase().endsWith(ext)) {
+                    isValidExtension = true;
+                    break;
                }
+            }
+            if (!isValidExtension) {
+                throw new IllegalArgumentException("Invalid file type");
+            }
+
+            if(orgName.contains(".")){
+                fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
            }else{
                fileName = orgName+ "_" + System.currentTimeMillis();
            }
            String savePath = file.getPath() + File.separator + fileName;
            File savefile = new File(savePath);
            FileCopyUtils.copy(mf.getBytes(), savefile);
-            // 保存缩略图
-            // String fileUrl = getFileUrlLocal(bizPath + File.separator + fileName);
-            // InputStream imgInputStream = new BufferedInputStream(new FileInputStream(fileUrl));
-            // BufferedImage smallImage = getImageMini(imgInputStream, 80);
-            // int index = fileName.lastIndexOf(".");
-            // String ext = fileName.substring(index + 1);
-            // String smallUrl = filePath + "-small" + File.separator + bizPath + File.separator + fileName;
-            // FileUtils.createFile(smallUrl);
-            // File saveSmallFile = new File(smallUrl);
-            // ImageIO.write(smallImage, ext, saveSmallFile);
+
            // 返回路径
            String dbpath = null;
            if(StringUtil.isNotEmpty(bizPath)){
@@ -239,13 +244,16 @@ public class SystemConfigService {
     * 阿里Oss文件上传
     * @param mf 文件
     * @param bizPath  自定义路径
-     * @param name  自定义文件名
     * @return
     */
-    public String uploadAliOss(MultipartFile mf, String bizPath, String name, HttpServletRequest request) throws Exception {
+    public String uploadAliOss(MultipartFile mf, String bizPath, HttpServletRequest request) throws Exception {
        if(StringUtil.isEmpty(bizPath)){
            bizPath = "";
        }
+        // Validate bizPath to prevent directory traversal
+        if (bizPath.contains("..") || bizPath.contains("/")) {
+            throw new IllegalArgumentException("Invalid bizPath");
+        }
        String token = request.getHeader("X-Access-Token");
        Long tenantId = Tools.getTenantIdByToken(token);
        bizPath = bizPath + "/" + tenantId;
@@ -257,12 +265,23 @@ public class SystemConfigService {
        String fileName = "";
        String orgName = mf.getOriginalFilename();// 获取文件名
        orgName = FileUtils.getFileName(orgName);
-        if(orgName.contains(".")){
-            if(StringUtil.isNotEmpty(name)) {
-                fileName = name.substring(0, name.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
-            } else {
-                fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
+
+        // Validate file extension to allow only specific types
+        String[] allowedExtensions = {".gif", ".jpg", ".jpeg", ".png", ".pdf", ".txt",".doc",".docx",".xls",".xlsx",
+                ".ppt",".pptx",".zip",".rar",".mp3",".mp4",".avi"};
+        boolean isValidExtension = false;
+        for (String ext : allowedExtensions) {
+            if (orgName.toLowerCase().endsWith(ext)) {
+                isValidExtension = true;
+                break;
            }
+        }
+        if (!isValidExtension) {
+            throw new IllegalArgumentException("Invalid file type");
+        }
+
+        if(orgName.contains(".")){
+            fileName = orgName.substring(0, orgName.lastIndexOf(".")) + "_" + System.currentTimeMillis() + orgName.substring(orgName.indexOf("."));
        }else{
            fileName = orgName+ "_" + System.currentTimeMillis();
        }