fix: 修复任意文件上传漏洞

2024-03-04 17:00:44 +08:00 · 2024-03-04 17:00:44 +08:00 · 1aace1ff13
commit 1aace1ff13
parent 33efdd2bfa
1 changed files with 6 additions and 0 deletions
--- a/core/backend/src/main/java/io/dataease/service/sys/PluginService.java
+++ b/core/backend/src/main/java/io/dataease/service/sys/PluginService.java
@ -64,6 +64,11 @@ public class PluginService {
        return extSysPluginMapper.query(request);
    }

+    private void checkFileName(String fileName){
+        if(StringUtils.isEmpty(fileName) || !fileName.endsWith(".jar") || fileName.contains("../")){
+            DataEaseException.throwException("非法的文件名: " + fileName);
+        }
+    }
    public void systemUpgrade() {
        extSysPluginMapper.updateVersion(version);
    }
@ -75,6 +80,7 @@ public class PluginService {
     * @return
     */
    public Map<String, Object> localInstall(MultipartFile file) throws Exception {
+        checkFileName(file.getOriginalFilename());
        //1.上传文件到服务器pluginDir目录下
        File dest = DeFileUtils.upload(file, pluginDir + "temp/");
        //2.解压目标文件dest 得到plugin.json和jar