From bc7d072e6a1ef5abe9521e8207839bd5cbb58157 Mon Sep 17 00:00:00 2001
From: fit2cloud-chenyw
Date: Mon, 3 Jul 2023 10:17:39 +0800
Subject: [PATCH] =?UTF-8?q?fix(=E6=8F=92=E4=BB=B6=E7=AE=A1=E7=90=86):=20?=
 =?UTF-8?q?=E6=8F=92=E4=BB=B6=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9E#5559?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../java/io/dataease/commons/utils/DeFileUtils.java | 13 +++++++++++++
 .../controller/sys/SysPluginController.java | 7 +++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/backend/src/main/java/io/dataease/commons/utils/DeFileUtils.java b/backend/src/main/java/io/dataease/commons/utils/DeFileUtils.java
index 6adc42e9be..2dcee5fa41 100644
--- a/backend/src/main/java/io/dataease/commons/utils/DeFileUtils.java
+++ b/backend/src/main/java/io/dataease/commons/utils/DeFileUtils.java
@@ -1,5 +1,7 @@
 package io.dataease.commons.utils;
 
+import io.dataease.commons.exception.DEException;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.*;
@@ -41,6 +43,17 @@ public class DeFileUtils {
         if (dir.exists()) return ;
         dir.mkdirs();
     }
+
+    public static void validateFile(MultipartFile file) {
+        String name = getFileNameNoEx(file.getOriginalFilename());
+        if (StringUtils.contains(name, "./")) {
+            DEException.throwException("file path invalid");
+        }
+        String suffix = getExtensionName(file.getOriginalFilename());
+        if (!StringUtils.equalsIgnoreCase(suffix, "zip")) {
+            DEException.throwException("please upload valid zip file");
+        }
+    }
     /**
      * 将文件名解析成文件的上传路径
      */
diff --git a/backend/src/main/java/io/dataease/controller/sys/SysPluginController.java b/backend/src/main/java/io/dataease/controller/sys/SysPluginController.java
index 7f3b3e669f..d8e32122c4 100644
--- a/backend/src/main/java/io/dataease/controller/sys/SysPluginController.java
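Review bot: The traversal check in `validateFile` only rejects names containing `./`, so an original filename with a backslash separator (`..\x.zip`), an absolute path (`/tmp/x.zip`) or a plain subdirectory (`a/b.zip`) passes, and the test runs on the output of `getFileNameNoEx`, whose handling of a name without a dot is not visible here. An uploaded filename should never contain a path separator at all, so a stricter and simpler guard on the raw name is `String original = file.getOriginalFilename(); if (StringUtils.isBlank(original) || StringUtils.containsAny(original, '/', '\\') || StringUtils.contains(original, "..")) { DEException.throwException("file path invalid"); }`, with the extension test kept as it is. The zip check inspects only the extension; whether archive entries are validated when the plugin is unpacked is outside this hunk, presumably in `pluginService.localInstall`. A short Javadoc stating that the method rejects path separators and non-zip extensions and aborts via `DEException.throwException` would help callers.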
+++ b/backend/src/main/java/io/dataease/controller/sys/SysPluginController.java
@@ -3,10 +3,11 @@ package io.dataease.controller.sys;
 import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
 import io.dataease.auth.annotation.SqlInjectValidator;
-import io.dataease.plugins.common.base.domain.MyPlugin;
+import io.dataease.commons.utils.DeFileUtils;
 import io.dataease.commons.utils.PageUtils;
 import io.dataease.commons.utils.Pager;
 import io.dataease.controller.sys.base.BaseGridRequest;
+import io.dataease.plugins.common.base.domain.MyPlugin;
 import io.dataease.service.sys.PluginService;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
@@ -41,6 +42,7 @@ public class SysPluginController {
     @PostMapping("upload")
     @RequiresPermissions("plugin:upload")
     public Map localUpload(@RequestParam("file") MultipartFile file) throws Exception {
+        DeFileUtils.validateFile(file);
         return pluginService.localInstall(file);
     }
 
@@ -54,7 +56,8 @@ public class SysPluginController {
     @ApiOperation("更新插件")
     @PostMapping("/update/{pluginId}")
     @RequiresPermissions("plugin:upload")
-    public Map update(@PathVariable("pluginId") Long pluginId, @RequestParam("file") MultipartFile file) throws Exception{
+    public Map update(@PathVariable("pluginId") Long pluginId, @RequestParam("file") MultipartFile file) throws Exception {
+        DeFileUtils.validateFile(file);
         if (pluginService.uninstall(pluginId)) {
             return pluginService.localInstall(file);
         }
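Review bot: `DeFileUtils.validateFile(file)` is added at the two controller entry points (`localUpload` here and `update` in the following hunk) rather than inside `pluginService.localInstall`, so any other route that hands a `MultipartFile` to `localInstall` receives no check and the guard can silently drift away from the code that actually uses the filename. Calling `DeFileUtils.validateFile(file);` as the first statement of `localInstall` (keeping the controller calls as an early reject is harmless) ties the validation to the consumer; whether other callers exist is not visible in this diff. In `update` the check correctly runs before `pluginService.uninstall(pluginId)`, so a rejected upload no longer removes the existing plugin first; the body of `update` continues past the end of its hunk.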