fix(文件管理): 增加上传文件名的校验

增加上传文件名的校验
2022-12-27 15:05:40 +08:00 · 2022-12-27 15:05:40 +08:00 · 60558fce6e
parent a3a4642ca2
commit 60558fce6e
2 changed files with 14 additions and 2 deletions
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java
@ -32,6 +32,11 @@ public class FileUtils {
    public static final String ATTACHMENT_DIR = "/opt/metersphere/data/attachment";
    public static final String ATTACHMENT_TMP_DIR = "/opt/metersphere/data/attachment/tmp";

+    public static void validateFileName(String fileName) {
+        if (StringUtils.isNotEmpty(fileName) && fileName.contains(File.separator)) {
+            MSException.throwException(Translator.get("invalid_parameter"));
+        }
+    }

    public static byte[] listBytesToZip(Map<String, byte[]> mapReport) {
        try {
@ -55,6 +60,7 @@ public class FileUtils {
    }

    public static void createFile(String filePath, byte[] fileBytes) {
+        validateFileName(filePath);
        File file = new File(filePath);
        if (file.exists()) {
            file.delete();
@ -93,6 +99,7 @@ public class FileUtils {
            }
            for (int i = 0; i < bodyUploadIds.size(); i++) {
                MultipartFile item = bodyFiles.get(i);
+                validateFileName(item.getOriginalFilename());
                File file = new File(filePath + File.separator + bodyUploadIds.get(i) + "_" + item.getOriginalFilename());
                try (InputStream in = item.getInputStream(); OutputStream out = new FileOutputStream(file)) {
                    file.createNewFile();
@ -112,6 +119,7 @@ public class FileUtils {
    public static String create(String id, MultipartFile item) {
        String filePath = BODY_FILE_DIR + "/plugin";
        if (item != null) {
+            validateFileName(item.getOriginalFilename());
            File testDir = new File(filePath);
            if (!testDir.exists()) {
                testDir.mkdirs();
@ -141,6 +149,7 @@ public class FileUtils {
                testDir.mkdirs();
            }
            bodyFiles.forEach(item -> {
+                validateFileName(item.getOriginalFilename());
                File file = new File(path + File.separator + item.getOriginalFilename());
                try (InputStream in = item.getInputStream(); OutputStream out = new FileOutputStream(file)) {
                    file.createNewFile();
@ -259,6 +268,7 @@ public class FileUtils {
    }

    public static String createFile(MultipartFile bodyFile) {
+        validateFileName(bodyFile.getOriginalFilename());
        String dir = "/opt/metersphere/data/body/tmp/";
        File fileDir = new File(dir);
        if (!fileDir.exists()) {
@ -290,6 +300,7 @@ public class FileUtils {
    }

    public static String uploadFile(MultipartFile uploadFile, String path, String name) {
+        validateFileName(name);
        if (uploadFile == null) {
            return null;
        }
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/repository/LocalFileRepository.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/repository/LocalFileRepository.java
@ -127,12 +127,13 @@ public class LocalFileRepository implements FileRepository {


    private File createFile(FileRequest request) {
-        String path = StringUtils.join(FileUtils.BODY_FILE_DIR, "/", request.getProjectId());
+        FileUtils.validateFileName(request.getFileName());
+        String path = StringUtils.join(FileUtils.BODY_FILE_DIR, File.separator, request.getProjectId());
        File fileDir = new File(path);
        if (!fileDir.exists()) {
            fileDir.mkdirs();
        }
-        File file = new File(StringUtils.join(path, "/", request.getFileName()));
+        File file = new File(StringUtils.join(path, File.separator, request.getFileName()));
        return file;
    }
 }