diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java
index 60007eaa60..c69259f849 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java
@@ -32,6 +32,11 @@ public class FileUtils {
     public static final String ATTACHMENT_DIR = "/opt/metersphere/data/attachment";
     public static final String ATTACHMENT_TMP_DIR = "/opt/metersphere/data/attachment/tmp";
 
+    public static void validateFileName(String fileName) {
+        if (StringUtils.isNotEmpty(fileName) && fileName.contains(File.separator)) {
+            MSException.throwException(Translator.get("invalid_parameter"));
+        }
+    }
 
     public static byte[] listBytesToZip(Map mapReport) {
         try {
@@ -55,6 +60,7 @@ public class FileUtils {
     }
 
     public static void createFile(String filePath, byte[] fileBytes) {
+        validateFileName(filePath);
         File file = new File(filePath);
         if (file.exists()) {
             file.delete();
@@ -93,6 +99,7 @@ public class FileUtils {
         }
         for (int i = 0; i < bodyUploadIds.size(); i++) {
             MultipartFile item = bodyFiles.get(i);
+            validateFileName(item.getOriginalFilename());
             File file = new File(filePath + File.separator + bodyUploadIds.get(i) + "_" + item.getOriginalFilename());
             try (InputStream in = item.getInputStream(); OutputStream out = new FileOutputStream(file)) {
                 file.createNewFile();
@@ -112,6 +119,7 @@ public class FileUtils {
     public static String create(String id, MultipartFile item) {
         String filePath = BODY_FILE_DIR + "/plugin";
         if (item != null) {
+            validateFileName(item.getOriginalFilename());
             File testDir = new File(filePath);
             if (!testDir.exists()) {
                 testDir.mkdirs();
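Review bot: `validateFileName` rejects only names containing `File.separator`, so the check is platform-dependent: on a Linux host a name containing a backslash passes, and the whole-name values `.` and `..` pass as well because they contain no separator, while every call site then builds the target path by string concatenation. A stricter validator would reject both separators and the dot names, e.g. `if (fileName.contains("/") || fileName.contains("\\") || ".".equals(fileName) || "..".equals(fileName))`, or better still the call sites should resolve the name against the intended base directory and verify `base.resolve(fileName).normalize().startsWith(base)` before opening the file. The `isNotEmpty` guard also lets a null `getOriginalFilename()` through, which the concatenation in the later hunk of this file turns into a file literally named `<id>_null`; consider rejecting empty names rather than skipping them. The same validator backs every later hunk in this file and the one in LocalFileRepository, so its gaps apply there too.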
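Review bot: In `createFile(String filePath, byte[] fileBytes)` the new `validateFileName(filePath)` is applied to the whole path, yet the very next line `new File(filePath)` suggests callers pass a complete path rather than a bare name; if that is so, any path containing a separator now throws `invalid_parameter` and the method can no longer write anywhere under a directory. Presumably the intent was to validate the user-supplied name component before it is joined into `filePath`, which has to happen in the callers that compose the path, not here; please confirm what callers actually pass. The method body continues outside the hunk.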
@@ -141,6 +149,7 @@ public class FileUtils {
                 testDir.mkdirs();
             }
             bodyFiles.forEach(item -> {
+                validateFileName(item.getOriginalFilename());
                 File file = new File(path + File.separator + item.getOriginalFilename());
                 try (InputStream in = item.getInputStream(); OutputStream out = new FileOutputStream(file)) {
                     file.createNewFile();
@@ -259,6 +268,7 @@ public class FileUtils {
     }
 
     public static String createFile(MultipartFile bodyFile) {
+        validateFileName(bodyFile.getOriginalFilename());
         String dir = "/opt/metersphere/data/body/tmp/";
         File fileDir = new File(dir);
         if (!fileDir.exists()) {
@@ -290,6 +300,7 @@ public class FileUtils {
     }
 
     public static String uploadFile(MultipartFile uploadFile, String path, String name) {
+        validateFileName(name);
         if (uploadFile == null) {
             return null;
         }
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/repository/LocalFileRepository.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/repository/LocalFileRepository.java
index a16e5c01be..c02092bff2 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/repository/LocalFileRepository.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/repository/LocalFileRepository.java
@@ -127,12 +127,13 @@ public class LocalFileRepository implements FileRepository {
 
     private File createFile(FileRequest request) {
-        String path = StringUtils.join(FileUtils.BODY_FILE_DIR, "/", request.getProjectId());
+        FileUtils.validateFileName(request.getFileName());
+        String path = StringUtils.join(FileUtils.BODY_FILE_DIR, File.separator, request.getProjectId());
         File fileDir = new File(path);
         if (!fileDir.exists()) {
             fileDir.mkdirs();
         }
-        File file = new File(StringUtils.join(path, "/", request.getFileName()));
+        File file = new File(StringUtils.join(path, File.separator, request.getFileName()));
         return file;
     }
 }
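Review bot: `LocalFileRepository.createFile` validates `request.getFileName()` but joins `request.getProjectId()` into the directory path on the following line with no check at all; if the project id is taken from the request rather than from a server-side lookup, a separator-bearing value would leave `BODY_FILE_DIR` just as an unchecked file name would, so validate it alongside, `FileUtils.validateFileName(request.getProjectId());`, or derive the directory from a trusted project record. The same pattern appears in the `uploadFile(MultipartFile, String path, String name)` hunk earlier in this diff, which validates `name` but not `path`; its body continues outside the hunk, so whether `path` is caller-controlled cannot be confirmed here. The switch from `"/"` to `File.separator` in both joins is what keeps this code consistent with the validator's separator-only check, which is worth a one-line comment since the two must stay in step.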