From 60558fce6e4af7fa2c7b951e0605087c02c508e9 Mon Sep 17 00:00:00 2001
From: song-tianyang
Date: Tue, 27 Dec 2022 15:05:40 +0800
Subject: [PATCH] =?UTF-8?q?fix(=E6=96=87=E4=BB=B6=E7=AE=A1=E7=90=86):=20?=
 =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E4=B8=8A=E4=BC=A0=E6=96=87=E4=BB=B6=E5=90=8D?=
 =?UTF-8?q?=E7=9A=84=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

增加上传文件名的校验
---
 .../java/io/metersphere/commons/utils/FileUtils.java | 11 +++++++++++
 .../metadata/repository/LocalFileRepository.java | 5 +++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java
index 60007eaa60..c69259f849 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FileUtils.java
@@ -32,6 +32,11 @@ public class FileUtils {
     public static final String ATTACHMENT_DIR = "/opt/metersphere/data/attachment";
     public static final String ATTACHMENT_TMP_DIR = "/opt/metersphere/data/attachment/tmp";
+    public static void validateFileName(String fileName) {
+        if (StringUtils.isNotEmpty(fileName) && fileName.contains(File.separator)) {
+            MSException.throwException(Translator.get("invalid_parameter"));
+        }
+    }
     public static byte[] listBytesToZip(Map mapReport) {
         try {
@@ -55,6 +60,7 @@ public class FileUtils {
     }
     public static void createFile(String filePath, byte[] fileBytes) {
+        validateFileName(filePath);
         File file = new File(filePath);
         if (file.exists()) {
             file.delete();
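Review bot: `validateFileName` rejects only names containing `File.separator`, so on the Linux deployment the `/opt/metersphere/...` constants point at, a name of `..` passes and the later `new File(path + File.separator + item.getOriginalFilename())` (the `bodyFiles.forEach` hunk at 141) and `StringUtils.join(path, File.separator, request.getFileName())` (LocalFileRepository) resolve to the parent directory; on Windows `java.io.File` also treats `/` as a separator, which this check does not catch. The check should constrain the value to a single path element independent of platform: reject both separator characters and the `.`/`..` names. Null and empty names deliberately pass here, so callers that use the name as the whole leaf have to handle those themselves.

```java
public static void validateFileName(String fileName) {
    if (StringUtils.isEmpty(fileName)) {
        return;
    }
    // A file name must be a single path element on every platform: no
    // separator of either style and no self/parent directory reference.
    if (fileName.contains("/") || fileName.contains("\\")
            || fileName.equals(".") || fileName.equals("..")) {
        MSException.throwException(Translator.get("invalid_parameter"));
    }
}
```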
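Review bot: `validateFileName(filePath)` in the `createFile(String, byte[])` hunk checks the full path that `new File(filePath)` opens on the next line, and a full path almost always contains `File.separator`, so this call appears to make the method throw for every ordinary caller rather than harden it (unless all callers pass bare names, which the hunk cannot show). The separator check belongs on the untrusted leaf component before it is joined into a path, and that component cannot be recovered from `filePath` here; either move the `validateFileName` call to the callers that compose `filePath` from user input, or replace this line with a containment check once the `File` exists, such as `if (!file.toPath().toAbsolutePath().normalize().startsWith(ALLOWED_BASE_DIR_PLACEHOLDER)) { MSException.throwException(Translator.get("invalid_parameter")); }`, where the placeholder is the base `Path` the caller is allowed to write under. The method body continues past the hunk.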
@@ -93,6 +99,7 @@ public class FileUtils {
             }
             for (int i = 0; i < bodyUploadIds.size(); i++) {
                 MultipartFile item = bodyFiles.get(i);
+                validateFileName(item.getOriginalFilename());
                 File file = new File(filePath + File.separator + bodyUploadIds.get(i) + "_" + item.getOriginalFilename());
                 try (InputStream in = item.getInputStream(); OutputStream out = new FileOutputStream(file)) {
                     file.createNewFile();
@@ -112,6 +119,7 @@ public class FileUtils {
     public static String create(String id, MultipartFile item) {
         String filePath = BODY_FILE_DIR + "/plugin";
         if (item != null) {
+            validateFileName(item.getOriginalFilename());
             File testDir = new File(filePath);
             if (!testDir.exists()) {
                 testDir.mkdirs();
@@ -141,6 +149,7 @@ public class FileUtils {
             testDir.mkdirs();
         }
         bodyFiles.forEach(item -> {
+            validateFileName(item.getOriginalFilename());
             File file = new File(path + File.separator + item.getOriginalFilename());
             try (InputStream in = item.getInputStream(); OutputStream out = new FileOutputStream(file)) {
                 file.createNewFile();
@@ -259,6 +268,7 @@ public class FileUtils {
     }
     public static String createFile(MultipartFile bodyFile) {
+        validateFileName(bodyFile.getOriginalFilename());
         String dir = "/opt/metersphere/data/body/tmp/";
         File fileDir = new File(dir);
         if (!fileDir.exists()) {
@@ -290,6 +300,7 @@ public class FileUtils {
     }
     public static String uploadFile(MultipartFile uploadFile, String path, String name) {
+        validateFileName(name);
         if (uploadFile == null) {
             return null;
         }
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/repository/LocalFileRepository.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/repository/LocalFileRepository.java
index a16e5c01be..c02092bff2 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/repository/LocalFileRepository.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/repository/LocalFileRepository.java
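Review bot: In the `bodyFiles.forEach` hunk at 141, an empty or null `getOriginalFilename()` passes `validateFileName` (it short-circuits on `isNotEmpty`) and the next line then builds `path + File.separator + null`, i.e. a file literally named `null`, or for an empty name a path ending in the separator that denotes the directory itself. `createFile(MultipartFile)` at 259 and `uploadFile` at 290 validate the same way, but their bodies continue outside the hunks so I cannot tell whether they fall back to another name. Where the original filename is the whole leaf, reject blank names before composing the path: `if (StringUtils.isBlank(item.getOriginalFilename())) { MSException.throwException(Translator.get("invalid_parameter")); }`. In the indexed loop at 93 the name is prefixed with `bodyUploadIds.get(i) + "_"`, so the worst case there is an oddly named file rather than a wrong target.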
@@ -127,12 +127,13 @@ public class LocalFileRepository implements FileRepository {
     private File createFile(FileRequest request) {
-        String path = StringUtils.join(FileUtils.BODY_FILE_DIR, "/", request.getProjectId());
+        FileUtils.validateFileName(request.getFileName());
+        String path = StringUtils.join(FileUtils.BODY_FILE_DIR, File.separator, request.getProjectId());
         File fileDir = new File(path);
         if (!fileDir.exists()) {
             fileDir.mkdirs();
         }
-        File file = new File(StringUtils.join(path, "/", request.getFileName()));
+        File file = new File(StringUtils.join(path, File.separator, request.getFileName()));
         return file;
     }
 }
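Review bot: `request.getProjectId()` is joined into the directory path on the new `String path = ...` line without the check the new code applies to `request.getFileName()`, so if the project id in `FileRequest` can be supplied by the caller, separators or `..` in it still escape `FileUtils.BODY_FILE_DIR`; whether it is user-controlled is not visible from the hunk. Validating it the same way is one line, `FileUtils.validateFileName(request.getProjectId());`, placed next to the existing call. `validateFileName` itself only rejects `File.separator`, so a file name of `..` still passes and `StringUtils.join(path, File.separator, request.getFileName())` then resolves to the parent of the project directory; a final containment check on the result, `file.toPath().normalize().startsWith(java.nio.file.Paths.get(FileUtils.BODY_FILE_DIR))` before `return file;`, would close both gaps regardless of how the individual components are validated.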