fix(文件管理): 增加上传文件名的校验

增加上传文件名的校验
This commit is contained in:
song-tianyang 2022-12-27 15:05:40 +08:00 committed by 建国
parent a3a4642ca2
commit 60558fce6e
2 changed files with 14 additions and 2 deletions


@ -32,6 +32,11 @@ public class FileUtils {
public static final String ATTACHMENT_DIR = "/opt/metersphere/data/attachment"; public static final String ATTACHMENT_DIR = "/opt/metersphere/data/attachment";
public static final String ATTACHMENT_TMP_DIR = "/opt/metersphere/data/attachment/tmp"; public static final String ATTACHMENT_TMP_DIR = "/opt/metersphere/data/attachment/tmp";
public static void validateFileName(String fileName) {
if (StringUtils.isNotEmpty(fileName) && fileName.contains(File.separator)) {
MSException.throwException(Translator.get("invalid_parameter"));
}
}
public static byte[] listBytesToZip(Map<String, byte[]> mapReport) { public static byte[] listBytesToZip(Map<String, byte[]> mapReport) {
try { try {
@ -55,6 +60,7 @@ public class FileUtils {
} }
public static void createFile(String filePath, byte[] fileBytes) { public static void createFile(String filePath, byte[] fileBytes) {
validateFileName(filePath);
File file = new File(filePath); File file = new File(filePath);
if (file.exists()) { if (file.exists()) {
file.delete(); file.delete();
@ -93,6 +99,7 @@ public class FileUtils {
} }
for (int i = 0; i < bodyUploadIds.size(); i++) { for (int i = 0; i < bodyUploadIds.size(); i++) {
MultipartFile item = bodyFiles.get(i); MultipartFile item = bodyFiles.get(i);
validateFileName(item.getOriginalFilename());
File file = new File(filePath + File.separator + bodyUploadIds.get(i) + "_" + item.getOriginalFilename()); File file = new File(filePath + File.separator + bodyUploadIds.get(i) + "_" + item.getOriginalFilename());
try (InputStream in = item.getInputStream(); OutputStream out = new FileOutputStream(file)) { try (InputStream in = item.getInputStream(); OutputStream out = new FileOutputStream(file)) {
file.createNewFile(); file.createNewFile();
@ -112,6 +119,7 @@ public class FileUtils {
public static String create(String id, MultipartFile item) { public static String create(String id, MultipartFile item) {
String filePath = BODY_FILE_DIR + "/plugin"; String filePath = BODY_FILE_DIR + "/plugin";
if (item != null) { if (item != null) {
validateFileName(item.getOriginalFilename());
File testDir = new File(filePath); File testDir = new File(filePath);
if (!testDir.exists()) { if (!testDir.exists()) {
testDir.mkdirs(); testDir.mkdirs();
@ -141,6 +149,7 @@ public class FileUtils {
testDir.mkdirs(); testDir.mkdirs();
} }
bodyFiles.forEach(item -> { bodyFiles.forEach(item -> {
validateFileName(item.getOriginalFilename());
File file = new File(path + File.separator + item.getOriginalFilename()); File file = new File(path + File.separator + item.getOriginalFilename());
try (InputStream in = item.getInputStream(); OutputStream out = new FileOutputStream(file)) { try (InputStream in = item.getInputStream(); OutputStream out = new FileOutputStream(file)) {
file.createNewFile(); file.createNewFile();
@ -259,6 +268,7 @@ public class FileUtils {
} }
public static String createFile(MultipartFile bodyFile) { public static String createFile(MultipartFile bodyFile) {
validateFileName(bodyFile.getOriginalFilename());
String dir = "/opt/metersphere/data/body/tmp/"; String dir = "/opt/metersphere/data/body/tmp/";
File fileDir = new File(dir); File fileDir = new File(dir);
if (!fileDir.exists()) { if (!fileDir.exists()) {
@ -290,6 +300,7 @@ public class FileUtils {
} }
public static String uploadFile(MultipartFile uploadFile, String path, String name) { public static String uploadFile(MultipartFile uploadFile, String path, String name) {
validateFileName(name);
if (uploadFile == null) { if (uploadFile == null) {
return null; return null;
} }
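Review bot: The call `validateFileName(filePath)` added to `createFile(String filePath, byte[] fileBytes)` applies a file-name rule to a full path: on Linux `File.separator` is `/`, so any absolute `filePath` such as the `/opt/metersphere/...` constants in this class contains it and the method will throw `invalid_parameter` for every caller that passes a real path, unless callers only ever pass bare names. The check belongs on the caller-supplied name segment before it is joined into the path, not on the joined result. Separately, `validateFileName` only rejects the platform separator, so on Windows a name containing `/` (which `java.io.File` also treats as a separator) still traverses; rejecting both characters, `fileName.contains("/") || fileName.contains("\\")`, makes the rule platform-independent. The body of `uploadFile` continues past the end of the hunk.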


@ -127,12 +127,13 @@ public class LocalFileRepository implements FileRepository {
private File createFile(FileRequest request) { private File createFile(FileRequest request) {
String path = StringUtils.join(FileUtils.BODY_FILE_DIR, "/", request.getProjectId()); FileUtils.validateFileName(request.getFileName());
String path = StringUtils.join(FileUtils.BODY_FILE_DIR, File.separator, request.getProjectId());
File fileDir = new File(path); File fileDir = new File(path);
if (!fileDir.exists()) { if (!fileDir.exists()) {
fileDir.mkdirs(); fileDir.mkdirs();
} }
File file = new File(StringUtils.join(path, "/", request.getFileName())); File file = new File(StringUtils.join(path, File.separator, request.getFileName()));
return file; return file;
} }
} }
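Review bot: `request.getProjectId()` is still joined into the directory path on the new line `String path = StringUtils.join(FileUtils.BODY_FILE_DIR, File.separator, request.getProjectId());` without the check the commit adds for `getFileName()`; if the project id comes from the client request rather than a server-side lookup, a value containing a separator or `..` escapes `BODY_FILE_DIR` exactly as the file name did, and `mkdirs()` creates the directories on the way. Either validate it the same way, `FileUtils.validateFileName(request.getProjectId());`, or add a comment at the top of `createFile` stating that `projectId` is trusted and where it is validated. A canonical-prefix check on the final `File`, `file.getCanonicalPath().startsWith(new File(FileUtils.BODY_FILE_DIR).getCanonicalPath() + File.separator)`, would cover both fields regardless of where they originate.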