From 76229a322ee69fdb0b1f03a7d0b244c71c77d617 Mon Sep 17 00:00:00 2001
From: song-cc-rock
Date: Mon, 26 Jun 2023 14:42:28 +0800
Subject: [PATCH] =?UTF-8?q?fix(=E6=B5=8B=E8=AF=95=E8=B7=9F=E8=B8=AA):=20?= =?UTF-8?q?=E7=94=A8=E4=BE=8B=E7=BC=BA=E9=99=B7=E9=99=84=E4=BB=B6=E4=B8=8A?= =?UTF-8?q?=E4=BC=A0=E7=B1=BB=E5=9E=8B=E6=B7=BB=E5=8A=A0=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../controller/AttachmentController.java | 15 +++++++++++++++
 .../io/metersphere/service/AttachmentService.java | 5 +++++
 2 files changed, 20 insertions(+)
diff --git a/test-track/backend/src/main/java/io/metersphere/controller/AttachmentController.java b/test-track/backend/src/main/java/io/metersphere/controller/AttachmentController.java
index 876e1a1c33..097905f70e 100644
--- a/test-track/backend/src/main/java/io/metersphere/controller/AttachmentController.java
+++ b/test-track/backend/src/main/java/io/metersphere/controller/AttachmentController.java
@@ -4,6 +4,9 @@ import io.metersphere.base.domain.FileAttachmentMetadata;
 import io.metersphere.commons.constants.OperLogConstants;
 import io.metersphere.commons.constants.OperLogModule;
 import io.metersphere.commons.constants.PermissionConstants;
+import io.metersphere.commons.exception.MSException;
+import io.metersphere.constants.AttachmentType;
+import io.metersphere.i18n.Translator;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.metadata.service.FileMetadataService;
 import io.metersphere.request.attachment.AttachmentDumpRequest;
@@ -97,6 +100,9 @@ public class AttachmentController {
 @MsAuditLog(module = OperLogModule.TRACK_TEST_CASE, type = OperLogConstants.UPDATE, content = "#msClass.getLogDetails(#request.belongId, #request.belongType, #request.metadataRefIds, true)", msClass = AttachmentService.class)
 @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ_EDIT)
 public void caseRelate(@RequestBody AttachmentRequest request) {
+ if (!AttachmentType.TEST_CASE.type().equals(request.getBelongType())) {
+ MSException.throwException(Translator.get("invalid_parameter"));
+ }
 attachmentService.relate(request);
 }
@@ -104,6 +110,9 @@ public class AttachmentController {
 @MsAuditLog(module = OperLogModule.TRACK_BUG, type = OperLogConstants.UPDATE, content = "#msClass.getLogDetails(#request.belongId, #request.belongType, #request.metadataRefIds, true)", msClass = AttachmentService.class)
 @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ_EDIT)
 public void issueRelate(@RequestBody AttachmentRequest request) {
+ if (!AttachmentType.ISSUE.type().equals(request.getBelongType())) {
+ MSException.throwException(Translator.get("invalid_parameter"));
+ }
 attachmentService.relate(request);
 }
@@ -111,6 +120,9 @@ public class AttachmentController {
 @MsAuditLog(module = OperLogModule.TRACK_TEST_CASE, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#request.belongId, #request.belongType, #request.metadataRefIds)", msClass = AttachmentService.class)
 @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ_EDIT)
 public void caseUnrelated(@RequestBody AttachmentRequest request) {
+ if (!AttachmentType.TEST_CASE.type().equals(request.getBelongType())) {
+ MSException.throwException(Translator.get("invalid_parameter"));
+ }
 attachmentService.unrelated(request);
 }
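Review bot: The guard added to `caseRelate` ties only `belongType` to the endpoint's permission; `belongId` and `metadataRefIds` still reach `attachmentService.relate(request)` with no check in these lines, so whether the referenced case or issue is one the caller may edit depends on service code the hunk does not show and is worth confirming. The same three-line guard is pasted into `issueRelate`, `caseUnrelated` and `issueUnrelated` (the `@@ -118,6 +130,9 @@` hunk); a private helper called as `checkBelongType(AttachmentType.TEST_CASE, request);` would keep the four endpoints from drifting apart. On the two unrelated handlers the `@MsAuditLog` `beforeEvent` expression reads `#request.belongType`; if that aspect is evaluated before the method body, it processes the value before this guard rejects it, which may deserve a look.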
@@ -118,6 +130,9 @@ public class AttachmentController {
 @MsAuditLog(module = OperLogModule.TRACK_BUG, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#request.belongId, #request.belongType, #request.metadataRefIds)", msClass = AttachmentService.class)
 @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ_EDIT)
 public void issueUnrelated(@RequestBody AttachmentRequest request) {
+ if (!AttachmentType.ISSUE.type().equals(request.getBelongType())) {
+ MSException.throwException(Translator.get("invalid_parameter"));
+ }
 attachmentService.unrelated(request);
 }
diff --git a/test-track/backend/src/main/java/io/metersphere/service/AttachmentService.java b/test-track/backend/src/main/java/io/metersphere/service/AttachmentService.java
index 5b73d89901..6dca920039 100644
--- a/test-track/backend/src/main/java/io/metersphere/service/AttachmentService.java
+++ b/test-track/backend/src/main/java/io/metersphere/service/AttachmentService.java
@@ -87,6 +87,8 @@ public class AttachmentService {
 if (testCase == null) {
 MSException.throwException(Translator.get("test_case_attachment_upload_not_found") + request.getBelongId());
 }
+ } else {
+ MSException.throwException(Translator.get("invalid_parameter"));
 }
 // 上传MS平台
@@ -451,6 +453,9 @@ public class AttachmentService {
 }
 public FileAttachmentMetadata saveAttachment(MultipartFile file, String attachmentType, String belongId) {
+ if (attachmentType.contains("/") || belongId.contains("/")) {
+ MSException.throwException(Translator.get("invalid_parameter"));
+ }
 String uploadPath = FileUtils.ATTACHMENT_DIR + "/" + attachmentType + "/" + belongId;
 FileUtils.uploadFile(file, uploadPath);
 final FileAttachmentMetadata fileAttachmentMetadata = new FileAttachmentMetadata();
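Review bot: The slash check added at the top of `saveAttachment` is a denylist that leaves other ways for a segment to step outside the attachment directory: a value of `..` contains no `/` and passes, as does a backslash on hosts where it is a separator, and a null `attachmentType` or `belongId` raises a NullPointerException instead of the `invalid_parameter` error. Resolving the target and requiring it to sit exactly two levels below `FileUtils.ATTACHMENT_DIR` covers these cases without guessing the ID format. The sketch below needs `java.nio.file.Path` and `Paths` imported and assumes `ATTACHMENT_DIR` is a String, as the concatenation suggests. The rest of `saveAttachment` lies outside the hunk.

```java
public FileAttachmentMetadata saveAttachment(MultipartFile file, String attachmentType, String belongId) {
    if (attachmentType == null || belongId == null) {
        MSException.throwException(Translator.get("invalid_parameter"));
    }
    // Each argument must contribute exactly one path segment under the attachment root.
    Path root = Paths.get(FileUtils.ATTACHMENT_DIR).toAbsolutePath().normalize();
    Path target = root.resolve(attachmentType).resolve(belongId).normalize();
    if (!target.startsWith(root) || target.getNameCount() != root.getNameCount() + 2) {
        MSException.throwException(Translator.get("invalid_parameter"));
    }
    String uploadPath = FileUtils.ATTACHMENT_DIR + "/" + attachmentType + "/" + belongId;
    // … unchanged: FileUtils.uploadFile and metadata construction …
```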