refactor: 文件路径校验,防止路径穿越问题

fit2-zhao 2023-09-26 14:51:37 +08:00 committed by fit2-zhao
parent 37b7fd75fd
commit 77fc18b6f7
2 changed files with 4 additions and 1 deletions


@ -57,6 +57,7 @@ public class LocalFileRepository implements FileRepository {
@Override @Override
public void deleteFolder(FileRequest request) throws Exception { public void deleteFolder(FileRequest request) throws Exception {
MsFileUtils.validateFileName(request.getProjectId(), request.getFileName());
this.delete(request); this.delete(request);
} }
@ -81,10 +82,12 @@ public class LocalFileRepository implements FileRepository {
} }
private String getFilePath(FileRequest request) { private String getFilePath(FileRequest request) {
MsFileUtils.validateFileName(request.getProjectId(), request.getFileName());
return StringUtils.join(getFileDir(request), "/", request.getFileName()); return StringUtils.join(getFileDir(request), "/", request.getFileName());
} }
private String getFileDir(FileRequest request) { private String getFileDir(FileRequest request) {
MsFileUtils.validateFileName(request.getProjectId(), request.getFileName());
return StringUtils.join(MsFileUtils.DATE_ROOT_DIR, "/", request.getProjectId()); return StringUtils.join(MsFileUtils.DATE_ROOT_DIR, "/", request.getProjectId());
} }
} }
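Review bot: The guard added to `getFilePath` and `getFileDir` is a substring test on the raw request strings, so the path that `getFilePath` returns is never checked against the directory it is meant to stay in. A structural check on the normalized path would not depend on which patterns `validateFileName` happens to know about. `getFilePath` also validates twice, once directly and once through `getFileDir`, and `deleteFolder` presumably adds a third pass if `delete` (outside the hunk) builds its path with `getFilePath`. The sketch below resolves the project id and file name against `MsFileUtils.DATE_ROOT_DIR` and rejects anything that leaves the project directory. It needs `java.nio.file.Path`/`Paths` plus `MSException`/`Translator` as used in `MsFileUtils`, and it assumes `getProjectId()` and `getFileName()` are non-null at this point.

```java
private String getFilePath(FileRequest request) {
    // Containment check on the normalized path instead of a pattern match on the raw strings.
    Path root = Paths.get(MsFileUtils.DATE_ROOT_DIR).toAbsolutePath().normalize();
    Path projectDir = root.resolve(request.getProjectId()).normalize();
    Path target = projectDir.resolve(request.getFileName()).normalize();
    if (!projectDir.startsWith(root) || !target.startsWith(projectDir)) {
        throw new MSException(Translator.get("invalid_parameter"));
    }
    return StringUtils.join(getFileDir(request), "/", request.getFileName());
}
```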


@ -14,7 +14,7 @@ public class MsFileUtils {
public static void validateFileName(String... fileNames) { public static void validateFileName(String... fileNames) {
if (fileNames != null) { if (fileNames != null) {
for (String fileName : fileNames) { for (String fileName : fileNames) {
if (StringUtils.isNotEmpty(fileName) && StringUtils.contains(fileName, "." + File.separator)) { if (StringUtils.isNotBlank(fileName) && StringUtils.contains(fileName, "." + File.separator)) {
throw new MSException(Translator.get("invalid_parameter")); throw new MSException(Translator.get("invalid_parameter"));
} }
} }
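Review bot: The condition in `validateFileName` only matches `.` followed by `File.separator`, so the result depends on the platform separator and a `..` segment with nothing after it is not matched, while `LocalFileRepository` on this page joins paths with a literal `/`. Consider testing both separator characters regardless of platform, plus the bare segment, e.g. `boolean bad = fileName.equals("..") || fileName.endsWith("/..") || fileName.contains("./") || fileName.contains(".\\");`. With `isNotBlank`, a whitespace-only name now skips the check instead of being tested; if that is intended, a comment such as `// blank names are skipped here, not rejected` would make it explicit. The method's closing braces fall outside the hunk.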