refactor: 文件路径校验，防止路径穿越问题

2023-09-26 14:51:37 +08:00 · 2023-09-26 14:51:37 +08:00 · 77fc18b6f7
parent 37b7fd75fd
commit 77fc18b6f7
2 changed files with 4 additions and 1 deletions
--- a/backend/framework/sdk/src/main/java/io/metersphere/sdk/file/LocalFileRepository.java
+++ b/backend/framework/sdk/src/main/java/io/metersphere/sdk/file/LocalFileRepository.java
@ -57,6 +57,7 @@ public class LocalFileRepository implements FileRepository {

    @Override
    public void deleteFolder(FileRequest request) throws Exception {
+        MsFileUtils.validateFileName(request.getProjectId(), request.getFileName());
        this.delete(request);
    }

@ -81,10 +82,12 @@ public class LocalFileRepository implements FileRepository {
    }

    private String getFilePath(FileRequest request) {
+        MsFileUtils.validateFileName(request.getProjectId(), request.getFileName());
        return StringUtils.join(getFileDir(request), "/", request.getFileName());
    }

    private String getFileDir(FileRequest request) {
+        MsFileUtils.validateFileName(request.getProjectId(), request.getFileName());
        return StringUtils.join(MsFileUtils.DATE_ROOT_DIR, "/", request.getProjectId());
    }
 }
--- a/backend/framework/sdk/src/main/java/io/metersphere/sdk/util/MsFileUtils.java
+++ b/backend/framework/sdk/src/main/java/io/metersphere/sdk/util/MsFileUtils.java
@ -14,7 +14,7 @@ public class MsFileUtils {
    public static void validateFileName(String... fileNames) {
        if (fileNames != null) {
            for (String fileName : fileNames) {
-                if (StringUtils.isNotEmpty(fileName) && StringUtils.contains(fileName, "." + File.separator)) {
+                if (StringUtils.isNotBlank(fileName) && StringUtils.contains(fileName, "." + File.separator)) {
                    throw new MSException(Translator.get("invalid_parameter"));
                }
            }