fix(缺陷管理): 文件Path Manipulation漏洞修复

song-cc-rock 2024-04-19 23:35:00 +08:00 committed by Craftsman
parent c4744ceeb2
commit 820862bcaf
2 changed files with 10 additions and 8 deletions


@ -43,6 +43,7 @@ import io.metersphere.system.uid.IDGenerator;
import jakarta.annotation.Resource; import jakarta.annotation.Resource;
import org.apache.commons.collections.MapUtils; import org.apache.commons.collections.MapUtils;
import org.apache.commons.io.FileUtils; import org.apache.commons.io.FileUtils;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders; import org.springframework.http.HttpHeaders;
@ -440,7 +441,7 @@ public class BugAttachmentService {
FileMetadata meta = fileMetadataMap.get(fileId); FileMetadata meta = fileMetadataMap.get(fileId);
if (meta != null) { if (meta != null) {
try { try {
File uploadTmpFile = new File(LocalRepositoryDir.getBugTmpDir() + "/" + meta.getName() + "." + meta.getType()); File uploadTmpFile = new File(FilenameUtils.normalize(LocalRepositoryDir.getBugTmpDir() + File.separator + meta.getName() + "." + meta.getType()));
byte[] fileByte = fileMetadataService.getFileByte(meta); byte[] fileByte = fileMetadataService.getFileByte(meta);
FileUtils.writeByteArrayToFile(uploadTmpFile, fileByte); FileUtils.writeByteArrayToFile(uploadTmpFile, fileByte);
linkSyncFiles.add(new SyncAttachmentToPlatformRequest(platformBugKey, uploadTmpFile, SyncAttachmentType.UPLOAD.syncOperateType())); linkSyncFiles.add(new SyncAttachmentToPlatformRequest(platformBugKey, uploadTmpFile, SyncAttachmentType.UPLOAD.syncOperateType()));
@ -482,7 +483,7 @@ public class BugAttachmentService {
fileService.upload(file, fileRequest); fileService.upload(file, fileRequest);
if (!StringUtils.equals(platformName, BugPlatform.LOCAL.getName())) { if (!StringUtils.equals(platformName, BugPlatform.LOCAL.getName())) {
// 非本地平台同步附件到平台 // 非本地平台同步附件到平台
File uploadTmpFile = new File(LocalRepositoryDir.getBugTmpDir() + "/" + file.getOriginalFilename()); File uploadTmpFile = new File(FilenameUtils.normalize(LocalRepositoryDir.getBugTmpDir() + File.separator + file.getOriginalFilename()));
FileUtils.writeByteArrayToFile(uploadTmpFile, file.getBytes()); FileUtils.writeByteArrayToFile(uploadTmpFile, file.getBytes());
localSyncFiles.add(new SyncAttachmentToPlatformRequest(platformBugKey, uploadTmpFile, SyncAttachmentType.UPLOAD.syncOperateType())); localSyncFiles.add(new SyncAttachmentToPlatformRequest(platformBugKey, uploadTmpFile, SyncAttachmentType.UPLOAD.syncOperateType()));
} }
@ -510,7 +511,7 @@ public class BugAttachmentService {
FileMetadata fileMetadata = fileMetadataMapper.selectByExample(example).get(0); FileMetadata fileMetadata = fileMetadataMapper.selectByExample(example).get(0);
// 取消关联的附件同步至平台 // 取消关联的附件同步至平台
if (!StringUtils.equals(platformName, BugPlatform.LOCAL.getName())) { if (!StringUtils.equals(platformName, BugPlatform.LOCAL.getName())) {
File deleteTmpFile = new File(LocalRepositoryDir.getBugTmpDir() + "/" + fileMetadata.getName() + "." + fileMetadata.getType()); File deleteTmpFile = new File(FilenameUtils.normalize(LocalRepositoryDir.getBugTmpDir() + File.separator + fileMetadata.getName() + "." + fileMetadata.getType()));
linkSyncFiles.add(new SyncAttachmentToPlatformRequest(platformBugKey, deleteTmpFile, SyncAttachmentType.DELETE.syncOperateType())); linkSyncFiles.add(new SyncAttachmentToPlatformRequest(platformBugKey, deleteTmpFile, SyncAttachmentType.DELETE.syncOperateType()));
} }
// 取消关联的附件, FILE_ASSOCIATION表 // 取消关联的附件, FILE_ASSOCIATION表
@ -540,7 +541,7 @@ public class BugAttachmentService {
fileService.deleteFile(fileRequest); fileService.deleteFile(fileRequest);
// 删除的本地的附件同步至平台 // 删除的本地的附件同步至平台
if (!StringUtils.equals(platformName, BugPlatform.LOCAL.getName())) { if (!StringUtils.equals(platformName, BugPlatform.LOCAL.getName())) {
File deleteTmpFile = new File(LocalRepositoryDir.getBugTmpDir() + "/" + localAttachment.getFileName()); File deleteTmpFile = new File(FilenameUtils.normalize(LocalRepositoryDir.getBugTmpDir() + File.separator + localAttachment.getFileName()));
syncLocalFiles.add(new SyncAttachmentToPlatformRequest(platformBugKey, deleteTmpFile, SyncAttachmentType.DELETE.syncOperateType())); syncLocalFiles.add(new SyncAttachmentToPlatformRequest(platformBugKey, deleteTmpFile, SyncAttachmentType.DELETE.syncOperateType()));
} }
} catch (Exception e) { } catch (Exception e) {
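Review bot: `FilenameUtils.normalize` on the new line of the `@ -482` hunk (`uploadTmpFile` built from `file.getOriginalFilename()`) does not confine the path to the bug temp directory: normalize collapses `..` segments against the prefix instead of rejecting them, so a client-supplied original filename such as `../../x` still yields a file outside `getBugTmpDir()`, and a name with more `..` than the base has components makes normalize return null, which `new File((String) null)` turns into a NullPointerException inside this try block. The same holds for the `meta.getName()`, `fileMetadata.getName()` and `localAttachment.getFileName()` variants in the other three hunks if those names originate from user input. Since only a leaf file name is intended here, strip any directory part with `FilenameUtils.getName(...)` and then verify the canonical path still lies under the canonical temp dir before writing; sketch below. The enclosing method starts before the hunk and its error handling is only partly visible, so confirm that the checked IOException from `getCanonicalPath` is meant to land in the surrounding `catch (Exception e)`.
```java
// … unchanged: fileService.upload(file, fileRequest); platform check …
String tmpDir = new File(LocalRepositoryDir.getBugTmpDir()).getCanonicalPath();
File uploadTmpFile = new File(tmpDir, FilenameUtils.getName(file.getOriginalFilename()));
if (!uploadTmpFile.getCanonicalPath().startsWith(tmpDir + File.separator)) {
    throw new IllegalArgumentException("Attachment name escapes the bug temp directory");
}
FileUtils.writeByteArrayToFile(uploadTmpFile, file.getBytes());
// … unchanged: localSyncFiles.add(...) …
```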


@ -59,6 +59,7 @@ import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.ListUtils; import org.apache.commons.collections4.ListUtils;
import org.apache.commons.collections4.MapUtils; import org.apache.commons.collections4.MapUtils;
import org.apache.commons.io.FileUtils; import org.apache.commons.io.FileUtils;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.apache.ibatis.session.ExecutorType; import org.apache.ibatis.session.ExecutorType;
import org.apache.ibatis.session.SqlSession; import org.apache.ibatis.session.SqlSession;
@ -1059,7 +1060,7 @@ public class BugService {
FileCenter.getDefaultRepository().saveFile(bytes, buildBugFileRequest(request.getProjectId(), request.getId(), localAttachment.getFileId(), localFile.getFileName())); FileCenter.getDefaultRepository().saveFile(bytes, buildBugFileRequest(request.getProjectId(), request.getId(), localAttachment.getFileId(), localFile.getFileName()));
// 同步新上传的附件至平台 // 同步新上传的附件至平台
if (!StringUtils.equals(platformName, BugPlatform.LOCAL.getName())) { if (!StringUtils.equals(platformName, BugPlatform.LOCAL.getName())) {
File uploadTmpFile = new File(LocalRepositoryDir.getBugTmpDir() + "/" + localFile.getFileName()); File uploadTmpFile = new File(FilenameUtils.normalize(LocalRepositoryDir.getBugTmpDir() + "/" + localFile.getFileName()));
FileUtils.writeByteArrayToFile(uploadTmpFile, bytes); FileUtils.writeByteArrayToFile(uploadTmpFile, bytes);
uploadPlatformAttachments.add(new SyncAttachmentToPlatformRequest(platformBug.getPlatformBugKey(), uploadTmpFile, SyncAttachmentType.UPLOAD.syncOperateType())); uploadPlatformAttachments.add(new SyncAttachmentToPlatformRequest(platformBug.getPlatformBugKey(), uploadTmpFile, SyncAttachmentType.UPLOAD.syncOperateType()));
} }
@ -1091,7 +1092,7 @@ public class BugService {
fileService.upload(file, fileRequest); fileService.upload(file, fileRequest);
// 同步新上传的附件至平台 // 同步新上传的附件至平台
if (!StringUtils.equals(platformName, BugPlatform.LOCAL.getName())) { if (!StringUtils.equals(platformName, BugPlatform.LOCAL.getName())) {
File uploadTmpFile = new File(LocalRepositoryDir.getBugTmpDir() + "/" + file.getOriginalFilename()); File uploadTmpFile = new File(FilenameUtils.normalize(LocalRepositoryDir.getBugTmpDir() + File.separator + file.getOriginalFilename()));
FileUtils.writeByteArrayToFile(uploadTmpFile, file.getBytes()); FileUtils.writeByteArrayToFile(uploadTmpFile, file.getBytes());
uploadPlatformAttachments.add(new SyncAttachmentToPlatformRequest(platformBug.getPlatformBugKey(), uploadTmpFile, SyncAttachmentType.UPLOAD.syncOperateType())); uploadPlatformAttachments.add(new SyncAttachmentToPlatformRequest(platformBug.getPlatformBugKey(), uploadTmpFile, SyncAttachmentType.UPLOAD.syncOperateType()));
} }
@ -1115,7 +1116,7 @@ public class BugService {
FileMetadata meta = fileMetadataMap.get(fileId); FileMetadata meta = fileMetadataMap.get(fileId);
if (meta != null) { if (meta != null) {
try { try {
File uploadTmpFile = new File(LocalRepositoryDir.getBugTmpDir() + "/" + meta.getName() + "." + meta.getType()); File uploadTmpFile = new File(FilenameUtils.normalize(LocalRepositoryDir.getBugTmpDir() + File.separator + meta.getName() + "." + meta.getType()));
byte[] fileByte = fileMetadataService.getFileByte(meta); byte[] fileByte = fileMetadataService.getFileByte(meta);
FileUtils.writeByteArrayToFile(uploadTmpFile, fileByte); FileUtils.writeByteArrayToFile(uploadTmpFile, fileByte);
uploadPlatformAttachments.add(new SyncAttachmentToPlatformRequest(platformBug.getPlatformBugKey(), uploadTmpFile, SyncAttachmentType.UPLOAD.syncOperateType())); uploadPlatformAttachments.add(new SyncAttachmentToPlatformRequest(platformBug.getPlatformBugKey(), uploadTmpFile, SyncAttachmentType.UPLOAD.syncOperateType()));
@ -1184,7 +1185,7 @@ public class BugService {
FileRequest downloadRequest = buildTmpImageFileRequest(tmpFileId); FileRequest downloadRequest = buildTmpImageFileRequest(tmpFileId);
try { try {
byte[] tmpBytes = fileService.download(downloadRequest); byte[] tmpBytes = fileService.download(downloadRequest);
File uploadTmpFile = new File(LocalRepositoryDir.getBugTmpDir() + "/" + tmpFileId + "/" + downloadRequest.getFileName()); File uploadTmpFile = new File(FilenameUtils.normalize(LocalRepositoryDir.getBugTmpDir() + File.separator + tmpFileId + File.separator + downloadRequest.getFileName()));
FileUtils.writeByteArrayToFile(uploadTmpFile, tmpBytes); FileUtils.writeByteArrayToFile(uploadTmpFile, tmpBytes);
platformRequest.getRichFileMap().put(tmpFileId, uploadTmpFile); platformRequest.getRichFileMap().put(tmpFileId, uploadTmpFile);
} catch (Exception e) { } catch (Exception e) {
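Review bot: In the `@ -1091` hunk the `FilenameUtils.normalize(...)` wrapper around `LocalRepositoryDir.getBugTmpDir() + File.separator + file.getOriginalFilename()` does not stop traversal: normalize resolves `..` segments against the base prefix rather than rejecting them, so a client-supplied original filename like `../../name` still resolves outside the temp dir, and a name that climbs above the filesystem root makes normalize return null, which `new File((String) null)` turns into a NullPointerException. Reduce the untrusted value to a leaf name first and use the two-argument constructor — `File uploadTmpFile = new File(LocalRepositoryDir.getBugTmpDir(), FilenameUtils.getName(file.getOriginalFilename()));` — and, before `FileUtils.writeByteArrayToFile`, compare `uploadTmpFile.getCanonicalPath()` against the canonical temp dir to confirm containment. Relatedly, the `@ -1059` hunk keeps a literal `"/"` separator while the other four new lines in this file switched to `File.separator`; pick one for consistency. The enclosing methods begin before each hunk, so the surrounding error handling is not visible here.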