test-version22
/
MeterSphere
mirror of https://gitee.com/fit2cloud-feizhiyun/MeterSphere.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix: 接口调用恶意删除文件漏洞

This commit is contained in:
AnAngle 2022-03-04 16:12:15 +08:00 committed by 刘瑞斌
parent 45dc9640ed
commit d2296fb6d2
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
backend/src/main/java/io/metersphere/service/ResourceService.java
View File

@ -28,8 +28,9 @@ public class ResourceService {
}
public ResponseEntity<FileSystemResource> getMdImage(String name) {
if (name.contains("/"))
if (name.contains("/")) {
MSException.throwException(Translator.get("invalid_parameter"));
}
File file = new File(FileUtils.MD_IMAGE_DIR + "/" + name);
HttpHeaders headers = new HttpHeaders();
String fileName = encodeFileName(file.getName());
@ -65,6 +66,9 @@ public class ResourceService {
}
public void mdDelete(String fileName) {
if (fileName.contains("/")) {
MSException.throwException(Translator.get("invalid_parameter"));
}
FileUtils.deleteFile(FileUtils.MD_IMAGE_DIR + "/" + fileName);
}
}