Merge pull request #5571 from dataease/pr@dev@fix_plugin_upload

fix(插件管理): 插件文件上传漏洞#5559
2023-07-03 10:18:46 +08:00 · 2023-07-03 10:18:46 +08:00 · 1bab732db2
commit 1bab732db2
parent d0efbdfd47 bc7d072e6a
2 changed files with 18 additions and 2 deletions
--- a/backend/src/main/java/io/dataease/commons/utils/DeFileUtils.java
+++ b/backend/src/main/java/io/dataease/commons/utils/DeFileUtils.java
@ -1,5 +1,7 @@
 package io.dataease.commons.utils;

+import io.dataease.commons.exception.DEException;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.multipart.MultipartFile;

 import java.io.*;
@ -41,6 +43,17 @@ public class DeFileUtils {
        if (dir.exists()) return ;
        dir.mkdirs();
    }
+
+    public static void validateFile(MultipartFile file) {
+        String name = getFileNameNoEx(file.getOriginalFilename());
+        if (StringUtils.contains(name, "./")) {
+            DEException.throwException("file path invalid");
+        }
+        String suffix = getExtensionName(file.getOriginalFilename());
+        if (!StringUtils.equalsIgnoreCase(suffix, "zip")) {
+            DEException.throwException("please upload valid zip file");
+        }
+    }
    /**
     * 将文件名解析成文件的上传路径
     */
--- a/backend/src/main/java/io/dataease/controller/sys/SysPluginController.java
+++ b/backend/src/main/java/io/dataease/controller/sys/SysPluginController.java
@ -3,10 +3,11 @@ package io.dataease.controller.sys;
 import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
 import io.dataease.auth.annotation.SqlInjectValidator;
-import io.dataease.plugins.common.base.domain.MyPlugin;
+import io.dataease.commons.utils.DeFileUtils;
 import io.dataease.commons.utils.PageUtils;
 import io.dataease.commons.utils.Pager;
 import io.dataease.controller.sys.base.BaseGridRequest;
+import io.dataease.plugins.common.base.domain.MyPlugin;
 import io.dataease.service.sys.PluginService;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
@ -41,6 +42,7 @@ public class SysPluginController {
    @PostMapping("upload")
    @RequiresPermissions("plugin:upload")
    public Map<String, Object> localUpload(@RequestParam("file") MultipartFile file) throws Exception {
+        DeFileUtils.validateFile(file);
        return pluginService.localInstall(file);
    }

@ -54,7 +56,8 @@ public class SysPluginController {
    @ApiOperation("更新插件")
    @PostMapping("/update/{pluginId}")
    @RequiresPermissions("plugin:upload")
-    public Map<String, Object> update(@PathVariable("pluginId") Long pluginId, @RequestParam("file") MultipartFile file) throws Exception{
+    public Map<String, Object> update(@PathVariable("pluginId") Long pluginId, @RequestParam("file") MultipartFile file) throws Exception {
+        DeFileUtils.validateFile(file);
        if (pluginService.uninstall(pluginId)) {
            return pluginService.localInstall(file);
        }