From 099ee0e2386845704e85ec1ac53d6608096053ed Mon Sep 17 00:00:00 2001
From: wangjiahao <1522128093@qq.com>
Date: Wed, 18 Sep 2024 10:26:09 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dsvg=E4=B8=8A=E4=BC=A0?= =?UTF-8?q?=E6=97=B6=E5=86=85=E5=AE=B9=E8=A2=AB=E7=AF=A1=E6=94=B9=E5=BC=95?= =?UTF-8?q?=E8=B5=B7=E7=9A=84xxe=E6=B3=A8=E5=85=A5=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../server/StaticResourceServer.java | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java b/core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java
index 49e5c34f96..20ed12e4f7 100644
--- a/core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java
+++ b/core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java
@@ -68,8 +68,15 @@ public class StaticResourceServer implements StaticResourceApi {
 return false;
 }
 String mimeType = file.getContentType();
+ if (StringUtils.isEmpty(mimeType)) {
+ return false;
+ }
 // 判断是否为图片或SVG
- return (mimeType != null && mimeType.startsWith("image/")) || isValidSVG(file);
+ if (mimeType.toLowerCase().equals("image/svg+xml")) {
+ return isValidSVG(file);
+ } else {
+ return mimeType.startsWith("image/");
+ }
 }
 
 public void saveFilesToServe(String staticResource) {
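Review bot: The new SVG branch fires only on an exact lower-cased `image/svg+xml` match, so a multipart Content-Type that carries parameters (e.g. `image/svg+xml; charset=utf-8`) falls through to `mimeType.startsWith("image/")` and is accepted without ever reaching `isValidSVG` and the XML hardening it is meant to apply. Comparing the base type closes that gap: `String baseType = mimeType.split(";", 2)[0].trim();` followed by `if (baseType.equalsIgnoreCase("image/svg+xml")) {`. Note also that `file.getContentType()` is the client-declared type, so an XML body declared as some other `image/*` subtype is still accepted by the `startsWith` branch exactly as before this change; if the intent is that every XML-bearing upload is validated, the decision should be driven by the file contents (a leading `<?xml`/`<svg` sniff) rather than by the header alone. `toLowerCase()` without a `Locale` is additionally locale-sensitive, which `equalsIgnoreCase` or `toLowerCase(Locale.ROOT)` avoids; the enclosing method's signature lies above the hunk.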
@@ -123,9 +130,14 @@ public class StaticResourceServer implements StaticResourceApi {
 }
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setNamespaceAware(true);
 try (InputStream inputStream = file.getInputStream()) {
+ // 禁用外部实体解析以防止XXE攻击
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ dbf.setNamespaceAware(true);
 DocumentBuilder db = dbf.newDocumentBuilder();
 Document doc = db.parse(inputStream);