center/dataease-dm
center/dataease-dm
13
0
Fork 0
forked from github/dataease
Code Pull Requests Activity

fix(仪表板): 修改任意上传文件不安全操作路径缺陷

Browse Source
This commit is contained in:
wangjiahao 2024-03-27 16:05:47 +08:00
parent 33edd9b3be
commit bc7551f40f
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java
View File

@ -43,9 +43,10 @@ public class StaticResourceServer implements StaticResourceApi {
} }
String originName = file.getOriginalFilename(); String originName = file.getOriginalFilename();
String newFileName = fileId + originName.substring(originName.lastIndexOf("."), originName.length()); String newFileName = fileId + originName.substring(originName.lastIndexOf("."), originName.length());
Path uploadPath = Paths.get(staticDir.toString(), newFileName); Path basePath = Paths.get(staticDir.toString());
// create dir is absent // create dir is absent
FileUtils.createIfAbsent(Paths.get(staticDir.toString())); FileUtils.createIfAbsent(basePath);
Path uploadPath = basePath.resolve(newFileName);
Files.createFile(uploadPath); Files.createFile(uploadPath);
file.transferTo(uploadPath); file.transferTo(uploadPath);
} catch (IOException e) { } catch (IOException e) {
@ -82,9 +83,10 @@ public class StaticResourceServer implements StaticResourceApi {
} }
public void saveSingleFileToServe(String fileName, String content) { public void saveSingleFileToServe(String fileName, String content) {
Path uploadPath = Paths.get(staticDir.toString(), fileName); Path basePath = Paths.get(staticDir.toString());
Path uploadPath = basePath.resolve(fileName);
try { try {
if (uploadPath.toFile().exists()) { if (Files.exists(uploadPath)) {
LogUtil.info("file exists"); LogUtil.info("file exists");
} else { } else {
if (StringUtils.isNotEmpty(content)) { if (StringUtils.isNotEmpty(content)) {