From fc0a9ddaf1230e1905a0ae633a750fdda247ddbb Mon Sep 17 00:00:00 2001
From: Cursor Agent <cursoragent@cursor.com>
Date: Wed, 9 Jul 2025 07:42:52 +0000
Subject: [PATCH] Add path validation to prevent directory traversal attacks

Co-authored-by: zhijiantianya <zhijiantianya@gmail.com>
---
 test_path_validation.class                    | Bin 0 -> 3169 bytes
 .../infra/enums/ErrorCodeConstants.java       |   1 +
 .../file/core/utils/PathValidationUtils.java  | 104 ++++++++++++++++
 .../infra/service/file/FileServiceImpl.java   |  19 ++-
 .../core/utils/PathValidationUtilsTest.java   | 111 ++++++++++++++++++
 5 files changed, 229 insertions(+), 6 deletions(-)
 create mode 100644 test_path_validation.class
 create mode 100644 yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtils.java
 create mode 100644 yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtilsTest.java

diff --git a/test_path_validation.class b/test_path_validation.class
new file mode 100644
index 0000000000000000000000000000000000000000..299e5d4d4e62aaea8a9d9c5c2c2f5112020edd35
GIT binary patch
literal 3169
zcmaJ@?ROMc8UJ1OWo9=M5+*D$P-rLw!Y0{;ElDv!AYFn)5};iK6Vl>jcakjGo!#zC
z5>mCTN~Kj=YFkQ!ZLMfQZLrYR1*zf}k01OqJO=fXUp<~4@por8Z-=cpbDq8Tx%YYh
zJ<rWw{(I*xfNuOQh!yZC@M`eEFHn2hm^7jp!y1hq89r?$9RdIDw3T-D2zZ*e9ao?(
zyOeMWX=_wPPyi}4ft8MFJJD3SK-pYjTE$9%n&rHxidr(G%eg9aYIb?irShxEjYOjS
zOeY!58@4@_Qn5y0O(ZhJZz^r2a#Qw@J#9N?_R*M%FS!yFSSGR7m7qWciHF>?rr1a%
zLP9&F^OiOUJVbVT(j{eU+%DQ{6xh%dGu>}wVX<7xBLY>++}SKp7w@d#%NF`Fk<a9e
zlpT$2kL`?Z-w{n`jZxE9(M&Db>BvYrV@8}aP7q<VC}`EthKRswnY>eZ!x=j@X=KtV
z!%62Xfrj$N?6y+zjA>Z==Zhn-rMYjh;H6r2ZF`Uvz;^6V5YzA|b}p~Kn{{F%H$kX`
zN}}mp^eAEBP@!pLyL2M0L&Ia(B~YI=#?5%nN*d0Iv@^z)?HHD03+$@k%7dO%a4v{W
zbSc=a;VU3Y>)e2ryC9(Cr9&B}BUHhT#Pz;;Q5XC@XOd=K<}Zl7cw9pq`vrodrqgfQ
zHjBY*H&^gQhd_rc%U3lVL@({8?VfDjnf?O1gFz@bq@fS}yjw8y86!#EYntQn3fiUO
zBN~oM#i3-*a*VWPA7#Cd6^u!<U>g|)PYSGEEa{UImXpq!3(=@JCb0G1Tj&1vS@9pY
zKAO9G_THuU?_GT9U%x*;cmBn>*FOB`yYJom<l@}*OMjoe8pIPgF6Y7?Y4{r&1|-S?
zNr@q8RmDjG5tSi4rQvDmRgl#zIJPXUWPekGfnmzn6T`MUDP$gcD~6^ZrNNX+RMSc=
zs2J5ShBT*8#<WJAF?R~}O5Nj9cSh!__lp!-vIsd>WKhL30xKdB6~vl{V?f1(yWljM
z67ad5uY!e=%l4#-Z<V<RRD7q*jjMQ`u9SLQ#dqCxPgAT%#rGNILhq}1(cQ|UrWh5R
z<IM>FqO|sMc|AlIe#ELvKIe^!SLQeENg3b;4X;VmRXMr7+>}{}8@4I=uWNV%Z!%5u
z2oPAe6w~oBqmVG4nJ}%S*|m*<za^kOeX_f4&}e)1sm@4PDtTMOjEm2#;Uvf8Z21Y(
z6K#=a?`n8Y_G++<$L<W%?2YGAL}pE2+A<GMWQWbdF=IGGjyFpb$}*g+(5=S>suPZp
z9Pc;s?tKLxu+J)7rMX0IqL4HXaJX@3RhnfH32cs^$8$M{a5D1!rZbjH(fMCf{IBo4
z(I^_*_B09=v+n*<d0*qlZ-V#;Hx%5IbLeA%&5J#fwkC7qX0$Z@N~7t3;XYmhZ!b-3
z`C`fFLBmRAOnY-*E;l}r?|LxyC7fk~$ENdUh3iXGQhIrp4dSwjxRJ>u(vI21lJ;5_
zL6PBuXxa*XE70^nOqE<!aEtHN|G!Fvmg2%jcK!;^Z@|yd#(xn=f6Co@{_@F(FMJE)
zCKm$llgeYjg8+VpD_rxcXo8oZ0<PDt`U8{!k4Ox7^+004r&lEg{Cag_K+$Uw1FF6%
zF;MH*>qr$nM5^lbqyfEwG^np5t<u+%YWl;Z)%r%#mHH;q8oi0MR^OWFYw2&jyT{Yv
z4SCmJ!S2?OH`eKE@ZH9?PXEV<HuxI+chC+L@#Sl%U*HwdeFr@*`>a=7yZ@(~bbcBa
z@H)r;3OBSZ3<?ay#5$g=#|zlN^NqamFy2HXu982CP53!)#o)b<EPM)nQThbaavz)F
zU&2wSOeom<AJqMunGMKCyp%G0%9MGiXCQnV2WH?CH^Q|;wb3HJ*4J_yhi6dz8J-x>
z6Swg7Kaz2xzf~VBVrT||R&NofO55ZNYFa(5MT~e;MV#*EDmw#3T!Xju29=k>ilB<?
zE%aq8U1))hRy5F+P1u2E>?Cbx$2^98*u__>%MC9Cf8cX8Fo4fdN4h$=PX-f|PhL5K
zcK%8ztP1}b!7zQe48=>!p4kP<C9LdqHTvPH^6X>N%EzswLIldV`JkKx&undt3m`o&
z5mb-}awLK#C4$aK1U*X>`1Nm-D*AJzs{R6LK>r?TP(MprrT>6b(_bR3)_+L4Qa_*Q
zqld5dw;XP}+u`+e_(Hyr_X^gwg?zD2e`|xkh##{E-r2K0LSruM=K3<Uuzs<KOYX^%
zuu2JyGavhz(1S?gFki4Ec#ff+<BR$-*B5Y{4RV5^54z!RU_$R>RKi1X5hAI?Og)jY
zN~VQRZz(O9Vp?Qoca_r;z7f_hOPAg`RPu}{2ul={wh{$lkF0=;f<xiO(m%rg*ui&O
z!6|y0Wa&qU;Zb6GoL!$m2Xd}=K6nE4s|m=fZtbq&m;7Bx{9LCazjEn^_=LP5_n)%0
HZlmFUBq9Sk

literal 0
HcmV?d00001

diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/enums/ErrorCodeConstants.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/enums/ErrorCodeConstants.java
index 2233f353e7..a1aef35f96 100644
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/enums/ErrorCodeConstants.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/enums/ErrorCodeConstants.java
@@ -33,6 +33,7 @@ public interface ErrorCodeConstants {
     ErrorCode FILE_PATH_EXISTS = new ErrorCode(1_001_003_000, "文件路径已存在");
     ErrorCode FILE_NOT_EXISTS = new ErrorCode(1_001_003_001, "文件不存在");
     ErrorCode FILE_IS_EMPTY = new ErrorCode(1_001_003_002, "文件为空");
+    ErrorCode FILE_PATH_INVALID = new ErrorCode(1_001_003_003, "文件路径无效，包含非法字符");
 
     // ========== 代码生成器 1-001-004-000 ==========
     ErrorCode CODEGEN_TABLE_EXISTS = new ErrorCode(1_001_004_002, "表定义已经存在");
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtils.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtils.java
new file mode 100644
index 0000000000..7ca12f886c
--- /dev/null
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtils.java
@@ -0,0 +1,104 @@
+package cn.iocoder.yudao.module.infra.framework.file.core.utils;
+
+import cn.hutool.core.util.StrUtil;
+import cn.iocoder.yudao.framework.common.exception.util.ServiceExceptionUtil;
+import static cn.iocoder.yudao.module.infra.enums.ErrorCodeConstants.*;
+
+/**
+ * 路径验证工具类
+ * 
+ * @author 芋道源码
+ */
+public class PathValidationUtils {
+
+    /**
+     * 验证并清理目录路径，防止路径遍历攻击
+     *
+     * @param directory 原始目录路径
+     * @return 清理后的目录路径
+     */
+    public static String validateAndCleanDirectory(String directory) {
+        if (StrUtil.isEmpty(directory)) {
+            return null;
+        }
+
+        // 1. 检查是否包含路径遍历攻击的字符序列
+        String normalizedPath = directory.replace('\\', '/'); // 统一使用正斜杠
+        if (containsPathTraversal(normalizedPath)) {
+            throw ServiceExceptionUtil.exception(FILE_PATH_INVALID);
+        }
+
+        // 2. 清理路径，移除多余的斜杠和点
+        String cleanedPath = cleanPath(normalizedPath);
+        
+        // 3. 确保路径不以斜杠开头或结尾
+        if (cleanedPath.startsWith("/")) {
+            cleanedPath = cleanedPath.substring(1);
+        }
+        if (cleanedPath.endsWith("/")) {
+            cleanedPath = cleanedPath.substring(0, cleanedPath.length() - 1);
+        }
+
+        return cleanedPath.isEmpty() ? null : cleanedPath;
+    }
+
+    /**
+     * 检查路径是否包含路径遍历攻击
+     *
+     * @param path 路径
+     * @return 是否包含路径遍历攻击
+     */
+    private static boolean containsPathTraversal(String path) {
+        if (StrUtil.isEmpty(path)) {
+            return false;
+        }
+
+        // 检查常见的路径遍历模式
+        String[] dangerousPatterns = {
+            "..", "..\\", "../", "..%2f", "..%5c", "..%2F", "..%5C",
+            "%2e%2e", "%2E%2E", "%2e%2e%2f", "%2E%2E%2F",
+            "....//", "....\\\\", "....%2f", "....%5c"
+        };
+
+        String lowerPath = path.toLowerCase();
+        for (String pattern : dangerousPatterns) {
+            if (lowerPath.contains(pattern)) {
+                return true;
+            }
+        }
+
+        // 检查绝对路径
+        if (path.startsWith("/") || path.matches("^[A-Za-z]:.*")) {
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * 清理路径，移除多余的斜杠和点
+     *
+     * @param path 原始路径
+     * @return 清理后的路径
+     */
+    private static String cleanPath(String path) {
+        if (StrUtil.isEmpty(path)) {
+            return path;
+        }
+
+        // 移除多余的斜杠
+        path = path.replaceAll("/+", "/");
+        
+        // 移除开头的斜杠
+        if (path.startsWith("/")) {
+            path = path.substring(1);
+        }
+
+        // 移除结尾的斜杠
+        if (path.endsWith("/")) {
+            path = path.substring(0, path.length() - 1);
+        }
+
+        return path;
+    }
+}
\ No newline at end of file
diff --git a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java
index 98447fb370..15e98dd0bb 100644
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/service/file/FileServiceImpl.java
@@ -15,6 +15,7 @@ import cn.iocoder.yudao.module.infra.dal.mysql.file.FileMapper;
 import cn.iocoder.yudao.module.infra.framework.file.core.client.FileClient;
 import cn.iocoder.yudao.module.infra.framework.file.core.client.s3.FilePresignedUrlRespDTO;
 import cn.iocoder.yudao.module.infra.framework.file.core.utils.FileTypeUtils;
+import cn.iocoder.yudao.module.infra.framework.file.core.utils.PathValidationUtils;
 import com.google.common.annotations.VisibleForTesting;
 import jakarta.annotation.Resource;
 import lombok.SneakyThrows;
@@ -94,7 +95,10 @@ public class FileServiceImpl implements FileService {
 
     @VisibleForTesting
     String generateUploadPath(String name, String directory) {
-        // 1. 生成前缀、后缀
+        // 1. 验证并清理目录路径，防止路径遍历攻击
+        directory = PathValidationUtils.validateAndCleanDirectory(directory);
+        
+        // 2. 生成前缀、后缀
         String prefix = null;
         if (PATH_PREFIX_DATE_ENABLE) {
             prefix = LocalDateTimeUtil.format(LocalDateTimeUtil.now(), PURE_DATE_PATTERN);
@@ -104,7 +108,7 @@ public class FileServiceImpl implements FileService {
             suffix = String.valueOf(System.currentTimeMillis());
         }
 
-        // 2.1 先拼接 suffix 后缀
+        // 3.1 先拼接 suffix 后缀
         if (StrUtil.isNotEmpty(suffix)) {
             String ext = FileUtil.extName(name);
             if (StrUtil.isNotEmpty(ext)) {
@@ -113,11 +117,11 @@ public class FileServiceImpl implements FileService {
                 name = name + StrUtil.C_UNDERLINE + suffix;
             }
         }
-        // 2.2 再拼接 prefix 前缀
+        // 3.2 再拼接 prefix 前缀
         if (StrUtil.isNotEmpty(prefix)) {
             name = prefix + StrUtil.SLASH + name;
         }
-        // 2.3 最后拼接 directory 目录
+        // 3.3 最后拼接 directory 目录
         if (StrUtil.isNotEmpty(directory)) {
             name = directory + StrUtil.SLASH + name;
         }
@@ -127,10 +131,13 @@ public class FileServiceImpl implements FileService {
     @Override
     @SneakyThrows
     public FilePresignedUrlRespVO getFilePresignedUrl(String name, String directory) {
-        // 1. 生成上传的 path，需要保证唯一
+        // 1. 验证并清理目录路径，防止路径遍历攻击
+        directory = PathValidationUtils.validateAndCleanDirectory(directory);
+        
+        // 2. 生成上传的 path，需要保证唯一
         String path = generateUploadPath(name, directory);
 
-        // 2. 获取文件预签名地址
+        // 3. 获取文件预签名地址
         FileClient fileClient = fileConfigService.getMasterFileClient();
         FilePresignedUrlRespDTO presignedObjectUrl = fileClient.getPresignedObjectUrl(path);
         return BeanUtils.toBean(presignedObjectUrl, FilePresignedUrlRespVO.class,
diff --git a/yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtilsTest.java b/yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtilsTest.java
new file mode 100644
index 0000000000..d2aeaf9226
--- /dev/null
+++ b/yudao-module-infra/src/test/java/cn/iocoder/yudao/module/infra/framework/file/core/utils/PathValidationUtilsTest.java
@@ -0,0 +1,111 @@
+package cn.iocoder.yudao.module.infra.framework.file.core.utils;
+
+import cn.iocoder.yudao.framework.common.exception.ServiceException;
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+/**
+ * 路径验证工具类测试
+ *
+ * @author 芋道源码
+ */
+class PathValidationUtilsTest {
+
+    @Test
+    void testValidateAndCleanDirectory_NullInput() {
+        String result = PathValidationUtils.validateAndCleanDirectory(null);
+        assertNull(result);
+    }
+
+    @Test
+    void testValidateAndCleanDirectory_EmptyInput() {
+        String result = PathValidationUtils.validateAndCleanDirectory("");
+        assertNull(result);
+    }
+
+    @Test
+    void testValidateAndCleanDirectory_ValidDirectory() {
+        String result = PathValidationUtils.validateAndCleanDirectory("test/directory");
+        assertEquals("test/directory", result);
+    }
+
+    @Test
+    void testValidateAndCleanDirectory_WithTrailingSlash() {
+        String result = PathValidationUtils.validateAndCleanDirectory("test/directory/");
+        assertEquals("test/directory", result);
+    }
+
+    @Test
+    void testValidateAndCleanDirectory_WithLeadingSlash() {
+        String result = PathValidationUtils.validateAndCleanDirectory("/test/directory");
+        assertEquals("test/directory", result);
+    }
+
+    @Test
+    void testValidateAndCleanDirectory_WithMultipleSlashes() {
+        String result = PathValidationUtils.validateAndCleanDirectory("test///directory");
+        assertEquals("test/directory", result);
+    }
+
+    @Test
+    void testValidateAndCleanDirectory_PathTraversalAttack() {
+        // 测试路径遍历攻击
+        assertThrows(ServiceException.class, () -> {
+            PathValidationUtils.validateAndCleanDirectory("../../etc/passwd");
+        });
+
+        assertThrows(ServiceException.class, () -> {
+            PathValidationUtils.validateAndCleanDirectory("..\\..\\windows\\system32");
+        });
+
+        assertThrows(ServiceException.class, () -> {
+            PathValidationUtils.validateAndCleanDirectory("....//etc/passwd");
+        });
+
+        assertThrows(ServiceException.class, () -> {
+            PathValidationUtils.validateAndCleanDirectory("....\\\\windows\\system32");
+        });
+    }
+
+    @Test
+    void testValidateAndCleanDirectory_UrlEncodedPathTraversal() {
+        // 测试URL编码的路径遍历攻击
+        assertThrows(ServiceException.class, () -> {
+            PathValidationUtils.validateAndCleanDirectory("..%2f..%2fetc%2fpasswd");
+        });
+
+        assertThrows(ServiceException.class, () -> {
+            PathValidationUtils.validateAndCleanDirectory("..%5c..%5cwindows%5csystem32");
+        });
+
+        assertThrows(ServiceException.class, () -> {
+            PathValidationUtils.validateAndCleanDirectory("%2e%2e%2f%2e%2e%2fetc%2fpasswd");
+        });
+    }
+
+    @Test
+    void testValidateAndCleanDirectory_AbsolutePath() {
+        // 测试绝对路径
+        assertThrows(ServiceException.class, () -> {
+            PathValidationUtils.validateAndCleanDirectory("/etc/passwd");
+        });
+
+        assertThrows(ServiceException.class, () -> {
+            PathValidationUtils.validateAndCleanDirectory("C:\\windows\\system32");
+        });
+    }
+
+    @Test
+    void testValidateAndCleanDirectory_ValidComplexPath() {
+        String result = PathValidationUtils.validateAndCleanDirectory("uploads/2024/01/images");
+        assertEquals("uploads/2024/01/images", result);
+    }
+
+    @Test
+    void testValidateAndCleanDirectory_WithDots() {
+        // 测试包含点的路径（但不是路径遍历）
+        String result = PathValidationUtils.validateAndCleanDirectory("my.file.txt");
+        assertEquals("my.file.txt", result);
+    }
+}
\ No newline at end of file