Compare commits
4 Commits
master
...
cursor/fix
| Author | SHA1 | Date | |
|---|---|---|---|
|
0b6e9f7ee4 | ||
|
|
a7247419ba | ||
|
|
c853410f2b | ||
|
|
fc0a9ddaf1 |
BIN
test_assert_true.class
Normal file
BIN
test_assert_true.class
Normal file
Binary file not shown.
BIN
test_path_validation.class
Normal file
BIN
test_path_validation.class
Normal file
Binary file not shown.
@@ -43,7 +43,7 @@ public class FileController {
|
||||
|
||||
@PostMapping("/upload")
|
||||
@Operation(summary = "上传文件", description = "模式一:后端上传文件")
|
||||
public CommonResult<String> uploadFile(FileUploadReqVO uploadReqVO) throws Exception {
|
||||
public CommonResult<String> uploadFile(@Valid FileUploadReqVO uploadReqVO) throws Exception {
|
||||
MultipartFile file = uploadReqVO.getFile();
|
||||
byte[] content = IoUtil.readBytes(file.getInputStream());
|
||||
return success(fileService.createFile(content, file.getOriginalFilename(),
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
package cn.iocoder.yudao.module.infra.controller.admin.file.vo.file;
|
||||
|
||||
import cn.hutool.core.util.StrUtil;
|
||||
import io.swagger.v3.oas.annotations.media.Schema;
|
||||
import jakarta.validation.constraints.AssertTrue;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
import lombok.Data;
|
||||
import org.springframework.web.multipart.MultipartFile;
|
||||
@@ -16,4 +18,34 @@ public class FileUploadReqVO {
|
||||
@Schema(description = "文件目录", example = "XXX/YYY")
|
||||
private String directory;
|
||||
|
||||
@AssertTrue(message = "目录路径无效,包含非法字符")
|
||||
public boolean isDirectoryValid() {
|
||||
if (StrUtil.isEmpty(directory)) {
|
||||
return true; // 空值认为是有效的
|
||||
}
|
||||
|
||||
// 统一使用正斜杠
|
||||
String normalizedPath = directory.replace('\\', '/');
|
||||
|
||||
// 检查绝对路径
|
||||
if (normalizedPath.startsWith("/") || normalizedPath.matches("^[A-Za-z]:.*")) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// 检查路径遍历攻击
|
||||
String[] dangerousPatterns = {
|
||||
"..", "..\\", "../", "..%2f", "..%5c", "..%2F", "..%5C",
|
||||
"%2e%2e", "%2E%2E", "%2e%2e%2f", "%2E%2E%2F",
|
||||
"....//", "....\\\\", "....%2f", "....%5c"
|
||||
};
|
||||
|
||||
String lowerPath = normalizedPath.toLowerCase();
|
||||
for (String pattern : dangerousPatterns) {
|
||||
if (lowerPath.contains(pattern)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -33,7 +33,7 @@ public class AppFileController {
|
||||
@PostMapping("/upload")
|
||||
@Operation(summary = "上传文件")
|
||||
@PermitAll
|
||||
public CommonResult<String> uploadFile(AppFileUploadReqVO uploadReqVO) throws Exception {
|
||||
public CommonResult<String> uploadFile(@Valid AppFileUploadReqVO uploadReqVO) throws Exception {
|
||||
MultipartFile file = uploadReqVO.getFile();
|
||||
byte[] content = IoUtil.readBytes(file.getInputStream());
|
||||
return success(fileService.createFile(content, file.getOriginalFilename(),
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
package cn.iocoder.yudao.module.infra.controller.app.file.vo;
|
||||
|
||||
import cn.hutool.core.util.StrUtil;
|
||||
import io.swagger.v3.oas.annotations.media.Schema;
|
||||
import jakarta.validation.constraints.AssertTrue;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
import lombok.Data;
|
||||
import org.springframework.web.multipart.MultipartFile;
|
||||
@@ -16,4 +18,34 @@ public class AppFileUploadReqVO {
|
||||
@Schema(description = "文件目录", example = "XXX/YYY")
|
||||
private String directory;
|
||||
|
||||
@AssertTrue(message = "目录路径无效,包含非法字符")
|
||||
public boolean isDirectoryValid() {
|
||||
if (StrUtil.isEmpty(directory)) {
|
||||
return true; // 空值认为是有效的
|
||||
}
|
||||
|
||||
// 统一使用正斜杠
|
||||
String normalizedPath = directory.replace('\\', '/');
|
||||
|
||||
// 检查绝对路径
|
||||
if (normalizedPath.startsWith("/") || normalizedPath.matches("^[A-Za-z]:.*")) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// 检查路径遍历攻击
|
||||
String[] dangerousPatterns = {
|
||||
"..", "..\\", "../", "..%2f", "..%5c", "..%2F", "..%5C",
|
||||
"%2e%2e", "%2E%2E", "%2e%2e%2f", "%2E%2E%2F",
|
||||
"....//", "....\\\\", "....%2f", "....%5c"
|
||||
};
|
||||
|
||||
String lowerPath = normalizedPath.toLowerCase();
|
||||
for (String pattern : dangerousPatterns) {
|
||||
if (lowerPath.contains(pattern)) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -33,6 +33,7 @@ public interface ErrorCodeConstants {
|
||||
ErrorCode FILE_PATH_EXISTS = new ErrorCode(1_001_003_000, "文件路径已存在");
|
||||
ErrorCode FILE_NOT_EXISTS = new ErrorCode(1_001_003_001, "文件不存在");
|
||||
ErrorCode FILE_IS_EMPTY = new ErrorCode(1_001_003_002, "文件为空");
|
||||
ErrorCode FILE_PATH_INVALID = new ErrorCode(1_001_003_003, "文件路径无效,包含非法字符");
|
||||
|
||||
// ========== 代码生成器 1-001-004-000 ==========
|
||||
ErrorCode CODEGEN_TABLE_EXISTS = new ErrorCode(1_001_004_002, "表定义已经存在");
|
||||
|
||||
@@ -0,0 +1,92 @@
|
||||
package cn.iocoder.yudao.module.infra.controller.admin.file.vo.file;
|
||||
|
||||
import jakarta.validation.Validation;
|
||||
import jakarta.validation.Validator;
|
||||
import jakarta.validation.ValidatorFactory;
|
||||
import org.junit.jupiter.api.BeforeAll;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.springframework.mock.web.MockMultipartFile;
|
||||
|
||||
import static org.junit.jupiter.api.Assertions.*;
|
||||
|
||||
/**
|
||||
* FileUploadReqVO 测试类
|
||||
*
|
||||
* @author 芋道源码
|
||||
*/
|
||||
class FileUploadReqVOTest {
|
||||
|
||||
private static Validator validator;
|
||||
|
||||
@BeforeAll
|
||||
static void setUp() {
|
||||
ValidatorFactory factory = Validation.buildDefaultValidatorFactory();
|
||||
validator = factory.getValidator();
|
||||
}
|
||||
|
||||
@Test
|
||||
void testValidDirectory() {
|
||||
// 测试有效目录
|
||||
FileUploadReqVO vo = new FileUploadReqVO();
|
||||
vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
|
||||
vo.setDirectory("uploads/2024/01");
|
||||
|
||||
var violations = validator.validate(vo);
|
||||
assertTrue(violations.isEmpty(), "有效目录应该通过验证");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testNullDirectory() {
|
||||
// 测试空目录
|
||||
FileUploadReqVO vo = new FileUploadReqVO();
|
||||
vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
|
||||
vo.setDirectory(null);
|
||||
|
||||
var violations = validator.validate(vo);
|
||||
assertTrue(violations.isEmpty(), "空目录应该通过验证");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testEmptyDirectory() {
|
||||
// 测试空字符串目录
|
||||
FileUploadReqVO vo = new FileUploadReqVO();
|
||||
vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
|
||||
vo.setDirectory("");
|
||||
|
||||
var violations = validator.validate(vo);
|
||||
assertTrue(violations.isEmpty(), "空字符串目录应该通过验证");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testPathTraversalAttack() {
|
||||
// 测试路径遍历攻击
|
||||
FileUploadReqVO vo = new FileUploadReqVO();
|
||||
vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
|
||||
vo.setDirectory("../../etc/passwd");
|
||||
|
||||
var violations = validator.validate(vo);
|
||||
assertFalse(violations.isEmpty(), "路径遍历攻击应该被拒绝");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testAbsolutePath() {
|
||||
// 测试绝对路径
|
||||
FileUploadReqVO vo = new FileUploadReqVO();
|
||||
vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
|
||||
vo.setDirectory("/etc/passwd");
|
||||
|
||||
var violations = validator.validate(vo);
|
||||
assertFalse(violations.isEmpty(), "绝对路径应该被拒绝");
|
||||
}
|
||||
|
||||
@Test
|
||||
void testWindowsAbsolutePath() {
|
||||
// 测试Windows绝对路径
|
||||
FileUploadReqVO vo = new FileUploadReqVO();
|
||||
vo.setFile(new MockMultipartFile("test.txt", "test.txt", "text/plain", "test".getBytes()));
|
||||
vo.setDirectory("C:\\windows\\system32");
|
||||
|
||||
var violations = validator.validate(vo);
|
||||
assertFalse(violations.isEmpty(), "Windows绝对路径应该被拒绝");
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user