product-inventory-management-after.git

RuoYi

2020-11-17 deb3594b40146777b749cc3b420ed632ae13959c

阻止任意文件下载漏洞

已修改2个文件

已添加1个文件

	src/main/java/com/ruoyi/common/utils/file/FileTypeUtils.java	47 ●●●●● 补丁 \| 查看 \| 原始文档 \| blame \| 历史
	src/main/java/com/ruoyi/common/utils/file/FileUtils.java	65 ●●●●● 补丁 \| 查看 \| 原始文档 \| blame \| 历史
	src/main/java/com/ruoyi/project/common/CommonController.java	43 ●●●●● 补丁 \| 查看 \| 原始文档 \| blame \| 历史

 src/main/java/com/ruoyi/common/utils/file/FileTypeUtils.java

¶Ô±ÈÐÂÎÄ¼þ
@@ -0,0 +1,47 @@
package com.ruoyi.common.utils.file;



import java.io.File;

import org.apache.commons.lang3.StringUtils;



/**

 * æä»¶ç±»åå·¥å·ç±»

 *

 * @author ruoyi

 */

public class FileTypeUtils

{

    /**

     * è·åæä»¶ç±»å

     * <p>

     * ä¾å¦: ruoyi.txt, è¿å: txt

     * 
     * @param file æä»¶å

     * @return åç¼ï¼ä¸å«".")

     */

    public static String getFileType(File file)

    {

        if (null == file)

        {

            return StringUtils.EMPTY;

        }

        return getFileType(file.getName());

    }



    /**

     * è·åæä»¶ç±»å

     * <p>

     * ä¾å¦: ruoyi.txt, è¿å: txt

     *

     * @param fileName æä»¶å

     * @return åç¼ï¼ä¸å«".")

     */

    public static String getFileType(String fileName)

    {

        int separatorIndex = fileName.lastIndexOf(".");

        if (separatorIndex < 0)

        {

            return "";

        }

        return fileName.substring(separatorIndex + 1).toLowerCase();

    }

}

 src/main/java/com/ruoyi/common/utils/file/FileUtils.java

@@ -7,7 +7,11 @@
import java.io.OutputStream;

import java.io.UnsupportedEncodingException;

import java.net.URLEncoder;

import java.nio.charset.StandardCharsets;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.ArrayUtils;

import com.ruoyi.common.utils.StringUtils;



/**

 * æä»¶å¤çå·¥å·ç±»

@@ -105,14 +109,37 @@
    }



    /**

     * æ£æ¥æä»¶æ¯å¦å¯ä¸è½½

     * 
     * @param resource éè¦ä¸è½½çæä»¶

     * @return true æ£å¸¸ false éæ³

     */

    public static boolean checkAllowDownload(String resource)

    {

        // ç¦æ¢ç®å½ä¸è·³çº§å«

        if (StringUtils.contains(resource, ".."))

        {

            return false;

        }



        // æ£æ¥åè®¸ä¸è½½çæä»¶è§å

        if (ArrayUtils.contains(MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION, FileTypeUtils.getFileType(resource)))

        {

            return true;

        }



        // ä¸å¨åè®¸ä¸è½½çæä»¶è§å

        return false;

    }



    /**

     * ä¸è½½æä»¶åéæ°ç¼ç 

     * 

     * @param request è¯·æ±å¯¹è±¡

     * @param fileName æä»¶å

     * @return ç¼ç åçæä»¶å

     */

    public static String setFileDownloadHeader(HttpServletRequest request, String fileName)

            throws UnsupportedEncodingException

    public static String setFileDownloadHeader(HttpServletRequest request, String fileName) throws UnsupportedEncodingException

    {

        final String agent = request.getHeader("USER-AGENT");

        String filename = fileName;

@@ -139,4 +166,38 @@
        }

        return filename;

    }



    /**

     * ä¸è½½æä»¶åéæ°ç¼ç 

     *

     * @param response ååºå¯¹è±¡

     * @param realFileName çå®æä»¶å

     * @return

     */

    public static void setAttachmentResponseHeader(HttpServletResponse response, String realFileName) throws UnsupportedEncodingException

    {

        String percentEncodedFileName = percentEncode(realFileName);



        StringBuilder contentDispositionValue = new StringBuilder();

        contentDispositionValue.append("attachment; filename=")

                .append(percentEncodedFileName)

                .append(";")

                .append("filename*=")

                .append("utf-8''")

                .append(percentEncodedFileName);



        response.setHeader("Content-disposition", contentDispositionValue.toString());

    }



    /**

     * ç¾åå·ç¼ç å·¥å·æ¹æ³

     *

     * @param s éè¦ç¾åå·ç¼ç çåç¬¦ä¸²

     * @return ç¾åå·ç¼ç åçåç¬¦ä¸²

     */

    public static String percentEncode(String s) throws UnsupportedEncodingException

    {

        String encode = URLEncoder.encode(s, StandardCharsets.UTF_8.toString());

        return encode.replaceAll("\\+", "%20");

    }

}


 src/main/java/com/ruoyi/project/common/CommonController.java

@@ -5,6 +5,7 @@
import org.slf4j.Logger;

import org.slf4j.LoggerFactory;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.http.MediaType;

import org.springframework.web.bind.annotation.GetMapping;

import org.springframework.web.bind.annotation.PostMapping;

import org.springframework.web.bind.annotation.RestController;

@@ -41,17 +42,15 @@
    {

        try

        {

            if (!FileUtils.isValidFilename(fileName))

            if (!FileUtils.checkAllowDownload(fileName))

            {

                throw new Exception(StringUtils.format("æä»¶åç§°({})éæ³ï¼ä¸åè®¸ä¸è½½ã ", fileName));

            }

            String realFileName = System.currentTimeMillis() + fileName.substring(fileName.indexOf("_") + 1);

            String filePath = RuoYiConfig.getDownloadPath() + fileName;



            response.setCharacterEncoding("utf-8");

            response.setContentType("multipart/form-data");

            response.setHeader("Content-Disposition",

                    "attachment;fileName=" + FileUtils.setFileDownloadHeader(request, realFileName));

            response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE);

            FileUtils.setAttachmentResponseHeader(response, realFileName);

            FileUtils.writeBytes(filePath, response.getOutputStream());

            if (delete)

            {

@@ -92,18 +91,28 @@
     * æ¬å°èµæºéç¨ä¸è½½

     */

    @GetMapping("/common/download/resource")

    public void resourceDownload(String name, HttpServletRequest request, HttpServletResponse response) throws Exception

    public void resourceDownload(String resource, HttpServletRequest request, HttpServletResponse response)

            throws Exception

    {

        // æ¬å°èµæºè·¯å¾

        String localPath = RuoYiConfig.getProfile();

        // æ°æ®åºèµæºå°å

        String downloadPath = localPath + StringUtils.substringAfter(name, Constants.RESOURCE_PREFIX);

        // ä¸è½½åç§°

        String downloadName = StringUtils.substringAfterLast(downloadPath, "/");

        response.setCharacterEncoding("utf-8");

        response.setContentType("multipart/form-data");

        response.setHeader("Content-Disposition",

                "attachment;fileName=" + FileUtils.setFileDownloadHeader(request, downloadName));

        FileUtils.writeBytes(downloadPath, response.getOutputStream());

        try

        {

            if (!FileUtils.checkAllowDownload(resource))

            {

                throw new Exception(StringUtils.format("èµæºæä»¶({})éæ³ï¼ä¸åè®¸ä¸è½½ã ", resource));

            }

            // æ¬å°èµæºè·¯å¾

            String localPath = RuoYiConfig.getProfile();

            // æ°æ®åºèµæºå°å

            String downloadPath = localPath + StringUtils.substringAfter(resource, Constants.RESOURCE_PREFIX);

            // ä¸è½½åç§°

            String downloadName = StringUtils.substringAfterLast(downloadPath, "/");

            response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE);

            FileUtils.setAttachmentResponseHeader(response, downloadName);

            FileUtils.writeBytes(downloadPath, response.getOutputStream());

        }

        catch (Exception e)

        {

            log.error("ä¸è½½æä»¶å¤±è´¥", e);

        }

    }

}

¶Ô±ÈÐÂÎÄ¼þ
			@@ -0,0 +1,47 @@
			package com.ruoyi.common.utils.file;

			import java.io.File;
			import org.apache.commons.lang3.StringUtils;

			/**
			* æä»¶ç±»åå·¥å·ç±»
			*
			* @author ruoyi
			*/
			public class FileTypeUtils
			{
			/**
			* è·åæä»¶ç±»å
			* <p>
			* ä¾å¦: ruoyi.txt, è¿å: txt
			*
			* @param file æä»¶å
			* @return åç¼ï¼ä¸å«".")
			*/
			public static String getFileType(File file)
			{
			if (null == file)
			{
			return StringUtils.EMPTY;
			}
			return getFileType(file.getName());
			}

			/**
			* è·åæä»¶ç±»å
			* <p>
			* ä¾å¦: ruoyi.txt, è¿å: txt
			*
			* @param fileName æä»¶å
			* @return åç¼ï¼ä¸å«".")
			*/
			public static String getFileType(String fileName)
			{
			int separatorIndex = fileName.lastIndexOf(".");
			if (separatorIndex < 0)
			{
			return "";
			}
			return fileName.substring(separatorIndex + 1).toLowerCase();
			}
			}

			@@ -7,7 +7,11 @@
			import java.io.OutputStream;
			import java.io.UnsupportedEncodingException;
			import java.net.URLEncoder;
			import java.nio.charset.StandardCharsets;
			import javax.servlet.http.HttpServletRequest;
			import javax.servlet.http.HttpServletResponse;
			import org.apache.commons.lang3.ArrayUtils;
			import com.ruoyi.common.utils.StringUtils;

			/**
			* æä»¶å¤çå·¥å·ç±»
			@@ -105,14 +109,37 @@
			}

			/**
			* æ£æ¥æä»¶æ¯å¦å¯ä¸è½½
			*
			* @param resource éè¦ä¸è½½çæä»¶
			* @return true æ£å¸¸ false éæ³
			*/
			public static boolean checkAllowDownload(String resource)
			{
			// ç¦æ¢ç®å½ä¸è·³çº§å«
			if (StringUtils.contains(resource, ".."))
			{
			return false;
			}

			// æ£æ¥åè®¸ä¸è½½çæä»¶è§å
			if (ArrayUtils.contains(MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION, FileTypeUtils.getFileType(resource)))
			{
			return true;
			}

			// ä¸å¨åè®¸ä¸è½½çæä»¶è§å
			return false;
			}

			/**
			* ä¸è½½æä»¶åéæ°ç¼ç
			*
			* @param request è¯·æ±å¯¹è±¡
			* @param fileName æä»¶å
			* @return ç¼ç åçæä»¶å
			*/
			public static String setFileDownloadHeader(HttpServletRequest request, String fileName)
			throws UnsupportedEncodingException
			public static String setFileDownloadHeader(HttpServletRequest request, String fileName) throws UnsupportedEncodingException
			{
			final String agent = request.getHeader("USER-AGENT");
			String filename = fileName;
			@@ -139,4 +166,38 @@
			}
			return filename;
			}

			/**
			* ä¸è½½æä»¶åéæ°ç¼ç
			*
			* @param response ååºå¯¹è±¡
			* @param realFileName çå®æä»¶å
			* @return
			*/
			public static void setAttachmentResponseHeader(HttpServletResponse response, String realFileName) throws UnsupportedEncodingException
			{
			String percentEncodedFileName = percentEncode(realFileName);

			StringBuilder contentDispositionValue = new StringBuilder();
			contentDispositionValue.append("attachment; filename=")
			.append(percentEncodedFileName)
			.append(";")
			.append("filename*=")
			.append("utf-8''")
			.append(percentEncodedFileName);

			response.setHeader("Content-disposition", contentDispositionValue.toString());
			}

			/**
			* ç¾åå·ç¼ç å·¥å·æ¹æ³
			*
			* @param s éè¦ç¾åå·ç¼ç çåç¬¦ä¸²
			* @return ç¾åå·ç¼ç åçåç¬¦ä¸²
			*/
			public static String percentEncode(String s) throws UnsupportedEncodingException
			{
			String encode = URLEncoder.encode(s, StandardCharsets.UTF_8.toString());
			return encode.replaceAll("\\+", "%20");
			}
			}

			@@ -5,6 +5,7 @@
			import org.slf4j.Logger;
			import org.slf4j.LoggerFactory;
			import org.springframework.beans.factory.annotation.Autowired;
			import org.springframework.http.MediaType;
			import org.springframework.web.bind.annotation.GetMapping;
			import org.springframework.web.bind.annotation.PostMapping;
			import org.springframework.web.bind.annotation.RestController;
			@@ -41,17 +42,15 @@
			{
			try
			{
			if (!FileUtils.isValidFilename(fileName))
			if (!FileUtils.checkAllowDownload(fileName))
			{
			throw new Exception(StringUtils.format("æä»¶åç§°({})éæ³ï¼ä¸åè®¸ä¸è½½ã ", fileName));
			}
			String realFileName = System.currentTimeMillis() + fileName.substring(fileName.indexOf("_") + 1);
			String filePath = RuoYiConfig.getDownloadPath() + fileName;

			response.setCharacterEncoding("utf-8");
			response.setContentType("multipart/form-data");
			response.setHeader("Content-Disposition",
			"attachment;fileName=" + FileUtils.setFileDownloadHeader(request, realFileName));
			response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE);
			FileUtils.setAttachmentResponseHeader(response, realFileName);
			FileUtils.writeBytes(filePath, response.getOutputStream());
			if (delete)
			{
			@@ -92,18 +91,28 @@
			* æ¬å°èµæºéç¨ä¸è½½
			*/
			@GetMapping("/common/download/resource")
			public void resourceDownload(String name, HttpServletRequest request, HttpServletResponse response) throws Exception
			public void resourceDownload(String resource, HttpServletRequest request, HttpServletResponse response)
			throws Exception
			{
			// æ¬å°èµæºè·¯å¾
			String localPath = RuoYiConfig.getProfile();
			// æ°æ®åºèµæºå°å
			String downloadPath = localPath + StringUtils.substringAfter(name, Constants.RESOURCE_PREFIX);
			// ä¸è½½åç§°
			String downloadName = StringUtils.substringAfterLast(downloadPath, "/");
			response.setCharacterEncoding("utf-8");
			response.setContentType("multipart/form-data");
			response.setHeader("Content-Disposition",
			"attachment;fileName=" + FileUtils.setFileDownloadHeader(request, downloadName));
			FileUtils.writeBytes(downloadPath, response.getOutputStream());
			try
			{
			if (!FileUtils.checkAllowDownload(resource))
			{
			throw new Exception(StringUtils.format("èµæºæä»¶({})éæ³ï¼ä¸åè®¸ä¸è½½ã ", resource));
			}
			// æ¬å°èµæºè·¯å¾
			String localPath = RuoYiConfig.getProfile();
			// æ°æ®åºèµæºå°å
			String downloadPath = localPath + StringUtils.substringAfter(resource, Constants.RESOURCE_PREFIX);
			// ä¸è½½åç§°
			String downloadName = StringUtils.substringAfterLast(downloadPath, "/");
			response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE);
			FileUtils.setAttachmentResponseHeader(response, downloadName);
			FileUtils.writeBytes(downloadPath, response.getOutputStream());
			}
			catch (Exception e)
			{
			log.error("ä¸è½½æä»¶å¤±è´¥", e);
			}
			}
			}