From f8ca27209594d67dd766c8a58d7842364147d6bf Mon Sep 17 00:00:00 2001 From: Pu Zhibing <393733352@qq.com> Date: 星期四, 18 九月 2025 17:18:45 +0800 Subject: [PATCH] 修改安全漏洞 --- management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java | 144 ++++++++++++++++++++++++++++++++++-------------- 1 files changed, 102 insertions(+), 42 deletions(-) diff --git a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java index f83729a..ccc8887 100644 --- a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java +++ b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java @@ -1,12 +1,17 @@ package com.stylefeng.guns.modular.system.controller.util; +import com.heredata.hos.model.bucket.Bucket; import com.stylefeng.guns.config.properties.GunsProperties; import com.stylefeng.guns.core.base.controller.BaseController; import com.stylefeng.guns.core.common.exception.BizExceptionEnum; import com.stylefeng.guns.core.exception.GunsException; import com.stylefeng.guns.core.util.ObsUploadUtil; +import com.stylefeng.guns.core.util.ToolUtil; import com.stylefeng.guns.modular.system.util.OssUploadUtil; +import com.stylefeng.guns.modular.system.util.ResultUtil; import com.stylefeng.guns.modular.system.util.huawei.OBSUtil; +import com.stylefeng.guns.modular.system.util.qianyuntong.NCOSSUtil; +import com.stylefeng.guns.modular.system.util.qianyuntong.QianYunTongConfig; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -35,6 +40,9 @@ @Autowired private GunsProperties gunsProperties; + + @Autowired + private QianYunTongConfig qianYunTongConfig; /** * 上传图片(上传到项目的webapp/static/img) 
@@ -63,15 +71,42 @@ public Map<String, Object> saveimg(HttpServletRequest request) { Map<String, Object> m = new HashMap<>(); try { - + String ossUpload = null; MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request; MultipartFile file = (MultipartFile) multipartRequest.getFile("myfile"); + QianYunTongConfig qianYunTongConfig1 = qianYunTongConfig.getQianYunTongConfig(); if (file.getSize() != 0) { - InputStream inputStream = file.getInputStream(); - String name = file.getOriginalFilename(); - name = UUIDUtil.getRandomCode() + name.substring(name.lastIndexOf(".")); - ossUpload = OBSUtil.putObjectToBucket(inputStream, name); + String fileSuffix = ToolUtil.getFileSuffix(file.getOriginalFilename()); + if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg")){ + throw new RuntimeException("请上传png/jpg的图片文件"); + } + String pictureName = UUID.randomUUID().toString() + "." + fileSuffix; + String bucketName = qianYunTongConfig1.getBucketName(); + Bucket grjyTest = NCOSSUtil.getBucketInfo(bucketName); + if (null == grjyTest) { + //创建桶 + Boolean bucket = NCOSSUtil.createBucket(bucketName); + if (!bucket) { + throw new RuntimeException("创建存储桶失败"); + } + //设置桶策略 + String policyText = "{\"Version\":\"2025-06-23\",\"Statement\":[{\"Sid\":\"Stmt20250623\",\"Action\":[\"GetObject\"],\"Effect\":\"Allow\",\"Resource\":\"" + bucketName + "/*\",\"Principal\":\"*\"}]}"; + Boolean bucketPolicy = NCOSSUtil.setBucketPolicy(bucketName, policyText); + if (!bucketPolicy) { + throw new RuntimeException("设置桶策略失败"); + } + } + //上传对象 + String key = "imgs/management/" + pictureName; + String object = NCOSSUtil.putObject(bucketName, key, file.getInputStream()); + if (null == object) { + throw new RuntimeException("上传图片失败"); + } + + ossUpload = "https://traffic.qytzt.cn/v1/AUTH_" + qianYunTongConfig1.getAccount() + "/" + bucketName + "/" + key; + + // ossUpload = OssUploadUtil.ossUpload(request, file); // ossUpload = 
ObsUploadUtil.obsUpload(super.getHttpServletRequest(), file); m.put("imgUrl", ossUpload); 
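Review bot: The new suffix check in saveimg, `if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg"))`, is a substring test rather than an allowlist: `"jpeg"` no longer passes (the removed checks in image() and imageUp() accepted it), any suffix that merely contains `png` or `jpg` is accepted, and whether ToolUtil.getFileSuffix lowercases its result is not visible here. An exact, case-insensitive comparison is safer, e.g. `if (!("png".equalsIgnoreCase(fileSuffix) || "jpg".equalsIgnoreCase(fileSuffix) || "jpeg".equalsIgnoreCase(fileSuffix))) {`, and since the extension is client-supplied, checking the stream's leading magic bytes before `putObject` would be the stronger control. `file.getOriginalFilename()` can also be null with some multipart clients, and this line passes it straight into getFileSuffix. The same check is repeated verbatim in the image() and imageUp() hunks; saveimg's try block continues past the end of this hunk.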
@@ -86,25 +121,41 @@ @ResponseBody public String image(@RequestPart("file") MultipartFile picture, HttpServletRequest request) { try { - MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request; - MultipartFile file = (MultipartFile) picture; - String name = file.getOriginalFilename(); - String s = name.substring(name.lastIndexOf(".") + 1).toLowerCase(); - if(!s.equals("jpg") && !s.equals("png") && !s.equals("jpeg")){ + String fileSuffix = ToolUtil.getFileSuffix(picture.getOriginalFilename()); + if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg")){ + return "请上传png/jpg的图片文件"; + } + String pictureName = UUID.randomUUID().toString() + "." + fileSuffix; + QianYunTongConfig qianYunTongConfig1 = qianYunTongConfig.getQianYunTongConfig(); + String bucketName = qianYunTongConfig1.getBucketName(); + System.err.println("bucketName:"+bucketName); + Bucket grjyTest = NCOSSUtil.getBucketInfo(bucketName); + if (null == grjyTest) { + //创建桶 + Boolean bucket = NCOSSUtil.createBucket(bucketName); + if (!bucket) { + return null; + } + //设置桶策略 + String policyText = "{\"Version\":\"2025-06-23\",\"Statement\":[{\"Sid\":\"Stmt20250623\",\"Action\":[\"GetObject\"],\"Effect\":\"Allow\",\"Resource\":\"" + bucketName + "/*\",\"Principal\":\"*\"}]}"; + Boolean bucketPolicy = NCOSSUtil.setBucketPolicy(bucketName, policyText); + if (!bucketPolicy) { + return null; + } + } + //上传对象 + String key = "imgs/management/" + pictureName; + String object = NCOSSUtil.putObject(bucketName, key, picture.getInputStream()); + if (null == object) { return null; } - long size = file.getSize(); - if(size > 524288000L){//500M限制 - return "请上传500M以内的文件"; - } - InputStream inputStream = file.getInputStream(); - String name1 = file.getOriginalFilename(); - name1 = UUIDUtil.getRandomCode() + name1.substring(name1.lastIndexOf(".")); -// String pictureName = OBSUtil.putObjectToBucket(inputStream, name1); - String pictureName = OssUploadUtil.ossUpload(request, file); -// String 
pictureName = ObsUploadUtil.obsUpload(super.getHttpServletRequest(), picture); + + pictureName = "https://traffic.qytzt.cn/v1/AUTH_" + qianYunTongConfig1.getAccount() + "/" + bucketName + "/" + key; + + System.out.println("mediaResp"); return pictureName; - } catch (IOException e1) { + } catch (Exception e1) { + e1.printStackTrace(); return null; } } 
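Review bot: image() now writes diagnostics with `System.err.println("bucketName:"+bucketName)`, `System.out.println("mediaResp")` and `e1.printStackTrace()` instead of the slf4j Logger this file imports, so the bucket name and stack trace go to stdout/stderr and the widened `catch (Exception e1)` then returns null to the caller with no record of why the upload failed. Replace the two prints with a logger call or drop them, and log the failure in the catch, e.g. `log.error("image upload failed", e1); return null;` (the logger field's actual name is outside this hunk). The bucket-creation and policy failures in this method also fall through to `return null`, while saveimg and imageUp throw on the same conditions; settling on one convention would make the three endpoints behave alike.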
@@ -138,31 +189,40 @@ */ @RequestMapping("/imageUp") public String imageUp(@RequestPart("upfile") MultipartFile picture, HttpServletRequest request) { - long size = picture.getSize(); - if(size > 524288000L){//500M限制 - return "请上传500M以内的文件"; - } String callback = request.getParameter("callback"); - String pictureName = UUID.randomUUID().toString() + ".jpg"; try { - // 上传文件目录 - //String fileSavePath = gunsProperties.getFileUploadPath(); - //picture.transferTo(new File(fileSavePath + pictureName)); - // 文件全路径 - //pictureName = gunsProperties.getPictureServerAddress() + pictureName; -// pictureName = ObsUploadUtil.obsUpload(super.getHttpServletRequest(), picture); - - String name = picture.getOriginalFilename(); - String s = name.substring(name.lastIndexOf(".") + 1).toLowerCase(); - if(!s.equals("jpg") && !s.equals("png") && !s.equals("jpeg")){ - return null; + String fileSuffix = ToolUtil.getFileSuffix(picture.getOriginalFilename()); + if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg")){ + throw new RuntimeException("请上传png/jpg的图片文件"); } - InputStream inputStream = picture.getInputStream(); - String name1 = picture.getOriginalFilename(); - name1 = UUIDUtil.getRandomCode() + name1.substring(name1.lastIndexOf(".")); - pictureName = OBSUtil.putObjectToBucket(inputStream, name1); + // 上传文件目录 + String pictureName = UUID.randomUUID().toString() + "." 
+ fileSuffix; + QianYunTongConfig qianYunTongConfig1 = qianYunTongConfig.getQianYunTongConfig(); + String bucketName = qianYunTongConfig1.getBucketName(); + Bucket grjyTest = NCOSSUtil.getBucketInfo(bucketName); + if (null == grjyTest) { + //创建桶 + Boolean bucket = NCOSSUtil.createBucket(bucketName); + if (!bucket) { + throw new RuntimeException("创建存储桶失败"); + } + //设置桶策略 + String policyText = "{\"Version\":\"2025-06-23\",\"Statement\":[{\"Sid\":\"Stmt20250623\",\"Action\":[\"GetObject\"],\"Effect\":\"Allow\",\"Resource\":\"" + bucketName + "/*\",\"Principal\":\"*\"}]}"; + Boolean bucketPolicy = NCOSSUtil.setBucketPolicy(bucketName, policyText); + if (!bucketPolicy) { + throw new RuntimeException("设置桶策略失败"); + } + } + //上传对象 + String key = "imgs/management/" + pictureName; + String object = NCOSSUtil.putObject(bucketName, key, picture.getInputStream()); + if (null == object) { + throw new RuntimeException("上传图片失败"); + } + + pictureName = "https://traffic.qytzt.cn/v1/AUTH_" + qianYunTongConfig1.getAccount() + "/" + bucketName + "/" + key; // pictureName = OssUploadUtil.ossUpload(super.getHttpServletRequest(), picture); - + String result = "{'original': '" + picture.getOriginalFilename() + "', 'state': 'SUCCESS', 'url': '" + pictureName + "'}"; if (callback == null) { return result; -- Gitblit v1.7.1
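Review bot: The 500 MB guard `if(size > 524288000L)` is deleted from imageUp (and from image() in the previous hunk) without a replacement in the new code, so unless a multipart max-file-size limit is configured elsewhere, the whole request stream is handed to `NCOSSUtil.putObject` regardless of size. Restoring the check ahead of the suffix test, `if (picture.getSize() > 524288000L) { return "请上传500M以内的文件"; }`, keeps the previous limit; a lower bound suited to images would be better still. The bucket lookup, creation and policy block is now copied verbatim into three methods and would read better as one private helper (e.g. `ensureBucket(String bucketName)`) that either returns or throws. The `result` string on the context line below still concatenates `picture.getOriginalFilename()` unescaped into the JSON-style response; that predates this commit but is worth escaping while the method is being reworked. imageUp's try block continues past the end of this hunk.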