From 628450ded3b738f62f68bc2f7cb90804331eb201 Mon Sep 17 00:00:00 2001 From: Pu Zhibing <393733352@qq.com> Date: 星期二, 18 二月 2025 15:10:59 +0800 Subject: [PATCH] 修复上传文件漏洞 --- ruoyi-gateway/src/main/java/com/ruoyi/gateway/config/properties/SignProperties.java | 12 ++++++ ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/FileController.java | 23 +++++++++++ ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java | 11 +++++ ruoyi-service/ruoyi-integration/src/main/java/com/ruoyi/integration/iotda/utils/tools/MessageUtil.java | 10 ++++ ruoyi-service/ruoyi-integration/src/main/java/com/ruoyi/integration/rocket/produce/ChargingMessageListener.java | 5 ++ 5 files changed, 58 insertions(+), 3 deletions(-) diff --git a/ruoyi-gateway/src/main/java/com/ruoyi/gateway/config/properties/SignProperties.java b/ruoyi-gateway/src/main/java/com/ruoyi/gateway/config/properties/SignProperties.java index bcb77e1..10d2272 100644 --- a/ruoyi-gateway/src/main/java/com/ruoyi/gateway/config/properties/SignProperties.java +++ b/ruoyi-gateway/src/main/java/com/ruoyi/gateway/config/properties/SignProperties.java @@ -16,6 +16,10 @@ public class SignProperties { private Boolean enable; + /** + * 放行白名单配置,网关不校验此处的白名单 + */ + private List<String> whites = new ArrayList<>(); public Boolean getEnable() { return enable; @@ -24,4 +28,12 @@ public void setEnable(Boolean enable) { this.enable = enable; } + + public List<String> getWhites() { + return whites; + } + + public void setWhites(List<String> whites) { + this.whites = whites; + } } diff --git a/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/FileController.java b/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/FileController.java index 9c04233..4f6954b 100644 --- a/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/FileController.java 
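Review bot: `getWhites()` hands out the live list and `setWhites` stores the caller's reference, so any code that obtains the getter result can add a path to a list which, per the new field comment, makes the gateway skip its checks; a defensive copy on both sides is cheap here, `return Collections.unmodifiableList(whites);` and `this.whites = whites == null ? new ArrayList<>() : new ArrayList<>(whites);`. The null guard in the setter also keeps the getter from returning null when binding supplies no value, which the field initializer alone does not cover. Spring's property binder normally populates a list through its setter when one exists, so the copy should not disturb binding, but confirm against the gateway filter that reads this property, which is not part of this patch. The added lines use `List` and `ArrayList` without an import hunk for this file, so presumably `java.util` is already imported there; `Collections` would need one as well.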
+++ b/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/FileController.java @@ -1,17 +1,23 @@ package com.ruoyi.account.controller; +import com.alibaba.fastjson2.util.UUIDUtils; import com.ruoyi.account.config.FileUploadConfig; import com.ruoyi.common.core.web.domain.AjaxResult; +import com.ruoyi.common.security.service.TokenService; import io.swagger.annotations.Api; import io.swagger.annotations.ApiOperation; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.data.redis.core.RedisTemplate; import org.springframework.web.bind.annotation.*; import org.springframework.web.multipart.MultipartFile; +import javax.annotation.Resource; import java.io.File; import java.io.IOException; import java.text.SimpleDateFormat; import java.util.Date; +import java.util.UUID; +import java.util.concurrent.TimeUnit; /** * 文件上传控制类 @@ -26,12 +32,22 @@ @Autowired private FileUploadConfig fileUploadConfig; + + @Resource + private TokenService tokenService; + + @Resource + private RedisTemplate redisTemplate; @ApiOperation(value = "单文件上传", notes = "单文件上传,rename 默认不重命名") @PostMapping(value = "upload", headers = "content-type=multipart/form-data") public AjaxResult uploadImageMany(@RequestParam(value = "file") MultipartFile mf) throws IOException { + Long userId = tokenService.getLoginUserApplet().getUserId(); + if(null == userId){ + return AjaxResult.error("请先登录"); + } if (mf.isEmpty()) { return AjaxResult.error("请传入文件!"); } 
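Review bot: `tokenService.getLoginUserApplet().getUserId()` on the first added line of `uploadImageMany` dereferences the login-user object before the `null == userId` guard, so if `getLoginUserApplet()` returns null for an unauthenticated caller (its contract is not visible here) the request ends in a NullPointerException instead of the intended `请先登录` response; hold the result in a local and test it for null before calling `getUserId()`. The new `redisTemplate` field is declared with the raw `RedisTemplate` type, which is what later forces a `.toString()` on the cached value in TAppUserController; a parameterised declaration such as `RedisTemplate<String, String>` would document what is stored, provided a bean of that type is configured. The import of `com.alibaba.fastjson2.util.UUIDUtils` in the first hunk of this file is not used by the added code, which calls `UUID.randomUUID()`. The body of `uploadImageMany` continues past the end of the hunk.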
@@ -44,18 +60,23 @@ } // 获取文件名称 String filename = mf.getOriginalFilename(); + if(filename.contains("../")){ + filename = filename.replaceAll("\\.\\./", ""); + } // 获取文件后缀 - String ext = filename.substring(filename.lastIndexOf(".") + 1, filename.length()); + String ext = filename.substring(filename.lastIndexOf(".") + 1); // 检查文件类型 if (!fileUploadConfig.getAllowExt().contains(ext)) { return AjaxResult.error("上传文件格式不正确,仅支持" + fileUploadConfig.getAllowExt()); } + filename = UUID.randomUUID() + "." + ext; File targetFile = new File(realPath, filename);//目标文件 //开始从源文件拷贝到目标文件 //传图片一步到位 mf.transferTo(targetFile); //拼接数据 String imgstr = fileUploadConfig.getAccessPath() + TimeDir +"/"+ filename; + redisTemplate.opsForValue().set("file:" + userId, filename, 1, TimeUnit.HOURS); return AjaxResult.success(imgstr); } diff --git a/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java b/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java index 5ad844e..5178dc2 100644 --- a/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java +++ b/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java @@ -52,6 +52,7 @@ import io.swagger.annotations.ApiOperation; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.data.redis.core.RedisTemplate; import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.*; import org.springframework.web.client.RestTemplate; @@ -63,6 +64,7 @@ import java.time.LocalDate; import java.time.LocalDateTime; import java.util.*; +import java.util.concurrent.TimeUnit; import java.util.stream.Collectors; /** @@ -120,6 +122,9 @@ private TAppUserCarService carService; @Resource private IntegralRuleClient integralRuleClient; + + @Resource + private RedisTemplate redisTemplate; @Resource 
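Review bot: The check on the `if (!fileUploadConfig.getAllowExt().contains(ext))` line is now the only thing deciding what lands on disk, and `ext` is still derived from the raw client name: with no dot in the name `lastIndexOf` returns -1 and `ext` becomes the whole filename, the comparison is case-sensitive, and if `getAllowExt()` is a comma-separated string (its type is not visible here) `contains` is a substring test, so a one-letter `ext` would pass a list like `jpg,png`. The `../` stripping above it no longer influences the stored path because the name is replaced by a UUID a few lines later, but a `/` or `\` inside `ext` still reaches `new File(realPath, filename)`, and `getOriginalFilename()` may return null, which throws on `filename.contains`. I would accept only a plain lower-cased alphanumeric extension from an exact allow-set (split a comma string into a `Set` first) and delete the dead `../` branch, as below; `Locale` needs `java.util.Locale` imported, and `uploadImageMany` starts before this hunk.
```java
String filename = mf.getOriginalFilename();
int dot = filename == null ? -1 : filename.lastIndexOf('.');
if (dot < 0 || dot == filename.length() - 1) {
    return AjaxResult.error("上传文件格式不正确,仅支持" + fileUploadConfig.getAllowExt());
}
// Only an alphanumeric extension is accepted, so no separator or dot can reach the File constructor.
String ext = filename.substring(dot + 1).toLowerCase(Locale.ROOT);
if (!ext.matches("[a-z0-9]+") || !fileUploadConfig.getAllowExt().contains(ext)) {
    return AjaxResult.error("上传文件格式不正确,仅支持" + fileUploadConfig.getAllowExt());
}
filename = UUID.randomUUID() + "." + ext;
// … unchanged: targetFile, transferTo, access path, redis bookkeeping …
```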
@@ -715,6 +720,12 @@ @GetMapping(value = "/user/set/avatar") public R avatar(String url) { Long userId = tokenService.getLoginUserApplet().getUserId(); + String fileName = redisTemplate.opsForValue().get("file:" + userId).toString(); + String substring = url.substring(url.lastIndexOf("/") + 1); + if(StringUtils.isEmpty(fileName) || fileName.equals(substring)){ + return R.fail("请重新上传头像"); + } + TAppUser byId = appUserService.getById(userId); byId.setAvatar(url); appUserService.updateById(byId); diff --git a/ruoyi-service/ruoyi-integration/src/main/java/com/ruoyi/integration/iotda/utils/tools/MessageUtil.java b/ruoyi-service/ruoyi-integration/src/main/java/com/ruoyi/integration/iotda/utils/tools/MessageUtil.java index 267029d..caab60d 100644 --- a/ruoyi-service/ruoyi-integration/src/main/java/com/ruoyi/integration/iotda/utils/tools/MessageUtil.java +++ b/ruoyi-service/ruoyi-integration/src/main/java/com/ruoyi/integration/iotda/utils/tools/MessageUtil.java @@ -7,7 +7,11 @@ import com.ruoyi.integration.mongodb.service.*; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.data.redis.core.RedisTemplate; import org.springframework.stereotype.Component; + +import javax.annotation.Resource; +import java.util.concurrent.TimeUnit; @Slf4j @Component @@ -57,6 +61,8 @@ private PlatformRemoteUpdateService platformRemoteUpdateService; @Autowired private QrCodeDeliveryService qrCodeDeliveryService; + @Resource + private RedisTemplate redisTemplate; /** * 登录认证应答 @@ -76,7 +82,9 @@ */ public JSONObject pong(Pong pong){ log.info("心跳包应答:{}", pong); - pongService.create(pong); +// pongService.create(pong); + //存储缓存中,5分钟有效 + redisTemplate.opsForValue().set("pong:" + pong.getCharging_pile_code() + pong.getCharging_gun_code(), pong, 5, TimeUnit.MINUTES); return getMessageJsonString(pong, ServiceIdMenu.PONG.getValue()); } 
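Review bot: The condition `if(StringUtils.isEmpty(fileName) || fileName.equals(substring))` is inverted: it rejects the request exactly when the URL's last path segment matches the name this user just uploaded and accepts every URL that does not, so the check this commit adds never blocks anything. The line before it calls `.toString()` on the raw `get()` result, which throws a NullPointerException once the `file:` key has expired (FileController sets it with a one-hour TTL) or was never set, so the `isEmpty` branch is unreachable for the null case, and `url` is dereferenced without a null check as well. I would read the cached value as an `Object` and correct the sense: `Object cached = redisTemplate.opsForValue().get("file:" + userId);` / `String substring = url == null ? "" : url.substring(url.lastIndexOf("/") + 1);` / `if (cached == null || !cached.toString().equals(substring)) {`. Matching only the last segment still lets the stored avatar point at an arbitrary host, so it is worth also requiring `url` to start with the service's own access path, presumably the value FileController reads from `fileUploadConfig.getAccessPath()` — confirm what this controller has available. `avatar` continues past the end of the hunk.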
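Review bot: The Redis key built on the `redisTemplate.opsForValue().set("pong:" + ...)` line concatenates the pile code and the gun code with no separator, so two different pile/gun pairs whose codes concatenate to the same string would overwrite each other's heartbeat; `"pong:" + pong.getCharging_pile_code() + ":" + pong.getCharging_gun_code()` avoids that, and the same applies to the `ping:` key in the ChargingMessageListener hunk. The line `// pongService.create(pong);` should be deleted rather than commented out now that Redis is the store; version control keeps the history. Storing the `Pong` object directly relies on the template's configured value serializer, which this patch does not show. This hunk also changes heartbeat persistence inside a commit described as an upload fix, which is worth stating in the message if it is intentional.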
diff --git a/ruoyi-service/ruoyi-integration/src/main/java/com/ruoyi/integration/rocket/produce/ChargingMessageListener.java b/ruoyi-service/ruoyi-integration/src/main/java/com/ruoyi/integration/rocket/produce/ChargingMessageListener.java index 4124ed6..045faca 100644 --- a/ruoyi-service/ruoyi-integration/src/main/java/com/ruoyi/integration/rocket/produce/ChargingMessageListener.java +++ b/ruoyi-service/ruoyi-integration/src/main/java/com/ruoyi/integration/rocket/produce/ChargingMessageListener.java @@ -44,6 +44,7 @@ import java.util.Date; import java.util.Objects; import java.util.Set; +import java.util.concurrent.TimeUnit; @Slf4j @Component @@ -151,7 +152,9 @@ // 持久化消息 Ping ping = new Ping(); BeanUtils.copyProperties(pingMessage,ping); - pingService.create(ping); +// pingService.create(ping); + //存储缓存中,5分钟有效 + redisTemplate.opsForValue().set("ping:" + ping.getCharging_pile_code() + ping.getCharging_gun_code(), ping, 5, TimeUnit.MINUTES); UpdateChargingPileStatusVo vo1 = new UpdateChargingPileStatusVo(); vo1.setGun_code(pingMessage.getCharging_gun_code()); -- Gitblit v1.7.1