base/file-online-preview
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #370

Browse Source
This commit is contained in:
kl
2022-07-25 18:33:22 +08:00
committed by kl
parent b099d52520
commit 86960e3813
2 changed files with 45 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
server/src/main/java/cn/keking/utils/KkFileUtils.java
View File

@ -7,6 +7,8 @@ import org.slf4j.LoggerFactory;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.net.URL; import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects; import java.util.Objects;
public class KkFileUtils { public class KkFileUtils {
@ -15,6 +17,33 @@ public class KkFileUtils {
public static final String DEFAULT_FILE_ENCODING = "UTF-8"; public static final String DEFAULT_FILE_ENCODING = "UTF-8";
private static final List<String> illegalFileStrList = new ArrayList<>();
static {
illegalFileStrList.add("../");
illegalFileStrList.add("./");
illegalFileStrList.add("..\\");
illegalFileStrList.add(".\\");
illegalFileStrList.add("\\..");
illegalFileStrList.add("\\.");
illegalFileStrList.add("..");
illegalFileStrList.add("...");
}
/**
* 检查文件名是否合规
* @param fileName 文件名
* @return 合规结果,true:不合规false:合规
*/
public static boolean isIllegalFileName(String fileName){
for (String str: illegalFileStrList){
if(fileName.contains(str)){
return true;
}
}
return false;
}
/** /**
* 判断url是否是http资源 * 判断url是否是http资源
* *

27
server/src/main/java/cn/keking/web/controller/FileController.java
View File

@ -2,8 +2,8 @@ package cn.keking.web.controller;
import cn.keking.config.ConfigConstants; import cn.keking.config.ConfigConstants;
import cn.keking.model.ReturnResponse; import cn.keking.model.ReturnResponse;
import cn.keking.utils.KkFileUtils;
import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.util.StreamUtils; import org.springframework.util.StreamUtils;
@ -41,9 +41,9 @@ public class FileController {
private final String demoPath = demoDir + File.separator; private final String demoPath = demoDir + File.separator;
@PostMapping("/fileUpload") @PostMapping("/fileUpload")
public String fileUpload(@RequestParam("file") MultipartFile file) throws JsonProcessingException { public ReturnResponse<Object> fileUpload(@RequestParam("file") MultipartFile file) throws JsonProcessingException {
if (ConfigConstants.getFileUploadDisable()) { if (ConfigConstants.getFileUploadDisable()) {
return new ObjectMapper().writeValueAsString(ReturnResponse.failure("文件传接口已禁用")); return ReturnResponse.failure("文件传接口已禁用");
} }
// 获取文件名 // 获取文件名
String fileName = file.getOriginalFilename(); String fileName = file.getOriginalFilename();
@ -64,7 +64,7 @@ public class FileController {
} }
// 判断是否存在同名文件 // 判断是否存在同名文件
if (existsFile(fileName)) { if (existsFile(fileName)) {
return new ObjectMapper().writeValueAsString(ReturnResponse.failure("存在同名文件,请先删除原有文件再次上传")); return ReturnResponse.failure("存在同名文件,请先删除原有文件再次上传");
} }
File outFile = new File(fileDir + demoPath); File outFile = new File(fileDir + demoPath);
if (!outFile.exists() && !outFile.mkdirs()) { if (!outFile.exists() && !outFile.mkdirs()) {
@ -73,28 +73,33 @@ public class FileController {
logger.info("上传文件:{}", fileDir + demoPath + fileName); logger.info("上传文件:{}", fileDir + demoPath + fileName);
try (InputStream in = file.getInputStream(); OutputStream out = new FileOutputStream(fileDir + demoPath + fileName)) { try (InputStream in = file.getInputStream(); OutputStream out = new FileOutputStream(fileDir + demoPath + fileName)) {
StreamUtils.copy(in, out); StreamUtils.copy(in, out);
return new ObjectMapper().writeValueAsString(ReturnResponse.success(null)); return ReturnResponse.success(null);
} catch (IOException e) { } catch (IOException e) {
logger.error("文件上传失败", e); logger.error("文件上传失败", e);
return new ObjectMapper().writeValueAsString(ReturnResponse.failure()); return ReturnResponse.failure();
} }
} }
@GetMapping("/deleteFile") @GetMapping("/deleteFile")
public String deleteFile(String fileName) throws JsonProcessingException { public ReturnResponse<Object> deleteFile(String fileName) throws JsonProcessingException {
if (fileName.contains("/")) { if (fileName.contains("/")) {
fileName = fileName.substring(fileName.lastIndexOf("/") + 1); fileName = fileName.substring(fileName.lastIndexOf("/") + 1);
} }
if (KkFileUtils.isIllegalFileName(fileName)) {
return ReturnResponse.failure("非法文件名,删除失败!");
}
File file = new File(fileDir + demoPath + fileName); File file = new File(fileDir + demoPath + fileName);
logger.info("删除文件:{}", file.getAbsolutePath()); logger.info("删除文件:{}", file.getAbsolutePath());
if (file.exists() && !file.delete()) { if (file.exists() && !file.delete()) {
logger.error("删除文件【{}】失败,请检查目录权限!", file.getPath()); String msg = String.format("删除文件【%s】失败,请检查目录权限!", file.getPath());
logger.error(msg);
return ReturnResponse.failure(msg);
} }
return new ObjectMapper().writeValueAsString(ReturnResponse.success()); return ReturnResponse.success();
} }
@GetMapping("/listFiles") @GetMapping("/listFiles")
public String getFiles() throws JsonProcessingException { public List<Map<String, String>> getFiles() throws JsonProcessingException {
List<Map<String, String>> list = new ArrayList<>(); List<Map<String, String>> list = new ArrayList<>();
File file = new File(fileDir + demoPath); File file = new File(fileDir + demoPath);
if (file.exists()) { if (file.exists()) {
@ -104,7 +109,7 @@ public class FileController {
list.add(fileName); list.add(fileName);
}); });
} }
return new ObjectMapper().writeValueAsString(list); return list;
} }
private boolean existsFile(String fileName) { private boolean existsFile(String fileName) {