[fix] 修复安全问题

apps/system/api/upload.go

@@ -2,6 +2,7 @@ package api
 
 import (
 	"fmt"
+	"github.com/kakuilan/kgo"
 	"net/http"
 	"os"
 	"pandax/kit/biz"
@@ -22,6 +23,9 @@ const filePath = "uploads/file"
 func (up *UploadApi) UploadImage(rc *restfulx.ReqCtx) {
 	_, fileHeader, err := rc.Request.Request.FormFile("file")
 	biz.ErrIsNil(err, "请传入文件")
+	// 判断上传文件类型，不支持返回
+	biz.IsTrue(kgo.KFile.IsImg(fileHeader.Filename), "请传入图片文件")
+
 	local := &tool.Local{Path: filePath}
 	link, fileName, err := local.UploadFile(fileHeader)
 	biz.ErrIsNil(err, "文件上传失败")

apps/system/api/user.go

@@ -1,17 +1,16 @@
 package api
 
 import (
+	"github.com/dgrijalva/jwt-go"
+	"github.com/emicklei/go-restful/v3"
+	"github.com/kakuilan/kgo"
+	"github.com/mssola/user_agent"
 	"pandax/apps/system/api/form"
 	"pandax/apps/system/api/vo"
 	"pandax/apps/system/entity"
 	"pandax/kit/model"
 	"pandax/kit/token"
 
-	"github.com/dgrijalva/jwt-go"
-	"github.com/emicklei/go-restful/v3"
-	"github.com/kakuilan/kgo"
-	"github.com/mssola/user_agent"
-
 	logEntity "pandax/apps/log/entity"
 	logServices "pandax/apps/log/services"
 
@@ -336,6 +335,7 @@ func (u *UserApi) ExportUser(rc *restfulx.ReqCtx) {
 	user.Phone = phone
 
 	list := u.UserApp.FindList(user)
+	// 对设置的文件名进行处理
 	fileName := utils.GetFileName(global.Conf.Server.ExcelDir, filename)
 	utils.InterfaceToExcel(*list, fileName)
 	rc.Download(fileName)

apps/system/services/role_menu.go

@@ -1,7 +1,6 @@
 package services
 
 import (
-	"fmt"
 	"pandax/apps/system/entity"
 	"pandax/kit/biz"
 	"pandax/pkg/global"
@@ -36,18 +35,11 @@ func (m *sysRoleMenuImpl) Insert(roleId int64, menuId []int64) bool {
 	var menu []entity.SysMenu
 	biz.ErrIsNil(global.Db.Table("sys_menus").Where("menu_id in (?)", menuId).Find(&menu).Error, "查询菜单失败")
 
-	//拼接 sql 串
-	sql := "INSERT INTO sys_role_menus (role_id,menu_id,role_name) VALUES "
-
+	menus := make([]entity.SysRoleMenu, 0)
 	for i := 0; i < len(menu); i++ {
-		if len(menu)-1 == i {
-			//最后一条数据 以分号结尾
-			sql += fmt.Sprintf("(%d,%d,'%s');", role.RoleId, menu[i].MenuId, role.RoleKey)
-		} else {
-			sql += fmt.Sprintf("(%d,%d,'%s'),", role.RoleId, menu[i].MenuId, role.RoleKey)
-		}
+		menus = append(menus, entity.SysRoleMenu{RoleId: role.RoleId, MenuId: menu[i].MenuId, RoleName: role.RoleKey})
 	}
-	biz.ErrIsNil(global.Db.Exec(sql).Error, "新增角色菜单失败")
+	biz.ErrIsNil(global.Db.CreateInBatches(&menus, len(menus)).Error, "新增角色菜单失败")
 
 	return true
 }

kit/file/file.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"os"
 	"pandax/kit/biz"
+	"path/filepath"
 	"strconv"
 	"sync"
 )
@@ -130,3 +131,13 @@ func SaveUploadedFile(file *multipart.FileHeader, dst string) error {
 	_, err = io.Copy(out, src)
 	return err
 }
+
+func IsExcl(fpath string) bool {
+	ext := filepath.Ext(fpath)
+	switch ext {
+	case "xls", "xlsx":
+		return true
+	default:
+		return false
+	}
+}

kit/utils/excel.go

@@ -3,6 +3,7 @@ package utils
 import (
 	"fmt"
 	"github.com/xuri/excelize/v2"
+	"path/filepath"
 	"reflect"
 )
 
@@ -18,7 +19,13 @@ func ExportExcel(head []string, datas [][]any, filePath string) error {
 }
 
 func GetFileName(path, filename string) string {
-	return path + filename
+	fn := filepath.Base(filename)
+	ext := filepath.Ext(fn)
+	if ext == "" {
+		fn += ".xlsx"
+	}
+
+	return path + fn
 }
 
 func InterfaceToExcel(data any, fileName string) {

kit/utils/excel_test.go

@@ -13,7 +13,7 @@ func TestExportExcel(t *testing.T) {
 	us := make([]User, 0)
 	us = append(us, User{Name: "张三", Age: 12})
 	us = append(us, User{Name: "李四", Age: 23})
-	name := GetFileName("./", "字典")
+	name := GetFileName("./", "字典.xlsx")
 	t.Log(name)
 	InterfaceToExcel(us, name)
 }