[fix] 修复安全问题

apps/system/api/upload.go

@@ -2,6 +2,7 @@ package api
 
 import (
 	"fmt"
+	"github.com/kakuilan/kgo"
 	"net/http"
 	"os"
 	"pandax/kit/biz"
@@ -22,6 +23,9 @@ const filePath = "uploads/file"
 func (up *UploadApi) UploadImage(rc *restfulx.ReqCtx) {
 	_, fileHeader, err := rc.Request.Request.FormFile("file")
 	biz.ErrIsNil(err, "请传入文件")
+	// 判断上传文件类型，不支持返回
+	biz.IsTrue(kgo.KFile.IsImg(fileHeader.Filename), "请传入图片文件")
+
 	local := &tool.Local{Path: filePath}
 	link, fileName, err := local.UploadFile(fileHeader)
 	biz.ErrIsNil(err, "文件上传失败")

apps/system/api/user.go

@@ -1,17 +1,16 @@
 package api
 
 import (
+	"github.com/dgrijalva/jwt-go"
+	"github.com/emicklei/go-restful/v3"
+	"github.com/kakuilan/kgo"
+	"github.com/mssola/user_agent"
 	"pandax/apps/system/api/form"
 	"pandax/apps/system/api/vo"
 	"pandax/apps/system/entity"
 	"pandax/kit/model"
 	"pandax/kit/token"
 
-	"github.com/dgrijalva/jwt-go"
-	"github.com/emicklei/go-restful/v3"
-	"github.com/kakuilan/kgo"
-	"github.com/mssola/user_agent"
-
 	logEntity "pandax/apps/log/entity"
 	logServices "pandax/apps/log/services"
 
@@ -336,6 +335,7 @@ func (u *UserApi) ExportUser(rc *restfulx.ReqCtx) {
 	user.Phone = phone
 
 	list := u.UserApp.FindList(user)
+	// 对设置的文件名进行处理
 	fileName := utils.GetFileName(global.Conf.Server.ExcelDir, filename)
 	utils.InterfaceToExcel(*list, fileName)
 	rc.Download(fileName)