From 41db2005d5c47d12d6b46003de4eda0c82d2f272 Mon Sep 17 00:00:00 2001
From: wangjiahao <1522128093@qq.com>
Date: Mon, 8 Jun 2026 18:04:59 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=20=E3=80=90=E6=BC=8F=E6=B4=9E=E3=80=91D?=
 =?UTF-8?q?ataEase=20=E9=9D=99=E6=80=81=E8=B5=84=E6=BA=90=20Base64=20?=
 =?UTF-8?q?=E6=8E=A5=E5=8F=A3=E4=BB=BB=E6=84=8F=E6=96=87=E4=BB=B6=E8=AF=BB?=
 =?UTF-8?q?=E5=8F=96=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../dataease/utils/StaticResourceUtils.java | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/sdk/common/src/main/java/io/dataease/utils/StaticResourceUtils.java b/sdk/common/src/main/java/io/dataease/utils/StaticResourceUtils.java
index 76c514daa4..62801e86ee 100644
--- a/sdk/common/src/main/java/io/dataease/utils/StaticResourceUtils.java
+++ b/sdk/common/src/main/java/io/dataease/utils/StaticResourceUtils.java
@@ -10,6 +10,8 @@ import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Base64;
+import java.util.Locale;
+import java.util.Set;
 import java.util.regex.Pattern;
 import static io.dataease.constant.StaticResourceConstants.*;
 
@@ -20,6 +22,10 @@ public class StaticResourceUtils {
 
     private static final Pattern SAFE_RESOURCE_FILE_NAME = Pattern.compile("^[A-Za-z0-9._-]+$");
 
+    private static final Set ALLOWED_RESOURCE_EXTENSIONS = Set.of(
+            ".gif", ".svg", ".png", ".jpeg", ".jpg"
+    );
+
     public static String ensureBoth(@NonNull String string, @NonNull String bothfix) {
         return ensureBoth(string, bothfix, bothfix);
     }
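Review bot: `ALLOWED_RESOURCE_EXTENSIONS` is declared as a raw `Set` in this hunk; if that is the real source and not the `<String>` type argument being lost in rendering, the `for (String ext : ALLOWED_RESOURCE_EXTENSIONS)` loop added at the bottom of the file will not compile, because a raw `Set` iterates as `Object` — declare it `private static final Set<String> ALLOWED_RESOURCE_EXTENSIONS = Set.of(".gif", ".svg", ".png", ".jpeg", ".jpg");`. Separately, `.svg` stays in the allowlist: SVG can carry script, so this is only safe while the Base64 result is consumed through an `<img>`/`data:` URL and never inlined into the page, which I cannot confirm from this diff. A one-line comment on the constant recording that assumption would help, e.g. `// name-based allowlist only; .svg is safe only when rendered via <img>, never inlined as markup`.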
@@ -67,10 +73,18 @@ public class StaticResourceUtils {
             LogUtil.warn("Reject illegal static resource file name: " + imgFile);
             return null;
         }
+        if (!hasAllowedExtension(imgFile)) {
+            LogUtil.warn("Reject static resource with disallowed extension: " + imgFile);
+            return null;
+        }
         Path targetPath = resolveSafeResourcePath(imgFile);
         if (targetPath == null) {
             return null;
         }
+        if (!Files.isRegularFile(targetPath)) {
+            LogUtil.warn("Reject static resource that is not a regular file: " + imgFile);
+            return null;
+        }
         //Convert the picture file into byte array and encode it with Base64
         InputStream inputStream = null;
         byte[] buffer = null;
@@ -120,4 +134,14 @@ public class StaticResourceUtils {
         }
     }
 
+    private static boolean hasAllowedExtension(String fileName) {
+        String lower = fileName.toLowerCase(Locale.ROOT);
+        for (String ext : ALLOWED_RESOURCE_EXTENSIONS) {
+            if (lower.endsWith(ext)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
 }
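Review bot: `Files.isRegularFile(targetPath)` follows symbolic links, so a symlink inside the resource directory named e.g. `x.png` that points at an arbitrary file still passes the regex, the extension allowlist and this new check; unless `resolveSafeResourcePath` (outside this hunk) already canonicalizes with `toRealPath()` and re-checks the base-directory prefix, the read is still reachable through a planted link. Using `if (!Files.isRegularFile(targetPath, LinkOption.NOFOLLOW_LINKS)) {` (with `import java.nio.file.LinkOption;`) rejects links at this layer; resolving the real path and re-verifying it stays under the resource root would be stronger still. The extension check is applied to the raw name before resolution, which is fine here because the name has already been matched against `SAFE_RESOURCE_FILE_NAME`. The enclosing method begins and ends outside the hunk.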
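Review bot: `hasAllowedExtension` has no Javadoc, and a reader of the call site cannot tell that it is a name-only check; add `/** True if fileName (case-folded with Locale.ROOT) ends with an entry of ALLOWED_RESOURCE_EXTENSIONS; inspects the name only, never the file's content. */`. It also accepts a bare dotfile such as `.png`, which `SAFE_RESOURCE_FILE_NAME` lets through — probably harmless, but worth an explicit `fileName.startsWith(".")` rejection if hidden files are never legitimate resources. As a matter of style, the loop collapses to `return ALLOWED_RESOURCE_EXTENSIONS.stream().anyMatch(lower::endsWith);`.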