refactor: 优化静态图片上传，防止伪装文件上传到服务器 (#17060)

2026-05-15 05:22:13 +08:00 · 2025-09-22 22:22:02 +08:00
parent b442e9ed39
commit 6ce18b5b2b
1 changed files with 41 additions and 1 deletions
--- a/core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java
+++ b/core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java
@@ -18,9 +18,11 @@ import org.springframework.web.multipart.MultipartFile;
 import org.w3c.dom.Document;
 import org.xml.sax.SAXException;

+import javax.imageio.ImageIO;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import java.awt.image.BufferedImage;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Files;
@@ -29,6 +31,7 @@ import java.nio.file.Paths;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;

@RestController
@RequestMapping("/staticResource")
@@ -69,8 +72,45 @@ public class StaticResourceServer implements StaticResourceApi {
        if (StringUtils.isEmpty(mimeType)) {
            return false;
        }
+        if (!hasValidImageExtension(file.getOriginalFilename())) {
+            return false;
+        }
        // 判断是否为图片或SVG
-        return (isImageCheckType(file)) || isValidSVG(file);
+        return (isImageOther(file)) || isValidSVG(file);
+    }
+
+    private boolean hasValidImageExtension(String filename) {
+        if (StringUtils.isEmpty(filename)) {
+            return false;
+        }
+        // 转换为小写进行比较
+        String lowerFilename = filename.toLowerCase();
+        // 允许的图片后缀名列表
+        Set<String> allowedExtensions = Set.of(
+                ".gif", ".svg", ".png", ".jpeg", ".jpg"
+        );
+
+        for (String ext : allowedExtensions) {
+            if (lowerFilename.endsWith(ext)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    private boolean isImageOther(MultipartFile file) {
+        BufferedImage image = null;
+        try (InputStream input = file.getInputStream()) {
+            image = ImageIO.read(input);
+        } catch (IOException e) {
+            LogUtil.error(e.getMessage(), e);
+            return false;
+        }
+        if (image == null || image.getWidth() <= 0 || image.getHeight() <= 0) {
+            return false;
+        }
+        return true;
    }

    public void saveFilesToServe(String staticResource) {