From 6ce18b5b2bb4cc9533cf3ed55461d0c77e82664c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E5=98=89=E8=B1=AA?= <42510293+ziyujiahao@users.noreply.github.com>
Date: Mon, 22 Sep 2025 22:22:02 +0800
Subject: [PATCH] =?UTF-8?q?refactor:=20=E4=BC=98=E5=8C=96=E9=9D=99?= =?UTF-8?q?=E6=80=81=E5=9B=BE=E7=89=87=E4=B8=8A=E4=BC=A0=EF=BC=8C=E9=98=B2?= =?UTF-8?q?=E6=AD=A2=E4=BC=AA=E8=A3=85=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0?= =?UTF-8?q?=E5=88=B0=E6=9C=8D=E5=8A=A1=E5=99=A8=20(#17060)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../server/StaticResourceServer.java | 42 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java b/core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java
index 0ed241e83b..3deeb12a45 100644
--- a/core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java
+++ b/core/core-backend/src/main/java/io/dataease/visualization/server/StaticResourceServer.java
@@ -18,9 +18,11 @@ import org.springframework.web.multipart.MultipartFile;
 import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
+import javax.imageio.ImageIO;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import java.awt.image.BufferedImage;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Files;
@@ -29,6 +31,7 @@ import java.nio.file.Paths;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 @RestController
 @RequestMapping("/staticResource")
@@ -69,8 +72,45 @@ public class StaticResourceServer implements StaticResourceApi {
 if (StringUtils.isEmpty(mimeType)) {
 return false;
 }
+ if (!hasValidImageExtension(file.getOriginalFilename())) {
+ return false;
+ }
 // 判断是否为图片或SVG
- return (isImageCheckType(file)) || isValidSVG(file);
+ return (isImageOther(file)) || isValidSVG(file);
+ }
+
+ private boolean hasValidImageExtension(String filename) {
+ if (StringUtils.isEmpty(filename)) {
+ return false;
+ }
+ // 转换为小写进行比较
+ String lowerFilename = filename.toLowerCase();
+ // 允许的图片后缀名列表
+ Set allowedExtensions = Set.of(
+ ".gif", ".svg", ".png", ".jpeg", ".jpg"
+ );
+
+ for (String ext : allowedExtensions) {
+ if (lowerFilename.endsWith(ext)) {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ private boolean isImageOther(MultipartFile file) {
+ BufferedImage image = null;
+ try (InputStream input = file.getInputStream()) {
+ image = ImageIO.read(input);
+ } catch (IOException e) {
+ LogUtil.error(e.getMessage(), e);
+ return false;
+ }
+ if (image == null || image.getWidth() <= 0 || image.getHeight() <= 0) {
+ return false;
+ }
+ return true;
 }
 public void saveFilesToServe(String staticResource) {
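Review bot: `isImageOther` validates an untrusted upload by fully decoding it with `ImageIO.read`, so a small file whose header declares very large dimensions can force a correspondingly large `BufferedImage` allocation before the `getWidth() <= 0` check ever runs, and an `OutOfMemoryError` raised there is not an `IOException` and is not caught. Reading the header through an `ImageReader` first (`ImageIO.getImageReaders` over an `ImageInputStream`) yields width, height and format name without decoding pixels, so the dimensions can be bounded and the detected format compared with the accepted extension; as written, the extension check and the content checks are independent, so a raster file named `.svg` or an SVG named `.png` still passes, and the SVG branch (`isValidSVG`, outside this hunk) would need the same pairing. The rewrite below needs `javax.imageio.ImageReader`, `javax.imageio.stream.ImageInputStream`, `java.util.Iterator` and `java.util.Locale` added to the imports. In `hasValidImageExtension`, `Set allowedExtensions` is a raw type rebuilt on every call and `toLowerCase()` is locale-sensitive; prefer `private static final Set<String> ALLOWED_EXTENSIONS = Set.of(".gif", ".svg", ".png", ".jpeg", ".jpg");` with `filename.toLowerCase(Locale.ROOT)` and `ALLOWED_EXTENSIONS.stream().anyMatch(lowerFilename::endsWith)`. The enclosing validation method starts before the hunk, so where `mimeType` is derived from is not visible here.

```java
private static final int MAX_IMAGE_DIMENSION = 8192; // constructed example limit; tune per deployment

private boolean isImageOther(MultipartFile file) {
    // Inspect the header first so dimensions and format are known before any pixel buffer is allocated.
    try (InputStream input = file.getInputStream();
         ImageInputStream iis = ImageIO.createImageInputStream(input)) {
        if (iis == null) {
            return false;
        }
        Iterator<ImageReader> readers = ImageIO.getImageReaders(iis);
        if (!readers.hasNext()) {
            return false;
        }
        ImageReader reader = readers.next();
        try {
            reader.setInput(iis, true, true);
            int width = reader.getWidth(0);
            int height = reader.getHeight(0);
            if (width <= 0 || height <= 0
                    || width > MAX_IMAGE_DIMENSION || height > MAX_IMAGE_DIMENSION) {
                return false;
            }
            // The declared extension must agree with the format actually detected in the bytes.
            String format = reader.getFormatName().toLowerCase(Locale.ROOT);
            String name = file.getOriginalFilename().toLowerCase(Locale.ROOT);
            boolean extensionMatches = name.endsWith("." + format)
                    || (format.equals("jpeg") && name.endsWith(".jpg"));
            if (!extensionMatches) {
                return false;
            }
            // Decode only after the bounds above are satisfied.
            return reader.read(0) != null;
        } finally {
            reader.dispose();
        }
    } catch (IOException e) {
        LogUtil.error(e.getMessage(), e);
        return false;
    }
}
```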