From 9f75f2b97e6aee6d15709eb54634a22a55e8cbbf Mon Sep 17 00:00:00 2001
From: tjlygdx
Date: Wed, 10 Jun 2026 10:33:10 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E8=B7=AF=E5=BE=84?=
 =?UTF-8?q?=E7=AF=A1=E6=94=B9=EF=BC=88ZIP=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../plugin/DataEaseDatasourcePlugin.java | 48 ++++++++++++++++---
 1 file changed, 42 insertions(+), 6 deletions(-)

diff --git a/sdk/extensions/extensions-datasource/src/main/java/io/dataease/extensions/datasource/plugin/DataEaseDatasourcePlugin.java b/sdk/extensions/extensions-datasource/src/main/java/io/dataease/extensions/datasource/plugin/DataEaseDatasourcePlugin.java
index 43dd7c97fb..3ccecfafd5 100644
--- a/sdk/extensions/extensions-datasource/src/main/java/io/dataease/extensions/datasource/plugin/DataEaseDatasourcePlugin.java
+++ b/sdk/extensions/extensions-datasource/src/main/java/io/dataease/extensions/datasource/plugin/DataEaseDatasourcePlugin.java
@@ -12,21 +12,23 @@ import org.apache.commons.lang3.StringUtils;
 import java.io.File;
 import java.io.FileOutputStream;
+import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
-import java.nio.file.Paths;
 import java.security.ProtectionDomain;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
+import java.util.regex.Pattern;
 /**
  * @Author Junjun
  */
 public abstract class DataEaseDatasourcePlugin extends Provider implements DataEasePlugin {
     private final String DEFAULT_FILE_PATH = "/opt/dataease2.0/drivers/plugin";
+    private static final Pattern SAFE_DRIVER_FILE_NAME = Pattern.compile("[A-Za-z0-9._-]+\\.jar");
     @Override
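Review bot: `SAFE_DRIVER_FILE_NAME` is introduced on the last added line of this hunk without a comment saying what it guards, so a reader of the field alone cannot tell that it is the allow-list applied to the final path segment of every `.jar` entry extracted from a plugin jar, nor that it is used with `matches()` and therefore fully anchored. Suggest `// Allow-list for the last path segment of a bundled driver jar; applied with matches(), so it is fully anchored.` on the line above the field. Being a `static final` constant, it would also conventionally sit above the non-static `DEFAULT_FILE_PATH` field, but that is a style nit only.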
@@ -56,10 +58,13 @@ public abstract class DataEaseDatasourcePlugin extends Provider implements DataE
             while (entries.hasMoreElements()) {
                 JarEntry entry = entries.nextElement();
                 String name = entry.getName();
-                if (StringUtils.endsWith(name, ".jar")) {
-                    File file = new File(localPath, Paths.get(name).getFileName().toString());
+                if (!entry.isDirectory() && StringUtils.endsWith(name, ".jar")) {
+                    String fileName = extractSafeDriverFileName(name);
+                    File file = resolveDriverFile(localPath, fileName);
                     if (!file.getParentFile().exists()) {
-                        file.getParentFile().mkdirs();
+                        if (!file.getParentFile().mkdirs()) {
+                            DEException.throwException("Failed to create driver directory");
+                        }
                     }
                     try (InputStream inputStream = jarFile.getInputStream(entry);
@@ -97,8 +102,9 @@ public abstract class DataEaseDatasourcePlugin extends Provider implements DataE
             while (entries.hasMoreElements()) {
                 JarEntry entry = entries.nextElement();
                 String name = entry.getName();
-                if (StringUtils.endsWith(name, ".jar")) {
-                    File file = new File(DEFAULT_FILE_PATH, Paths.get(name).getFileName().toString());
+                if (!entry.isDirectory() && StringUtils.endsWith(name, ".jar")) {
+                    String fileName = extractSafeDriverFileName(name);
+                    File file = resolveDriverFile(DEFAULT_FILE_PATH, fileName);
                     file.delete();
                 }
             }
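Review bot: The new `mkdirs()` check in the extraction loop turns a benign race into a hard failure: `File.mkdirs()` returns false when the directory already exists, so if a concurrent plugin load creates the drivers directory between the `exists()` test and `mkdirs()`, extraction aborts with "Failed to create driver directory" although the directory is present. `Files.createDirectories(file.getParentFile().toPath());` is idempotent and reports the actual cause through its `IOException`; it would replace the exists/mkdirs nesting and needs a `java.nio.file.Files` import, since the commit dropped `java.nio.file.Paths`. The copy into the file begins on the hunk's last line and the rest of the method is outside the hunk; from what is visible no bound on the size of an entry or the number of extracted jars is applied, which is worth confirming since the commit already treats the plugin jar's entry names as untrusted.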
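Review bot: `file.delete()` on the line after the new `resolveDriverFile` call still discards its boolean result, so a driver jar that cannot be removed (permissions, another process holding it open) is left behind silently, while the install path in the previous hunk now fails loudly when `mkdirs()` returns false. Unload should stay best-effort, so rather than throwing, log a warning naming `file.getPath()` with whatever logger the class uses, or switch to `Files.deleteIfExists(file.toPath())`, whose `IOException` carries the reason. The enclosing method starts before this hunk and its catch block is outside it.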
@@ -107,4 +113,34 @@ public abstract class DataEaseDatasourcePlugin extends Provider implements DataE
             DEException.throwException(e);
         }
     }
+
+    private String extractSafeDriverFileName(String entryName) {
+        if (StringUtils.isBlank(entryName)
+                || StringUtils.contains(entryName, "..")
+                || StringUtils.startsWith(entryName, "/")
+                || StringUtils.startsWith(entryName, "\\")
+                || StringUtils.contains(entryName, ":")) {
+            DEException.throwException("Invalid driver entry path");
+        }
+        String normalizedEntryName = entryName.replace('\\', '/');
+        int lastSeparatorIndex = normalizedEntryName.lastIndexOf('/');
+        String fileName = lastSeparatorIndex >= 0 ? normalizedEntryName.substring(lastSeparatorIndex + 1) : normalizedEntryName;
+        if (!SAFE_DRIVER_FILE_NAME.matcher(fileName).matches()) {
+            DEException.throwException("Invalid driver file name");
+        }
+        return fileName;
+    }
+
+    private File resolveDriverFile(String localPath, String fileName) {
+        File dirFile = new File(localPath);
+        File file = new File(dirFile, fileName);
+        try {
+            if (!file.getCanonicalPath().startsWith(dirFile.getCanonicalPath() + File.separator)) {
+                DEException.throwException("Invalid driver file path");
+            }
+        } catch (IOException e) {
+            DEException.throwException(e);
+        }
+        return file;
+    }
 }
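Review bot: Neither new private method carries a comment, and the canonical-path comparison in `resolveDriverFile` reads as redundant at first glance — `extractSafeDriverFileName` already restricts the name to `[A-Za-z0-9._-]+\.jar` via `matches()`, so `new File(dirFile, fileName)` is a direct child by construction — which invites a later cleanup that removes it. What the check still catches is a pre-existing entry under `localPath` with that name that is a symlink pointing elsewhere, because `getCanonicalPath()` follows links; say so: `// fileName is already allow-listed; canonicalizing guards against a pre-existing symlink under localPath that points outside it.` For `extractSafeDriverFileName`, a Javadoc should state that directory structure inside the plugin jar is deliberately flattened to the last segment (so `a/x.jar` and `b/x.jar` collide on disk, as they did before this change) and that every rejection goes through `DEException.throwException`. The `..`, leading-separator and `:` pre-checks on the full entry name are belt-and-braces given the last-segment regex; a one-line comment noting that they are intentionally redundant would stop a reader from assuming the regex alone is insufficient.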