From a7bffa795cb0ca041dce0effe68479cf3bf13db1 Mon Sep 17 00:00:00 2001
From: tjlygdx
Date: Tue, 12 May 2026 17:16:45 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E3=80=90=E6=BC=8F=E6=B4=9E=E3=80=91Remo?= =?UTF-8?q?te=20Code=20Execution=20(RCE)=20via=20Zip=20Protocol=20&=20File?= =?UTF-8?q?=20Dropper?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../io/dataease/datasource/server/DatasourceServer.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java b/core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java
index cf9ab5f742..a119f6c676 100644
--- a/core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java
+++ b/core/core-backend/src/main/java/io/dataease/datasource/server/DatasourceServer.java
@@ -907,8 +907,14 @@ public class DatasourceServer implements DatasourceApi {
 private static final Integer replace = 0;
 private static final Integer append = 1;
+ private static final List EXCEL_UPLOAD_SUFFIXES = List.of("xlsx", "xls", "csv");
 public ExcelFileData uploadFile(@RequestParam("file") MultipartFile file, @RequestParam("id") long datasourceId, @RequestParam("editType") Integer editType) throws DEException {
+ String fileName = file == null ? null : file.getOriginalFilename();
+ String suffix = StringUtils.substringAfterLast(StringUtils.defaultString(fileName), ".").toLowerCase(Locale.ROOT);
+ if (!EXCEL_UPLOAD_SUFFIXES.contains(suffix)) {
+ DEException.throwException(Translator.get("i18n_unsupported_file_format"));
+ }
 CoreDatasource coreDatasource = null;
 if (ObjectUtils.isNotEmpty(datasourceId) && 0L != datasourceId) {
 coreDatasource = dataSourceManage.getCoreDatasource(datasourceId);
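Review bot: The allowlist added at the top of `uploadFile` checks only the suffix of the client-supplied `getOriginalFilename()`, so it constrains neither the rest of the name nor the file's content. A name containing path separators or `..` still passes if it ends in an allowed suffix, and an `.xlsx` is itself a ZIP container, so if the issue named in the subject depends on a stored archive, the suffix check alone may not close it. I would also reject such names here, `if (StringUtils.containsAny(fileName, "/", "\\", "..")) { DEException.throwException(Translator.get("i18n_unsupported_file_format")); }`, and confirm that the rest of the method (which continues outside this hunk) stores the upload under a server-generated name and parses it as Excel/CSV before anything is persisted. A comment on `EXCEL_UPLOAD_SUFFIXES` such as `// Suffix allowlist only: does not validate the file's content or the rest of the name` would make the limit of this check explicit.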