Revert "fix(安全): 修复静态资源接口路径穿越、任意文件读取及资源注入漏洞"

This reverts commit 5febc7eb9b.

core/core-backend/src/main/java/io/dataease/commons/utils/ExcelWatermarkUtils.java

@@ -16,17 +16,10 @@ import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
-import java.util.regex.Pattern;
 
 public class ExcelWatermarkUtils {
     private static SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
 
-    private static final int MAX_TEXT_LENGTH = 100;
-    private static final int MAX_IMAGE_WIDTH = 4096;
-    private static final int MAX_IMAGE_HEIGHT = 4096;
-    private static final Pattern IP_PATTERN = Pattern.compile(
-            "^([0-9]{1,3}\\.){3}[0-9]{1,3}$|^([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}$");
-
 
     public static String transContent(WatermarkContentDTO watermarkContent, UserFormVO userInfo) {
         String content = "";
@@ -38,11 +31,7 @@ public class ExcelWatermarkUtils {
             default -> content = "${username}";
         }
         String nickName = userInfo.getName().contains("i18n_") ?Translator.get(userInfo.getName()):userInfo.getName();
-        String ip = IPUtils.get();
-        if (ip == null || !IP_PATTERN.matcher(ip.trim()).matches()) {
-            ip = "127.0.0.1";
-        }
-        content = content.replaceAll("\\$\\{ip}", ip);
+        content = content.replaceAll("\\$\\{ip}", IPUtils.get() == null ? "127.0.0.1" : IPUtils.get());
         content = content.replaceAll("\\$\\{username}", userInfo.getAccount());
         content = content.replaceAll("\\$\\{nickName}", nickName);
         content = content.replaceAll("\\$\\{time}", sdf.format(new Date()));
@@ -100,14 +89,9 @@ public class ExcelWatermarkUtils {
     }
 
     public static byte[] createTextImage(String text, WatermarkContentDTO watermarkContent) {
-        if (text.length() > MAX_TEXT_LENGTH) {
-            text = text.substring(0, MAX_TEXT_LENGTH);
-        }
         double radians = Math.toRadians(15);// 15度偏转
         int width = watermarkContent.getWatermark_fontsize() * text.length();
         int height = (int) Math.round(watermarkContent.getWatermark_fontsize() + width * Math.sin(radians));
-        width = Math.min(width, MAX_IMAGE_WIDTH);
-        height = Math.min(height, MAX_IMAGE_HEIGHT);
         int fontSize = watermarkContent.getWatermark_fontsize();
         Color baseColor = Color.decode(watermarkContent.getWatermark_color());
 

sdk/common/src/main/java/io/dataease/utils/StaticResourceUtils.java

@@ -4,15 +4,10 @@ import org.apache.commons.lang3.StringUtils;
 import org.springframework.lang.NonNull;
 import org.springframework.util.Assert;
 
+import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
 import java.util.Base64;
-import java.util.Locale;
-import java.util.Set;
-import java.util.regex.Pattern;
 
 import static io.dataease.constant.StaticResourceConstants.*;
 
@@ -20,12 +15,6 @@ public class StaticResourceUtils {
 
     private final static String FILE_BASE_PATH = USER_HOME + FILE_SEPARATOR + UPLOAD_URL_PREFIX;
 
-    private static final Pattern SAFE_RESOURCE_FILE_NAME = Pattern.compile("^[A-Za-z0-9._-]+$");
-
-    private static final Set<String> ALLOWED_RESOURCE_EXTENSIONS = Set.of(
-            ".gif", ".svg", ".png", ".jpeg", ".jpg"
-    );
-
     public static String ensureBoth(@NonNull String string, @NonNull String bothfix) {
         return ensureBoth(string, bothfix, bothfix);
     }
@@ -69,28 +58,12 @@ public class StaticResourceUtils {
      * @return
      */
     public static String getImgFileToBase64(String imgFile) {
-        if (StringUtils.isBlank(imgFile) || !SAFE_RESOURCE_FILE_NAME.matcher(imgFile).matches()) {
-            LogUtil.warn("Reject illegal static resource file name: " + imgFile);
-            return null;
-        }
-        if (!hasAllowedExtension(imgFile)) {
-            LogUtil.warn("Reject static resource with disallowed extension: " + imgFile);
-            return null;
-        }
-        Path targetPath = resolveSafeResourcePath(imgFile);
-        if (targetPath == null) {
-            return null;
-        }
-        if (!Files.isRegularFile(targetPath)) {
-            LogUtil.warn("Reject static resource that is not a regular file: " + imgFile);
-            return null;
-        }
         //Convert the picture file into byte array  and encode it with Base64
         InputStream inputStream = null;
         byte[] buffer = null;
         //Read picture byte array
         try {
-            inputStream = Files.newInputStream(targetPath);
+            inputStream = new FileInputStream(FILE_BASE_PATH + FILE_SEPARATOR + imgFile);
             int count = 0;
             while (count == 0) {
                 count = inputStream.available();
@@ -119,29 +92,4 @@ public class StaticResourceUtils {
         }
     }
 
-    private static Path resolveSafeResourcePath(String fileName) {
-        try {
-            Path basePath = Paths.get(FILE_BASE_PATH).toAbsolutePath().normalize();
-            Path targetPath = basePath.resolve(fileName).normalize();
-            if (!targetPath.startsWith(basePath)) {
-                LogUtil.warn("Reject static resource path outside base directory: " + fileName);
-                return null;
-            }
-            return targetPath;
-        } catch (Exception e) {
-            LogUtil.error(e);
-            return null;
-        }
-    }
-
-    private static boolean hasAllowedExtension(String fileName) {
-        String lower = fileName.toLowerCase(Locale.ROOT);
-        for (String ext : ALLOWED_RESOURCE_EXTENSIONS) {
-            if (lower.endsWith(ext)) {
-                return true;
-            }
-        }
-        return false;
-    }
-
 }