文件上传,白名单待定

servers/boe-server-all/src/main/java/com/xboe/module/boecase/api/CasesRecommendApi.java

@@ -26,6 +26,7 @@ import com.xboe.module.boecase.vo.BrowseDurationVo;
 import com.xboe.module.boecase.vo.CasesRecommendLaunchVo;
 import com.xboe.module.boecase.vo.CasesRecommendPushVo;
 import com.xboe.module.boecase.vo.CasesRecommendVo;
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.poi.xssf.streaming.SXSSFSheet;
@@ -117,6 +118,7 @@ public class CasesRecommendApi extends ApiBaseController {
      * @return
      * @throws Exception
      */
+    @FileFormatVerification(whites = {"xlsx", "xls"})
     @PostMapping("/import")
     public JsonResponse<ImportData> excelImport(@RequestParam("file") MultipartFile file) throws Exception {
         ExcelReader reader = ExcelUtil.getReader(file.getInputStream());

servers/boe-server-all/src/main/java/com/xboe/module/exam/api/ExamQuestionApi.java

@@ -8,6 +8,7 @@ import java.util.List;
 
 import javax.annotation.Resource;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
 import org.apache.poi.ss.usermodel.Cell;
@@ -148,6 +149,7 @@ public class ExamQuestionApi extends ApiBaseController {
     /**
      * 导入
      * */
+    @FileFormatVerification(whites = {"xls","xlsx"})
     @PostMapping("/import")
     public JsonResponse<QuestionDto> importQuestion(@RequestParam MultipartFile file){
         //获取输入流

servers/boe-server-all/src/main/java/com/xboe/module/filecloud/api/XFileBaseApi.java

@@ -8,6 +8,7 @@ import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -281,6 +282,7 @@ public class XFileBaseApi extends ApiBaseController{
 		return wrap(list);
 	}
 
+	@FileFormatVerification(whites = {"zip","png","jpg","jpeg","gif","svg","bmp"})
 	@ApiAccess(path="xfile.file.upload")
 	@RequestMapping(value="/file/upload", method={RequestMethod.POST})
 	public JsonResponse<ListViewItem> fileUpload(HttpServletRequest request,String folderId) {

servers/boe-server-all/src/main/java/com/xboe/module/usergroup/api/UserGroupApi.java

@@ -11,6 +11,7 @@ import java.util.Set;
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.collections4.ListUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -198,6 +199,7 @@ public class UserGroupApi extends ApiBaseController {
      * 不直接导入到数据库，而是解析文件并查询相应数据返回
      * @return
      */
+    @FileFormatVerification(whites = {"xlsx","xls"})
     @PostMapping("/import")
     public JsonResponse<Iterable<UserImportDto>> importUserGroup(@RequestParam MultipartFile file) {
 

servers/boe-server-all/src/main/java/com/xboe/system/api/SysUploaderApi.java

@@ -14,6 +14,7 @@ import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -66,6 +67,7 @@ public class SysUploaderApi  extends ApiBaseController{
 		fileTypeSet.add("zip");
 	}
 
+	@FileFormatVerification(whites = {"mp3","wmv","mp4","jpg","png","gif","doc","docx","xls","xlsx","ppt","pptx","pdf","zip"})
 	@RequestMapping(value = "/file/upload", method = RequestMethod.POST)
 	public JsonResponse<XUploadResult> save(HttpServletRequest request, String name,String dir) throws IOException {
 		//以下三项用于回调

servers/boe-server-all/src/main/java/com/xboe/system/aspectj/UploadAspect.java

@@ -0,0 +1,91 @@
+package com.xboe.system.aspectj;
+
+import com.xboe.system.aspectj.anno.FileFormatVerification;
+import lombok.extern.slf4j.Slf4j;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.aspectj.lang.annotation.Pointcut;
+import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.stereotype.Component;
+import org.springframework.web.multipart.MultipartFile;
+import org.springframework.web.multipart.MultipartHttpServletRequest;
+
+import javax.servlet.http.HttpServletRequest;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.List;
+
+
+/**
+ * @author admin
+ */
+@Aspect
+@Slf4j
+@Component
+public class UploadAspect {
+
+
+    @Pointcut("@annotation(com.xboe.system.aspectj.anno.FileFormatVerification)")
+    private void fileUpload() {
+    }
+
+    @Before("fileUpload()")
+    public void fileFormatVerifies(JoinPoint joinPoint) {
+        List<String> whiteList = getWhiteList(joinPoint);
+
+
+        String[] FILE_UPLOAD_BLACKLIST = {"exe", "sh", "py", "html", "xhtml", "php", "php5", "dat", "dbf", "dev", "asp", "aspx", "asa", "aspx", "ashx", "asmx", "asax", "ascx", "jsp", "jspx", "jspf", "cgi", "war", "ini", "js"};
+        List<String> blackList = Arrays.asList(FILE_UPLOAD_BLACKLIST);
+
+        // 在目标方法执行前执行的代码
+        Object[] args = joinPoint.getArgs(); // 获取被调用方法的参数
+
+        // 处理MultipartFile
+        Arrays.stream(args)
+                .filter(arg -> arg instanceof MultipartFile)
+                .map(arg -> (MultipartFile) arg)
+                .forEach(file -> {
+                    String name = file.getOriginalFilename();
+                    String fileSuffix = name.substring(name.lastIndexOf(".") + 1);
+                    if (blackList.contains(fileSuffix) || !whiteList.contains(fileSuffix)) {
+                        throw new RuntimeException("文件格式不支持");
+                    }
+                });
+
+        // 处理HttpServletRequest中的文件名
+        Arrays.stream(args)
+                .filter(arg -> arg instanceof HttpServletRequest)
+                .map(arg -> (HttpServletRequest) arg)
+                .filter(req -> req instanceof MultipartHttpServletRequest)
+                .map(req -> (MultipartHttpServletRequest) req)
+                .forEach(req -> {
+                    req.getFileMap().forEach((k, v) -> {
+                        String fileSuffix = v.getOriginalFilename().substring(v.getOriginalFilename().lastIndexOf(".") + 1);
+                        if (blackList.contains(fileSuffix) || !whiteList.contains(fileSuffix)) {
+                            throw new RuntimeException("文件格式不支持");
+                        }
+                    });
+                });
+
+
+        int i = 1 / 0;
+
+
+    }
+
+    private static List<String> getWhiteList(JoinPoint joinPoint) {
+        MethodSignature methodSignature = (MethodSignature) joinPoint.getSignature();
+        Method method = methodSignature.getMethod();
+
+        // 获取FileFormatVerification注解
+        FileFormatVerification annotation = method.getAnnotation(FileFormatVerification.class);
+
+        // 获取whiteList属性
+        String[] whites = annotation.whites();
+        List<String> whiteList = Arrays.asList(whites);
+        return whiteList;
+    }
+
+
+}

servers/boe-server-all/src/main/java/com/xboe/system/aspectj/anno/FileFormatVerification.java

@@ -0,0 +1,15 @@
+package com.xboe.system.aspectj.anno;
+
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+
+@Target(ElementType.METHOD) // 注解目标为方法
+@Retention(RetentionPolicy.RUNTIME) // 注解在运行时有效
+public @interface FileFormatVerification {
+    String[] whites() default {};
+
+}