From 17925215d37dd97d744c9296b185aeb16d3e44fb Mon Sep 17 00:00:00 2001
From: Ludc <2870569285@qq.com>
Date: 星期二, 18 十一月 2025 20:06:12 +0800
Subject: [PATCH] URL请求路径安全校验

---
 Source/UBCS/ubcs-ops/ubcs-flow/src/main/java/com/vci/ubcs/flow/engine/controller/FlowManagerController.java |   31 ++++++++++++++++++++++++-------
 1 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/Source/UBCS/ubcs-ops/ubcs-flow/src/main/java/com/vci/ubcs/flow/engine/controller/FlowManagerController.java b/Source/UBCS/ubcs-ops/ubcs-flow/src/main/java/com/vci/ubcs/flow/engine/controller/FlowManagerController.java
index 6c41ebc..e435680 100644
--- a/Source/UBCS/ubcs-ops/ubcs-flow/src/main/java/com/vci/ubcs/flow/engine/controller/FlowManagerController.java
+++ b/Source/UBCS/ubcs-ops/ubcs-flow/src/main/java/com/vci/ubcs/flow/engine/controller/FlowManagerController.java
@@ -18,6 +18,7 @@
 
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.github.xiaoymin.knife4j.annotations.ApiOperationSupport;
+import com.vci.ubcs.common.validator.ComprehensiveFileValidator;
 import com.vci.ubcs.flow.engine.entity.FlowProcess;
 import com.vci.ubcs.flow.engine.service.FlowEngineService;
 import io.swagger.annotations.Api;
@@ -31,6 +32,7 @@
 import org.springblade.core.tool.support.Kv;
 import org.springblade.core.tool.utils.Func;
 import com.vci.ubcs.flow.engine.constant.FlowEngineConstant;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 
@@ -44,18 +46,23 @@
  */
 @NonDS
 @RestController
-@RequestMapping("manager")
+@RequestMapping("/manager")
 @AllArgsConstructor
 @Api(value = "娴佺▼绠$悊鎺ュ彛", tags = "娴佺▼绠$悊鎺ュ彛")
-//@PreAuth(RoleConstant.HAS_ROLE_ADMINISTRATOR)
 public class FlowManagerController {
 
 	private final FlowEngineService flowEngineService;
 
 	/**
+	 * 鏂囦欢瀹夊叏妫�鏌�
+	 */
+	@Autowired
+	private ComprehensiveFileValidator fileValidator;
+
+	/**
 	 * 鍒嗛〉
 	 */
-	@GetMapping("list")
+	@GetMapping("/list")
 	@ApiOperationSupport(order = 1)
 	@ApiOperation(value = "鍒嗛〉", notes = "浼犲叆娴佺▼绫诲瀷")
 	public R<IPage<FlowProcess>> list(@ApiParam("娴佺▼绫诲瀷") String category, Query query, @RequestParam(required = false, defaultValue = "1") Integer mode) {
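Review bot: The `@Autowired` on the new `fileValidator` field is redundant field injection: the class is `@AllArgsConstructor`, and Lombok's all-args constructor takes every non-static field, so the validator already arrives through the same constructor path as `flowEngineService`. For consistency with the existing field, declare it `private final ComprehensiveFileValidator fileValidator;` and drop the `@Autowired` annotation (and the import the earlier hunk adds for it). Keeping it non-final also leaves the bean reassignable, which the other dependency is not. The class body continues past the hunk; `list` is cut at its signature.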
@@ -69,7 +76,7 @@
 	 * @param state     鐘舵��
 	 * @param processId 娴佺▼id
 	 */
-	@PostMapping("change-state")
+	@PostMapping("/change-state")
 	@ApiOperationSupport(order = 2)
 	@ApiOperation(value = "鍙樻洿娴佺▼鐘舵��", notes = "浼犲叆state,processId")
 	public R changeState(@RequestParam String state, @RequestParam String processId) {
@@ -82,7 +89,7 @@
 	 *
 	 * @param deploymentIds 閮ㄧ讲娴佺▼id闆嗗悎
 	 */
-	@PostMapping("delete-deployment")
+	@PostMapping("/delete-deployment")
 	@ApiOperationSupport(order = 3)
 	@ApiOperation(value = "鍒犻櫎閮ㄧ讲娴佺▼", notes = "閮ㄧ讲娴佺▼id闆嗗悎")
 	public R deleteDeployment(String deploymentIds) {
@@ -94,10 +101,15 @@
 	 *
 	 * @param file 娴佺▼鏂囦欢
 	 */
-	@PostMapping("check-upload")
+	@PostMapping("/check-upload")
 	@ApiOperationSupport(order = 4)
 	@ApiOperation(value = "涓婁紶閮ㄧ讲娴佺▼鏂囦欢", notes = "浼犲叆鏂囦欢")
 	public R checkUpload(@RequestParam MultipartFile file) {
+		// 浣跨敤鏂囦欢瀹夊叏楠岃瘉鍣�
+		ComprehensiveFileValidator.UploadValidationResult result = fileValidator.validateFile(file);
+		if (!result.isValid()) {
+			return R.fail(result.getMessage());
+		}
 		boolean temp = Objects.requireNonNull(file.getOriginalFilename()).endsWith(FlowEngineConstant.SUFFIX);
 		return R.data(Kv.create().set("name", file.getOriginalFilename()).set("success", temp));
 	}
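Review bot: The new validator gate returns `R.fail` for rejected uploads, but `Objects.requireNonNull(file.getOriginalFilename())` on the following line still surfaces a part with no filename as an unhandled exception rather than an `R.fail`; if `validateFile` already rejects a missing name that line is dead, otherwise it is the one remaining failure path that bypasses the new check (I cannot see `ComprehensiveFileValidator` from here). Either way the suffix check reads more clearly as `String name = file.getOriginalFilename();` followed by `boolean temp = name != null && name.endsWith(FlowEngineConstant.SUFFIX);`, which keeps the existing `success=false` response for a bad suffix without the NPE. A one-line comment on the gate stating what `validateFile` covers (type, size, name) would tell the next reader whether the suffix check below is still needed.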
@@ -108,12 +120,17 @@
 	 * @param files    娴佺▼鏂囦欢
 	 * @param category 绫诲瀷
 	 */
-	@PostMapping("deploy-upload")
+	@PostMapping("/deploy-upload")
 	@ApiOperationSupport(order = 5)
 	@ApiOperation(value = "涓婁紶閮ㄧ讲娴佺▼鏂囦欢", notes = "浼犲叆鏂囦欢")
 	public R deployUpload(@RequestParam List<MultipartFile> files,
 						  @RequestParam String category,
 						  @RequestParam(required = false, defaultValue = "") String tenantIds) {
+		// 浣跨敤鏂囦欢瀹夊叏楠岃瘉鍣�
+		ComprehensiveFileValidator.MultiUploadValidationResult result = fileValidator.validateFiles(files,true);
+		if (!result.isValid()) {
+			return R.fail(result.getMessage());
+		}
 		return R.status(flowEngineService.deployUpload(files, category, Func.toStrList(tenantIds)));
 	}
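Review bot: `fileValidator.validateFiles(files,true)` passes an unexplained boolean literal; nothing in the hunk says what `true` enables, or why `checkUpload` in the previous hunk calls `validateFile` without such a flag. Name it with a comment, e.g. `// true: <what the flag enables — confirm against ComprehensiveFileValidator>`, or a descriptively named local `boolean`, and add the space after the comma to match the rest of the file. Since this is the endpoint that actually deploys the files, it would also be worth stating in the method Javadoc that the whole batch is rejected when any single file fails validation, which is what the `isValid()` gate does.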
 

--
Gitblit v1.9.3