From 4470052c3b6bdeb18e45987f8aa293d1e93d0552 Mon Sep 17 00:00:00 2001
From: Ludc <2870569285@qq.com>
Date: 星期二, 18 十一月 2025 11:59:12 +0800
Subject: [PATCH] 所有文件上传接口增加文件安全校验逻辑。
---
Source/UBCS/ubcs-service/ubcs-code/src/main/java/com/vci/ubcs/code/controller/MdmEngineController.java | 80 +++++++++++++++++++++++++++------------
1 files changed, 55 insertions(+), 25 deletions(-)
diff --git a/Source/UBCS/ubcs-service/ubcs-code/src/main/java/com/vci/ubcs/code/controller/MdmEngineController.java b/Source/UBCS/ubcs-service/ubcs-code/src/main/java/com/vci/ubcs/code/controller/MdmEngineController.java
index 3e681d6..623570c 100644
--- a/Source/UBCS/ubcs-service/ubcs-code/src/main/java/com/vci/ubcs/code/controller/MdmEngineController.java
+++ b/Source/UBCS/ubcs-service/ubcs-code/src/main/java/com/vci/ubcs/code/controller/MdmEngineController.java
@@ -1,6 +1,5 @@
package com.vci.ubcs.code.controller;
-
import com.alibaba.fastjson.JSONObject;
import com.alibaba.nacos.common.utils.StringUtils;
import com.baomidou.mybatisplus.core.metadata.IPage;
@@ -11,6 +10,7 @@
import com.vci.ubcs.code.service.MdmEngineService;
import com.vci.ubcs.code.service.MdmIOService;
import com.vci.ubcs.code.vo.pagemodel.*;
+import com.vci.ubcs.common.validator.ComprehensiveFileValidator;
import com.vci.ubcs.flow.core.dto.FlowStatusDTO;
import com.vci.ubcs.starter.annotation.VciBusinessLog;
import com.vci.ubcs.starter.revision.model.BaseModel;
@@ -33,11 +33,9 @@
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
-import java.rmi.ServerException;
import java.util.*;
@RestController
-//@AllArgsConstructor
@RequestMapping("/mdmEngineController")
@Api(value = "缂栫爜鏁版嵁绠$悊", tags = "缂栫爜鏁版嵁绠$悊")
public class MdmEngineController {
@@ -46,21 +44,31 @@
* 鏃ュ織
*/
private Logger logger = LoggerFactory.getLogger(getClass());
+
/**
* 涓绘暟鎹紩鎿庢湇鍔�
*/
@Autowired
private MdmEngineService engineService;
+
/**
* 涓绘暟鎹鍏ュ鍑烘湇鍔�
*/
@Autowired
private MdmIOService mdmIOService;
+
/**
* 鏃ュ織淇濆瓨宸ュ叿绫�
*/
@Autowired
private SaveLogUtil saveLogUtil;
+
+ /**
+ * 鏂囦欢瀹夊叏妫�鏌�
+ */
+ @Autowired
+ private ComprehensiveFileValidator fileValidator;
+
/**
* 涓嬭浇鎵归噺鐢宠鐨勫鍏ユā鏉�
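Review bot: The Javadoc on the new `fileValidator` field only labels it a file safety check, yet it is now the single gate placed in front of every MultipartFile endpoint in this controller, so the field comment should state that contract: `/** Gate applied to every MultipartFile upload in this controller before the file touches disk; the checks performed are defined by ComprehensiveFileValidator#validateFile. */`. Whether `validateFile` tolerates a missing (null) multipart part is not visible in this patch and belongs in that class's documentation, since the callers below pass `file` through unchecked.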
@@ -106,7 +114,6 @@
}
}
-
/**
* 瀵煎叆鎵归噺缂栬緫鏁版嵁
* @param codeClassifyOid 鍒嗙被鐨勪富閿�
@@ -116,6 +123,12 @@
@VciBusinessLog(operateName = "瀵煎叆鎵归噺缂栬緫鏁版嵁")
@PostMapping("/batchImportEdit")
public R batchImportEdit(String codeClassifyOid, String classifyAttr,MultipartFile file,HttpServletResponse response) throws Throwable {
+ // 浣跨敤鏂囦欢瀹夊叏楠岃瘉鍣�
+ ComprehensiveFileValidator.UploadValidationResult validationResult = fileValidator.validateFile(file);
+ if (!validationResult.isValid()) {
+ return R.fail(validationResult.getMessage());
+ }
+
String excelFileName = LocalFileUtil.getDefaultTempFolder() + File.separator + file.getOriginalFilename();
File file1 = new File(excelFileName);
try {
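Review bot: The new gate runs before the temp path is built, but the path on the line after it is still `LocalFileUtil.getDefaultTempFolder() + File.separator + file.getOriginalFilename()`, so unless `ComprehensiveFileValidator.validateFile` is known to reject names containing path separators or `..` (not visible here), a client-controlled filename can still place the temp copy outside the temp folder. The same pattern follows the new check in batchImportHistoryData, batchTopImportCode and importGroupCode, so the fix should land in all four. Resolve the name against the temp folder and refuse anything that escapes it, as below (needs `java.nio.file.Path`/`Paths` imports); the rest of batchImportEdit's body lies outside the hunk. It is also worth confirming that `validateFile` handles a null `file` rather than throwing, since nothing here checks the part exists.
```java
        // … unchanged: validator gate …
        Path tempDir = Paths.get(LocalFileUtil.getDefaultTempFolder()).toAbsolutePath().normalize();
        // keep only the last path element of the client-supplied name
        String safeName = Paths.get(file.getOriginalFilename()).getFileName().toString();
        Path target = tempDir.resolve(safeName).normalize();
        if (!target.startsWith(tempDir)) {
            return R.fail("illegal file name");
        }
        String excelFileName = target.toString();
        File file1 = new File(excelFileName);
        // … unchanged: import processing …
```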
@@ -222,6 +235,12 @@
@VciBusinessLog(operateName = "鎵归噺鐢宠缂栫爜鐨勪俊鎭�")
@PostMapping("/batchImportCode")
public R batchImportCode(String secDTOList, String codeClassifyOid, MultipartFile file, HttpServletResponse response) throws Throwable {
+ // 浣跨敤鏂囦欢瀹夊叏楠岃瘉鍣�
+ ComprehensiveFileValidator.UploadValidationResult validationResult = fileValidator.validateFile(file);
+ if (!validationResult.isValid()) {
+ return R.fail(validationResult.getMessage());
+ }
+
CodeOrderDTO orderDTO = new CodeOrderDTO();
orderDTO.setCodeClassifyOid(codeClassifyOid);
if(StringUtils.isNotBlank(secDTOList)){
@@ -273,6 +292,12 @@
@VciBusinessLog(operateName = "瀵煎叆缂栫爜鐨勫巻鍙叉暟鎹�")
@PostMapping("/batchImportHistoryData")
public R batchImportHistoryData(String codeClassifyOid, String classifyAttr,MultipartFile file,HttpServletResponse response) throws Throwable {
+ // 浣跨敤鏂囦欢瀹夊叏楠岃瘉鍣�
+ ComprehensiveFileValidator.UploadValidationResult validationResult = fileValidator.validateFile(file);
+ if (!validationResult.isValid()) {
+ return R.fail(validationResult.getMessage());
+ }
+
String excelFileName = LocalFileUtil.getDefaultTempFolder() + File.separator + file.getOriginalFilename();
File file1 = new File(excelFileName);
try {
@@ -316,6 +341,12 @@
@VciBusinessLog(operateName = "鎵归噺鐢宠缂栫爜鐨勪俊鎭�")
@PostMapping("/batchTopImportCode")
public R batchTopImportCode(String codeClassifyOid, String classifyAttr,MultipartFile file,HttpServletResponse response) throws Throwable {
+ // 浣跨敤鏂囦欢瀹夊叏楠岃瘉鍣�
+ ComprehensiveFileValidator.UploadValidationResult result = fileValidator.validateFile(file);
+ if (!result.isValid()) {
+ return R.fail(result.getMessage());
+ }
+
String excelFileName = LocalFileUtil.getDefaultTempFolder() + File.separator + file.getOriginalFilename();
File file1 = new File(excelFileName);
try {
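Review bot: The local holding the validator outcome is named `result` here and in importGroupCode but `validationResult` in batchImportEdit, batchImportCode and batchImportHistoryData, although the five inserted checks are otherwise identical; pick one name. Better still, move the repeated four lines into one private helper, e.g. `private Optional<R> rejectUpload(MultipartFile file)` that returns `Optional.of(R.fail(result.getMessage()))` when the upload fails and `Optional.empty()` otherwise, so a later change to the gate (such as a null-part check) is made once instead of five times. batchTopImportCode's body continues outside the hunk.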
@@ -359,7 +390,7 @@
* @param baseModelDTO 鏁版嵁浼犺緭瀵硅薄
* @return 鎵ц缁撴灉
*/
- @PostMapping("changeStatus")
+ @PostMapping("/changeStatus")
public R changeStatus(@RequestBody BaseModelDTO baseModelDTO) {
engineService.changeStatus(baseModelDTO);
return R.success("鎿嶄綔鎴愬姛锛�");
@@ -465,7 +496,7 @@
return engineService.gridTableDataByClassifyOid(codeClassifyOid,templateOid,queryObject.getConditionMap(),queryObject.getPageHelper());
}
- /***
+ /**
* 鑾峰彇鍒嗙被瀵硅薄
* @param redisOid
* @return
@@ -476,7 +507,7 @@
return R.data(codeImportTemplateVOs);
}
- /***
+ /**
* 浠巖edis缂撳瓨閲岃幏鍙栧埌瀵煎叆姝g‘鐨勬暟鎹�
* @param codeClassifyOid
* @param redisOid
@@ -487,7 +518,7 @@
return mdmIOService.gridDatas(codeClassifyOid,redisOid);
}
- /***
+ /**
* 浠巖edis缂撳瓨閲岃幏鍙栧埌瀵煎叆琛岀浉浼奸」鐨勬暟鎹�
* @param dataOid
* @param redisOid
@@ -498,7 +529,7 @@
return mdmIOService.gridRowResemble(dataOid,redisOid);
}
- /***
+ /**
* 浠巖edis缂撳瓨閲岃幏鍙栧埌瀵煎叆鍏锋湁鐩镐技椤圭殑鏁版嵁
* @param codeClassifyOid
* @param redisOid
@@ -509,7 +540,7 @@
return mdmIOService.gridDatas(codeClassifyOid,redisOid);
}
- /***
+ /**
* 瀵煎叆鏁版嵁
* @param codeImprotSaveDatVO//鏁版嵁瀵硅薄
* @return
@@ -519,7 +550,7 @@
return mdmIOService.batchImportData(codeImprotSaveDatVO.getCodeImprotSaveDatVOList(),codeImprotSaveDatVO.getClassifyAttr(),codeImprotSaveDatVO.getImprot());
}
- /***
+ /**
* 鏍规嵁鏁版嵁oid浠庣紦瀛樹腑绉婚櫎鏁版嵁
* @param redisOid redisid
* @param codeClassifyOid 瀛樺偍瑙勫垯鐨刼id
@@ -674,7 +705,7 @@
* @param idPath 缂栧彿鐨勮矾寰�
* @return UI鐩稿叧鐨勪俊鎭紙浠呭寘鍚〃鍗�)
*/
-// @VciUnCheckRight
+ // @VciUnCheckRight
@GetMapping("/getFormDefineByClassifyIdPath")
public MdmUIInfoVO getFormDefineByClassifyIdPath(String idPath){
return engineService.getFormDefineByClassifyIdPath(idPath);
@@ -729,7 +760,7 @@
* @return UI鐩稿叧鐨勪俊鎭紙浠呭寘鍚〃鏍硷級
*/
@GetMapping("/getFlowdUIInfoByClassifyOid")
- public MdmUIInfoVO getUIInfoByClassifyOid(String codeClassifyOid,String functionId,String templateId,String taskId,String modelKey){
+ public MdmUIInfoVO getFlowUIInfoByClassifyOid(String codeClassifyOid,String functionId,String templateId,String taskId,String modelKey){
return engineService.getFlowUIInfoByClassifyOid(codeClassifyOid,functionId,templateId,taskId,modelKey);
}
@@ -844,7 +875,7 @@
*/
@GetMapping("/exportGroupCodeExcel")
@VciBusinessLog(operateName = "瀵煎嚭闆嗗洟鐮�")
- public R exportGroupCodeExcel(String codeClassifyOid, HttpServletResponse response){
+ public void exportGroupCodeExcel(String codeClassifyOid, HttpServletResponse response) throws IOException {
try {
String excelName = mdmIOService.exportGroupCodeExcel(codeClassifyOid);
ControllerUtil.writeFileToResponse(response,excelName);
@@ -855,20 +886,14 @@
msg = "鏈煡閿欒";
}
String errorFile = LocalFileUtil.getDefaultTempFolder() + File.separator + "閿欒.txt";
- LocalFileUtil.writeContentToFile(LangBaseUtil.getErrorMsg(e),errorFile);
- try {
- ControllerUtil.writeFileToResponse(response,errorFile);
- } catch (IOException ex) {
- ex.printStackTrace();
- }
- String uuid=ControllerUtil.putErrorFile(errorFile);
- return R.fail(msg);
- // ControllerUtil.writeDataToResponse(response,msg.getBytes(StandardCharsets.UTF_8),null);
+ LocalFileUtil.writeContentToFile(msg,errorFile);
+ ControllerUtil.writeFileToResponse(response,errorFile);
+ // return R.fail(msg);
}
- return R.status(true);
+ // return R.status(true);
}
- /***
+ /**
* 闆嗗洟鐮佸鍏�
* @param codeClassifyOid
* @param file
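Review bot: The rewritten error path streams the `閿欒.txt` file through `ControllerUtil.writeFileToResponse` without changing the response status, so a failed export appears to reach the client as a normal 200 download, and if the earlier `ControllerUtil.writeFileToResponse(response, excelName)` had already committed part of the response before throwing, the error file is appended to that partial body. Guard the write with `if (!response.isCommitted()) { response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); ControllerUtil.writeFileToResponse(response, errorFile); }`. Dropping `ControllerUtil.putErrorFile(errorFile)` also removes whatever bookkeeping it did for the temp file, so confirm the file is still cleaned up elsewhere; and since `throws IOException` was added to the signature in the previous hunk, an I/O failure while writing the error file now propagates out of the controller instead of being reported. The catch clause's start and the method signature are in the preceding hunk.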
@@ -877,6 +902,11 @@
*/
@PostMapping("/importGroupCode")
public R importGroupCode(String codeClassifyOid,MultipartFile file,HttpServletResponse response){
+ // 浣跨敤鏂囦欢瀹夊叏楠岃瘉鍣�
+ ComprehensiveFileValidator.UploadValidationResult result = fileValidator.validateFile(file);
+ if (!result.isValid()) {
+ return R.fail(result.getMessage());
+ }
String excelFileName = LocalFileUtil.getDefaultTempFolder() + File.separator + file.getOriginalFilename();
File file1 = new File(excelFileName);
--
Gitblit v1.9.3