尝试修复存储型XSS

0442250b · 黎配弘 · 05b2a97a · 0442250b · 0442250b · 0442250b
Commit 0442250b authored Oct 19, 2020 by 黎配弘
3 changed files
--- a/service-manager/src/main/java/com/winsun/controller/ExportExcelController.java
+++ b/service-manager/src/main/java/com/winsun/controller/ExportExcelController.java
@@ -10,6 +10,8 @@ import com.winsun.auth.core.common.model.ResponseData;
 import com.winsun.auth.core.shiro.ShiroUser;
 import com.winsun.bean.ExportExcel;
 import com.winsun.mapper.ExportExcelMapper;
+import com.winsun.service.ExportExcelService;
+import com.winsun.service.impl.ExportExcelServiceImpl;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -18,15 +20,13 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;

-import javax.servlet.ServletOutputStream;
 import javax.servlet.http.HttpServletResponse;
-import java.io.DataInputStream;
 import java.io.File;
-import java.io.FileInputStream;
 import java.util.List;

 /**
 * 智能平台账号实名管理
+ *
 * @Author: chancy
 * @Date:
 */
@@ -36,60 +36,29 @@ import java.util.List;
 public class ExportExcelController extends BaseController {

    private static ExportExcelMapper exportExcelMapper;
+    private static ExportExcelService exportExcelService;

    @Autowired
-    public ExportExcelController(ExportExcelMapper exportExcelMapper) {
+    public ExportExcelController(ExportExcelMapper exportExcelMapper, ExportExcelServiceImpl exportExcelService) {
        ExportExcelController.exportExcelMapper = exportExcelMapper;
+        ExportExcelController.exportExcelService = exportExcelService;
    }


-
    @Permission(menuname = "订单excel文件下载", value = "uploadExcel", method = RequestMethod.POST)
    public void uploadExcel(String exportId) {
-        ServletOutputStream os = null;
-        DataInputStream in = null;
-        FileInputStream fileInputStream = null;
-        try {
-            HttpServletResponse response = getHttpServletResponse();
-            response.reset();
-            response.setCharacterEncoding("UTF-8");
-            response.setContentType("application/octet-stream");
-            os = response.getOutputStream();
-            ExportExcel exportExcel = exportExcelMapper.selectById(exportId);
-            //输入流：本地文件路径
-            fileInputStream = new FileInputStream(new File(exportExcel.getExportUrl()));
-            in = new DataInputStream(fileInputStream);
-            //输出文件
-            int bytes = 0;
-            byte[] bufferOut = new byte[1024];
-            while ((bytes = in.read(bufferOut)) != -1) {
-                os.write(bufferOut, 0, bytes);
-            }
-
-            os.flush();
-        }catch (Exception e) {
-            log.error("下载excel文件异常", e.getMessage());
-        }finally {
-            if (fileInputStream != null) {
-                try{
-                    fileInputStream.close();
-                }catch (Exception e){}
-            }
-            if (in != null) {
-                try{
-                    in.close();
-                }catch (Exception e) {}
-            }
-        }
+        ExportExcel exportExcel = exportExcelMapper.selectById(exportId);
+        HttpServletResponse response = getHttpServletResponse();
+        exportExcelService.uploadExcel(exportExcel, response);
    }


    @Permission(menuname = "查询下载列表", value = "listExportExcel", method = RequestMethod.POST)
-    public ResponseData<Page<ExportExcel>> listExportExcel(@RequestParam(value = "fileName",required = false) String fileName,@RequestParam(name = "pageNo") int pageIndex, @RequestParam(name = "pageSize") int pageSize) {
+    public ResponseData<Page<ExportExcel>> listExportExcel(@RequestParam(value = "fileName", required = false) String fileName, @RequestParam(name = "pageNo") int pageIndex, @RequestParam(name = "pageSize") int pageSize) {
        ShiroUser user = getShiroUser();
        Wrapper<ExportExcel> wrapper = new EntityWrapper();
        if (!user.getRoleNames().stream().anyMatch(roleName -> StringUtils.equalsAny(roleName, "超级管理员"))) {
-            wrapper.like("create_user",user.getId().toString() , SqlLike.DEFAULT);
+            wrapper.like("create_user", user.getId().toString(), SqlLike.DEFAULT);
        }
        wrapper.like(StringUtils.isNotBlank(fileName), "file_name", fileName, SqlLike.DEFAULT);
        Page<ExportExcel> page = new Page<>(pageIndex, pageSize);
@@ -104,18 +73,18 @@ public class ExportExcelController extends BaseController {
        File file = new File(exportExcel.getExportUrl());
        Boolean flag = false;
        //判断文件是否存在
-        if (file.exists() == true){
+        if (file.exists() == true) {
            flag = file.delete();
-            if (flag){
+            if (flag) {
                exportExcelMapper.deleteById(Integer.parseInt(exportId));
-                log.info("成功删除"+file.getName());
-                return ResponseData.success("成功删除"+file.getName()+"！");
-            }else {
-                log.error("删除失败"+file.getName());
+                log.info("成功删除" + file.getName());
+                return ResponseData.success("成功删除" + file.getName() + "！");
+            } else {
+                log.error("删除失败" + file.getName());
                return ResponseData.error("删除失败！");
            }
-        }else {
-            log.info(file.getName()+"不存在，终止操作");
+        } else {
+            log.info(file.getName() + "不存在，终止操作");
        }
        return ResponseData.error("删除失败！");
    }

--- a/service-manager/src/main/java/com/winsun/service/ExportExcelService.java
+++ b/service-manager/src/main/java/com/winsun/service/ExportExcelService.java
+package com.winsun.service;
+
+import com.winsun.bean.ExportExcel;
+
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * @author liph
+ * @date 2020/10/19 09:36
+ */
+public interface ExportExcelService {
+    void uploadExcel(ExportExcel exportExcel, HttpServletResponse response);
+}
--- a/service-manager/src/main/java/com/winsun/service/impl/ExportExcelServiceImpl.java
+++ b/service-manager/src/main/java/com/winsun/service/impl/ExportExcelServiceImpl.java
+package com.winsun.service.impl;
+
+import com.winsun.auth.core.util.IOUtils;
+import com.winsun.bean.ExportExcel;
+import com.winsun.service.ExportExcelService;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.stereotype.Service;
+
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletResponse;
+import java.io.DataInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+
+/**
+ * @author liph
+ * @date 2020/10/19 09:36
+ */
+@Service
+@Slf4j
+public class ExportExcelServiceImpl implements ExportExcelService {
+    @Override
+    public void uploadExcel(ExportExcel exportExcel, HttpServletResponse response) {
+        FileInputStream fileInputStream = null;
+        DataInputStream in = null;
+        ServletOutputStream os = null;
+        try {
+            os = response.getOutputStream();
+            fileInputStream = new FileInputStream(new File(exportExcel.getExportUrl()));
+            in = new DataInputStream(fileInputStream);
+            int bytes = 0;
+            byte[] bufferOut = new byte[1024];
+            while ((bytes = in.read(bufferOut)) != -1) {
+                os.write(bufferOut, 0, bytes);
+            }
+            os.flush();
+        } catch (Exception e) {
+            log.error("下载excel文件异常" + e.getMessage(), e);
+        } finally {
+            IOUtils.closeQuite(fileInputStream, in);
+        }
+    }
+}