修改部分代码审计问题，添加文件上传大小限制，不超过100m

6b2c737d · 罗承锋 · f6edeb38 · 6b2c737d · 6b2c737d · 6b2c737d
Commit 6b2c737d authored Oct 20, 2020 by 罗承锋
11 changed files
--- a/service-manager/src/main/java/com/winsun/controller/BillController.java
+++ b/service-manager/src/main/java/com/winsun/controller/BillController.java
@@ -200,6 +200,9 @@ public class BillController extends BaseController{
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+		if ( (double)file.getSize()/1048576 > 100) {
+			return ResponseData.error("文件过大，无法上传");
+		}
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));

--- a/service-manager/src/main/java/com/winsun/controller/LzKpiController.java
+++ b/service-manager/src/main/java/com/winsun/controller/LzKpiController.java
@@ -523,6 +523,9 @@ public class LzKpiController extends BaseController {
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+        if ( (double)file.getSize()/1048576 > 100) {
+            return ResponseData.error("文件过大，无法上传");
+        }
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));

--- a/service-manager/src/main/java/com/winsun/controller/LzSalaryController.java
+++ b/service-manager/src/main/java/com/winsun/controller/LzSalaryController.java
@@ -607,6 +607,9 @@ public class LzSalaryController extends BaseController {
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+        if ( (double)file.getSize()/1048576 > 100) {
+            return ResponseData.error("文件过大，无法上传");
+        }
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));

--- a/service-manager/src/main/java/com/winsun/controller/ManagerKpiController.java
+++ b/service-manager/src/main/java/com/winsun/controller/ManagerKpiController.java
@@ -351,6 +351,9 @@ public class ManagerKpiController extends BaseController {
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+        if ( (double)file.getSize()/1048576 > 100) {
+            return ResponseData.error("文件过大，无法上传");
+        }
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));

--- a/service-manager/src/main/java/com/winsun/controller/OrderController.java
+++ b/service-manager/src/main/java/com/winsun/controller/OrderController.java
@@ -429,6 +429,9 @@ public class OrderController extends BaseController {
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+        if ( (double)file.getSize()/1048576 > 100) {
+            return ResponseData.error("文件过大，无法上传");
+        }
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));
@@ -559,6 +562,9 @@ public class OrderController extends BaseController {
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+        if ( (double)file.getSize()/1048576 > 100) {
+            return ResponseData.error("文件过大，无法上传");
+        }
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));

--- a/service-manager/src/main/java/com/winsun/controller/PackageController.java
+++ b/service-manager/src/main/java/com/winsun/controller/PackageController.java
@@ -190,10 +190,10 @@ public class PackageController extends BaseController {
    @Permission(menuname = "上传背景图", value = "backgroundUpload", method = RequestMethod.POST)
    public ResponseData<String> backgroundUpload(@RequestParam(value = "file") MultipartFile file, @RequestParam(value = "id", required = false) String id) {
        if(!StringUtils.endsWithAny(file.getOriginalFilename(), "jpg", "jpeg", "png", "gif")) {
-            return ResponseData.error("上传失败，不允许的文件格式");
+            return ResponseData.error("上传失败，仅支持jpg、jpeg、png");
        }
-        if (StringUtils.containsAny(id, "../", "./", "..", ".", "/")) {
-            return ResponseData.error("上传失败，非法路径");
+        if ( (double)file.getSize()/1048576 > 100) {
+            return ResponseData.error("文件过大，无法上传");
        }
        StringBuilder basePath = new StringBuilder();
        basePath.append("enclosure").append(File.separator).append(DEFAULTPATH).append(File.separator);
@@ -233,7 +233,12 @@ public class PackageController extends BaseController {
    //xiaotudUpload
    @Permission(menuname = "上传小图", value = "xiaotuUpload", method = RequestMethod.POST)
    public ResponseData<String> xiaotuUpload(@RequestParam(value = "file") MultipartFile file, @RequestParam(value = "id", required = false) String id) {
-
+        if(!StringUtils.endsWithAny(file.getOriginalFilename(), "jpg", "jpeg", "png", "gif")) {
+            return ResponseData.error("上传失败，仅支持jpg、jpeg、png");
+        }
+        if ( (double)file.getSize()/1048576 > 100) {
+            return ResponseData.error("文件过大，无法上传");
+        }
        String backgroundpath = FilePath.BACKGROUNDIMG.getValue() + "/" + DEFAULTPATH + "/";
        if (StringUtils.isBlank(id)) {
            EntityWrapper<Package> packagewrapper = new EntityWrapper<>();

--- a/service-manager/src/main/java/com/winsun/controller/SalesListController.java
+++ b/service-manager/src/main/java/com/winsun/controller/SalesListController.java
@@ -204,6 +204,9 @@ public class SalesListController extends BaseController{
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+        if ( (double)file.getSize()/1048576 > 100) {
+			return ResponseData.error("文件过大，无法上传");
+		}
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));
@@ -408,6 +411,9 @@ public class SalesListController extends BaseController{
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+		if ( (double)file.getSize()/1048576 > 100) {
+			return ResponseData.error("文件过大，无法上传");
+		}
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));

--- a/service-manager/src/main/java/com/winsun/controller/SalesOrderController.java
+++ b/service-manager/src/main/java/com/winsun/controller/SalesOrderController.java
@@ -501,6 +501,9 @@ public class SalesOrderController extends BaseController{
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+		if ( (double)file.getSize()/1048576 > 100) {
+			return ResponseData.error("文件过大，无法上传");
+		}
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));
@@ -706,6 +709,9 @@ public class SalesOrderController extends BaseController{
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+		if ( (double)file.getSize()/1048576 > 100) {
+			return ResponseData.error("文件过大，无法上传");
+		}
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));

--- a/service-manager/src/main/java/com/winsun/controller/SchoolManagementController.java
+++ b/service-manager/src/main/java/com/winsun/controller/SchoolManagementController.java
@@ -251,6 +251,13 @@ public class SchoolManagementController extends BaseController {
        if (!dir.exists()) {
            dir.mkdirs();
        }
+        if(!StringUtils.endsWithAny(file.getOriginalFilename(), "jpg", "jpeg", "png", "gif")) {
+            return ResponseData.error("上传失败，仅支持jpg、jpeg、png");
+        }
+        if ( (double)file.getSize()/1048576 > 100) {
+            return ResponseData.error("图片过大，无法上传");
+        }
+
        File savePath = new File(backgroundpath, id + FILENAME);
        OutputStream os = null;
        try {

--- a/service-manager/src/main/java/com/winsun/controller/YxtCouponController.java
+++ b/service-manager/src/main/java/com/winsun/controller/YxtCouponController.java
@@ -325,6 +325,9 @@ public class YxtCouponController extends BaseController {
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+        if ( (double)file.getSize()/1048576 > 100) {
+            return ResponseData.error("文件过大，无法上传");
+        }
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));

--- a/service-manager/src/main/java/com/winsun/controller/zjlSalaryController.java
+++ b/service-manager/src/main/java/com/winsun/controller/zjlSalaryController.java
@@ -497,6 +497,9 @@ public class zjlSalaryController extends BaseController {
        if (!StringUtils.endsWithAny(file.getOriginalFilename(), "xlsx", "xls")) {
            return ResponseData.error("手工上传数据仅支持Excel文件，其他格式不支持！");
        }
+        if ( (double)file.getSize()/1048576 > 100) {
+            return ResponseData.error("文件过大，无法上传");
+        }
        ShiroUser user = getShiroUser();
        // 当前是否有数据权限
        boolean hasDataPermission = user.getRoleNames().stream().anyMatch(data -> StringUtils.equalsAny(data, "活动上单员", "数据管理员", "超级管理员"));