pengjunjie/JeecgBoot
1
0
Fork 1
mirror of https://github.com/jeecgboot/JeecgBoot.git synced 2026-01-01 01:25:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

严重安全漏洞修复

Browse Source 
1.SQL注入检测存在绕过风险
2./upload接口存在任意文件上传漏洞
This commit is contained in:
zhangdaiscott
2022-02-26 22:46:52 +08:00
parent 912369181d
commit 6f3f2b90c8
3 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/CommonController.java
View File

@ -5,6 +5,7 @@ import com.alibaba.fastjson.JSONObject;
import lombok.extern.slf4j.Slf4j;
import org.jeecg.common.api.vo.Result;
import org.jeecg.common.constant.CommonConstant;
import org.jeecg.common.exception.JeecgBootException;
import org.jeecg.common.system.api.ISysBaseAPI;
import org.jeecg.common.util.CommonUtils;
import org.jeecg.common.util.RestUtil;
@ -73,6 +74,12 @@ public class CommonController {
Result<?> result = new Result<>();
String savePath = "";
String bizPath = request.getParameter("biz");
//LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
if(bizPath.contains("../") || bizPath.contains("..\\")){
throw new JeecgBootException("上传目录bizPath格式非法");
}
MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
MultipartFile file = multipartRequest.getFile("file");// 获取上传文件对象
if(oConvertUtils.isEmpty(bizPath)){

7
jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java
View File

@ -2,6 +2,7 @@ package org.jeecg.modules.system.controller;
import lombok.extern.slf4j.Slf4j;
import org.jeecg.common.api.vo.Result;
import org.jeecg.common.exception.JeecgBootException;
import org.jeecg.common.util.CommonUtils;
import org.jeecg.common.util.MinioUtil;
import org.jeecg.common.util.oConvertUtils;
@ -34,6 +35,12 @@ public class SysUploadController {
public Result<?> uploadMinio(HttpServletRequest request) {
Result<?> result = new Result<>();
String bizPath = request.getParameter("biz");
//LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
if(bizPath.contains("../") || bizPath.contains("..\\")){
throw new JeecgBootException("上传目录bizPath格式非法");
}
if(oConvertUtils.isEmpty(bizPath)){
bizPath = "";
}