Path Traversal Vulnerability /sys/comment/addFile /sys/upload/uploadMinio endpoint (notice the uploadlocal function is different from the /sys/common/upload ) #8827

README-EN.md

@@ -7,12 +7,12 @@
 JEECG BOOT AI Low Code Platform
 ===============
 
-Current version: 3.8.2 (Release date: 2025-08-04)
+Current version: 3.8.3 (Release date: 2025-10-09)
 
 
 [![AUR](https://img.shields.io/badge/license-Apache%20License%202.0-blue.svg)](https://github.com/zhangdaiscott/jeecg-boot/blob/master/LICENSE)
 [![](https://img.shields.io/badge/Author-guojusoft-orange.svg)](http://www.jeecg.com)
-[![](https://img.shields.io/badge/version-3.8.2-brightgreen.svg)](https://github.com/zhangdaiscott/jeecg-boot)
+[![](https://img.shields.io/badge/version-3.8.3-brightgreen.svg)](https://github.com/zhangdaiscott/jeecg-boot)
 [![GitHub stars](https://img.shields.io/github/stars/zhangdaiscott/jeecg-boot.svg?style=social&label=Stars)](https://github.com/zhangdaiscott/jeecg-boot)
 [![GitHub forks](https://img.shields.io/github/forks/zhangdaiscott/jeecg-boot.svg?style=social&label=Fork)](https://github.com/zhangdaiscott/jeecg-boot)
 

README.md

@@ -2,7 +2,7 @@
 JeecgBoot AI低代码平台
 ===============
 
-当前最新版本： 3.8.3（发布日期：2025-09-22） 
+当前最新版本： 3.8.3（发布日期：2025-10-09） 
 
 
 [![AUR](https://img.shields.io/badge/license-Apache%20License%202.0-blue.svg)](https://github.com/jeecgboot/JeecgBoot/blob/master/LICENSE)

docker-compose-cloud.yml

@@ -109,28 +109,33 @@ services:
 #    environment:
 #      RABBITMQ_DEFAULT_USER: guest
 #      RABBITMQ_DEFAULT_PASS: guest
-#  jeecg-boot-sentinel:
-#    restart: on-failure
-#    build:
-#      context: ./jeecg-visual/jeecg-cloud-sentinel
-#    ports:
-#      - 9000:9000
-#    depends_on:
-#      - jeecg-boot-nacos
-#      - jeecg-boot-demo
-#      - jeecg-boot-system
-#      - jeecg-boot-gateway
-#    container_name: jeecg-boot-sentinel
-#    hostname: jeecg-boot-sentinel
-#
-#  jeecg-boot-xxljob:
-#    build:
-#      context: ./jeecg-visual/jeecg-cloud-xxljob
-#    ports:
-#      - 9080:9080
-#    container_name: jeecg-boot-xxljob
-#    hostname: jeecg-boot-xxljob
 
+  jeecg-boot-sentinel:
+     restart: on-failure
+     build:
+       context: ./jeecg-boot/jeecg-server-cloud/jeecg-visual/jeecg-cloud-sentinel
+     ports:
+       - 9000:9000
+     depends_on:
+       - jeecg-boot-nacos
+       - jeecg-boot-demo
+       - jeecg-boot-system
+       - jeecg-boot-gateway
+     container_name: jeecg-boot-sentinel
+     hostname: jeecg-boot-sentinel
+     networks:
+       - jeecg-boot
+  
+  jeecg-boot-xxljob:
+     build:
+       context: ./jeecg-boot/jeecg-server-cloud/jeecg-visual/jeecg-cloud-xxljob
+     ports:
+       - 9080:9080
+     container_name: jeecg-boot-xxljob
+     hostname: jeecg-boot-xxljob
+     networks:
+       - jeecg-boot
+  
   jeecg-vue:
     build:
       context: ./jeecgboot-vue3

jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/CommonUtils.java

@@ -153,9 +153,9 @@ public class CommonUtils {
      */
     public static String uploadLocal(MultipartFile mf,String bizPath,String uploadpath){
         try {
-            //update-begin-author:liusq date:20210809 for: 过滤上传文件类型
-            SsrfFileTypeFilter.checkUploadFileType(mf);
-            //update-end-author:liusq date:20210809 for: 过滤上传文件类型
+            // 文件安全校验，防止上传漏洞文件
+            SsrfFileTypeFilter.checkUploadFileType(mf, bizPath);
+            
             String fileName = null;
             File file = new File(uploadpath + File.separator + bizPath + File.separator );
             if (!file.exists()) {

jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/MinioUtil.java

@@ -55,13 +55,11 @@ public class MinioUtil {
      */
     public static String upload(MultipartFile file, String bizPath, String customBucket) throws Exception {
         String fileUrl = "";
-        //update-begin-author:wangshuai date:20201012 for: 过滤上传文件夹名特殊字符，防止攻击
+        // 业务路径过滤，防止攻击
         bizPath = StrAttackFilter.filter(bizPath);
-        //update-end-author:wangshuai date:20201012 for: 过滤上传文件夹名特殊字符，防止攻击
 
-        //update-begin-author:liusq date:20210809 for: 过滤上传文件类型
-        SsrfFileTypeFilter.checkUploadFileType(file);
-        //update-end-author:liusq date:20210809 for: 过滤上传文件类型
+        // 文件安全校验，防止上传漏洞文件
+        SsrfFileTypeFilter.checkUploadFileType(file, bizPath);
 
         String newBucket = bucketName;
         if(oConvertUtils.isNotEmpty(customBucket)){

jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/filter/SsrfFileTypeFilter.java

@@ -2,6 +2,7 @@ package org.jeecg.common.util.filter;
 
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
+import org.jeecg.common.exception.JeecgBootException;
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.IOException;
@@ -149,29 +150,38 @@ public class SsrfFileTypeFilter {
     public static void checkDownloadFileType(String filePath) throws IOException {
         //文件后缀
         String suffix = getFileTypeBySuffix(filePath);
-        log.info("suffix:{}", suffix);
+        log.debug(" 【文件下载校验】文件后缀 suffix: {}", suffix);
         boolean isAllowExtension = FILE_TYPE_WHITE_LIST.contains(suffix.toLowerCase());
         //是否允许下载的文件
         if (!isAllowExtension) {
-            throw new IOException("下载失败，存在非法文件类型：" + suffix);
+            throw new JeecgBootException("下载失败，存在非法文件类型：" + suffix);
         }
     }
 
-
     /**
      * 上传文件类型过滤
      *
      * @param file
      */
     public static void checkUploadFileType(MultipartFile file) throws Exception {
-        //获取文件真是后缀
-        String suffix = getFileType(file);
-
-        log.info("suffix:{}", suffix);
+        checkUploadFileType(file, null);
+    }
+    
+    /**
+     * 上传文件类型过滤
+     *
+     * @param file
+     */
+    public static void checkUploadFileType(MultipartFile file, String customPath) throws Exception {
+        //1. 路径安全校验
+        validatePathSecurity(customPath);
+        //2. 校验文件后缀和头
+        String suffix = getFileType(file, customPath);
+        log.info("【文件上传校验】文件后缀 suffix: {}，customPath：{}", suffix, customPath);
         boolean isAllowExtension = FILE_TYPE_WHITE_LIST.contains(suffix.toLowerCase());
         //是否允许下载的文件
         if (!isAllowExtension) {
-            throw new Exception("上传失败，存在非法文件类型：" + suffix);
+            throw new JeecgBootException("上传失败，存在非法文件类型：" + suffix);
         }
     }
 
@@ -183,7 +193,7 @@ public class SsrfFileTypeFilter {
      * @throws Exception
      */
 
-    private static String getFileType(MultipartFile file) throws Exception {
+    private static String getFileType(MultipartFile file, String customPath) throws Exception {
         //update-begin-author:liusq date:20230404 for: [issue/4672]方法造成的文件被占用，注释掉此方法tomcat就能自动清理掉临时文件
         String fileExtendName = null;
         InputStream is = null;
@@ -203,7 +213,7 @@ public class SsrfFileTypeFilter {
                     break;
                 }
             }
-            log.info("-----获取到的指定文件类型------"+fileExtendName);
+            log.debug("-----获取到的指定文件类型------"+fileExtendName);
             // 如果不是上述类型，则判断扩展名
             if (StringUtils.isBlank(fileExtendName)) {
                 String fileName = file.getOriginalFilename();
@@ -214,7 +224,6 @@ public class SsrfFileTypeFilter {
                 // 如果有扩展名，则返回扩展名
                 return getFileTypeBySuffix(fileName);
             }
-            log.info("-----最終的文件类型------"+fileExtendName);
             is.close();
             return fileExtendName;
         } catch (Exception e) {
@@ -249,4 +258,34 @@ public class SsrfFileTypeFilter {
         }
         return stringBuilder.toString();
     }
+
+    /**
+     * 路径安全校验
+     */
+    private static void validatePathSecurity(String customPath) throws JeecgBootException {
+        if (customPath == null || customPath.trim().isEmpty()) {
+            return;
+        }
+
+        // 统一分隔符为 /
+        String normalized = customPath.replace("\\", "/");
+
+        // 1. 防止路径遍历攻击
+        if (normalized.contains("..") || normalized.contains("~")) {
+            throw new JeecgBootException("上传业务路径包含非法字符！");
+        }
+
+        // 2. 限制路径深度
+        int depth = normalized.split("/").length;
+        if (depth > 5) {
+            throw new JeecgBootException("上传业务路径深度超出限制！");
+        }
+
+        // 3. 限制字符集（只允许字母、数字、下划线、横线、斜杠）
+        if (!normalized.matches("^[a-zA-Z0-9/_-]+$")) {
+            throw new JeecgBootException("上传业务路径包含非法字符！");
+        }
+    }
+
+    
 }

jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/oss/OssBootUtil.java

@@ -97,9 +97,8 @@ public class OssBootUtil {
      * @return oss 中的相对文件路径
      */
     public static String upload(MultipartFile file, String fileDir,String customBucket) throws Exception {
-        //update-begin-author:liusq date:20210809 for: 过滤上传文件类型
+        // 文件安全校验，防止上传漏洞文件
         SsrfFileTypeFilter.checkUploadFileType(file);
-        //update-end-author:liusq date:20210809 for: 过滤上传文件类型
 
         String filePath = null;
         initOss(endPoint, accessKeyId, accessKeySecret);

jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/config/shiro/ShiroConfig.java

@@ -158,7 +158,7 @@ public class ShiroConfig {
         filterChainDefinitionMap.put("/drag/onlDragDatasetHead/getTotalDataByCompId", "anon");
         filterChainDefinitionMap.put("/drag/mock/json/**", "anon");
         filterChainDefinitionMap.put("/drag/onlDragDatasetHead/getDictByCodes", "anon");
-
+        filterChainDefinitionMap.put("/drag/onlDragDatasetHead/queryAllById", "anon");
         filterChainDefinitionMap.put("/jimubi/view", "anon");
         filterChainDefinitionMap.put("/jimubi/share/view/**", "anon");
 

jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java

@@ -68,50 +68,19 @@ public class CommonController {
         Result<?> result = new Result<>();
         String savePath = "";
         String bizPath = request.getParameter("biz");
-
-        //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
-        if (oConvertUtils.isNotEmpty(bizPath)) {
-            if(bizPath.contains(SymbolConstant.SPOT_SINGLE_SLASH) || bizPath.contains(SymbolConstant.SPOT_DOUBLE_BACKSLASH)){
-                throw new JeecgBootException("上传目录bizPath，格式非法！");
-            }
-        }
-
         MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
-        // 获取上传文件对象
         MultipartFile file = multipartRequest.getFile("file");
-        if(oConvertUtils.isEmpty(bizPath)){
-            if(CommonConstant.UPLOAD_TYPE_OSS.equals(uploadType)){
-                //未指定目录，则用阿里云默认目录 upload
-                bizPath = "upload";
-                //result.setMessage("使用阿里云文件上传时，必须添加目录！");
-                //result.setSuccess(false);
-                //return result;
-            }else{
-                bizPath = "";
-            }
+        
+        // 文件安全校验，防止上传漏洞文件
+        SsrfFileTypeFilter.checkUploadFileType(file, bizPath);
+  
+        if (oConvertUtils.isEmpty(bizPath)) {
+            bizPath = CommonConstant.UPLOAD_TYPE_OSS.equals(uploadType) ? "upload" : "";
         }
         if(CommonConstant.UPLOAD_TYPE_LOCAL.equals(uploadType)){
-            //update-begin-author:liusq date:20221102 for: 过滤上传文件类型
-            SsrfFileTypeFilter.checkUploadFileType(file);
-            //update-end-author:liusq date:20221102 for: 过滤上传文件类型
-            //update-begin-author:lvdandan date:20200928 for:修改JEditor编辑器本地上传
             savePath = this.uploadLocal(file,bizPath);
-            //update-begin-author:lvdandan date:20200928 for:修改JEditor编辑器本地上传
-            /**  富文本编辑器及markdown本地上传时，采用返回链接方式
-            //针对jeditor编辑器如何使 lcaol模式，采用 base64格式存储
-            String jeditor = request.getParameter("jeditor");
-            if(oConvertUtils.isNotEmpty(jeditor)){
-                result.setMessage(CommonConstant.UPLOAD_TYPE_LOCAL);
-                result.setSuccess(true);
-                return result;
-            }else{
-                savePath = this.uploadLocal(file,bizPath);
-            }
-            */
         }else{
-            //update-begin-author:taoyan date:20200814 for:文件上传改造
             savePath = CommonUtils.upload(file, bizPath, uploadType);
-            //update-end-author:taoyan date:20200814 for:文件上传改造
         }
         if(oConvertUtils.isNotEmpty(savePath)){
             result.setMessage(savePath);

jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java

@@ -133,7 +133,7 @@ public class SysTenantController {
     @RequestMapping(value = "/add", method = RequestMethod.POST)
     public Result<SysTenant> add(@RequestBody SysTenant sysTenant) {
         Result<SysTenant> result = new Result();
-        if(sysTenantService.getById(sysTenant.getId())!=null){
+        if(sysTenant!=null && oConvertUtils.isNotEmpty(sysTenant.getId()) && sysTenantService.getById(sysTenant.getId())!=null){
             return result.error500("该编号已存在!");
         }
         try {

jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUploadController.java

@@ -2,9 +2,9 @@ package org.jeecg.modules.system.controller;
 
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.vo.Result;
-import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.util.CommonUtils;
 import org.jeecg.common.util.MinioUtil;
+import org.jeecg.common.util.filter.SsrfFileTypeFilter;
 import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.modules.oss.entity.OssFile;
 import org.jeecg.modules.oss.service.IOssFileService;
@@ -35,20 +35,18 @@ public class SysUploadController {
     @PostMapping(value = "/uploadMinio")
     public Result<?> uploadMinio(HttpServletRequest request) throws Exception {
         Result<?> result = new Result<>();
+        // 获取业务路径
         String bizPath = request.getParameter("biz");
-
-        //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
-        boolean flag = oConvertUtils.isNotEmpty(bizPath) && (bizPath.contains("../") || bizPath.contains("..\\"));
-        if (flag) {
-            throw new JeecgBootException("上传目录bizPath，格式非法！");
-        }
+        // 获取上传文件对象
+        MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
+        MultipartFile file = multipartRequest.getFile("file");
+        
+        // 文件安全校验，防止上传漏洞文件
+        SsrfFileTypeFilter.checkUploadFileType(file, bizPath);
 
         if(oConvertUtils.isEmpty(bizPath)){
             bizPath = "";
         }
-        MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
-        // 获取上传文件对象
-        MultipartFile file = multipartRequest.getFile("file");
         // 获取文件名
         String orgName = file.getOriginalFilename();
         orgName = CommonUtils.getFileName(orgName);

jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysCommentServiceImpl.java

@@ -15,6 +15,7 @@ import org.jeecg.common.system.api.ISysBaseAPI;
 import org.jeecg.common.system.vo.SysFilesModel;
 import org.jeecg.common.util.CommonUtils;
 import org.jeecg.common.util.RedisUtil;
+import org.jeecg.common.util.filter.SsrfFileTypeFilter;
 import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.modules.system.entity.SysComment;
 import org.jeecg.modules.system.entity.SysFormFile;
@@ -119,28 +120,24 @@ public class SysCommentServiceImpl extends ServiceImpl<SysCommentMapper, SysComm
     @Transactional(rollbackFor = Exception.class)
     @Override
     public void saveOneFileComment(HttpServletRequest request) {
-        
-        //update-begin-author:taoyan date:2023-6-12 for: QQYUN-4310【文件】从文件库选择文件功能未做
         String existFileId = request.getParameter("fileId");
         if(oConvertUtils.isEmpty(existFileId)){
             String savePath = "";
+            // 获取业务路径
             String bizPath = request.getParameter("biz");
-            //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
-            if (oConvertUtils.isNotEmpty(bizPath)) {
-                if (bizPath.contains(SymbolConstant.SPOT_SINGLE_SLASH) || bizPath.contains(SymbolConstant.SPOT_DOUBLE_BACKSLASH)) {
-                    throw new JeecgBootException("上传目录bizPath，格式非法！");
-                }
-            }
-            MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
             // 获取上传文件对象
+            MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
             MultipartFile file = multipartRequest.getFile("file");
+
+            // 文件安全校验，防止上传漏洞文件
+            try {
+                SsrfFileTypeFilter.checkUploadFileType(file, bizPath);
+            } catch (Exception e) {
+                throw new JeecgBootException(e);
+            }
+
             if (oConvertUtils.isEmpty(bizPath)) {
-                if (CommonConstant.UPLOAD_TYPE_OSS.equals(uploadType)) {
-                    //未指定目录，则用阿里云默认目录 upload
-                    bizPath = "upload";
-                } else {
-                    bizPath = "";
-                }
+                bizPath = CommonConstant.UPLOAD_TYPE_OSS.equals(uploadType) ? "upload" : "";
             }
             if (CommonConstant.UPLOAD_TYPE_LOCAL.equals(uploadType)) {
                 savePath = this.uploadLocal(file, bizPath);
@@ -348,10 +345,13 @@ public class SysCommentServiceImpl extends ServiceImpl<SysCommentMapper, SysComm
      * @return
      */
     private String uploadLocal(MultipartFile mf, String bizPath) {
-        //LOWCOD-2580 sys/common/upload接口存在任意文件上传漏洞
-        if (oConvertUtils.isNotEmpty(bizPath) && (bizPath.contains("../") || bizPath.contains("..\\"))) {
-            throw new JeecgBootException("上传目录bizPath，格式非法！");
+        try {
+            // 文件安全校验，防止上传漏洞文件
+            SsrfFileTypeFilter.checkUploadFileType(mf, bizPath);
+        } catch (Exception e) {
+            throw new JeecgBootException(e);
         }
+        
         try {
             String ctxPath = uploadpath;
             String fileName = null;

jeecg-boot/jeecg-module-system/jeecg-system-start/src/main/resources/application-docker.yml

@@ -266,11 +266,11 @@ jeecg:
   #xxl-job配置
   xxljob:
     enabled: false
-    adminAddresses: http://127.0.0.1:9080/xxl-job-admin
+    adminAddresses: http://jeecg-boot-xxljob:9080/xxl-job-admin
     appname: ${spring.application.name}
     accessToken: ''
-    address: 127.0.0.1:30007
-    ip: 127.0.0.1
+    address: jeecg-boot-xxljob:30007
+    ip: jeecg-boot-xxljob
     port: 30007
     logPath: logs/jeecg/job/jobhandler/
     logRetentionDays: 30

jeecg-boot/jeecg-server-cloud/jeecg-visual/jeecg-cloud-xxljob/Dockerfile

@@ -12,5 +12,5 @@ EXPOSE 9080
 
 ADD ./target/jeecg-cloud-xxljob-3.8.3.jar ./
 
-CMD java -Dfile.encoding=utf-8 -Djava.security.egd=file:/dev/./urandom -jar jeecg-cloud-xxljob-3.8.3.jar
+CMD sleep 60;java -Dfile.encoding=utf-8 -Djava.security.egd=file:/dev/./urandom -jar jeecg-cloud-xxljob-3.8.3.jar
 

jeecg-boot/pom.xml

@@ -61,7 +61,7 @@
 		
 		<!-- 积木报表-->
 		<jimureport-spring-boot-starter.version>2.1.3</jimureport-spring-boot-starter.version>
-		<jimubi-spring-boot-starter.version>2.1.3</jimubi-spring-boot-starter.version>
+		<jimubi-spring-boot-starter.version>2.1.4</jimubi-spring-boot-starter.version>
 		<minidao.version>1.10.14</minidao.version>
 		<autopoi-web.version>1.4.18</autopoi-web.version>