fix: 路径操作资源保护

Links https://docs.qq.com/sheet/DTkRSaWhSZXBlaldN?tab=000008&_t=1711087563249 (No.15)

fix: 路径操作资源保护
478d6450 · 李秀明 · 0b5beb36 · 478d6450
Commit 478d6450 authored Mar 25, 2024 by 李秀明
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 10 deletions

CheckController.java ...join/amos/patrol/business/controller/CheckController.java +14 -10

No files found.
--- a/amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/controller/CheckController.java
+++ b/amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/controller/CheckController.java
@@ -31,6 +31,7 @@ import com.yeejoin.amos.patrol.mqtt.WebMqttComponent;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.IOUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -51,10 +52,10 @@ import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 import java.io.*;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.*;
 import java.util.concurrent.CompletableFuture;
 import java.util.stream.Collectors;

@@ -848,16 +849,19 @@ public class CheckController extends AbstractBaseController {
            return CommonResponseUtil.failure();
        }
        InputStream inputStream = new ByteArrayInputStream(xml.getBytes());
-        ;
        Source source = new StreamSource(inputStream);
        try {
-            FileInputStream fis1 = new FileInputStream(
-                    this.getClass().getResource("/").getPath() + "temp/checkTemplate.xsl");
+            String filePath = Objects.requireNonNull(this.getClass().getResource("/")).getPath() + "temp" + File.separator + "checkTemplate.xsl";
+            if (Files.notExists(Paths.get(filePath))) {
+                throw new RuntimeException("模板文件不存在");
+            }
+            FileInputStream fis1 = new FileInputStream(FilenameUtils.normalize(filePath));
            Source template = new StreamSource(fis1);
            Date date = new Date();
            String path = request.getSession().getServletContext().getRealPath("/");
-            String dir = path.substring(0, path.indexOf(File.separator) + 1) + "check";
-            String html = path.substring(0, path.indexOf(File.separator) + 1) + "check" + File.separator + "task_"
+            String subPath = path.substring(0, path.indexOf(File.separator) + 1);
+            String dir = subPath + "check";
+            String html = subPath + "check" + File.separator + "task_"
                    + date.getTime() + ".html";
            File dirFile = new File(dir);
            if (!dirFile.exists()) {
@@ -871,7 +875,7 @@ public class CheckController extends AbstractBaseController {

            File htmlFile = new File(html);
            FileInputStream fis = new FileInputStream(htmlFile);
-            String data = IOUtils.toString(fis, "utf-8");
+            String data = IOUtils.toString(fis, StandardCharsets.UTF_8);
            fis.close();
            if (htmlFile.exists()) {
                htmlFile.delete();