
任意文件上传漏洞修复

hanzhiwei %!s(int64=3) %!d(string=hai) anos
pai
achega
f697644739

+ 18 - 6
zd-modules/zd-base/src/main/java/com/zd/base/files/file/controller/SysFileController.java

@@ -31,12 +31,24 @@ public class SysFileController {
     @PostMapping("upload")
     public R<SysFile> upload(MultipartFile file) {
         try {
-            // 上传并返回访问地址
-            String url = sysFileService.uploadFile(file);
-            SysFile sysFile = new SysFile();
-            sysFile.setName(FileUtils.getName(url));
-            sysFile.setUrl(url);
-            return R.ok(sysFile);
+            String fileSuffix = file.getOriginalFilename().substring(file.getOriginalFilename().lastIndexOf("."));
+            String[] picSuffixList = {".jpg", ".png", ".jpeg", ".gif", ".bmp", ".ico",".pdf",".doc",".docx",".ppt",".pptx",".mp3",".mp4",".xls",".xlsx",".csv",".txt"};
+            boolean suffixFlag = false;
+            for (String white_suffix : picSuffixList) {
+                if (fileSuffix.toLowerCase().equals(white_suffix)) {
+                    suffixFlag = true;
+                    break;
+                }
+            }
+            if (suffixFlag) {
+                // 上传并返回访问地址
+                String url = sysFileService.uploadFile(file);
+                SysFile sysFile = new SysFile();
+                sysFile.setName(FileUtils.getName(url));
+                sysFile.setUrl(url);
+                return R.ok(sysFile);
+            }
+            return R.fail("文件上传类型不正确!");
         } catch (Exception e) {
             log.error("上传文件失败", e);
             return R.fail(e.getMessage());
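Review bot: The suffix extraction on the first added line throws for a client-controlled filename with no dot (`lastIndexOf(".")` returns -1, so `substring(-1)` fails) or for a null `getOriginalFilename()`, and the enclosing `catch (Exception e)` then answers with the raw exception text via `R.fail(e.getMessage())` instead of the intended type-rejection message. Guard it explicitly before extracting: `String name = file.getOriginalFilename();` followed by `if (name == null || name.lastIndexOf('.') < 0) { return R.fail("文件上传类型不正确!"); }`. The check also trusts only the last extension of a client-supplied name and never inspects the bytes, so a `.jpg` or `.txt` holding JSP/HTML content passes; that is safe only if `sysFileService.uploadFile` (not visible here) renames the stored file and the file-serving layer never executes or content-sniffs uploads — worth confirming, and a magic-byte or `getContentType()` cross-check would reduce the reliance on that assumption. Since the list is no longer picture-only, `picSuffixList` is misnamed; a `private static final Set<String> ALLOWED_SUFFIXES` on the class would replace the manual loop with `ALLOWED_SUFFIXES.contains(fileSuffix.toLowerCase(Locale.ROOT))`. The `upload` method's catch block closes outside the hunk.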