From 4e93ac86d4891c59ecfcd27c051de9b3c5379315 Mon Sep 17 00:00:00 2001
From: Grimm <luojian@allinpay.com>
Date: 星期五, 14 三月 2025 22:19:02 +0800
Subject: [PATCH] add file extention check for upload
---
 ruoyi-common/ruoyi-common-core/src/main/java/org/ruoyi/common/core/utils/file/FileUtils.java | 40 ++++++++++++++++++++
 ruoyi-common/ruoyi-common-core/src/main/java/org/ruoyi/common/core/utils/file/MimeTypeUtils.java | 26 ++++++++-----
 ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/service/impl/SseServiceImpl.java | 11 +++++
 3 files changed, 67 insertions(+), 10 deletions(-)
diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/org/ruoyi/common/core/utils/file/FileUtils.java b/ruoyi-common/ruoyi-common-core/src/main/java/org/ruoyi/common/core/utils/file/FileUtils.java
index 9c6f265..c8cc119 100644
--- a/ruoyi-common/ruoyi-common-core/src/main/java/org/ruoyi/common/core/utils/file/FileUtils.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/org/ruoyi/common/core/utils/file/FileUtils.java
@@ -4,9 +4,13 @@
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.AccessLevel;
 import lombok.NoArgsConstructor;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.web.multipart.MultipartFile;
 import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.UUID;
 /**
 * 鏂囦欢澶勭悊宸ュ叿绫�
@@ -15,6 +19,8 @@
 */
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
 public class FileUtils extends FileUtil {
+
+ private static final String FILE_EXTENTION_SPLIT = ".";
 /**
 * 涓嬭浇鏂囦欢鍚嶉噸鏂扮紪鐮�
@@ -40,4 +46,38 @@
 String encode = URLEncoder.encode(s, StandardCharsets.UTF_8);
 return encode.replaceAll("\\+", "%20");
 }
+
+ /**
+ * 妫�鏌ユ枃浠舵墿灞曞悕鏄惁绗﹀悎瑕佹眰
+ *
+ * @param file
+ * @return
+ */
+ public static boolean isValidFileExtention(MultipartFile file, String[] ALLOWED_EXTENSIONS) {
+ if (file == null || file.isEmpty()) {
+ return false;
+ }
+ final String filename = file.getOriginalFilename();
+ if (StringUtils.isBlank(filename) || !filename.contains(FILE_EXTENTION_SPLIT)) {
+ return false;
+ }
+ // 鑾峰彇鏂囦欢鍚庣紑
+ String fileExtension = filename.substring(filename.lastIndexOf('.') + 1).toLowerCase();
+
+ return Arrays.asList(ALLOWED_EXTENSIONS).contains(fileExtension);
+ }
+
+ /**
+ * 鑾峰彇瀹夊叏鐨勬枃浠惰矾寰�
+ *
+ * @param originalFilename 鍘熷鏂囦欢鍚�
+ * @param secureFilePath 瀹夊叏璺緞
+ * @return 瀹夊叏鏂囦欢璺緞
+ */
+ public static String getSecureFilePathForUpload(final String originalFilename, final String secureFilePath) {
+ String extension = originalFilename.substring(originalFilename.lastIndexOf(FILE_EXTENTION_SPLIT));
+ String newFileName = UUID.randomUUID() + extension;
+
+ return secureFilePath + newFileName; // 棰勫畾涔夊畨鍏ㄨ矾寰�
+ }
 }
diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/org/ruoyi/common/core/utils/file/MimeTypeUtils.java b/ruoyi-common/ruoyi-common-core/src/main/java/org/ruoyi/common/core/utils/file/MimeTypeUtils.java
index 9e39699..c82aebe 100644
--- a/ruoyi-common/ruoyi-common-core/src/main/java/org/ruoyi/common/core/utils/file/MimeTypeUtils.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/org/ruoyi/common/core/utils/file/MimeTypeUtils.java
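Review bot: `getSecureFilePathForUpload` throws `StringIndexOutOfBoundsException` for a name without a dot, because `lastIndexOf(FILE_EXTENTION_SPLIT)` returns -1 and `substring(-1)` is then called, and it dereferences a null `originalFilename`; `isValidFileExtention` guards both cases, but this helper is callable on its own. Guard it, e.g. `int dot = originalFilename == null ? -1 : originalFilename.lastIndexOf(FILE_EXTENTION_SPLIT);` followed by `String extension = dot < 0 ? "" : originalFilename.substring(dot);`, and consider running that extension through the same allow-list before reusing it, since the method name promises a safe path but it copies whatever follows the last dot verbatim and relies on `secureFilePath` already ending in a separator. In `isValidFileExtention`, the parameter `ALLOWED_EXTENSIONS` uses constant casing, `lastIndexOf('.')` duplicates `FILE_EXTENTION_SPLIT` (misspelt, as are the constant and method names), `toLowerCase()` should take `Locale.ROOT` so the match does not depend on the server locale, and the Javadoc `@param`/`@return` tags are empty. This check trusts the client-supplied original filename; treat it as a first filter and pair it with inspection of the uploaded bytes before the file is processed further.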
@@ -24,17 +24,23 @@
 "asf", "rm", "rmvb"};
 public static final String[] VIDEO_EXTENSION = {"mp4", "avi", "rmvb"};
+ /**
+ * 闊抽鎵╁睍鍚�
+ */
+ public static final String[] AUDIO__EXTENSION = {"mp3", "mp4", "mpeg", "mpga", "m4a", "wav", "webm"};
 public static final String[] DEFAULT_ALLOWED_EXTENSION = {
- // 鍥剧墖
- "bmp", "gif", "jpg", "jpeg", "png",
- // word excel powerpoint
- "doc", "docx", "xls", "xlsx", "ppt", "pptx", "html", "htm", "txt",
- // 鍘嬬缉鏂囦欢
- "rar", "zip", "gz", "bz2",
- // 瑙嗛鏍煎紡
- "mp4", "avi", "rmvb",
- // pdf
- "pdf"};
+ // 鍥剧墖
+ "bmp", "gif", "jpg", "jpeg", "png",
+ // word excel powerpoint
+ "doc", "docx", "xls", "xlsx", "ppt", "pptx", "html", "htm", "txt",
+ // 鍘嬬缉鏂囦欢
+ "rar", "zip", "gz", "bz2",
+ // 瑙嗛鏍煎紡
+ "mp4", "avi", "rmvb",
+ // 闊抽鏍煎紡
+ "mp3", "mp4", "mpeg", "mpga", "m4a", "wav", "webm",
+ // pdf
+ "pdf"};
 }
diff --git a/ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/service/impl/SseServiceImpl.java b/ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/service/impl/SseServiceImpl.java
index d7cc3e3..40d598d 100644
--- a/ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/service/impl/SseServiceImpl.java
+++ b/ruoyi-modules/ruoyi-system/src/main/java/org/ruoyi/system/service/impl/SseServiceImpl.java
@@ -37,6 +37,8 @@
 import org.ruoyi.common.core.exception.base.BaseException;
 import org.ruoyi.common.core.service.ConfigService;
 import org.ruoyi.common.core.utils.StringUtils;
+import org.ruoyi.common.core.utils.file.FileUtils;
+import org.ruoyi.common.core.utils.file.MimeTypeUtils;
 import org.ruoyi.common.satoken.utils.LoginHelper;
 import org.ruoyi.system.domain.SysModel;
 import org.ruoyi.system.domain.bo.ChatMessageBo;
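Review bot: `DEFAULT_ALLOWED_EXTENSION` now lists `"mp4"` twice (the video row and the new audio row); harmless for a `contains` lookup, but it should be dropped from one of them, and `AUDIO__EXTENSION` carries a double underscore that has already spread to the call sites in SseServiceImpl. Most of this hunk is whitespace-only re-indentation of the existing list, which buries the two-line addition; keeping the original indentation would make the change reviewable. The re-indented list also still admits `"html"` and `"htm"`; that is pre-existing, but if anything accepted by `upload()` is ever served back to a browser, those are the entries to revisit.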
@@ -333,6 +335,9 @@
 if (file.isEmpty()) {
 throw new IllegalStateException("Cannot convert an empty MultipartFile");
 }
+ if (!FileUtils.isValidFileExtention(file, MimeTypeUtils.AUDIO__EXTENSION)) {
+ throw new IllegalStateException("File Extention not supported");
+ }
 // 鍒涘缓涓�涓枃浠跺璞�
 File fileA = new File(System.getProperty("java.io.tmpdir") + File.separator + file.getOriginalFilename());
 try {
@@ -422,6 +427,12 @@
 @Override
 public UploadFileResponse upload(MultipartFile file) {
+ if (file.isEmpty()) {
+ throw new IllegalStateException("Cannot upload an empty MultipartFile");
+ }
+ if (!FileUtils.isValidFileExtention(file, MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION)) {
+ throw new IllegalStateException("File Extention not supported");
+ }
 openAiStreamClient = chatConfig.getOpenAiStreamClient();
 return openAiStreamClient.uploadFile("fine-tune", convertMultiPartToFile(file));
 }
-- 
Gitblit v1.9.3
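Review bot: The new extension check is immediately followed by the existing `new File(System.getProperty("java.io.tmpdir") + File.separator + file.getOriginalFilename())`, so the client-supplied original filename still becomes part of the temp path unchanged; the commit adds `FileUtils.getSecureFilePathForUpload` for exactly this situation but does not use it here. Either `File fileA = new File(FileUtils.getSecureFilePathForUpload(file.getOriginalFilename(), System.getProperty("java.io.tmpdir") + File.separator));` or `File.createTempFile` with the already-validated extension would keep the untrusted name out of the path. A rejected upload is a bad argument rather than a bad state, so `IllegalArgumentException` fits better than `IllegalStateException`, and the message spells it "Extention". The enclosing method (presumably `convertMultiPartToFile`, judging by the message on the context line) starts before the hunk and continues after it.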
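Review bot: `upload` now validates against `MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION` and then calls `convertMultiPartToFile(file)`; if that is the method patched at @@ -333, it re-validates against `MimeTypeUtils.AUDIO__EXTENSION`, so every non-audio extension this check admits (pdf, txt, docx, …) is rejected inside the conversion with the same "File Extention not supported" message. Pass the allowed list into the converter (e.g. `convertMultiPartToFile(file, MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION)`) or move the audio-only check to the transcription caller, so that one list governs each endpoint. The `file.isEmpty()` guard added here duplicates the one the converter already performs; if it stays and a missing part can bind as null, `file == null` belongs in the same condition.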