fix: 增加应用名称特殊字符校验与命令执行安全性优化，避免潜在恶意攻击风险，关联 #873

close https://github.com/elunez/eladmin/issues/873
2025-06-20 11:29:39 +08:00 · 2025-06-20 11:29:39 +08:00 · e602b759bb
parent caa7c6698f
commit e602b759bb
2 changed files with 18 additions and 4 deletions
--- a/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java
+++ b/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java
@ -56,7 +56,7 @@ public class AppServiceImpl implements AppService {

    @Override
    public AppDto findById(Long id) {
-		App app = appRepository.findById(id).orElseGet(App::new);
+        App app = appRepository.findById(id).orElseGet(App::new);
        ValidationUtil.isNull(app.getId(),"App","id",id);
        return appMapper.toDto(app);
    }
@ -64,6 +64,11 @@ public class AppServiceImpl implements AppService {
    @Override
    @Transactional(rollbackFor = Exception.class)
    public void create(App resources) {
+        // 验证应用名称是否存在恶意攻击payload，https://github.com/elunez/eladmin/issues/873
+        String appName = resources.getName();
+        if (appName.contains(";") || appName.contains("|") || appName.contains("&")) {
+            throw new IllegalArgumentException("非法的应用名称，请勿包含[; | &]等特殊字符");
+        }
        verification(resources);
        appRepository.save(resources);
    }
@ -71,6 +76,11 @@ public class AppServiceImpl implements AppService {
    @Override
    @Transactional(rollbackFor = Exception.class)
    public void update(App resources) {
+        // 验证应用名称是否存在恶意攻击payload，https://github.com/elunez/eladmin/issues/873
+        String appName = resources.getName();
+        if (appName.contains(";") || appName.contains("|") || appName.contains("&")) {
+            throw new IllegalArgumentException("非法的应用名称，请勿包含[; | &]等特殊字符");
+        }
        verification(resources);
        App app = appRepository.findById(resources.getId()).orElseGet(App::new);
        ValidationUtil.isNull(app.getId(),"App","id",resources.getId());
--- a/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java
+++ b/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java
@ -263,9 +263,13 @@ public class DeployServiceImpl implements DeployService {
 		return "执行完毕";
 	}

-	private boolean checkFile(ExecuteShellUtil executeShellUtil, AppDto appDTO) {
-		String result = executeShellUtil.executeForResult("find " + appDTO.getDeployPath() + " -name " + appDTO.getName());
-		return result.indexOf(appDTO.getName())>0;
+	private boolean checkFile(ExecuteShellUtil executeShellUtil, AppDto app) {
+		String deployPath = app.getDeployPath();
+		String appName = app.getName();
+		// 使用安全的命令执行方式，避免直接拼接字符串，https://github.com/elunez/eladmin/issues/873
+		String[] command = {"find", deployPath, "-name", appName};
+		String result = executeShellUtil.executeForResult(Arrays.toString(command));
+		return result.contains(appName);
 	}

 	/**