From e602b759bbdc4e89aeb327fd40048a32a4de1e5e Mon Sep 17 00:00:00 2001
From: Jie Zheng <201507802@qq.com>
Date: Fri, 20 Jun 2025 11:29:39 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E5=A2=9E=E5=8A=A0=E5=BA=94=E7=94=A8?=
 =?UTF-8?q?=E5=90=8D=E7=A7=B0=E7=89=B9=E6=AE=8A=E5=AD=97=E7=AC=A6=E6=A0=A1?=
 =?UTF-8?q?=E9=AA=8C=E4=B8=8E=E5=91=BD=E4=BB=A4=E6=89=A7=E8=A1=8C=E5=AE=89?=
 =?UTF-8?q?=E5=85=A8=E6=80=A7=E4=BC=98=E5=8C=96=EF=BC=8C=E9=81=BF=E5=85=8D?=
 =?UTF-8?q?=E6=BD=9C=E5=9C=A8=E6=81=B6=E6=84=8F=E6=94=BB=E5=87=BB=E9=A3=8E?=
 =?UTF-8?q?=E9=99=A9=EF=BC=8C=E5=85=B3=E8=81=94=20#873?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

close https://github.com/elunez/eladmin/issues/873
---
 .../modules/maint/service/impl/AppServiceImpl.java | 12 +++++++++++-
 .../maint/service/impl/DeployServiceImpl.java | 10 +++++++---
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java b/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java
index d7aeb296..9fee6182 100644
--- a/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java
+++ b/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java
@@ -56,7 +56,7 @@ public class AppServiceImpl implements AppService {
 
     @Override
     public AppDto findById(Long id) {
-        App app = appRepository.findById(id).orElseGet(App::new);
+        App app = appRepository.findById(id).orElseGet(App::new);
         ValidationUtil.isNull(app.getId(),"App","id",id);
         return appMapper.toDto(app);
     }
@@ -64,6 +64,11 @@ public class AppServiceImpl implements AppService {
     @Override
     @Transactional(rollbackFor = Exception.class)
     public void create(App resources) {
+        // 验证应用名称是否存在恶意攻击payload,https://github.com/elunez/eladmin/issues/873
+        String appName = resources.getName();
+        if (appName.contains(";") || appName.contains("|") || appName.contains("&")) {
+            throw new IllegalArgumentException("非法的应用名称,请勿包含[; | &]等特殊字符");
+        }
         verification(resources);
         appRepository.save(resources);
     }
@@ -71,6 +76,11 @@ public class AppServiceImpl implements AppService {
     @Override
     @Transactional(rollbackFor = Exception.class)
     public void update(App resources) {
+        // 验证应用名称是否存在恶意攻击payload,https://github.com/elunez/eladmin/issues/873
+        String appName = resources.getName();
+        if (appName.contains(";") || appName.contains("|") || appName.contains("&")) {
+            throw new IllegalArgumentException("非法的应用名称,请勿包含[; | &]等特殊字符");
+        }
         verification(resources);
         App app = appRepository.findById(resources.getId()).orElseGet(App::new);
         ValidationUtil.isNull(app.getId(),"App","id",resources.getId());
diff --git a/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java b/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java
index 41a25988..350cff2e 100644
--- a/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java
+++ b/eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java
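Review bot: The denylist `contains(";") || contains("|") || contains("&")` in create (and the identical copy in the update hunk at -71,6) is not sufficient to keep the name out of a shell: backticks, `$(`, newlines, redirection characters, quotes and whitespace are all still accepted, and `resources.getName()` is dereferenced without a null check, so a request with no name fails with a NullPointerException instead of the intended IllegalArgumentException. Since the only downstream consumer visible here is a command string, an allowlist is the safer contract: extract the duplicated block into one private helper and replace the condition with `if (appName == null || !appName.matches("[A-Za-z0-9._-]+"))`, keeping the existing exception message. Note that the same argument applies to `deployPath`, which DeployServiceImpl interpolates into the same `find` command but which this commit does not validate; where that field is set in this class is outside the hunk, so I cannot tell whether it is covered elsewhere.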
@@ -263,9 +263,13 @@ public class DeployServiceImpl implements DeployService {
         return "执行完毕";
     }
 
-    private boolean checkFile(ExecuteShellUtil executeShellUtil, AppDto appDTO) {
-        String result = executeShellUtil.executeForResult("find " + appDTO.getDeployPath() + " -name " + appDTO.getName());
-        return result.indexOf(appDTO.getName())>0;
+    private boolean checkFile(ExecuteShellUtil executeShellUtil, AppDto app) {
+        String deployPath = app.getDeployPath();
+        String appName = app.getName();
+        // 使用安全的命令执行方式,避免直接拼接字符串,https://github.com/elunez/eladmin/issues/873
+        String[] command = {"find", deployPath, "-name", appName};
+        String result = executeShellUtil.executeForResult(Arrays.toString(command));
+        return result.contains(appName);
     }
 
     /**
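Review bot: `Arrays.toString(command)` does not build a command; it yields the literal text `[find, <deployPath>, -name, <appName>]` (brackets and commas included), so the string handed to `executeForResult` is not what the comment claims to run, and because it is still a single string going to the shell helper, putting the pieces in an array gives no argument isolation — any shell metacharacter in `deployPath` or `appName` reaches the shell exactly as before. `executeForResult` is declared outside this hunk, so I am inferring from its String parameter that it runs the text through a shell. If that API cannot take an argument list, quote each argument explicitly, e.g. a helper `private static String shellQuote(String arg) { return "'" + arg.replace("'", "'\\''") + "'"; }` and `String result = executeShellUtil.executeForResult("find " + shellQuote(deployPath) + " -name " + shellQuote(appName));`, in addition to the allowlist validation of both fields at the point they are stored. Whether `java.util.Arrays` is already imported in this file is not visible in the hunk; if it is not, the change as written does not compile.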