fix: 增加应用名称特殊字符校验与命令执行安全性优化，避免潜在恶意攻击风险，关联 #873

close https://github.com/elunez/eladmin/issues/873

eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/AppServiceImpl.java

@@ -56,7 +56,7 @@ public class AppServiceImpl implements AppService {
 
     @Override
     public AppDto findById(Long id) {
-		App app = appRepository.findById(id).orElseGet(App::new);
+        App app = appRepository.findById(id).orElseGet(App::new);
         ValidationUtil.isNull(app.getId(),"App","id",id);
         return appMapper.toDto(app);
     }
@@ -64,6 +64,11 @@ public class AppServiceImpl implements AppService {
     @Override
     @Transactional(rollbackFor = Exception.class)
     public void create(App resources) {
+        // 验证应用名称是否存在恶意攻击payload，https://github.com/elunez/eladmin/issues/873
+        String appName = resources.getName();
+        if (appName.contains(";") || appName.contains("|") || appName.contains("&")) {
+            throw new IllegalArgumentException("非法的应用名称，请勿包含[; | &]等特殊字符");
+        }
         verification(resources);
         appRepository.save(resources);
     }
@@ -71,6 +76,11 @@ public class AppServiceImpl implements AppService {
     @Override
     @Transactional(rollbackFor = Exception.class)
     public void update(App resources) {
+        // 验证应用名称是否存在恶意攻击payload，https://github.com/elunez/eladmin/issues/873
+        String appName = resources.getName();
+        if (appName.contains(";") || appName.contains("|") || appName.contains("&")) {
+            throw new IllegalArgumentException("非法的应用名称，请勿包含[; | &]等特殊字符");
+        }
         verification(resources);
         App app = appRepository.findById(resources.getId()).orElseGet(App::new);
         ValidationUtil.isNull(app.getId(),"App","id",resources.getId());

eladmin-system/src/main/java/me/zhengjie/modules/maint/service/impl/DeployServiceImpl.java

@@ -263,9 +263,13 @@ public class DeployServiceImpl implements DeployService {
 		return "执行完毕";
 	}
 
-	private boolean checkFile(ExecuteShellUtil executeShellUtil, AppDto appDTO) {
+	private boolean checkFile(ExecuteShellUtil executeShellUtil, AppDto app) {
-		String result = executeShellUtil.executeForResult("find " + appDTO.getDeployPath() + " -name " + appDTO.getName());
+		String deployPath = app.getDeployPath();
-		return result.indexOf(appDTO.getName())>0;
+		String appName = app.getName();
+		// 使用安全的命令执行方式，避免直接拼接字符串，https://github.com/elunez/eladmin/issues/873
+		String[] command = {"find", deployPath, "-name", appName};
+		String result = executeShellUtil.executeForResult(Arrays.toString(command));
+		return result.contains(appName);
 	}
 
 	/**