fix(infra): 文件上传时，放宽 directory 校验，可支持类似 XXX/YYY 目录

2026-03-22 05:07:17 +08:00 · 2025-12-13 09:39:30 +08:00
parent 04e59b0561
commit be27ba3aa6
2 changed files with 10 additions and 3 deletions
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/admin/file/vo/file/FileUploadReqVO.java
@@ -22,7 +22,14 @@ public class FileUploadReqVO {
    @AssertTrue(message = "文件目录不正确")
    @JsonIgnore
    public boolean isDirectoryValid() {
-        return !StrUtil.containsAny(directory, "..", "/", "\\");
+        return isDirectoryValid(directory);
+    }
+
+    public static boolean isDirectoryValid(String directory) {
+        // 1. 不能包含 .. 防止目录穿越
+        // 2. 不能以 / 或 \ 开头，防止上传到根目录
+        return !StrUtil.contains(directory, "..")
+                && !StrUtil.startWithAny(directory, "/", "\\");
    }

 }
--- a/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
+++ b/yudao-module-infra/src/main/java/cn/iocoder/yudao/module/infra/controller/app/file/vo/AppFileUploadReqVO.java
@@ -1,6 +1,6 @@
 package cn.iocoder.yudao.module.infra.controller.app.file.vo;

-import cn.hutool.core.util.StrUtil;
+import cn.iocoder.yudao.module.infra.controller.admin.file.vo.file.FileUploadReqVO;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import io.swagger.v3.oas.annotations.media.Schema;
 import jakarta.validation.constraints.AssertTrue;
@@ -22,7 +22,7 @@ public class AppFileUploadReqVO {
    @AssertTrue(message = "文件目录不正确")
    @JsonIgnore
    public boolean isDirectoryValid() {
-        return !StrUtil.containsAny(directory, "..", "/", "\\");
+        return FileUploadReqVO.isDirectoryValid(directory);
    }

 }