From 1396c8a0dc2e617c6cb3b7b119e327423de7eec7 Mon Sep 17 00:00:00 2001 From: RB Date: Mon, 4 Mar 2024 22:38:15 +0800 Subject: [PATCH] fix: 1020-1098-1099 --- .../core/support/RebuildConfiguration.java | 9 +++----- .../core/support/integration/QiniuCloud.java | 22 +++++++++---------- .../java/com/rebuild/utils/CommonsUtils.java | 12 ++++++++++ .../com/rebuild/web/RebuildWebConfigurer.java | 5 +++-- .../rebuild/web/commons/FileDownloader.java | 4 ++-- 5 files changed, 31 insertions(+), 21 deletions(-) diff --git a/src/main/java/com/rebuild/core/support/RebuildConfiguration.java b/src/main/java/com/rebuild/core/support/RebuildConfiguration.java index f38aea801..977dc7540 100644 --- a/src/main/java/com/rebuild/core/support/RebuildConfiguration.java +++ b/src/main/java/com/rebuild/core/support/RebuildConfiguration.java @@ -11,6 +11,7 @@ import com.rebuild.core.Application; import com.rebuild.core.BootEnvironmentPostProcessor; import com.rebuild.core.RebuildException; import com.rebuild.core.service.PerHourJob; +import com.rebuild.utils.CommonsUtils; import lombok.extern.slf4j.Slf4j; import org.apache.commons.io.FileUtils; import org.apache.commons.lang3.BooleanUtils; @@ -40,9 +41,7 @@ public class RebuildConfiguration extends KVStorage { * @return */ public static File getFileOfData(String filepath) { - if (filepath != null && filepath.contains("../")) { - throw new SecurityException("Attack path detected : " + filepath); - } + CommonsUtils.checkFilePathAttack(filepath); String d = get(ConfigurationItem.DataDirectory); File datadir = null; @@ -77,9 +76,7 @@ public class RebuildConfiguration extends KVStorage { * @see PerHourJob#doCleanTempFiles() */ public static File getFileOfTemp(String filepath) { - if (filepath != null && filepath.contains("../")) { - throw new SecurityException("Attack path detected : " + filepath); - } + CommonsUtils.checkFilePathAttack(filepath); File temp = getFileOfData("temp"); if (!temp.exists()) { 
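Review bot: The replacement call `CommonsUtils.checkFilePathAttack(filepath)` is still a substring denylist, so a parent-directory component that is not spelled exactly `../` (a path ending in `..`, or `..` followed by a backslash on Windows) passes it, and this call is the only traversal guard before `filepath` is presumably joined to `datadir` further down in `getFileOfData`, whose body continues outside the hunk. The robust check is containment after normalization, applied where the `File` is built: `Path base = datadir.toPath().toAbsolutePath().normalize(); Path target = base.resolve(filepath).normalize(); if (!target.startsWith(base)) throw new SecurityException("Attack path detected : " + filepath);`. The same point applies to the `getFileOfTemp` hunk below, to `checkFilePathAttack` itself in `CommonsUtils`, and to the `FileDownloader` hunk, all of which rely on the substring test alone.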
diff --git a/src/main/java/com/rebuild/core/support/integration/QiniuCloud.java b/src/main/java/com/rebuild/core/support/integration/QiniuCloud.java
index 1d2bab9ea..255269e3b 100644
--- a/src/main/java/com/rebuild/core/support/integration/QiniuCloud.java
+++ b/src/main/java/com/rebuild/core/support/integration/QiniuCloud.java
@@ -395,29 +395,29 @@ public class QiniuCloud {
 /**
 * 读取文件
 *
- * @param filePath
+ * @param filepath
 * @return
 * @throws IOException
 * @throws RebuildException If cannot read/download
 */
- public static File getStorageFile(String filePath) throws IOException, RebuildException {
- File file;
- if (filePath.startsWith("http://") || filePath.startsWith("https://")) {
- String name = filePath.split("\\?")[0];
+ public static File getStorageFile(String filepath) throws IOException, RebuildException {
+ File file = null;
+ if (filepath.startsWith("http://") || filepath.startsWith("https://")) {
+ String name = filepath.split("\\?")[0];
 name = name.substring(name.lastIndexOf("/") + 1);
 file = RebuildConfiguration.getFileOfTemp("down" + System.nanoTime() + "." + name);
- OkHttpUtils.readBinary(filePath, file, null);
+ OkHttpUtils.readBinary(filepath, file, null);
 
 } else if (QiniuCloud.instance().available()) {
- String name = parseFileName(filePath);
+ String name = parseFileName(filepath);
 file = RebuildConfiguration.getFileOfTemp("down" + System.nanoTime() + "." + name);
- instance().download(filePath, file);
+ instance().download(filepath, file);
 
- } else {
- file = RebuildConfiguration.getFileOfData(filePath);
+ } else if (filepath.startsWith("rb/") || filepath.startsWith("/rb/")) {
+ file = RebuildConfiguration.getFileOfData(filepath);
 }
 
- if (!file.exists()) throw new RebuildException("Cannot read file : " + filePath);
+ if (file == null || !file.exists()) throw new RebuildException("Cannot read file : " + filepath);
 return file;
 }
 }
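Review bot: The new `else if (filepath.startsWith("rb/") || filepath.startsWith("/rb/"))` narrows which local paths `getStorageFile` will resolve, but nothing in the code or the Javadoc says so, and a caller passing any other local path now gets the generic "Cannot read file" error that previously meant a missing file. The `@param filepath` tag that the hunk renames is still empty. Add `// local reads are limited to the rb/ prefix; any other local path falls through to the "cannot read" error below` on the new branch, and complete the tag as `@param filepath an http(s) URL, a key handed to the cloud download, or a local path under rb/`. Whether the `/rb/` spelling with a leading slash resolves the same way as `rb/` depends on `getFileOfData`, which is outside this hunk.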
diff --git a/src/main/java/com/rebuild/utils/CommonsUtils.java b/src/main/java/com/rebuild/utils/CommonsUtils.java
index ec5b07c79..8c5c62bdd 100644
--- a/src/main/java/com/rebuild/utils/CommonsUtils.java
+++ b/src/main/java/com/rebuild/utils/CommonsUtils.java
@@ -299,4 +299,16 @@ public class CommonsUtils {
 int rnd = RandomUtils.nextInt(e);
 return rnd < s ? rnd + s : rnd;
 }
+
+ /**
+ * @param filepath
+ * @throws SecurityException
+ */
+ public static void checkFilePathAttack(String filepath) throws SecurityException {
+ if (filepath == null) return;
+ if (filepath.contains(".rebuild") || filepath.contains("../")
+ || filepath.contains("<") || filepath.contains(">")) {
+ throw new SecurityException("Attack path detected : " + filepath);
+ }
+ }
 }
diff --git a/src/main/java/com/rebuild/web/RebuildWebConfigurer.java b/src/main/java/com/rebuild/web/RebuildWebConfigurer.java
index 5ce88a014..329a2ebbe 100644
--- a/src/main/java/com/rebuild/web/RebuildWebConfigurer.java
+++ b/src/main/java/com/rebuild/web/RebuildWebConfigurer.java
@@ -21,6 +21,7 @@ import com.rebuild.core.support.RebuildConfiguration;
 import com.rebuild.core.support.i18n.Language;
 import com.rebuild.core.support.integration.QiniuCloud;
 import com.rebuild.utils.AppUtils;
+import com.rebuild.utils.CommonsUtils;
 import com.rebuild.utils.MarkdownUtils;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.catalina.connector.ClientAbortException;
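Review bot: The Javadoc on the new `checkFilePathAttack` carries tags but no text, so a reader cannot tell why `.rebuild` and the characters `<` and `>` are rejected next to `../`, nor that `null` is accepted and returns silently. Replace it with a summary such as `Rejects file paths that must not reach the filesystem: a parent-directory segment, the .rebuild name, or the HTML-significant characters < and >; null passes unchanged.`, then give `@param filepath` a description (caller-supplied path, may be null) and state on `@throws SecurityException` that it fires when any rejected pattern is present and that the exception is unchecked despite the `throws` clause. If `<` and `>` are blocked because the path is echoed back in an error message, that reason belongs in the comment as well; I cannot confirm it from this hunk.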
@@ -203,10 +204,10 @@ public class RebuildWebConfigurer implements WebMvcConfigurer, ErrorViewResolver
 if (StringUtils.isBlank(errorMsg)) errorMsg = Language.L("系统繁忙,请稍后重试");
 
 error.getModel().put("error_code", errorCode);
- error.getModel().put("error_msg", errorMsg);
+ error.getModel().put("error_msg", CommonsUtils.escapeHtml(errorMsg));
 
 if (ex != null && Application.devMode()) {
- error.getModel().put("error_stack", ThrowableUtils.extractStackTrace(ex));
+ error.getModel().put("error_stack", CommonsUtils.escapeHtml(ThrowableUtils.extractStackTrace(ex)));
 }
 
 return error;
diff --git a/src/main/java/com/rebuild/web/commons/FileDownloader.java b/src/main/java/com/rebuild/web/commons/FileDownloader.java
index d531e87e1..1ca7f37e5 100644
--- a/src/main/java/com/rebuild/web/commons/FileDownloader.java
+++ b/src/main/java/com/rebuild/web/commons/FileDownloader.java
@@ -268,8 +268,8 @@ public class FileDownloader extends BaseController {
 filepath = CodecUtils.urlDecode(filepath);
 filepath = filepath.replace("\\", "/");
 
- if (filepath.contains("../")
- || filepath.startsWith("_log/") || filepath.contains("/_log/")
+ CommonsUtils.checkFilePathAttack(filepath);
+ if (filepath.startsWith("_log/") || filepath.contains("/_log/")
 || filepath.startsWith("_backups/") || filepath.contains("/_backups/")) {
 throw new SecurityException("Attack path detected : " + filepath);
 }
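Review bot: `CommonsUtils.escapeHtml(errorMsg)` and the matching `error_stack` line move HTML encoding into the model, which is only correct if the error view renders both attributes without escaping them again; a template that already escapes will now show `&lt;` literally, and one that renders raw depends on every writer of these keys remembering this call. Whether the view escapes is not visible in this hunk, and the enclosing method starts outside it. Add `// pre-escaped: the error view must output error_msg and error_stack without further HTML escaping` above the first put, and either encode `error_code` the same way or note in that comment that it is numeric, if it is.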
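Review bot: After the added `CommonsUtils.checkFilePathAttack(filepath)`, the remaining `_log/` / `_backups/` guard is still a substring test that lives only in this controller, so as far as the `getFileOfData` hunk shows those two directories stay reachable through any other caller of `getFileOfData` that does not repeat it. If they are meant to be off-limits everywhere, move the prefix test into `checkFilePathAttack` (or a sibling helper next to it) so every entry point shares one rule, and leave a comment here such as `// download-only restriction: log and backup directories are never served` explaining why this guard differs from the shared one. The enclosing handler starts outside the hunk.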