【优化】前端上传接口增加数据校验,防止出现恶意提交脚本数据的问题。

This commit is contained in:
大灰灰
2024-08-20 11:38:19 +08:00
parent 8604fb0c4b
commit 0386eb43de
2 changed files with 35 additions and 8 deletions


@@ -746,6 +746,18 @@ namespace CoreCms.Net.Utility.Helper
return t;
}
#region
/// <summary>
/// 检测提交的内容是否包含非法信息。
/// </summary>
/// <param name="inputData"></param>
/// <returns></returns>
public static bool CheckData(string inputData)
{
var strRegex = @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
return Regex.IsMatch(inputData, strRegex);
}
#endregion
}
}


@@ -13,6 +13,7 @@ using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Aliyun.OSS;
using Aliyun.OSS.Util;
@@ -324,8 +325,6 @@ namespace CoreCms.Net.Web.WebApi.Controllers
#endregion
//验证接口====================================================================================================
#region ====================================================
@@ -351,8 +350,20 @@ namespace CoreCms.Net.Web.WebApi.Controllers
jm.msg = "请选择文件";
return jm;
}
string fileName = file.FileName;
string fileExt = Path.GetExtension(fileName).ToLowerInvariant();
var fileName = file.FileName;
var fileExt = Path.GetExtension(fileName).ToLowerInvariant();
// 使用StreamReader来读取文件内容
using (var reader = new StreamReader(file.OpenReadStream(), Encoding.UTF8))
{
var content = await reader.ReadToEndAsync(); // 注意:这可能会消耗大量内存对于大文件,所以需要限制上传大小
// 检查内容是否合法
if (CommonHelper.CheckData(content))
{
jm.msg = "请勿提交非法数据。";
return jm;
}
}
//检查大小
if (file.Length > maxSize)
@@ -369,7 +380,7 @@ namespace CoreCms.Net.Web.WebApi.Controllers
return jm;
}
string url = string.Empty;
var url = string.Empty;
if (filesStorageOptions.StorageType == GlobalEnumVars.FilesStorageOptionsType.LocalStorage.ToString())
{
url = await _toolsServices.UpLoadFileForLocalStorage(filesStorageOptions, fileExt, file, (int)GlobalEnumVars.FilesStorageLocation.API);
@@ -422,6 +433,12 @@ namespace CoreCms.Net.Web.WebApi.Controllers
return jm;
}
if (CommonHelper.CheckData(entity.base64))
{
jm.msg = "请勿提交非法内容。";
return jm;
}
//检查上传大小
if (!CommonHelper.CheckBase64Size(entity.base64, filesStorageOptions.MaxSize))
{
@@ -430,6 +447,7 @@ namespace CoreCms.Net.Web.WebApi.Controllers
}
entity.base64 = entity.base64.Replace("data:image/png;base64,", "").Replace("data:image/jgp;base64,", "").Replace("data:image/jpg;base64,", "").Replace("data:image/jpeg;base64,", "");//将base64头部信息替换
byte[] bytes = Convert.FromBase64String(entity.base64);
MemoryStream memStream = new MemoryStream(bytes);
@@ -442,7 +460,6 @@ namespace CoreCms.Net.Web.WebApi.Controllers
{
//上传到阿里云
url = await _toolsServices.UpLoadBase64ForAliYunOSS(filesStorageOptions, memStream);
}
else if (filesStorageOptions.StorageType == GlobalEnumVars.FilesStorageOptionsType.QCloudOSS.ToString())
{
@@ -468,7 +485,5 @@ namespace CoreCms.Net.Web.WebApi.Controllers
#endregion
}
}
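Review bot: In the hunk starting `jm.msg = "请选择文件";` the whole upload is read into a string via `reader.ReadToEndAsync()` before `if (file.Length > maxSize)` is evaluated, so the size limit no longer bounds memory use — the comment on the `ReadToEndAsync` line itself acknowledges this. Move the `if (file.Length > maxSize) { … }` check above the `using (var reader = new StreamReader(file.OpenReadStream(), Encoding.UTF8))` block, and if the controller has an extension allow-list, gate on `fileExt` before any read as well. Decoding a binary upload (an image, say) as UTF-8 and running the keyword blocklist over it is also likely to reject legitimate files by chance, since the `\b(and|or)\b.{1,6}?(=|>|<…)` alternative matches short byte runs; restricting the content scan to text-like extensions, or validating images by actually decoding them, would be more reliable. The later `CommonHelper.CheckData(entity.base64)` check scans the still-encoded base64 string, whose alphabet (`A-Z a-z 0-9 + / =`) cannot contain `<`, whitespace or most of the pattern's tokens, so it cannot fire on what it is meant to catch; if that content needs checking, do it on the decoded `bytes` or verify that they decode as an image. Both upload methods start and end outside their hunks.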