From 0386eb43de6d456108bc548a0658ba589b3343dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A4=A7=E7=81=B0=E7=81=B0?=
Date: Tue, 20 Aug 2024 11:38:19 +0800
Subject: [PATCH] =?UTF-8?q?=E3=80=90=E4=BC=98=E5=8C=96=E3=80=91=E5=89=8D?=
 =?UTF-8?q?=E7=AB=AF=E4=B8=8A=E4=BC=A0=E6=8E=A5=E5=8F=A3=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E6=95=B0=E6=8D=AE=E6=A0=A1=E9=AA=8C=EF=BC=8C=E9=98=B2=E6=AD=A2?=
 =?UTF-8?q?=E5=87=BA=E7=8E=B0=E6=81=B6=E6=84=8F=E6=8F=90=E4=BA=A4=E8=84=9A?=
 =?UTF-8?q?=E6=9C=AC=E6=95=B0=E6=8D=AE=E7=9A=84=E9=97=AE=E9=A2=98=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 CoreCms.Net.Utility/Helper/CommonHelper.cs | 12 +++++++
 .../Controllers/CommonController.cs | 31 ++++++++++++++-----
 2 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/CoreCms.Net.Utility/Helper/CommonHelper.cs b/CoreCms.Net.Utility/Helper/CommonHelper.cs
index 69386c3d..f787e59e 100644
--- a/CoreCms.Net.Utility/Helper/CommonHelper.cs
+++ b/CoreCms.Net.Utility/Helper/CommonHelper.cs
@@ -746,6 +746,18 @@ namespace CoreCms.Net.Utility.Helper
 return t;
 }
+ #region 检测提交的内容是否包含非法信息
+ ///
+ /// 检测提交的内容是否包含非法信息。
+ ///
+ ///
+ ///
+ public static bool CheckData(string inputData)
+ {
+ var strRegex = @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
+ return Regex.IsMatch(inputData, strRegex);
+ }
+ #endregion
 }
 }
diff --git a/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs b/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
index c9c2a5bc..ab010d86 100644
--- a/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
+++ b/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
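Review bot: `CheckData` is a keyword blacklist that the rest of this patch makes the upload endpoints' only content control; the pattern is case-sensitive with mixed-case keywords (`alert` beside `EXEC`/`UNION`), so its coverage is inconsistent, and it flags ordinary prose such as `and I like` through `\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)`. It should be documented as a defence-in-depth heuristic, with parameterized queries and output encoding remaining the actual SQL-injection/XSS controls, and the `///` doc lines above it should state the parameter contract and what a `true` return means, which they currently do not. Operationally, `Regex.IsMatch(inputData, strRegex)` throws `ArgumentNullException` on a null input and runs unbounded lazy `.+?` alternatives over entire upload bodies, so hoist the pattern into a static `Regex` with a match timeout and guard null/empty input, as below (timeout value is a placeholder to tune against the configured upload size).
```csharp
// Heuristic blacklist for script/SQL-looking fragments. Defence in depth only: persistence must
// still use parameterized queries and rendered output must be encoded. Bounded by a match timeout
// because callers pass entire upload bodies through it.
private static readonly Regex s_suspiciousContent = new Regex(
    @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)",
    RegexOptions.Compiled,
    TimeSpan.FromMilliseconds(500)); // PLACEHOLDER budget — tune against the configured MaxSize

/// <summary>
/// Returns true when <paramref name="inputData"/> contains a fragment matching the blacklist;
/// callers reject the submission. Null or empty input is treated as clean.
/// </summary>
public static bool CheckData(string inputData)
{
    if (string.IsNullOrEmpty(inputData))
    {
        return false;
    }

    try
    {
        return s_suspiciousContent.IsMatch(inputData);
    }
    catch (RegexMatchTimeoutException)
    {
        // A scan that cannot finish within budget is rejected rather than waved through.
        return true;
    }
}
```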
@@ -13,6 +13,7 @@ using System.Collections.Generic;
 using System.Globalization;
 using System.IO;
 using System.Linq;
+using System.Text;
 using System.Threading.Tasks;
 using Aliyun.OSS;
 using Aliyun.OSS.Util;
@@ -324,8 +325,6 @@ namespace CoreCms.Net.Web.WebApi.Controllers
 #endregion
-
-
 //验证接口====================================================================================================
 #region 上传附件通用接口====================================================
@@ -351,8 +350,20 @@ namespace CoreCms.Net.Web.WebApi.Controllers
 jm.msg = "请选择文件";
 return jm;
 }
- string fileName = file.FileName;
- string fileExt = Path.GetExtension(fileName).ToLowerInvariant();
+ var fileName = file.FileName;
+ var fileExt = Path.GetExtension(fileName).ToLowerInvariant();
+
+ // 使用StreamReader来读取文件内容
+ using (var reader = new StreamReader(file.OpenReadStream(), Encoding.UTF8))
+ {
+ var content = await reader.ReadToEndAsync(); // 注意:这可能会消耗大量内存对于大文件,所以需要限制上传大小
+ // 检查内容是否合法
+ if (CommonHelper.CheckData(content))
+ {
+ jm.msg = "请勿提交非法数据。";
+ return jm;
+ }
+ }
 //检查大小
 if (file.Length > maxSize)
@@ -369,7 +380,7 @@ namespace CoreCms.Net.Web.WebApi.Controllers
 return jm;
 }
- string url = string.Empty;
+ var url = string.Empty;
 if (filesStorageOptions.StorageType == GlobalEnumVars.FilesStorageOptionsType.LocalStorage.ToString())
 {
 url = await _toolsServices.UpLoadFileForLocalStorage(filesStorageOptions, fileExt, file, (int)GlobalEnumVars.FilesStorageLocation.API);
@@ -422,6 +433,12 @@ namespace CoreCms.Net.Web.WebApi.Controllers
 return jm;
 }
+ if (CommonHelper.CheckData(entity.base64))
+ {
+ jm.msg = "请勿提交非法内容。";
+ return jm;
+ }
+
 //检查上传大小
 if (!CommonHelper.CheckBase64Size(entity.base64, filesStorageOptions.MaxSize))
 {
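Review bot: The whole-file `reader.ReadToEndAsync()` in the new `using (var reader = new StreamReader(...))` block runs before the `//检查大小 if (file.Length > maxSize)` check that follows it, so an oversized upload is buffered entirely into a string before being rejected — the inline comment itself notes the memory cost; move the size check above the StreamReader block so `maxSize` bounds the read. Decoding arbitrary uploads (images, archives, PDFs) as UTF-8 and running a SQL/XSS keyword regex over them validates nothing for binary data and will reject legitimate files whose bytes happen to spell a listed word, while plain-text uploads containing prose like `and I like` are rejected by `\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)`; if the scan is kept, limit it to text-like values of `fileExt`. The extension allow-list and content-type validation for uploads — presumably applied elsewhere in this method, not visible in the hunk — remain the control that actually matters here. The enclosing upload method starts before and ends after this hunk.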
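Review bot: `CommonHelper.CheckData(entity.base64)` scans the still-encoded base64 string, whose alphabet (`A-Z`, `a-z`, `0-9`, `+`, `/`, `=`, plus the `data:image/...;base64,` prefix stripped later in this method) contains no `<`, spaces or parentheses, so most of the pattern's alternatives can never match and the remaining ones (`\bEXEC\b`, `UNION.+?SELECT`, `\b(alert|confirm|prompt)\b`) can only fire by chance on legitimate image data — the check produces false positives without validating anything. Validate the decoded bytes instead: after the existing `Convert.FromBase64String(entity.base64)`, confirm the data is really an image (magic bytes, or loading it with the image library the project already uses) and reject on failure. The message `"请勿提交非法内容。"` also differs from the `"请勿提交非法数据。"` used for the file-upload path; pick one wording for both. The enclosing method starts before this hunk.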
@@ -430,6 +447,7 @@ namespace CoreCms.Net.Web.WebApi.Controllers
 }
 entity.base64 = entity.base64.Replace("data:image/png;base64,", "").Replace("data:image/jgp;base64,", "").Replace("data:image/jpg;base64,", "").Replace("data:image/jpeg;base64,", "");//将base64头部信息替换 + byte[] bytes = Convert.FromBase64String(entity.base64);
 MemoryStream memStream = new MemoryStream(bytes);
@@ -442,7 +460,6 @@ namespace CoreCms.Net.Web.WebApi.Controllers
 {
 //上传到阿里云
 url = await _toolsServices.UpLoadBase64ForAliYunOSS(filesStorageOptions, memStream);
-
 }
 else if (filesStorageOptions.StorageType == GlobalEnumVars.FilesStorageOptionsType.QCloudOSS.ToString())
 {
@@ -468,7 +485,5 @@ namespace CoreCms.Net.Web.WebApi.Controllers
 #endregion
-
-
 }
 }
\ No newline at end of file