【优化】前端上传接口增加数据校验，防止出现恶意提交脚本数据的问题。

2025-12-06 17:23:26 +08:00 · 2024-08-20 11:38:19 +08:00
parent 8604fb0c4b
commit 0386eb43de
2 changed files with 35 additions and 8 deletions
--- a/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
+++ b/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
@@ -13,6 +13,7 @@ using System.Collections.Generic;
 using System.Globalization;
 using System.IO;
 using System.Linq;
+using System.Text;
 using System.Threading.Tasks;
 using Aliyun.OSS;
 using Aliyun.OSS.Util;
@@ -324,8 +325,6 @@ namespace CoreCms.Net.Web.WebApi.Controllers

        #endregion

-
-
        //验证接口====================================================================================================

        #region 上传附件通用接口====================================================
@@ -351,8 +350,20 @@ namespace CoreCms.Net.Web.WebApi.Controllers
                jm.msg = "请选择文件";
                return jm;
            }
-            string fileName = file.FileName;
-            string fileExt = Path.GetExtension(fileName).ToLowerInvariant();
+            var fileName = file.FileName;
+            var fileExt = Path.GetExtension(fileName).ToLowerInvariant();
+
+            // 使用StreamReader来读取文件内容  
+            using (var reader = new StreamReader(file.OpenReadStream(), Encoding.UTF8))
+            {
+                var content = await reader.ReadToEndAsync(); // 注意：这可能会消耗大量内存对于大文件，所以需要限制上传大小 
+                // 检查内容是否合法
+                if (CommonHelper.CheckData(content))
+                {
+                    jm.msg = "请勿提交非法数据。";
+                    return jm;
+                }
+            }

            //检查大小
            if (file.Length > maxSize)
@@ -369,7 +380,7 @@ namespace CoreCms.Net.Web.WebApi.Controllers
                return jm;
            }

-            string url = string.Empty;
+            var url = string.Empty;
            if (filesStorageOptions.StorageType == GlobalEnumVars.FilesStorageOptionsType.LocalStorage.ToString())
            {
                url = await _toolsServices.UpLoadFileForLocalStorage(filesStorageOptions, fileExt, file, (int)GlobalEnumVars.FilesStorageLocation.API);
@@ -422,6 +433,12 @@ namespace CoreCms.Net.Web.WebApi.Controllers
                return jm;
            }

+            if (CommonHelper.CheckData(entity.base64))
+            {
+                jm.msg = "请勿提交非法内容。";
+                return jm;
+            }
+
            //检查上传大小
            if (!CommonHelper.CheckBase64Size(entity.base64, filesStorageOptions.MaxSize))
            {
@@ -430,6 +447,7 @@ namespace CoreCms.Net.Web.WebApi.Controllers
            }

            entity.base64 = entity.base64.Replace("data:image/png;base64,", "").Replace("data:image/jgp;base64,", "").Replace("data:image/jpg;base64,", "").Replace("data:image/jpeg;base64,", "");//将base64头部信息替换
+
            byte[] bytes = Convert.FromBase64String(entity.base64);
            MemoryStream memStream = new MemoryStream(bytes);

@@ -442,7 +460,6 @@ namespace CoreCms.Net.Web.WebApi.Controllers
            {
                //上传到阿里云
                url = await _toolsServices.UpLoadBase64ForAliYunOSS(filesStorageOptions, memStream);
-
            }
            else if (filesStorageOptions.StorageType == GlobalEnumVars.FilesStorageOptionsType.QCloudOSS.ToString())
            {
@@ -468,7 +485,5 @@ namespace CoreCms.Net.Web.WebApi.Controllers

        #endregion

-
-
    }
 }