
渗透fix: 上传接口加文件类型白名单,文件下载接口

hsun vor 11 Monaten
Commit
bbd8d34952

+ 30 - 0
controllers/banner.go

@@ -2,10 +2,12 @@ package controllers
 
 import (
 	"eta/eta_api/models"
+	"eta/eta_api/models/company"
 	"eta/eta_api/services"
 	"eta/eta_api/utils"
 	"os"
 	"path"
+	"strings"
 	"time"
 )
 
@@ -22,16 +24,44 @@ type BannerController struct {
 func (this *BannerController) Upload() {
 	br := new(models.BaseResponse).Init()
 	defer func() {
+		if br.ErrMsg == "" {
+			br.IsSendEmail = false
+		}
 		this.Data["json"] = br
 		this.ServeJSON()
 	}()
+	sysUser := this.SysUser
+	if sysUser == nil {
+		br.Msg = "请登录"
+		br.ErrMsg = "请登录,SysUser Is Empty"
+		br.Ret = 408
+		return
+	}
+
 	f, h, err := this.GetFile("file")
 	if err != nil {
 		br.Msg = "获取资源信息失败"
 		br.ErrMsg = "获取资源信息失败,Err:" + err.Error()
 		return
 	}
+
+	// 限制文件类型
+	confVal, e := company.GetConfigDetailByCode(company.ConfUploadAllowImgExt)
+	if e != nil && e.Error() != utils.ErrNoRow() {
+		br.Msg = "操作失败"
+		br.ErrMsg = "文件上传失败, Err: " + e.Error()
+		return
+	}
+	allowExt := make([]string, 0)
+	if confVal.ConfigValue != "" {
+		allowExt = strings.Split(confVal.ConfigValue, ",")
+	}
 	ext := path.Ext(h.Filename)
+	if !utils.InArrayByStr(allowExt, ext) {
+		br.Msg = "图片格式有误"
+		return
+	}
+
 	dateDir := time.Now().Format("20060102")
 	uploadDir := utils.STATIC_DIR + "hongze/" + dateDir
 	err = os.MkdirAll(uploadDir, utils.DIR_MOD)
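Review bot: The allow-list compare on L63 is exact-match on `path.Ext(h.Filename)`, so `photo.JPG` is rejected when the config holds `.jpg`, and an entry stored as `.jpg, .png` keeps a leading space and never matches; normalise both sides, e.g. `ext := strings.ToLower(path.Ext(h.Filename))` and, after the split, `for i := range allowExt { allowExt[i] = strings.TrimSpace(strings.ToLower(allowExt[i])) }`. On the no-row path (`e` equal to `utils.ErrNoRow()`) L59 still dereferences `confVal`; if `GetConfigDetailByCode` returns a nil pointer in that case this panics, so guard with `confVal != nil &&`. The same two issues apply to the identical blocks in `ResourceUpload` (controllers/cloud_disk.go) and `UploadImg` (controllers/report.go). Note that the check only looks at the client-supplied name, not the content; that is acceptable for an allow-list gate but worth a comment so nobody treats it as a content check. Upload's body continues past the hunk.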

+ 28 - 1
controllers/cloud_disk.go

@@ -4,6 +4,7 @@ import (
 	"archive/zip"
 	"encoding/json"
 	"eta/eta_api/models"
+	"eta/eta_api/models/company"
 	"eta/eta_api/services"
 	"eta/eta_api/services/alarm_msg"
 	"eta/eta_api/utils"
@@ -517,9 +518,20 @@ func (this *CloudDiskController) CheckResourceRepeat() {
 func (this *CloudDiskController) ResourceUpload() {
 	br := new(models.BaseResponse).Init()
 	defer func() {
+		if br.ErrMsg == "" {
+			br.IsSendEmail = false
+		}
 		this.Data["json"] = br
 		this.ServeJSON()
 	}()
+	sysUser := this.SysUser
+	if sysUser == nil {
+		br.Msg = "请登录"
+		br.ErrMsg = "请登录,SysUser Is Empty"
+		br.Ret = 408
+		return
+	}
+
 	menuId, _ := this.GetInt("MenuId", 0)
 	if menuId <= 0 {
 		br.Msg = "不允许上传文件至根目录"
@@ -543,10 +555,25 @@ func (this *CloudDiskController) ResourceUpload() {
 	defer func() {
 		_ = f.Close()
 	}()
-
 	extIndex := strings.LastIndex(originName, ".")
 	fileName := originName[:extIndex]
+
+	// 限制文件类型
+	confVal, e := company.GetConfigDetailByCode(company.ConfCloudDiskAllowExt)
+	if e != nil && e.Error() != utils.ErrNoRow() {
+		br.Msg = "操作失败"
+		br.ErrMsg = "文件上传失败, Err: " + e.Error()
+		return
+	}
+	allowExt := make([]string, 0)
+	if confVal.ConfigValue != "" {
+		allowExt = strings.Split(confVal.ConfigValue, ",")
+	}
 	ext := path.Ext(h.Filename)
+	if !utils.InArrayByStr(allowExt, ext) {
+		br.Msg = "不允许上传该格式文件"
+		return
+	}
 
 	// 重名校验
 	existItem := new(models.CloudDiskResource)
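Review bot: The new allow-list block (L112-L127) is placed after `fileName := originName[:extIndex]` on L110, but `strings.LastIndex` returns -1 for a name with no dot and the slice then panics before the new check can reject the file. Move the allow-list block above L109, and guard the slice: `if extIndex < 0 { br.Msg = "不允许上传该格式文件"; return }`. I am assuming `originName` is derived from `h.Filename` (assigned above the hunk); if it is not, the extension check and the slice are looking at different names and that deserves a comment. ResourceUpload's body continues past the hunk.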

+ 35 - 1
controllers/report.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"encoding/json"
 	"eta/eta_api/models"
+	"eta/eta_api/models/company"
 	"eta/eta_api/models/report_approve"
 	"eta/eta_api/services"
 	"eta/eta_api/services/alarm_msg"
@@ -1225,7 +1226,23 @@ func (this *ReportController) SaveReportContent() {
 // @Param   File   query   file  true       "文件"
 // @Success 200 上传成功
 // @router /uploadImg [post]
-func (this *ReportUploadCommonController) UploadImg() {
+func (this *ReportController) UploadImg() {
+	br := new(models.BaseResponse).Init()
+	defer func() {
+		if br.ErrMsg == "" {
+			br.IsSendEmail = false
+		}
+		this.Data["json"] = br
+		this.ServeJSON()
+	}()
+	sysUser := this.SysUser
+	if sysUser == nil {
+		br.Msg = "请登录"
+		br.ErrMsg = "请登录,SysUser Is Empty"
+		br.Ret = 408
+		return
+	}
+
 	var err error
 	defer func() {
 		if err != nil {
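Review bot: UploadImg now registers two deferred functions: the new one on L150-L156 that always calls `this.ServeJSON()`, and the pre-existing one on L166 that inspects `err` and, if it also writes a response (its body is outside the hunk), will run first and produce a second `ServeJSON` on the same request. Either fold the existing defer's error handling into the new `br` defer or drop the new one and route the login check through the existing error path, so exactly one response is written. The receiver change from `ReportUploadCommonController` to `ReportController` also moves this endpoint behind authentication; a one-line comment above the function stating that the route now requires a logged-in SysUser would make that intent explicit. UploadImg's body continues past the hunk.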
@@ -1238,7 +1255,24 @@ func (this *ReportUploadCommonController) UploadImg() {
 	if err != nil {
 		return
 	}
+
+	// 限制文件类型
+	confVal, e := company.GetConfigDetailByCode(company.ConfUploadAllowImgExt)
+	if e != nil && e.Error() != utils.ErrNoRow() {
+		br.Msg = "操作失败"
+		br.ErrMsg = "文件上传失败, Err: " + e.Error()
+		return
+	}
+	allowExt := make([]string, 0)
+	if confVal.ConfigValue != "" {
+		allowExt = strings.Split(confVal.ConfigValue, ",")
+	}
 	ext := path.Ext(h.Filename)
+	if !utils.InArrayByStr(allowExt, ext) {
+		br.Msg = "图片格式有误"
+		return
+	}
+
 	dateDir := time.Now().Format("20060102")
 	uploadDir := utils.STATIC_DIR + "hongze/" + dateDir
 	err = os.MkdirAll(uploadDir, utils.DIR_MOD)

+ 80 - 0
controllers/resource.go

@@ -2,12 +2,14 @@ package controllers
 
 import (
 	"bufio"
+	"encoding/base64"
 	"eta/eta_api/models"
 	"eta/eta_api/services"
 	"eta/eta_api/utils"
 	"fmt"
 	"github.com/kgiannakakis/mp3duration/src/mp3duration"
 	"io"
+	"net/http"
 	"os"
 	"path"
 	"regexp"
@@ -21,6 +23,11 @@ type ResourceController struct {
 	BaseCommonController
 }
 
+// ResourceAuthController 文件资源
+type ResourceAuthController struct {
+	BaseAuthController
+}
+
 // @Title 图片上传
 // @Description 图片上传接口
 // @Param   file   query   file  true       "文件"
@@ -914,3 +921,76 @@ func (this *ResourceController) OssSTSToken() {
 	//	br.Success = true
 	//}
 }
+
+// FileDownload
+// @Title 文件下载
+// @Description 文件下载
+// @Param   FileUrl  query  string  true  "文件路径"
+// @Success 200 Ret=200 操作成功
+// @router /file/download [get]
+func (this *ResourceAuthController) FileDownload() {
+	br := new(models.BaseResponse).Init()
+	defer func() {
+		if br.ErrMsg == "" {
+			br.IsSendEmail = false
+		}
+		this.Data["json"] = br
+		this.ServeJSON()
+	}()
+	sysUser := this.SysUser
+	if sysUser == nil {
+		br.Msg = "请登录"
+		br.ErrMsg = "请登录,SysUser Is Empty"
+		br.Ret = 408
+		return
+	}
+	fileName := this.GetString("FileName")
+	fileName = strings.TrimSpace(fileName)
+	if fileName == "" {
+		br.Msg = "参数有误"
+		return
+	}
+	fileEncode := this.GetString("FileUrl")
+	fileEncode = strings.TrimSpace(fileEncode)
+	if fileEncode == "" {
+		br.Msg = "参数有误"
+		return
+	}
+	fileByte, e := base64.StdEncoding.DecodeString(fileEncode)
+	if e != nil {
+		br.Msg = "下载失败"
+		br.ErrMsg = "文件地址解析失败, Err: " + e.Error()
+		return
+	}
+	fileUrl := string(fileByte)
+
+	// 获取文件
+	down, e := http.Get(fileUrl)
+	if e != nil {
+		br.Msg = "下载失败"
+		br.ErrMsg = "文件下载失败, http get: " + e.Error()
+		return
+	}
+	defer down.Body.Close()
+	if down.StatusCode != http.StatusOK {
+		br.Msg = "下载失败"
+		br.ErrMsg = fmt.Sprintf("文件下载失败, http status: %d", down.StatusCode)
+		return
+	}
+
+	// 写入响应流
+	_, e = io.Copy(this.Ctx.ResponseWriter, down.Body)
+	if e != nil {
+		br.Msg = "下载失败"
+		br.ErrMsg = "复制文件资源失败, Err: " + e.Error()
+		return
+	}
+
+	// 设置响应头
+	this.Ctx.ResponseWriter.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s", fileName))
+	this.Ctx.ResponseWriter.Header().Set("Content-Type", "application/octet-stream")
+
+	br.Ret = 200
+	br.Msg = "下载成功"
+	br.Success = true
+}

+ 4 - 2
models/company/company_config.go

@@ -5,8 +5,10 @@ import (
 )
 
 const (
-	ConfAreaCodeListKey = "area_code_list" // 手机号区号列表
-	ConfEnAuthRoleKey   = "en_auth_role"   // 英文权限角色配置Key
+	ConfAreaCodeListKey   = "area_code_list"       // 手机号区号列表
+	ConfEnAuthRoleKey     = "en_auth_role"         // 英文权限角色配置Key
+	ConfCloudDiskAllowExt = "cloud_disk_allow_ext" // 云盘允许上传的文件类型
+	ConfUploadAllowImgExt = "upload_allow_img_ext" // 允许上传的图片文件类型
 )
 
 type CrmConfig struct {
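Review bot: The two new keys on L313-L314 say nothing about the expected value format, yet every consumer splits the value on `,` and compares entries verbatim with `path.Ext`, which returns the extension with its leading dot, so a row stored as `jpg,png` would reject every upload. Extend the comments to state the contract, e.g. `ConfCloudDiskAllowExt = "cloud_disk_allow_ext" // 云盘允许上传的文件类型; comma-separated, each with leading dot, e.g. ".pdf,.xlsx"` and likewise for `ConfUploadAllowImgExt`. It is also worth noting in the comment that a missing or empty row means no extension is allowed (the upload handlers fail closed), since an operator could otherwise read an empty value as "no restriction".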

+ 10 - 1
routers/commentsRouter.go

@@ -7405,7 +7405,7 @@ func init() {
             Filters: nil,
             Params: nil})
 
-    beego.GlobalControllerRouter["eta/eta_api/controllers:ReportUploadCommonController"] = append(beego.GlobalControllerRouter["eta/eta_api/controllers:ReportUploadCommonController"],
+    beego.GlobalControllerRouter["eta/eta_api/controllers:ReportController"] = append(beego.GlobalControllerRouter["eta/eta_api/controllers:ReportController"],
         beego.ControllerComments{
             Method: "UploadImg",
             Router: `/uploadImg`,
@@ -7432,6 +7432,15 @@ func init() {
             Filters: nil,
             Params: nil})
 
+    beego.GlobalControllerRouter["eta/eta_api/controllers:ResourceAuthController"] = append(beego.GlobalControllerRouter["eta/eta_api/controllers:ResourceAuthController"],
+        beego.ControllerComments{
+            Method: "FileDownload",
+            Router: `/file/download`,
+            AllowHTTPMethods: []string{"get"},
+            MethodParams: param.Make(),
+            Filters: nil,
+            Params: nil})
+
     beego.GlobalControllerRouter["eta/eta_api/controllers:ResourceController"] = append(beego.GlobalControllerRouter["eta/eta_api/controllers:ResourceController"],
         beego.ControllerComments{
             Method: "Upload",

+ 1 - 0
routers/router.go

@@ -146,6 +146,7 @@ func init() {
 		web.NSNamespace("/resource",
 			web.NSInclude(
 				&controllers.ResourceController{},
+				&controllers.ResourceAuthController{},
 			),
 		),
 		web.NSNamespace("/datamanage",