Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: 文件分发路径校验存在问题 #2062 #2063

Merged
merged 1 commit into from
May 17, 2023
Merged

fix: 文件分发路径校验存在问题 #2062 #2063

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 16 additions & 12 deletions ...mmons/common-utils/src/main/java/com/tencent/bk/job/common/util/FilePathValidateUtil.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,18 +21,21 @@ public class FilePathValidateUtil {

/**
* 验证文件系统绝对路径的合法性
*
* @param path 绝对路径
* @return boolean true合法,false非法
*/
public static boolean validateFileSystemAbsolutePath(String path) {
if (StringUtils.isBlank(path)) {
return false;
}
if (isLinuxAbsolutePath(path)) {
return validateLinuxFileSystemAbsolutePath(path);
} else {
return validateWindowsFileSystemAbsolutePath(path);
}
// 临时规避,后续补齐校验逻辑;目前只判断路径非空
// if (StringUtils.isBlank(path)) {
// return false;
// }
// if (isLinuxAbsolutePath(path)) {
// return validateLinuxFileSystemAbsolutePath(path);
// } else {
// return validateWindowsFileSystemAbsolutePath(path);
// }
return StringUtils.isNotBlank(path);
}

/**
Expand All @@ -50,10 +53,11 @@ private static boolean isLinuxAbsolutePath(String path) {

/**
* 1 传统DOS路径
* 标准的DOS路径可由以下三部分组成:
* 1)卷号或驱动器号,后跟卷分隔符(:)。
* 2)目录名称。目录分隔符用来分隔嵌套目录层次结构中的子目录。
* 3)文件名。目录分隔符用来分隔文件路径和文件名。
* 标准的DOS路径可由以下三部分组成:
* 1)卷号或驱动器号,后跟卷分隔符(:)。
* 2)目录名称。目录分隔符用来分隔嵌套目录层次结构中的子目录。
* 3)文件名。目录分隔符用来分隔文件路径和文件名。
*
* @param path
* @return boolean
*/
Expand Down
58 changes: 27 additions & 31 deletions ...s/common-utils/src/test/java/com/tencent/bk/job/common/util/FilePathValidateUtilTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,36 +1,32 @@
package com.tencent.bk.job.common.util;

import org.junit.jupiter.api.Test;

import static org.assertj.core.api.AssertionsForClassTypes.assertThat;

public class FilePathValidateUtilTest {
@Test
void testFileSystemAbsolutePath(){
// 传统DOS路径
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\Documents\\abc.txt")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("c:\\Documents\\abc.txt")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\Documents\\嘉 abc.txt")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath(":\\abc.txt")).isFalse();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:")).isFalse();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\\\")).isFalse();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\logs\\..\\access.log")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\.config\\conf")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\user\\abc>a")).isFalse();

// linux路径
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/data/test_2022-04-12.apk")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/data/test_2022 04 12.apk")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/tmp/")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/tmp/.conf/abc")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/tmp/test/../test.log")).isTrue();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("data/test_2022-04-12.apk")).isFalse();
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("///")).isTrue(); // 根目录
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/tmp////")).isTrue(); // /tmp/
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/tmp//test/")).isTrue();// /tmp/test/
assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("///")).isTrue();
}
// @Test
// void testFileSystemAbsolutePath(){
// // 传统DOS路径
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\Documents\\abc.txt")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("c:\\Documents\\abc.txt")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\Documents\\嘉 abc.txt")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath(":\\abc.txt")).isFalse();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:")).isFalse();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\\\")).isFalse();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\logs\\..\\access.log")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\.config\\conf")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("C:\\user\\abc>a")).isFalse();
//
// // linux路径
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/data/test_2022-04-12.apk")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/data/test_2022 04 12.apk")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/tmp/")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/tmp/.conf/abc")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/tmp/test/../test.log")).isTrue();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("data/test_2022-04-12.apk")).isFalse();
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("///")).isTrue(); // 根目录
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/tmp////")).isTrue(); // /tmp/
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("/tmp//test/")).isTrue();// /tmp/test/
// assertThat(FilePathValidateUtil.validateFileSystemAbsolutePath("///")).isTrue();
// }

}
6 changes: 3 additions & 3 deletions ...anage/src/main/java/com/tencent/bk/job/manage/model/web/vo/task/TaskFileSourceInfoVO.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,11 @@
package com.tencent.bk.job.manage.model.web.vo.task;

import com.tencent.bk.job.common.model.vo.TaskTargetVO;
import com.tencent.bk.job.common.util.FilePathValidateUtil;
import com.tencent.bk.job.common.util.JobContextUtil;
import io.swagger.annotations.ApiModel;
import io.swagger.annotations.ApiModelProperty;
import lombok.Data;
import org.apache.commons.lang3.StringUtils;
import org.springframework.util.CollectionUtils;

import java.util.List;
Expand Down Expand Up @@ -80,8 +80,8 @@ public boolean validate(boolean isCreate) {
return false;
}
for (String file : fileLocation) {
if (StringUtils.isBlank(file)) {
JobContextUtil.addDebugMessage("fileLocation is null or blank!");
if (!FilePathValidateUtil.validateFileSystemAbsolutePath(file)) {
JobContextUtil.addDebugMessage("fileLocation is illegal!");
return false;
}
}
Expand Down
6 changes: 3 additions & 3 deletions ...-job-manage/src/main/java/com/tencent/bk/job/manage/model/web/vo/task/TaskFileStepVO.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,11 @@
import com.tencent.bk.job.common.constant.ErrorCode;
import com.tencent.bk.job.common.constant.NotExistPathHandlerEnum;
import com.tencent.bk.job.common.exception.InvalidParamException;
import com.tencent.bk.job.common.util.FilePathValidateUtil;
import com.tencent.bk.job.common.util.JobContextUtil;
import io.swagger.annotations.ApiModel;
import io.swagger.annotations.ApiModelProperty;
import lombok.Data;
import org.apache.commons.lang3.StringUtils;
import org.springframework.util.CollectionUtils;

import java.util.List;
Expand Down Expand Up @@ -115,8 +115,8 @@ public boolean validate(boolean isCreate) {
JobContextUtil.addDebugMessage("Empty destination info!");
return false;
}
if (StringUtils.isBlank(fileDestination.getPath())) {
JobContextUtil.addDebugMessage("fileDestinationPath is null or blank!");
if (!FilePathValidateUtil.validateFileSystemAbsolutePath(fileDestination.getPath())) {
JobContextUtil.addDebugMessage("fileDestinationPath is illegal!");
return false;
}
if (fileDestination.getAccount() == null || fileDestination.getAccount() <= 0) {
Expand Down