fix: modify resource upload

lu-yg · lu-yg · commit 28bef56632ac · 2025-09-16T20:50:58.000-07:00
diff --git a/base/src/main/java/com/tinyengine/it/controller/ResourceController.java b/base/src/main/java/com/tinyengine/it/controller/ResourceController.java
@@ -30,6 +30,7 @@
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.validation.Valid;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.StringUtils;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -188,13 +189,14 @@ public Result<Resource> createResource(@Valid @RequestBody Resource resource) th
     @PostMapping("/resource/upload")
     public Result<Resource> resourceUpload(@RequestParam MultipartFile file) throws Exception {
         // 获取文件的原始名称
-        String fileName = file.getOriginalFilename();
-        if (file.isEmpty()) {
-            return Result.failed(ExceptionEnum.CM009);
-        }
+        String fileName = StringUtils.cleanPath(java.util.Optional.ofNullable(file.getOriginalFilename()).orElse("image"));
+
         if(!ImageThumbnailGenerator.validateByImageIO(file)){
             return Result.failed(ExceptionEnum.CM325);
         }
+        if(fileName.contains("..")) {
+            return Result.failed(ExceptionEnum.CM325);
+        }
         // 将文件转为 Base64
         String base64 = ImageThumbnailGenerator.convertToBase64(file);
         Resource resource = new Resource();
