Fix directory traversal bug

whgojp · whgojp · commit 321e924c13b9 · 2024-11-28T19:58:25.000+08:00
diff --git a/Dockerfile b/Dockerfile
@@ -8,9 +8,16 @@ LABEL description="I think therefore I am."
 
 COPY target/JavaSecLab.jar /work/JavaSecLab.jar
 
-RUN mkdir -p /tmp/upload && chmod -R 777 /tmp/upload \
+RUN mkdir -p /tmp/upload && mkdir -p /tmp/static \
+    && mkdir -p /tmp/static/api /tmp/static/css /tmp/static/images /tmp/static/js /tmp/static/lib /tmp/static/other /tmp/static/upload \
+    && chmod -R 777 /tmp/upload /tmp/static \
     && echo "vul test.jsp" > /tmp/upload/test.jsp \
-    && echo "vul test.txt" > /tmp/upload/test.txt
+    && echo "vul test.txt" > /tmp/upload/test.txt \
+    && echo "test readme.md" > /tmp/static/api/readme.md \
+    && echo "test styles.css" > /tmp/static/css/styles.css \
+    && echo "test script.js" > /tmp/static/js/script.js \
+    && echo "test resource.txt" > /tmp/static/other/resource.txt \
+    && echo "test file.txt" > /tmp/static/upload/file.txt
 
 EXPOSE 80
 
diff --git a/src/main/java/top/whgojp/common/constant/SysConstant.java b/src/main/java/top/whgojp/common/constant/SysConstant.java
@@ -37,36 +37,36 @@ public class SysConstant {
     @Autowired
     private ResourceLoader resourceLoader;
 
-    @Value("${upload.folder:/tmp/upload}") // 容器内部固定路径，默认值为/tmp/upload
+    @Value("${folder.upload:/tmp/upload}")
     private String uploadFolder;
 
+    @Value("${folder.static:/tmp/static}")
     private String staticFolder;
 
     public SysConstant(ResourceLoader resourceLoader) {
         this.resourceLoader = resourceLoader;
     }
 
-
     @PostConstruct
     public void init() throws IOException {
-        // 获取资源对象
-        File uploadDir = new File(uploadFolder);
-        if (!uploadDir.exists()) {
-            if (!uploadDir.mkdirs()) {
-                throw new IOException("Failed to create upload directory: " + uploadFolder);
-            }
-        }
+        // 初始化上传目录
+        initializeDirectory(uploadFolder, "upload");
+
+        // 初始化静态资源目录
+        initializeDirectory(staticFolder, "static");
+    }
 
-//        Resource uploadResource = resourceLoader.getResource("classpath:/static/upload/");
-        Resource staticResource = resourceLoader.getResource("classpath:/static/");
-        if (staticResource.exists()) {
-            try {
-                this.staticFolder = staticResource.getFile().getPath();
-            } catch (IOException e) {
-                this.staticFolder = staticResource.getURL().toString();
-            }
-        } else {
-            throw new IOException("Resource not found!");
+    /**
+     * 初始化目录，如果不存在则尝试创建
+     *
+     * @param path          目录路径
+     * @param directoryName 目录名称，用于错误提示
+     * @throws IOException 如果目录创建失败
+     */
+    private void initializeDirectory(String path, String directoryName) throws IOException {
+        File dir = new File(path);
+        if (!dir.exists() && !dir.mkdirs()) {
+            throw new IOException("Failed to create " + directoryName + " directory: " + path);
         }
     }
 
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -56,8 +56,9 @@ mybatis-plus:
     # 关闭MP3.0自带的banner
     banner: false
 
-upload:
-  folder: /tmp/upload
+folder:
+  upload: /tmp/upload
+  static: /tmp/static
 
 rsa:
   private:
