Преглед изворни кода

fix 修复 有某些无聊人士 对一个demo案例提漏洞 CVE-2025-6925

Signed-off-by: 疯狂的狮子Li <15040126243@163.com>
疯狂的狮子Li пре 1 година
родитељ
комит
fd5d028e95

+ 6 - 7
ruoyi-modules/ruoyi-demo/src/main/java/org/dromara/demo/controller/MailController.java

@@ -1,6 +1,5 @@
 package org.dromara.demo.controller;
 
-import cn.dev33.satoken.annotation.SaIgnore;
 import lombok.RequiredArgsConstructor;
 import org.dromara.common.core.domain.R;
 import org.dromara.common.mail.utils.MailUtils;
@@ -18,7 +17,6 @@ import java.util.Arrays;
  *
  * @author Michelle.Chung
  */
-@SaIgnore
 @Validated
 @RequiredArgsConstructor
 @RestController
@@ -44,11 +42,11 @@ public class MailController {
      * @param to       接收人
      * @param subject  标题
      * @param text     内容
-     * @param filePath 附件路径
      */
     @GetMapping("/sendMessageWithAttachment")
-    public R<Void> sendMessageWithAttachment(String to, String subject, String text, String filePath) {
-        MailUtils.sendText(to, subject, text, new File(filePath));
+    public R<Void> sendMessageWithAttachment(String to, String subject, String text) {
+        // 附件路径 禁止前端传递 有任意读取系统文件风险
+        MailUtils.sendText(to, subject, text, new File("/xxx/xxx"));
         return R.ok();
     }
 
@@ -58,10 +56,11 @@ public class MailController {
      * @param to       接收人
      * @param subject  标题
      * @param text     内容
-     * @param paths    附件路径
      */
     @GetMapping("/sendMessageWithAttachments")
-    public R<Void> sendMessageWithAttachments(String to, String subject, String text, String[] paths) {
+    public R<Void> sendMessageWithAttachments(String to, String subject, String text) {
+        // 附件路径 禁止前端传递 有任意读取系统文件风险
+        String[] paths = new String[]{"/xxx/xxx", "/xxx/xxx"};
         File[] array = Arrays.stream(paths).map(File::new).toArray(File[]::new);
         MailUtils.sendText(to, subject, text, array);
         return R.ok();