南网漏洞修复

sgzb-modules/sgzb-system/src/main/java/com/bonus/sgzb/system/controller/SysFileController.java

@@ -60,7 +60,7 @@ public class SysFileController {
                         ErrorCode.ATTACHMENT_UPLOAD_FAILED.getMessage());
             }
         }catch (Exception e){
-            log.error(e.getMessage());
+           return AjaxResult.error(e.getMessage());
         }
         if (file != null && file.getId() != 0){
             return AjaxResult.success(file);

sgzb-modules/sgzb-system/src/main/java/com/bonus/sgzb/system/service/impl/SysFileServiceImpl.java

@@ -53,6 +53,8 @@ public class SysFileServiceImpl implements SysFileService {
      */
     @Value("${file.path}")
     private String localFilePath;
+    // 允许的文件格式
+    private static final List<String> ALLOWED_EXTENSIONS = Arrays.asList("jpg", "jpeg", "txt", "png", "pdf", "docx", "doc", "xlsx", "xls");
 
     @Resource
     private FileClient fileClient;
@@ -73,6 +75,11 @@ public class SysFileServiceImpl implements SysFileService {
         HashMap<String, Object> map = getFile(req);
         List<MultipartFile> items = (List<MultipartFile>) map.get("filePath");
         MultipartFile item = items.get(0);
+        // 获取文件后缀名
+        String fileExtension = item.getOriginalFilename().substring(item.getOriginalFilename().lastIndexOf(".") + 1);
+        if (!ALLOWED_EXTENSIONS.contains(fileExtension.toLowerCase())) {
+            throw new Exception("不支持该文件格式");
+        }
         try {
             //String url = saveFile(request, item, photoType);
             /*AjaxResult res = fileClient.uploadFile(item);
@@ -102,6 +109,7 @@ public class SysFileServiceImpl implements SysFileService {
 
     /**
      * 腾讯云文件上传
+     *
      * @param file
      * @return
      */