优化：用户头像上传

改进：文件系统安全性

docker/Dockerfile

@@ -1,6 +1,6 @@
 FROM registry.cn-guangzhou.aliyuncs.com/jmalcloud/jmal-mongo:latest
 MAINTAINER [email protected]
-ENV VERSION 2.1.6
+ENV VERSION 2.1.7
 
 RUN mkdir -p /jmalcloud/files /jmal-cloud-view/dist
 

pom.xml

@@ -154,7 +154,11 @@
             <artifactId>hutool-all</artifactId>
             <version>5.4.4</version>
         </dependency>
-
+        <dependency>
+            <groupId>org.apache.tika</groupId>
+            <artifactId>tika-core</artifactId>
+            <version>1.25</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>

src/main/java/com/jmal/clouddisk/controller/rest/ShareController.java

@@ -4,6 +4,7 @@
 import com.jmal.clouddisk.annotation.Permission;
 import com.jmal.clouddisk.exception.CommonException;
 import com.jmal.clouddisk.exception.ExceptionType;
+import com.jmal.clouddisk.interceptor.FileInterceptor;
 import com.jmal.clouddisk.model.LogOperation;
 import com.jmal.clouddisk.model.rbac.ConsumerDO;
 import com.jmal.clouddisk.model.FileDocument;
@@ -51,6 +52,9 @@ public class ShareController {
     @Autowired
     IUserService userService;
 
+    @Autowired
+    FileInterceptor fileInterceptor;
+
     @ApiOperation("该分享已失效")
     @GetMapping("/public/s/invalid")
     public String invalid() {
@@ -140,6 +144,9 @@ public ResponseEntity<Object> publicThumbnail(String id) {
     private ResponseEntity<Object> thumbnail(String id) {
         ResultUtil.checkParamIsNull(id);
         Optional<FileDocument> file = fileService.thumbnail(id, null);
+        if (fileInterceptor.isNotAllowAccess(file.orElse(null))) {
+            return null;
+        }
         return file.<ResponseEntity<Object>>map(fileDocument ->
                 ResponseEntity.ok()
                         .header(HttpHeaders.CONTENT_DISPOSITION, "fileName=" + fileDocument.getName())

src/main/java/com/jmal/clouddisk/interceptor/FileInterceptor.java

@@ -146,7 +146,7 @@ private boolean fileAuthError(HttpServletRequest request) throws UnsupportedEnco
      * 如果为公共文件，或者分享有效期内的文件，则允许访问
      * @return true 不允许访问，false 允许访问
      */
-    private boolean isNotAllowAccess(FileDocument fileDocument) {
+    public boolean isNotAllowAccess(FileDocument fileDocument) {
         if (fileDocument == null) {
             return true;
         }

src/main/java/com/jmal/clouddisk/service/impl/FileServiceImpl.java

@@ -26,6 +26,9 @@
 import net.coobird.thumbnailator.Thumbnails;
 import net.coobird.thumbnailator.tasks.UnsupportedFormatException;
 import org.apache.commons.compress.utils.Lists;
+import org.apache.tika.mime.MimeType;
+import org.apache.tika.mime.MimeTypeException;
+import org.apache.tika.mime.MimeTypes;
 import org.bson.BsonNull;
 import org.bson.Document;
 import org.bson.conversions.Bson;
@@ -41,6 +44,7 @@
 import org.springframework.util.StringUtils;
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.socket.WebSocketSession;
+import sun.net.www.content.image.jpeg;
 
 import javax.imageio.IIOImage;
 import javax.imageio.ImageIO;
@@ -520,6 +524,9 @@ public Optional<FileDocument> thumbnail(String id, String username) {
         if (fileDocument != null) {
             if (fileDocument.getContent() == null) {
                 String currentDirectory = getUserDirectory(fileDocument.getPath());
+                if (StringUtils.isEmpty(username)) {
+                    username = userService.getUserNameById(fileDocument.getUserId());
+                }
                 File file = new File(fileProperties.getRootDir() + File.separator + username + currentDirectory + fileDocument.getName());
                 if (file.exists()) {
                     fileDocument.setContent(FileUtil.readBytes(file));
@@ -717,6 +724,14 @@ public String uploadConsumerImage(UploadApiParamDTO upload) throws CommonExcepti
         String username = upload.getUsername();
         String userId = upload.getUserId();
         String fileName = upload.getFilename();
+        MimeTypes allTypes = MimeTypes.getDefaultMimeTypes();
+        MimeType mimeType = null;
+        try {
+            mimeType = allTypes.forName(multipartFile.getContentType());
+            fileName += mimeType.getExtension();
+        } catch (MimeTypeException e) {
+            log.error(e.getMessage(), e);
+        }
         Path userImagePaths = Paths.get(fileProperties.getUserImgDir());
         // userImagePaths 不存在则新建
         upsertFolder(userImagePaths, username, userId);
@@ -734,7 +749,7 @@ public String uploadConsumerImage(UploadApiParamDTO upload) throws CommonExcepti
         } catch (IOException e) {
             throw new CommonException(2, "上传失败");
         }
-        return createFile(username, newFile, userId, null);
+        return createFile(username, newFile, userId, true);
     }
 
     @Override

src/main/java/com/jmal/clouddisk/service/impl/UserServiceImpl.java

@@ -168,7 +168,7 @@ public ResponseResult<Object> update(ConsumerDTO user, MultipartFile blobAvatar)
                 UploadApiParamDTO upload = new UploadApiParamDTO();
                 upload.setUserId(userId);
                 upload.setUsername(consumer.getUsername());
-                upload.setFilename("avatar-" + TimeUntils.getStringTime(System.currentTimeMillis()));
+                upload.setFilename("avatar-" + System.currentTimeMillis());
                 upload.setFile(blobAvatar);
                 fileId = fileService.uploadConsumerImage(upload);
                 update.set("avatar", fileId);