RuoYi-Vue 3.2.1 released, fixing an arbitrary file download vulnerability

RuoYi-Vue v3.2.1 (the front-end/back-end separated version) has been released. Changelog:

  • Fix an arbitrary file download vulnerability
  • Code generation supports upload control
  • Added image upload component
  • Adjust the default homepage
  • Upgrade druid to the latest version v1.2.2
  • MapperLocations configuration supports separators
  • Permission information adjustment
  • Adjust sql default time
  • Solve the problem of no bit type in code generation
  • Upgrade pagehelper to the latest version 1.3.0

Arbitrary file download vulnerability (RuoYi <= v3.2.0)

An arbitrary file download vulnerability is typically used to download files from the server, such as script source code, server configuration or system configuration. With ../ sequences the path can be guessed one directory level at a time.

Because of business needs, websites often have to offer file viewing or file download functions. If the files a user may view or download are not restricted, a malicious user can view or download any sensitive file. This is the file viewing and download vulnerability.

Detecting the vulnerability: in CommonController.java, the /common/download/resource interface must call checkAllowDownload to verify that the requested file may be downloaded. If that check is absent, the method has to be modified so that critical information cannot be downloaded.

Solution: upgrade RuoYi to version >= 3.2.1, or re-add the file download check so that arbitrary files cannot be downloaded.

// CommonController.java (RuoYi 3.2.1)
/**
 * Generic download of local resources
 */
@GetMapping("/common/download/resource")
public void resourceDownload(String resource, HttpServletRequest request, HttpServletResponse response)
        throws Exception
{
    try
    {
        // Refuse the request unless the resource passes the download rules
        if (!FileUtils.checkAllowDownload(resource))
        {
            throw new Exception(StringUtils.format("资源文件({})非法,不允许下载。 ", resource));
        }
        // Local resource base path (the configured profile/upload directory)
        String localPath = Global.getProfile();
        // Resource address as stored in the database, mapped onto the local base path
        String downloadPath = localPath + StringUtils.substringAfter(resource, Constants.RESOURCE_PREFIX);
        // File name sent to the client
        String downloadName = StringUtils.substringAfterLast(downloadPath, "/");
        response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE);
        FileUtils.setAttachmentResponseHeader(response, downloadName);
        FileUtils.writeBytes(downloadPath, response.getOutputStream());
    }
    catch (Exception e)
    {
        log.error("下载文件失败", e);
    }
}

// FileUtils.java (RuoYi 3.2.1)
/**
 * Check whether a file may be downloaded
 *
 * @param resource the file requested for download
 * @return true if allowed, false if illegal
 */
public static boolean checkAllowDownload(String resource)
{
    // Forbid climbing up the directory tree
    if (StringUtils.contains(resource, ".."))
    {
        return false;
    }

    // Check the rules for file types that may be downloaded
    if (ArrayUtils.contains(MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION, FileTypeUtils.getFileType(resource)))
    {
        return true;
    }

    // Not covered by the allowed download rules
    return false;
}
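The following stand-alone Java class is an added example, not RuoYi's own code. It re-implements the 3.2.1 check shown above (reject "..", allow-list the extension) and adds one layer the page's snippet does not include: the resolved path is normalised and verified to stay inside the upload directory, so the download survives even if a future change loosens the string checks. PROFILE_DIR, RESOURCE_PREFIX, ALLOWED_EXTENSIONS and the sample inputs are assumptions standing in for Global.getProfile(), Constants.RESOURCE_PREFIX and MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not RuoYi code): download check with path containment.
 */
public class DownloadCheckDemo {
    // Assumed base directory for uploaded files (RuoYi reads this from Global.getProfile()).
    static final Path PROFILE_DIR = Paths.get("/var/ruoyi/uploadPath").toAbsolutePath().normalize();
    // Assumed URL prefix that maps onto PROFILE_DIR (Constants.RESOURCE_PREFIX in RuoYi).
    static final String RESOURCE_PREFIX = "/profile";
    // Assumed allow-list, in the spirit of MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION.
    static final List<String> ALLOWED_EXTENSIONS = Arrays.asList(
            "bmp", "gif", "jpg", "jpeg", "png", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "pdf");

    /** Extension without the dot, lower-cased; empty string if there is none. */
    static String extensionOf(String resource) {
        int dot = resource.lastIndexOf('.');
        int slash = resource.lastIndexOf('/');
        if (dot < 0 || dot < slash) {
            return "";
        }
        return resource.substring(dot + 1).toLowerCase();
    }

    /** Rule check equivalent to the page's checkAllowDownload: no "..", extension must be allow-listed. */
    static boolean checkAllowDownload(String resource) {
        if (resource == null || resource.contains("..")) {
            return false;   // block directory climbing
        }
        return ALLOWED_EXTENSIONS.contains(extensionOf(resource));
    }

    /**
     * Defence in depth: resolve the resource under PROFILE_DIR and refuse anything
     * whose normalised path leaves that directory. Returns null when refused.
     */
    static Path resolveDownloadPath(String resource) {
        if (!checkAllowDownload(resource)) {
            return null;
        }
        int idx = resource.indexOf(RESOURCE_PREFIX);
        // substringAfter semantics: empty relative part when the prefix is absent
        String relative = idx < 0 ? "" : resource.substring(idx + RESOURCE_PREFIX.length());
        while (relative.startsWith("/")) {   // Path.resolve treats an absolute argument as a replacement
            relative = relative.substring(1);
        }
        if (relative.isEmpty()) {
            return null;   // nothing to download
        }
        Path target = PROFILE_DIR.resolve(relative).normalize();
        if (!target.startsWith(PROFILE_DIR)) {
            return null;   // escaped the upload directory
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real request log.
        String[] samples = {
            "/profile/upload/2020/11/report.pdf",   // allowed
            "/profile/upload/../../etc/passwd",     // refused by the ".." rule
            "/profile/upload/2020/11/app.jar",      // refused by the extension allow-list
            "/profile//upload/avatar.png",          // allowed; the doubled slash normalises away
            "/profile/",                            // refused: no file name
        };
        for (String s : samples) {
            Path p = resolveDownloadPath(s);
            System.out.println((p == null ? "REFUSED " : "OK      ") + s + (p == null ? "" : " -> " + p));
        }
    }
}
```

The containment test (`target.startsWith(PROFILE_DIR)` after `normalize()`) is the check to keep even when the extension list changes: it ties the decision to where the file actually lands on disk rather than to how the request string looks.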

Front-end/back-end separated permission management system based on SpringBoot + Vue.

Download link: RuoYi-Vue

If you do not need the separated front end and back end, please go to RuoYi (kept in sync); if you need other versions, please go to the project extensions (updated irregularly).

Built-in functions

  1. User management: users are the system operators; this function handles the configuration of system users.
  2. Department management: configure the organisation structure (company, department, group), shown as a tree that supports data permissions.
  3. Position management: configure the positions held by system users.
  4. Menu management: configure system menus, operation permissions, button permission identifiers, etc.
  5. Role management: assign menu permissions to roles and set the data scope of a role by organisation.
  6. Dictionary management: maintain relatively fixed data that is used frequently in the system.
  7. Parameter management: dynamically configure common system parameters.
  8. Notices and announcements: publish and maintain system notices and announcements.
  9. Operation log: record and query normal system operation logs and system exception logs.
  10. Login log: record and query system login logs, including login exceptions.
  11. Online users: monitor the status of users currently active in the system.
  12. Scheduled tasks: online task scheduling (add, modify, delete) with execution result logs.
  13. Code generation: generate front-end and back-end code (java, html, xml, sql) with CRUD support for download.
  14. System interface: automatically generate API interface documentation from the business code.
  15. Service monitoring: monitor the current system's CPU, memory, disk, stack and related information.
  16. Online form builder: drag form elements to generate the corresponding HTML code.
  17. Connection pool monitoring: monitor the current database connection pool status and analyse SQL to find system performance bottlenecks.

Online demo

Demo address: http://vue.ruoyi.vip

Document address: http://doc.ruoyi.vip

Demo

Source: www.oschina.net/news/120884/ruoyi-vue-3-2-1-released