JavaEE Development: File Security (Upload, Download, Read, Write), Feature Entry Points, and Filters
#JavaEE Audit - File Security - Upload & Download & Read & Write, etc.
1. Search by category: business keywords, the file-operation classes themselves, and the project's wrapper/utility keywords
2. Working from feature points also applies: locate the file-operation feature in the application and trace back into the code
new File(
String path
String fileName
new FileInputStream(
new FileOutputStream(
new FileReader
response.setContentType("application/octet-stream;
file.delete();
FileUtils.
new ZipEntity(
file.getName(
.unzip(
.mkdirs(
stream.write(
save2File(
fos.close() / fis.close()
MultipartFile(
file.getOriginalFilename(
IOUtil
FileUtil
download
fileName
filePath
write
getFile
getPath
getWriter
Upload (Chinese: 上传) // search the code comments for this word
Download (Chinese: 下载) // search the code comments for this word
........
#JavaEE Audit - File Security
Case 1 - File upload - Inxedu
Feature point -> front-end upload -> ImageUploadController.class -> gok4 -> fileType -> jspx (the allowed extension list comes from the request)
/image/gok4?&param=temp&fileType=jspx,jpg,gif,png,jpeg
Case 2 - Upload reached by bypassing the filter - Tmall
1. Search new File( -> filePath -> fileName -> extension -> originalFileName -> file
2. AdminPermissionFilter.java -> doFilter -> contains("/admin/login") (a substring match exempts any URI containing the login path)
/admin/login/../../tmall/admin/uploadAdminHeadImage
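Both weaknesses above are fixed on the server side: the extension allowlist must come from server code or configuration rather than the request's fileType parameter, and the filter's login exemption must be decided on the normalized path with equals/startsWith rather than contains(). The class below is an added example written for this page, not Inxedu's or Tmall's code; ALLOWED_IMAGE_EXT, isAllowedUpload and isExemptFromAdminAuth are assumed names, and the filter check is shown as a pure function over the request URI instead of a full javax.servlet.Filter so that it compiles stand-alone.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example for this page, not Inxedu or Tmall code. ALLOWED_IMAGE_EXT,
// isAllowedUpload and isExemptFromAdminAuth are assumed names.
public class UploadChecks {

    // Case 1: the allowlist lives in server code/config. It is never built
    // from a request parameter such as fileType=jspx,jpg,gif,png,jpeg.
    private static final Set<String> ALLOWED_IMAGE_EXT = Set.of("jpg", "jpeg", "png", "gif");

    /** Lower-cased final extension of a client-supplied filename, or null if there is none. */
    static String extensionOf(String originalFilename) {
        if (originalFilename == null) return null;
        // getOriginalFilename() may carry a directory part; keep only the last segment.
        String name = originalFilename.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return null;
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True only when the final extension is in the server-side allowlist. */
    static boolean isAllowedUpload(String originalFilename) {
        String ext = extensionOf(originalFilename);
        return ext != null && ALLOWED_IMAGE_EXT.contains(ext);
    }

    // Case 2: decide the login exemption on the normalized path with equals/startsWith,
    // not with contains(), so "/admin/login/../../tmall/admin/uploadAdminHeadImage"
    // normalizes to "/tmall/admin/uploadAdminHeadImage" and is not exempt.
    static boolean isExemptFromAdminAuth(String requestUri) {
        String path;
        try {
            path = new URI(requestUri).normalize().getPath();
        } catch (URISyntaxException e) {
            return false; // unparsable URI: never exempt
        }
        return path != null && (path.equals("/admin/login") || path.startsWith("/admin/login/"));
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] names = {"avatar.png", "shell.jspx", "a.JPG", "..\\..\\web.xml", "noext", "trailingdot."};
        for (String n : names) {
            System.out.println(n + " -> " + (isAllowedUpload(n) ? "accept" : "reject"));
        }
        String[] uris = {
            "/admin/login",
            "/admin/login/../../tmall/admin/uploadAdminHeadImage",
            "/tmall/admin/uploadAdminHeadImage"
        };
        for (String u : uris) {
            System.out.println(u + " -> " + (isExemptFromAdminAuth(u) ? "exempt" : "requires admin session"));
        }
    }
}
```

In a real Filter, pass request.getRequestURI() and also confirm that the container-decoded path (getServletPath() plus getPathInfo()) gives the same answer, because URI.normalize() works on the raw path and does not see percent-encoded dots. The extension check only decides whether the upload is accepted; the stored filename should still be generated server-side rather than taken from getOriginalFilename().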
Case 3 - File download - Ruoyi
Search FileInputStream -> writeBytes -> resourceDownload -> resource (the resource parameter is joined to a local directory without a containment check)
common/download/resource?resource=/profile/../RuoYi-v4.5.0/ruoyi-admin/src/main/resources/application-druid.yml
Case 4 - File read - Oasys
Search new FileInputStream( -> image -> f.getPath() -> path -> startpath (the path is sanitized by string replacement, which the request below is built to survive)
/image///image..//image..//image..//image..//image..//image..//IDEA.txt
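Cases 3 and 4 are the same defect: a client-supplied name is resolved relative to a directory without verifying that the result stays inside it, and the Oasys request shows why stripping or replacing substrings is not a fix. The class below is an added example for this page, not RuoYi or Oasys code; PROFILE_ROOT, URL_PREFIX and resolveInside are assumptions, and the sample inputs in main are constructed (two of them are the requests quoted above, shown being rejected).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not RuoYi or Oasys code: the containment check a download or
// read handler needs before opening a client-named file. PROFILE_ROOT and the
// "/profile" URL prefix are assumptions for the demo.
public class SafeFileAccess {

    static final String URL_PREFIX = "/profile";
    static final Path PROFILE_ROOT = Paths.get("/var/app/profile").toAbsolutePath().normalize();

    /**
     * Map a client-supplied resource string (e.g. "/profile/avatar/1.png") to a
     * path that is guaranteed to lie inside root. Throws on anything else.
     */
    static Path resolveInside(Path root, String resource) throws IOException {
        if (resource == null || !resource.startsWith(URL_PREFIX + "/")) {
            throw new IOException("resource must start with " + URL_PREFIX + "/");
        }
        String rel = resource.substring(URL_PREFIX.length() + 1);
        // Treat backslashes as separators so "..\" cannot slip past on Windows,
        // then drop leading slashes so resolve() cannot return an absolute path.
        rel = rel.replace('\\', '/');
        while (rel.startsWith("/")) rel = rel.substring(1);
        if (rel.isEmpty() || rel.indexOf('\0') >= 0) throw new IOException("bad resource name");

        // normalize() collapses "." and ".." lexically; Path.startsWith() compares whole
        // components, so "/var/app/profile-old" is NOT accepted as being under "/var/app/profile".
        Path candidate = root.resolve(rel).normalize();
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IOException("path escapes " + root + ": " + resource);
        }
        // If the target exists, compare the symlink-resolved path as well, so a link
        // placed under root cannot point the handler outside it.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(root.toRealPath())) {
                throw new IOException("symlink escapes " + root + ": " + resource);
            }
        }
        return candidate;
    }

    public static void main(String[] args) {
        String[] samples = {  // constructed inputs; the second and fourth are the requests from the notes
            "/profile/avatar/2024/1.png",
            "/profile/../RuoYi-v4.5.0/ruoyi-admin/src/main/resources/application-druid.yml",
            "/profile//..//..//etc/passwd",
            "/profile/image..//image..//IDEA.txt"
        };
        for (String s : samples) {
            try {
                System.out.println("ok      " + s + " -> " + resolveInside(PROFILE_ROOT, s));
            } catch (IOException e) {
                System.out.println("reject  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The decision is made lexically by normalize() plus startsWith() before any filesystem access, which is what a string-replacement sanitizer cannot guarantee; note that "image..//image..//IDEA.txt" is accepted, because "image.." is an ordinary directory name and the resolved path really does stay under the root. The toRealPath() comparison is a second check that only matters when symlinks can exist under the root.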