Merge pull request #104 from Tinywan/main

walkor · web-flow · commit 0c9d9df5b32c · 2024-11-12T11:54:09.000+08:00
fix:优化检测是否是合法URL Path 支持http图片链接地址
diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,4 @@ src/plugin/admin/public/upload
 src/plugin/admin/config/database.php
 src/plugin/admin/config/thinkorm.php
 src/plugin/admin.zip
+composer.lock
diff --git a/composer.json b/composer.json
@@ -12,7 +12,8 @@
     "webman/event": "^1.0",
     "webman/captcha": "^1.0.0",
     "guzzlehttp/guzzle": "^7.5",
-    "laravel/serializable-closure": "^1.0"
+    "laravel/serializable-closure": "^1.0",
+    "ext-json": "*"
   },
   "autoload": {
     "psr-4": {
diff --git a/src/plugin/admin/api/Menu.php b/src/plugin/admin/api/Menu.php
@@ -1,10 +1,7 @@
 <?php
 namespace plugin\admin\api;
 
-use plugin\admin\app\model\Role;
 use plugin\admin\app\model\Rule;
-use support\exception\BusinessException;
-use function admin;
 
 /**
  * 对外提供的菜单接口
diff --git a/src/plugin/admin/app/common/Auth.php b/src/plugin/admin/app/common/Auth.php
@@ -2,17 +2,16 @@
 namespace plugin\admin\app\common;
 
 
-use plugin\admin\app\model\Admin;
 use plugin\admin\app\model\AdminRole;
 use plugin\admin\app\model\Role;
-use plugin\admin\app\model\Rule;
 
 class Auth
 {
     /**
      * 获取权限范围内的所有角色id
      * @param bool $with_self
      * @return array
+     * @throws \Exception
      */
     public static function getScopeRoleIds(bool $with_self = false): array
     {
@@ -35,6 +34,7 @@ public static function getScopeRoleIds(bool $with_self = false): array
      * 获取权限范围内的所有管理员id
      * @param bool $with_self
      * @return array
+     * @throws \Exception
      */
     public static function getScopeAdminIds(bool $with_self = false): array
     {
@@ -62,6 +62,7 @@ public static function isSupperAdmin(int $admin_id = 0): bool
      * 是否是超级管理员
      * @param int $admin_id
      * @return bool
+     * @throws \Exception
      */
     public static function isSuperAdmin(int $admin_id = 0): bool
     {
diff --git a/src/plugin/admin/app/common/Layui.php b/src/plugin/admin/app/common/Layui.php
@@ -1,7 +1,6 @@
 <?php
 namespace plugin\admin\app\common;
 
-use plugin\admin\app\common\Util;
 use support\exception\BusinessException;
 
 class Layui
diff --git a/src/plugin/admin/app/common/Util.php b/src/plugin/admin/app/common/Util.php
@@ -27,8 +27,8 @@ public static function passwordHash($password, string $algo = PASSWORD_DEFAULT)
 
     /**
      * 验证密码哈希
-     * @param $password
-     * @param $hash
+     * @param string $password
+     * @param string $hash
      * @return bool
      */
     public static function passwordVerify(string $password, string $hash): bool
@@ -109,7 +109,7 @@ public static function formatBytes($file_size): string
      */
     public static function pdoQuote($var)
     {
-        return Util::db()->getPdo()->quote($var, \PDO::PARAM_STR);
+        return Util::db()->getPdo()->quote($var);
     }
 
     /**
@@ -161,15 +161,23 @@ public static function filterNum($var)
     }
 
     /**
-     * 检测是否是合法URL Path
+     * @desc 检测是否是合法URL Path
      * @param $var
      * @return string
      * @throws BusinessException
      */
     public static function filterUrlPath($var): string
     {
-        if (!is_string($var) || !preg_match('/^[a-zA-Z0-9_\-\/&?.]+$/', $var)) {
-            throw new BusinessException('参数不合法');
+        if (!is_string($var)) {
+            throw new BusinessException('参数不合法，地址必须是一个字符串！');
+        }
+
+        if (strpos($var, 'https://') === 0 || strpos($var, 'http://') === 0) {
+            if (!filter_var($var, FILTER_VALIDATE_URL)) {
+                throw new BusinessException('参数不合法，不是合法的URL地址！');
+            }
+        } elseif (!preg_match('/^[a-zA-Z0-9_\-\/&?.]+$/', $var)) {
+            throw new BusinessException('参数不合法，不是合法的Path！');
         }
         return $var;
     }
diff --git a/src/plugin/admin/app/controller/DevController.php b/src/plugin/admin/app/controller/DevController.php
@@ -2,7 +2,6 @@
 
 namespace plugin\admin\app\controller;
 
-use support\Request;
 use support\Response;
 use Throwable;
 
diff --git a/src/plugin/admin/app/controller/InstallController.php b/src/plugin/admin/app/controller/InstallController.php
@@ -4,7 +4,6 @@
 
 use Illuminate\Database\Capsule\Manager;
 use plugin\admin\app\common\Util;
-use plugin\admin\app\model\Admin;
 use support\exception\BusinessException;
 use support\Request;
 use support\Response;
diff --git a/src/plugin/admin/app/controller/PluginController.php b/src/plugin/admin/app/controller/PluginController.php
@@ -5,7 +5,6 @@
 use GuzzleHttp\Client;
 use GuzzleHttp\Exception\GuzzleException;
 use plugin\admin\app\common\Util;
-use plugin\admin\app\controller\Base;
 use process\Monitor;
 use support\exception\BusinessException;
 use support\Log;
diff --git a/src/plugin/admin/app/controller/RoleController.php b/src/plugin/admin/app/controller/RoleController.php
@@ -188,6 +188,7 @@ public function delete(Request $request): Response
      * 获取角色权限
      * @param Request $request
      * @return Response
+     * @throws \Exception
      */
     public function rules(Request $request): Response
     {
diff --git a/src/plugin/admin/app/controller/UploadController.php b/src/plugin/admin/app/controller/UploadController.php
@@ -4,10 +4,7 @@
 
 use Exception;
 use Intervention\Image\ImageManagerStatic as Image;
-use plugin\admin\app\controller\Base;
-use plugin\admin\app\controller\Crud;
 use plugin\admin\app\model\Upload;
-use Random\RandomException;
 use support\exception\BusinessException;
 use support\Request;
 use support\Response;
@@ -106,7 +103,7 @@ public function insert(Request $request): Response
         if (!$file || !$file->isValid()) {
             return $this->json(1, '未找到文件');
         }
-        $data = $this->base($request, '/upload/files/'.date('Ymd'));
+        $data = $this->base($request, '/upload/files/' . date('Ymd'));
         $upload = new Upload;
         $upload->admin_id = admin_id();
         $upload->name = $data['name'];
@@ -150,7 +147,7 @@ public function file(Request $request): Response
         if (in_array($file->getUploadExtension(), $img_exts)) {
             return $this->image($request);
         }
-        $data = $this->base($request, '/upload/files/'.date('Ymd'));
+        $data = $this->base($request, '/upload/files/' . date('Ymd'));
         return $this->json(0, '上传成功', [
             'url' => $data['url'],
             'name' => $data['name'],
@@ -166,7 +163,7 @@ public function file(Request $request): Response
      */
     public function image(Request $request): Response
     {
-        $data = $this->base($request, '/upload/img/'.date('Ymd'));
+        $data = $this->base($request, '/upload/img/' . date('Ymd'));
         $realpath = $data['realpath'];
         try {
             $img = Image::make($realpath);
@@ -178,17 +175,17 @@ public function image(Request $request): Response
             if ($height > $max_height || $width > $max_width) {
                 $ratio = $width > $height ? $max_width / $width : $max_height / $height;
             }
-            $img->resize($width*$ratio, $height*$ratio)->save($realpath);
+            $img->resize($width * $ratio, $height * $ratio)->save($realpath);
         } catch (Exception $e) {
             unlink($realpath);
-            return json( [
-                'code'  => 500,
-                'msg'  => '处理图片发生错误'
+            return json([
+                'code' => 500,
+                'msg' => '处理图片发生错误'
             ]);
         }
-        return json( [
-            'code'  => 0,
-            'msg'  => '上传成功',
+        return json([
+            'code' => 0,
+            'msg' => '上传成功',
             'data' => [
                 'url' => $data['url'],
                 'name' => $data['name'],
@@ -220,7 +217,7 @@ public function avatar(Request $request): Response
             if (!is_dir($real_path)) {
                 mkdir($real_path, 0777, true);
             }
-            $name = bin2hex(pack('Nn',time(), random_int(1, 65535)));
+            $name = bin2hex(pack('Nn', time(), random_int(1, 65535)));
             $ext = $file->getUploadExtension();
 
             $image->crop($size, $size)->resize(300, 300);
@@ -254,21 +251,22 @@ public function avatar(Request $request): Response
      * 删除附件
      * @param Request $request
      * @return Response
+     * @throws BusinessException
      */
     public function delete(Request $request): Response
     {
         $ids = $this->deleteInput($request);
         $primary_key = $this->model->getKeyName();
         $files = $this->model->whereIn($primary_key, $ids)->get()->toArray();
         $file_list = array_map(function ($item) {
-          $path =$item['url'];
-          if (preg_match("#^/app/admin#",$path)){
-              $admin_public_path = config('plugin.admin.app.public_path') ?: base_path() . "/plugin/admin/public";
-              return $admin_public_path . str_replace("/app/admin", "", $item['url']);
-          }
-          return null;
-        },$files);
-        $file_list = array_filter($file_list,function ($item){
+            $path = $item['url'];
+            if (preg_match("#^/app/admin#", $path)) {
+                $admin_public_path = config('plugin.admin.app.public_path') ?: base_path() . "/plugin/admin/public";
+                return $admin_public_path . str_replace("/app/admin", "", $item['url']);
+            }
+            return null;
+        }, $files);
+        $file_list = array_filter($file_list, function ($item) {
             return !empty($item);
         });
         $result = parent::delete($request);
@@ -285,7 +283,7 @@ public function delete(Request $request): Response
      * @param Request $request
      * @param $relative_dir
      * @return array
-     * @throws BusinessException|RandomException
+     * @throws BusinessException|\Random\RandomException
      */
     protected function base(Request $request, $relative_dir): array
     {
@@ -318,7 +316,7 @@ protected function base(Request $request, $relative_dir): array
             throw new BusinessException('不支持该格式的文件上传', 400);
         }
 
-        $relative_path = $relative_dir . '/' . bin2hex(pack('Nn',time(), random_int(1, 65535))) . ".$ext";
+        $relative_path = $relative_dir . '/' . bin2hex(pack('Nn', time(), random_int(1, 65535))) . ".$ext";
         $full_path = $base_dir . $relative_path;
         $file->move($full_path);
         $image_with = $image_height = 0;
@@ -327,10 +325,10 @@ protected function base(Request $request, $relative_dir): array
             $mime_type = $img_info['mime'];
         }
         return [
-            'url'     => "/app/admin/$relative_path",
-            'name'     => $file_name,
+            'url' => "/app/admin/$relative_path",
+            'name' => $file_name,
             'realpath' => $full_path,
-            'size'     => $file_size,
+            'size' => $file_size,
             'mime_type' => $mime_type,
             'image_with' => $image_with,
             'image_height' => $image_height,
diff --git a/src/plugin/admin/app/controller/UserController.php b/src/plugin/admin/app/controller/UserController.php
@@ -2,8 +2,6 @@
 
 namespace plugin\admin\app\controller;
 
-use plugin\admin\app\controller\Base;
-use plugin\admin\app\controller\Crud;
 use plugin\admin\app\model\User;
 use support\exception\BusinessException;
 use support\Request;

Original file line number	Diff line number	Diff line change
`@@ -188,6 +188,7 @@ public function delete(Request $request): Response`
`188`	`188`	`* 获取角色权限`
`189`	`189`	`* @param Request $request`
`190`	`190`	`* @return Response`
	`191`	`+ * @throws \Exception`
`191`	`192`	`*/`
`192`	`193`	`public function rules(Request $request): Response`
`193`	`194`	`{`