dengsixing 6 月之前
當前提交
9ecd37354f
共有 21 個文件被更改,包括 191 次插入75 次删除
  1. 5 0
      src/main/java/com/fdkankan/SceneApplication.java
  2. 2 0
      src/main/java/com/fdkankan/common/constant/ErrorCode.java
  3. 5 28
      src/main/java/com/fdkankan/common/util/ESAPIUtil.java
  4. 4 3
      src/main/java/com/fdkankan/common/util/FdfsUtil.java
  5. 11 21
      src/main/java/com/fdkankan/scene/controller/SceneController.java
  6. 111 5
      src/main/java/com/fdkankan/scene/controller/SceneEditController.java
  7. 4 1
      src/main/java/com/fdkankan/scene/service/FYunFileService.java
  8. 3 1
      src/main/java/com/fdkankan/scene/service/ICutModelService.java
  9. 3 1
      src/main/java/com/fdkankan/scene/service/ISceneDrawService.java
  10. 3 1
      src/main/java/com/fdkankan/scene/service/ISceneEditService.java
  11. 5 0
      src/main/java/com/fdkankan/scene/service/ISceneUploadService.java
  12. 4 2
      src/main/java/com/fdkankan/scene/service/SceneEditInfoService.java
  13. 5 0
      src/main/java/com/fdkankan/scene/service/impl/CommonServiceImpl.java
  14. 3 1
      src/main/java/com/fdkankan/scene/service/impl/CutModelServiceImpl.java
  15. 4 2
      src/main/java/com/fdkankan/scene/service/impl/FYunFileServiceImpl.java
  16. 3 1
      src/main/java/com/fdkankan/scene/service/impl/SceneDrawServiceImpl.java
  17. 3 1
      src/main/java/com/fdkankan/scene/service/impl/SceneEditInfoExtServiceImpl.java
  18. 5 3
      src/main/java/com/fdkankan/scene/service/impl/SceneEditInfoServiceImpl.java
  19. 3 1
      src/main/java/com/fdkankan/scene/service/impl/SceneEditServiceImpl.java
  20. 4 2
      src/main/java/com/fdkankan/scene/service/impl/SceneProServiceImpl.java
  21. 1 1
      src/main/java/com/fdkankan/scene/service/impl/SceneUploadServiceImpl.java

+ 5 - 0
src/main/java/com/fdkankan/SceneApplication.java

@@ -1,5 +1,6 @@
 package com.fdkankan;
 
+import cn.hutool.core.io.FileUtil;
 import com.dtflys.forest.springboot.annotation.ForestScan;
 import com.fdkankan.common.util.ESAPIUtil;
 import com.yomahub.tlog.core.enhance.bytes.AspectLogEnhance;
@@ -31,6 +32,10 @@ public class SceneApplication{
     public static void main(String[] args) {
         SpringApplication.run(SceneApplication.class, args);
 
+        if(!FileUtil.exist(ESAPIUtil.tempPath)){
+            FileUtil.mkdir(ESAPIUtil.tempPath);
+        }
+
 //        String active = System.getProperty("spring.profiles.active");
 //        String esapiPropertiesName = "ESAPI.properties";
 //        if("local".equals(active)){
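Review bot: The temp directory is created at L63-L65 only after `SpringApplication.run` has returned, so the web layer can already be serving upload requests that write under that directory (the rest of this commit creates temp files via `ESAPIUtil.getRealPath("temp")`, which I assume resolves to the same location) before it exists. Move the creation above the `run` call; hutool's `FileUtil.mkdir` is a no-op on an existing directory, so the `exist` guard can go: `FileUtil.mkdir(ESAPIUtil.tempPath); SpringApplication.run(SceneApplication.class, args);`. `main` continues past the hunk.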

+ 2 - 0
src/main/java/com/fdkankan/common/constant/ErrorCode.java

@@ -203,6 +203,8 @@ public enum ErrorCode {
     FAILURE_CODE_10004(10004, "api次数不能为空"),
 
     FAILURE_CODE_15059(15059, "该压缩包无可用obj或者mtl文件"),
+
+    FAILURE_CODE_15060(15060, "上传文件格式不正确"),
     //-----------------openApi----------------------end
 
 

+ 5 - 28
src/main/java/com/fdkankan/common/util/ESAPIUtil.java

@@ -14,31 +14,16 @@ import java.util.Properties;
 
 public class ESAPIUtil {
 
-    public static Properties properties;
+//    public static final String rootPath = "D:\\app\\4dkankan\\";
+    public static final String rootPath = "/app/4dkankan/";
 
-    public static final String rootPath;
+    public static final String tempPath = rootPath + "temp/";
 
-    static {
-        String active = System.getProperty("spring.profiles.active");
-        String esapiPropertiesName = "ESAPI.properties";
-        if("local".equals(active)){
-            esapiPropertiesName = "ESAPI-local.properties";
-        }
-        InputStream resourceAsStream = ESAPIUtil.class.getClassLoader().getResourceAsStream(esapiPropertiesName);
-        properties = new Properties();
-        try {
-            properties.load(resourceAsStream);
-            rootPath = (String)properties.get("workDir");
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-    public static String validFilePath(String inputPath, String rootPath) throws ValidationException {
+    public static String validFilePath(String inputPath, String rootPath) throws ValidationException, EncodingException {
         return ESAPI.validator().getValidDirectoryPath(inputPath, inputPath, new File(rootPath), false);
     }
 
-    public static String validFilePath(String inputPath) throws ValidationException {
+    public static String validFilePath(String inputPath) throws ValidationException, EncodingException {
         return validFilePath(inputPath,rootPath);
     }
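Review bot: `rootPath` at L93 is now a compile-time constant with the Windows alternative left commented out at L92, which replaces the profile-driven lookup removed at L98-L112 with editing source per environment. Keep the constant as the default but allow a deployment override, e.g. `public static final String rootPath = System.getProperty("workDir", "/app/4dkankan/");` (reusing the key the removed properties file used), and add a Javadoc on `validFilePath` stating that it only confirms `inputPath` lies under `rootPath`. Also, the first argument of `getValidDirectoryPath` at L116 is ESAPI's *context* label that ends up in its log and error messages, so passing `inputPath` for both echoes the raw input into those messages; a fixed label such as `"filePath"` is the usual choice. The class continues outside the hunk.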
 
@@ -64,12 +49,4 @@ public class ESAPIUtil {
         return inputData;
     }
 
-    public static void main(String[] args) throws ValidationException {
-        String suffix = "." + FileUtil.getSuffix("aaa/bbb/ccc.txt");
-        File tempFile = FileUtil.createTempFile(UUID.fastUUID().toString(), suffix, new File("/temp"), true);
-        System.out.println(System.getProperty("user.dir"));
-        System.out.println(ESAPIUtil.validFilePath(System.getProperty("user.dir") + "\\temp", "/temp"));
-        FileUtil.writeBytes("123123".getBytes(), tempFile);
-    }
-
 }

+ 4 - 3
src/main/java/com/fdkankan/common/util/FdfsUtil.java

@@ -8,6 +8,7 @@ import cn.hutool.http.HttpResponse;
 import com.alibaba.fastjson.JSON;
 import com.fdkankan.scene.bean.TietaResBean;
 import lombok.extern.slf4j.Slf4j;
+import org.owasp.esapi.errors.EncodingException;
 import org.owasp.esapi.errors.ValidationException;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
@@ -58,7 +59,7 @@ public class FdfsUtil {
         return tietaResBean.getData();
     }
 
-    public Map<String, String> uploadFile(String nonce, String timestamp, String signature, String filePath) throws ValidationException {
+    public Map<String, String> uploadFile(String nonce, String timestamp, String signature, String filePath) throws ValidationException, EncodingException {
 
         Map<String, String> headers = new HashMap<>();
         headers.put(timestamp_key, timestamp);
@@ -68,8 +69,8 @@ public class FdfsUtil {
 
         Map<String, Object> test = new HashMap<>();
         test.put("visibilityLevel", "1003");
-        String parentPath = FileUtil.getParent(filePath, 1);
-        ESAPIUtil.validFilePath(parentPath);
+//        String parentPath = FileUtil.getParent(filePath, 1);
+//        ESAPIUtil.validFilePath(parentPath);
         test.put("file", new File(filePath));
         test.put("userId", "111111");
         HttpRequest httpRequest = HttpRequest.post(address.concat(api_uploadFile)).form(test).addHeaders(headers).timeout(120000);
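Review bot: The directory check at L162-L163 was commented out rather than removed, so `filePath` now reaches `new File(filePath)` at L166 with no validation inside this method, while the new `throws ValidationException, EncodingException` at L154 declares exceptions that nothing in the visible body raises any more (the body continues past the hunk, so this is hedged). If the intent is that callers validate the path before calling (FYunFileServiceImpl does so at L623), say so in a Javadoc `@param filePath` on this overload and delete the dead lines and the throws clause; otherwise restore the check.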

+ 11 - 21
src/main/java/com/fdkankan/scene/controller/SceneController.java

@@ -2,13 +2,13 @@ package com.fdkankan.scene.controller;
 
 
 import cn.hutool.core.io.FileUtil;
-import cn.hutool.core.lang.UUID;
 import cn.hutool.http.HttpResponse;
 import cn.hutool.http.HttpUtil;
 import com.alibaba.fastjson.JSON;
 import com.fdkankan.common.constant.SceneInfoReqType;
 import com.fdkankan.common.util.ESAPIUtil;
 import com.fdkankan.common.util.FdfsUtil;
+import com.fdkankan.common.util.XssFilterUtil;
 import com.fdkankan.scene.annotation.CheckToken;
 import com.fdkankan.scene.annotation.InitEditInfo;
 import com.fdkankan.scene.annotation.VrLog;
@@ -18,7 +18,10 @@ import com.fdkankan.scene.service.*;
 import com.fdkankan.scene.vo.SceneCheckKeyParamVO;
 import com.fdkankan.scene.vo.SceneInfoParamVO;
 import com.fdkankan.scene.vo.SceneInfoVO;
+import org.apache.commons.lang.StringEscapeUtils;
+import org.omg.PortableInterceptor.PolicyFactory;
 import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.errors.EncodingException;
 import org.owasp.esapi.errors.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
@@ -33,6 +36,7 @@ import javax.websocket.server.PathParam;
 import java.io.File;
 import java.io.IOException;
 import java.util.Map;
+import java.util.UUID;
 
 /**
  * <p>
@@ -71,15 +75,7 @@ public class SceneController extends BaseController{
     @GetMapping(value = "/getInfo")
     public ResultData getInfo(@Validated SceneInfoParamVO param) throws Exception{
         param.setReqType(SceneInfoReqType.VIEW.code());
-//        param.setSubgroup(this.getSubgroup());
-//        ESAPI.encoder().encodeForHTML(JSON.toJSONString(param));
-//        ESAPI.encoder().encodeForHTMLAttribute(JSON.toJSONString(param));
-//        ESAPI.encoder().encodeForJavaScript(JSON.toJSONString(param));
-//        ESAPI.encoder().encodeForHTML(JSON.toJSONString(param));
-//        ESAPI.encoder().encodeForCSS(JSON.toJSONString(param));
-//        ESAPI.encoder().encodeForURL(JSON.toJSONString(param));
-        response.setHeader("Set-Cookie","cookiename=cookievalue; path=/; Domain=domainvaule; Max-age=seconds; HttpOnly");
-        SceneInfoVO sceneInfo = sceneEditInfoService.getSceneInfo(ESAPIUtil.encode(param.getNum()), param.getSubgroup(), param.getUpTimeKey(), (byte)1);
+        SceneInfoVO sceneInfo = sceneEditInfoService.getSceneInfo(StringEscapeUtils.escapeHtml(param.getNum()), param.getSubgroup(), param.getUpTimeKey(), (byte)1);
         return ResultData.ok(sceneInfo);
     }
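Review bot: `StringEscapeUtils.escapeHtml(param.getNum())` at L220 applies HTML output encoding to a value used as a lookup key, which protects no sink here and silently turns a `num` containing `&`, `<` or `"` into a different key so the lookup misses; the same pattern appears in SceneEditController at L306 and L336-L338 and in CommonServiceImpl at L574-L576. Validate the key's format instead (an allow-list pattern on `num` in the VO, or a check that throws a `BusinessException`) and leave HTML encoding to the point where the value is rendered. The replacement `testUploadFile` endpoint at L233-L245 is leftover debug code: it computes `s` and discards it, yet stays reachable as a POST route. The imports `org.omg.PortableInterceptor.PolicyFactory` (L193, a CORBA class no longer shipped with the JDK since 11) and `java.util.UUID` (L203) are not used in the visible hunks.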
 
@@ -107,19 +103,13 @@ public class SceneController extends BaseController{
     }
 
 
-//    @PostMapping("testUploadFile")
-//    public ResultData testUploadFile(String path){
-//        Map<String, String> stringStringMap = fdfsUtil.uploadFile(path);
-//        return ResultData.ok(stringStringMap);
-//    }
+    @PostMapping("testUploadFile")
+    public ResultData testUploadFile() throws EncodingException, ValidationException {
 
-    @GetMapping("/test")
-    public ResultData test() throws ValidationException {
-//        String s = ESAPIUtil.validFilePath("D:\\test");
-        fYunFileService.uploadFile("111", 0, "123456", "123456".getBytes(), "123123.txt");
-//        ESAPIUtil.getRealPath();
-//        String s = ESAPIUtil.validFilePath();
+        String temp = ESAPIUtil.getRealPath("temp");
+        String s = ESAPIUtil.validFilePath(temp);
         return ResultData.ok();
     }
+
 }
 

+ 111 - 5
src/main/java/com/fdkankan/scene/controller/SceneEditController.java

@@ -1,6 +1,14 @@
 package com.fdkankan.scene.controller;
 
+import cn.hutool.core.collection.CollUtil;
+import cn.hutool.core.io.FileUtil;
+import cn.hutool.core.lang.UUID;
+import cn.hutool.core.util.StrUtil;
+import com.fdkankan.common.constant.ErrorCode;
 import com.fdkankan.common.constant.SceneInfoReqType;
+import com.fdkankan.common.constant.UploadFilePath;
+import com.fdkankan.common.exception.BusinessException;
+import com.fdkankan.common.util.BASE64DecodedMultipartFile;
 import com.fdkankan.common.util.ESAPIUtil;
 import com.fdkankan.scene.annotation.CheckToken;
 import com.fdkankan.scene.annotation.InitEditInfo;
@@ -8,12 +16,23 @@ import com.fdkankan.scene.bean.ResultData;
 import com.fdkankan.scene.service.*;
 import com.fdkankan.scene.vo.*;
 import lombok.extern.log4j.Log4j2;
+import org.apache.commons.fileupload.FileItem;
+import org.apache.commons.fileupload.FileItemFactory;
+import org.apache.commons.fileupload.disk.DiskFileItemFactory;
+import org.apache.commons.fileupload.servlet.ServletFileUpload;
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 
+import javax.annotation.Resource;
+import java.io.File;
 import java.io.IOException;
+import java.util.*;
 
 /**
  * 场景编辑管理
@@ -247,7 +266,7 @@ public class SceneEditController extends BaseController{
      * @return
      **/
     @PostMapping(value = "/cad/rename")
-    public ResultData renameCad(@RequestBody @Validated RenameCadParamVO param) throws IOException {
+    public ResultData renameCad(@RequestBody @Validated RenameCadParamVO param) throws IOException, EncodingException, ValidationException {
         param.setSubgroup(this.getSubgroup());
         param.setUpTimeKey(this.getUpTime());
         return sceneEditInfoService.renameCad(param);
@@ -268,7 +287,7 @@ public class SceneEditController extends BaseController{
     public SceneInfoVO getInfo(@Validated SceneInfoParamVO param) throws Exception{
         param.setReqType(SceneInfoReqType.EDIT.code());
         response.setHeader("Set-Cookie","cookiename=cookievalue; path=/; Domain=domainvaule; Max-age=seconds; HttpOnly");
-        return sceneEditInfoService.getSceneInfo(param.getNum(), param.getSubgroup(), param.getUpTimeKey(), (byte)2);
+        return sceneEditInfoService.getSceneInfo(StringEscapeUtils.escapeHtml(param.getNum()), param.getSubgroup(), param.getUpTimeKey(), (byte)2);
     }
 
     /**
@@ -329,8 +348,18 @@ public class SceneEditController extends BaseController{
 //        return sceneProService.uploadModel(num, this.getSubgroup(), this.getUpTime(), file);
 //    }
 
+    private static Map<String, String> FILE_SIGNATURES;
+
+    static {
+        FILE_SIGNATURES = new HashMap<>();
+        FILE_SIGNATURES.put("jpg", "FFD8FF");
+        FILE_SIGNATURES.put("png", "89504E47");
+    }
+    @Resource
+    private FYunFileService fYunFileService;
+
     @RequestMapping(value = "/upload/files", method = RequestMethod.POST)
-    public String uploads(@RequestParam(value = "base64",required = false) String imgStr,
+    public String uploads(@RequestParam(value = "base64",required = false) String base64,
         @RequestParam(value = "fileName",required = false) String fileName,
         @RequestParam(value = "bizType",required = false) String bizType,
         @RequestParam(value = "files",required = false) MultipartFile[] files,
@@ -339,8 +368,85 @@ public class SceneEditController extends BaseController{
         @RequestParam(value = "uploadPath",required = false) String uploadPath) throws Exception {
         Integer subgroup = this.getSubgroup();
         String upTime = this.getUpTime();
-        response.setHeader("Set-Cookie","cookiename=cookievalue; path=/; Domain=domainvaule; Max-age=seconds; HttpOnly");
-        return sceneUploadService.uploads(imgStr,fileName,bizType,files,num,type,uploadPath, subgroup, upTime);
+        num = StringEscapeUtils.escapeHtml(num);
+        fileName = StringEscapeUtils.escapeHtml(fileName);
+        uploadPath = StringEscapeUtils.escapeHtml(uploadPath);
+        List<String> urlList = new ArrayList<>();
+//        return sceneUploadService.uploads(base64,fileName,bizType,files,num,type,uploadPath, subgroup, upTime);
+        if(Objects.nonNull(files) && files.length > 0){
+            for (MultipartFile file : files) {
+                String originalFilename = StringEscapeUtils.escapeHtml(file.getOriginalFilename());
+                if(files.length == 1 && StrUtil.isNotEmpty(fileName)){
+                    originalFilename = fileName;
+                }
+                String oldExtName = cn.hutool.core.io.FileUtil.extName(originalFilename);
+                String newExtName = oldExtName.toLowerCase();
+                originalFilename = originalFilename.substring(0, originalFilename.lastIndexOf(oldExtName)) + newExtName;
+                String suffix = "." + FileUtil.getSuffix(originalFilename);
+                File tempFile = FileUtil.createTempFile(UUID.fastUUID().toString(), suffix, new File(ESAPIUtil.validFilePath(ESAPIUtil.getRealPath("temp"))), true);
+                file.transferTo(tempFile);
+                String path = tempFile.getAbsolutePath();
+
+                String key = StrUtil.isNotBlank(uploadPath) ? uploadPath : (String.format(UploadFilePath.USER_VIEW_PATH , num) + originalFilename);
+                fYunFileService.uploadFile(num, subgroup, upTime, path, key);
+
+                urlList.add(originalFilename);
+
+                FileUtil.del(path);
+            }
+        }
+
+        if(StrUtil.isNotEmpty(base64)){
+            String suffix = "." + FileUtil.getSuffix(fileName);
+            MultipartFile file = BASE64DecodedMultipartFile.base64ToMultipart(base64);
+            File tempFile = FileUtil.createTempFile(UUID.fastUUID().toString(), suffix, new File(ESAPIUtil.validFilePath(ESAPIUtil.getRealPath("temp"))), true);
+            file.transferTo(tempFile);
+            String path = tempFile.getAbsolutePath();
+
+            String originalFilename = StringEscapeUtils.escapeHtml(file.getOriginalFilename());
+            if(StringUtils.isNotBlank(fileName)){
+                originalFilename = fileName ;
+            }
+            String oldExtName = cn.hutool.core.io.FileUtil.extName(originalFilename);
+            String newExtName = oldExtName.toLowerCase();
+            originalFilename = originalFilename.substring(0, originalFilename.lastIndexOf(oldExtName)) + newExtName;
+            String key = StrUtil.isNotBlank(uploadPath) ? uploadPath : (String.format(UploadFilePath.USER_VIEW_PATH , num) + originalFilename);
+            fYunFileService.uploadFile(num, subgroup, upTime, path, key);
+            urlList.add(originalFilename);
+
+            FileUtil.del(path);
+        }
+
+        StringBuilder returnString = new StringBuilder();
+        for (String res : urlList) {
+            if(StringUtils.isNotBlank(returnString)){
+                returnString.append(",");
+            }
+            returnString.append(res);
+        }
+        return returnString.toString();
+    }
+
+    private String bytesToHex(byte[] bytes) {
+        StringBuilder sb = new StringBuilder();
+        for (byte b : bytes) {
+            sb.append(String.format("%02X", b));
+        }
+        return sb.toString();
+    }
+
+    String sanitizeFileName(String fileName) {
+        return fileName.replaceAll("[^a-zA-Z0-9._-]", "");
+    }
+
+    boolean isValidFile(String fileName) {
+        String[] allowedExtensions = {".jpg", ".jpeg", ".png", ".gif"};
+        for (String ext : allowedExtensions) {
+            if (fileName.toLowerCase().endsWith(ext)) {
+                return true;
+            }
+        }
+        return false;
     }
 
     /**
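Review bot: The file-type controls added at L314-L320 and L395-L414 (`FILE_SIGNATURES`, `bytesToHex`, `sanitizeFileName`, `isValidFile`) are never invoked from `uploads`, so the extension allow-list and the new `FAILURE_CODE_15060` error code never take effect, and `FileUtil.del(path)` at L360 and L382 is skipped whenever `transferTo` or `uploadFile` throws, leaving the temp file on disk. The rewrite below applies the allow-list before the temp file is created (assuming, as the allow-list suggests, that this route is meant for images only) and moves the cleanup into a `finally`; the base64 branch at L364-L383 needs the same treatment, and if the magic-byte map is meant to be used, read the first bytes of `tempFile` and compare `bytesToHex` output against `FILE_SIGNATURES.get(newExtName)` inside the same try. Separately, a non-blank `uploadPath` (L355, L378) is used verbatim as the storage key and so bypasses the per-scene `USER_VIEW_PATH` prefix; `escapeHtml` does not constrain it, so either drop the parameter or reject values that do not start with `String.format(UploadFilePath.USER_VIEW_PATH, num)`. `uploads` starts before this hunk (L324).
```java
for (MultipartFile file : files) {
    // … unchanged: originalFilename selection and extension lower-casing …
    if (!isValidFile(originalFilename)) {
        throw new BusinessException(ErrorCode.FAILURE_CODE_15060);
    }
    String suffix = "." + FileUtil.getSuffix(originalFilename);
    File tempFile = FileUtil.createTempFile(UUID.fastUUID().toString(), suffix, new File(ESAPIUtil.validFilePath(ESAPIUtil.getRealPath("temp"))), true);
    String path = tempFile.getAbsolutePath();
    try {
        file.transferTo(tempFile);
        String key = StrUtil.isNotBlank(uploadPath) ? uploadPath : (String.format(UploadFilePath.USER_VIEW_PATH , num) + originalFilename);
        fYunFileService.uploadFile(num, subgroup, upTime, path, key);
        urlList.add(originalFilename);
    } finally {
        FileUtil.del(path);
    }
}
```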

+ 4 - 1
src/main/java/com/fdkankan/scene/service/FYunFileService.java

@@ -1,5 +1,8 @@
 package com.fdkankan.scene.service;
 
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
+
 import java.io.IOException;
 import java.util.Map;
 
@@ -7,7 +10,7 @@ public interface FYunFileService {
 
     String getFileContent(String key, Integer subgroup, String upTime) throws IOException;
 
-    void uploadFile(String num, Integer subgroup, String upTime, byte[] data, String key);
+    void uploadFile(String num, Integer subgroup, String upTime, byte[] data, String key) throws EncodingException, ValidationException;
 
     void uploadFile(String num, Integer subgroup, String upTime, String path, String key);
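Review bot: Adding `throws EncodingException, ValidationException` to the interface at L436, and likewise to ICutModelService (L458), ISceneDrawService (L479), ISceneEditService (L500), SceneEditInfoService (L543, L550) and their implementations, ties every caller of the service layer to the `org.owasp.esapi.errors` package for a check that happens inside `ESAPIUtil.validFilePath`. Catching both exceptions once in `ESAPIUtil.validFilePath` and rethrowing a `BusinessException` would have kept all of these signatures stable and kept the ESAPI dependency in the utility. If the ripple stays, each changed interface method should carry a Javadoc `@throws ValidationException` naming the condition that triggers it, since a caller reading `uploadFile` cannot tell which argument is being validated.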
 

+ 3 - 1
src/main/java/com/fdkankan/scene/service/ICutModelService.java

@@ -5,6 +5,8 @@ import com.fdkankan.scene.bean.ResultData;
 import com.fdkankan.scene.vo.BaseJsonArrayParamVO;
 import com.fdkankan.scene.vo.BaseSceneParamVO;
 import com.fdkankan.scene.vo.DeleteSidListParamVO;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 
 import java.io.IOException;
 import java.util.List;
@@ -17,6 +19,6 @@ public interface ICutModelService {
 
     ResultData deleteCutModel(DeleteSidListParamVO param) throws Exception;
 
-    void publicCutModel(String sceneNum, Integer subgroup, String upTimeKey) throws IOException;
+    void publicCutModel(String sceneNum, Integer subgroup, String upTimeKey) throws IOException, EncodingException, ValidationException;
 
 }

+ 3 - 1
src/main/java/com/fdkankan/scene/service/ISceneDrawService.java

@@ -3,6 +3,8 @@ package com.fdkankan.scene.service;
 import com.alibaba.fastjson.JSONObject;
 import com.fdkankan.scene.vo.BaseJsonArrayParamVO;
 import com.fdkankan.scene.vo.DeleteSidListParamVO;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 
 import java.io.IOException;
 import java.util.List;
@@ -15,6 +17,6 @@ public interface ISceneDrawService {
 
     void deleteSceneDraw(DeleteSidListParamVO param) throws Exception;
 
-    void publicSceneDraw(String sceneNum, Integer subgroup, String upTime, Integer cacheKeyHasTime) throws IOException;
+    void publicSceneDraw(String sceneNum, Integer subgroup, String upTime, Integer cacheKeyHasTime) throws IOException, EncodingException, ValidationException;
 
 }

+ 3 - 1
src/main/java/com/fdkankan/scene/service/ISceneEditService.java

@@ -4,6 +4,8 @@ import com.fdkankan.scene.bean.ResultData;
 import com.fdkankan.scene.vo.BaseDataParamVO;
 import com.fdkankan.scene.vo.BaseSceneParamVO;
 import com.fdkankan.scene.vo.SceneAuthVO;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 
 import java.io.IOException;
 
@@ -21,7 +23,7 @@ public interface ISceneEditService {
 
 //    ResultData locales(LocalesParamVO param) throws Exception;
 
-    ResultData saveTour(BaseDataParamVO param) throws IOException;
+    ResultData saveTour(BaseDataParamVO param) throws IOException, EncodingException, ValidationException;
 
     ResultData deleteTour(BaseSceneParamVO param) throws Exception;
 

+ 5 - 0
src/main/java/com/fdkankan/scene/service/ISceneUploadService.java

@@ -4,6 +4,8 @@ import com.fdkankan.scene.bean.ResultData;
 import com.fdkankan.scene.vo.DeleteFileParamVO;
 import org.springframework.web.multipart.MultipartFile;
 
+import java.util.List;
+
 /**
  * <p>
  *  服务类
@@ -20,4 +22,7 @@ public interface ISceneUploadService{
     ResultData delete(DeleteFileParamVO param) throws Exception;
 //
 //    String uploadContent(UploadContentParamVO param) throws Exception;
+
+    String uploadFiles(String sendFileName, String bizType, List<MultipartFile> files,
+                       String num, Integer type, String uploadPath, Integer subgroup, String upTime) throws Exception;
 }
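Review bot: `uploadFiles` at L522-L523 is added as an abstract method, but the diffstat lists SceneUploadServiceImpl with a single changed line (L772-L773), so unless another implementation exists outside this commit the interface no longer matches its implementing class; the new controller code at SceneEditController L341-L393 does not call it either. Either implement it or drop it, and give it a Javadoc stating what the returned `String` is (the controller version returns a comma-joined list of file names) and which of `sendFileName`, `bizType`, `type` and `uploadPath` are optional.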

+ 4 - 2
src/main/java/com/fdkankan/scene/service/SceneEditInfoService.java

@@ -5,6 +5,8 @@ import com.fdkankan.scene.bean.ResultData;
 import com.fdkankan.scene.entity.SceneEditInfo;
 import com.baomidou.mybatisplus.extension.service.IService;
 import com.fdkankan.scene.vo.*;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.IOException;
@@ -40,13 +42,13 @@ public interface SceneEditInfoService extends IService<SceneEditInfo> {
 
     ResultData resetCad(String num, Integer subgroup, String upTime) throws IOException;
 
-    ResultData renameCad(RenameCadParamVO param) throws IOException;
+    ResultData renameCad(RenameCadParamVO param) throws IOException, EncodingException, ValidationException;
 
     void upgradeVersionById(Long id);
 
     void upgradeVersionAndImgVersionById(Long id);
 
-    void upgradeSceneJsonVersion(String num, Integer subgroup, String upTime, Integer cacheKeyHasTime, int version, Integer imgVersion) throws IOException ;
+    void upgradeSceneJsonVersion(String num, Integer subgroup, String upTime, Integer cacheKeyHasTime, int version, Integer imgVersion) throws IOException, EncodingException, ValidationException;
 
 //    ResultData uploadPanorama(String num, Integer subgroup, String upTime, MultipartFile file) throws Exception;
 //

+ 5 - 0
src/main/java/com/fdkankan/scene/service/impl/CommonServiceImpl.java

@@ -4,9 +4,11 @@ import cn.hutool.core.io.FileUtil;
 import com.fdkankan.common.constant.ConstantFilePath;
 import com.fdkankan.common.constant.UploadFilePath;
 import com.fdkankan.common.util.CreateObjUtil;
+import com.fdkankan.common.util.ESAPIUtil;
 import com.fdkankan.redis.constant.RedisKey;
 import com.fdkankan.scene.service.FYunFileService;
 import com.fdkankan.scene.service.ICommonService;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.stereotype.Service;
 
 import javax.annotation.Resource;
@@ -20,6 +22,9 @@ public class CommonServiceImpl implements ICommonService {
 
     @Override
     public void transferToFlv(String num, Integer subgroup, String upTime, Integer cacheKeyHasTime, String fileName) throws Exception {
+        upTime = StringEscapeUtils.escapeHtml(upTime);
+        num = StringEscapeUtils.escapeHtml(num);
+        fileName = StringEscapeUtils.escapeHtml(fileName);
         String userEditPath = String.format(UploadFilePath.USER_VIEW_PATH, num);
         String numStr = RedisKey.getNumStr(num, subgroup, upTime, cacheKeyHasTime);
         String localImagesPath = String.format(ConstantFilePath.SCENE_USER_PATH_V4, numStr);

+ 3 - 1
src/main/java/com/fdkankan/scene/service/impl/CutModelServiceImpl.java

@@ -18,6 +18,8 @@ import com.fdkankan.scene.service.*;
 import com.fdkankan.scene.vo.BaseJsonArrayParamVO;
 import com.fdkankan.scene.vo.BaseSceneParamVO;
 import com.fdkankan.scene.vo.DeleteSidListParamVO;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
@@ -111,7 +113,7 @@ public class CutModelServiceImpl implements ICutModelService {
     }
 
     @Override
-    public void publicCutModel(String sceneNum, Integer subgroup, String upTimeKey) throws IOException {
+    public void publicCutModel(String sceneNum, Integer subgroup, String upTimeKey) throws IOException, EncodingException, ValidationException {
         String numStr = RedisKey.getNumStr(sceneNum, subgroup, upTimeKey, 1);
         String Key = String.format(RedisKey.SCENE_CUT_MODEL, numStr);
         String userEditPath = String.format(UploadFilePath.USER_VIEW_PATH, sceneNum) + "cutModel.json";

+ 4 - 2
src/main/java/com/fdkankan/scene/service/impl/FYunFileServiceImpl.java

@@ -11,6 +11,8 @@ import com.fdkankan.scene.entity.SceneFileMapping;
 import com.fdkankan.scene.httpclient.CustomHttpClient;
 import com.fdkankan.scene.service.FYunFileService;
 import com.fdkankan.scene.service.SceneFileMappingService;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
@@ -46,9 +48,9 @@ public class FYunFileServiceImpl implements FYunFileService {
     }
 
     @Override
-    public void uploadFile(String num, Integer subgroup, String upTime, byte[] data, String key) {
+    public void uploadFile(String num, Integer subgroup, String upTime, byte[] data, String key) throws EncodingException, ValidationException {
         String suffix = "." + FileUtil.getSuffix(key);
-        File tempFile = FileUtil.createTempFile(UUID.fastUUID().toString(), suffix, new File(ESAPIUtil.getRealPath("temp")), true);
+        File tempFile = FileUtil.createTempFile(UUID.fastUUID().toString(), suffix, new File(ESAPIUtil.validFilePath(ESAPIUtil.getRealPath("temp"))), true);
         FileUtil.writeBytes(data, tempFile);
         try {
             Map<String, String> mapping = fdfsUtil.uploadFile(tempFile.getAbsolutePath());
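Review bot: `ESAPIUtil.validFilePath(ESAPIUtil.getRealPath("temp"))` at L623 validates a directory the server composes from its own constant, not anything derived from the request, so the check cannot fail on client input and its only effect is the pair of checked exceptions now threaded through the signatures; the same wrapping is applied at SceneEditController L351/L367 and SceneUploadServiceImpl L773. The values that do come from callers here are `key` and the file content, and neither is validated in this hunk. If the goal is a path-traversal defence, apply the check to the caller-supplied `key` (or constrain it to the `UploadFilePath.USER_VIEW_PATH` prefix) and leave the constant temp directory alone. The method continues past the hunk.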

+ 3 - 1
src/main/java/com/fdkankan/scene/service/impl/SceneDrawServiceImpl.java

@@ -18,6 +18,8 @@ import com.fdkankan.scene.service.*;
 import com.fdkankan.scene.vo.BaseJsonArrayParamVO;
 import com.fdkankan.scene.vo.DeleteSidListParamVO;
 import com.google.common.collect.Lists;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
@@ -159,7 +161,7 @@ public class SceneDrawServiceImpl implements ISceneDrawService {
     }
 
     @Override
-    public void publicSceneDraw(String sceneNum, Integer subgroup, String upTime, Integer cacheKeyHasTime) throws IOException {
+    public void publicSceneDraw(String sceneNum, Integer subgroup, String upTime, Integer cacheKeyHasTime) throws IOException, EncodingException, ValidationException {
         String Key = String.format(RedisKey.SCENE_DRAW, RedisKey.getNumStr(sceneNum, subgroup, upTime, cacheKeyHasTime));
         String userEditPath = String.format(UploadFilePath.USER_VIEW_PATH, sceneNum) + SCENE_DRAW_JSON_NAME;
         List<String> list = redisClient.hgetValues(Key);

+ 3 - 1
src/main/java/com/fdkankan/scene/service/impl/SceneEditInfoExtServiceImpl.java

@@ -28,6 +28,8 @@ import com.fdkankan.scene.vo.BaseJsonArrayParamVO;
 import com.fdkankan.scene.vo.BaseSceneParamVO;
 import com.fdkankan.scene.vo.DeleteSidListParamVO;
 import com.fdkankan.scene.vo.DeleteStylesParamVO;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
@@ -238,7 +240,7 @@ public class SceneEditInfoExtServiceImpl extends ServiceImpl<SceneEditInfoExtMap
         this.updateById(sceneEditInfoExt);
     }
 
-    private void publicBillboardData(String sceneNum, Integer subgroup, String upTime, Integer cacheKeyHasTime) throws IOException {
+    private void publicBillboardData(String sceneNum, Integer subgroup, String upTime, Integer cacheKeyHasTime) throws IOException, EncodingException, ValidationException {
         String Key = String.format(RedisKey.SCENE_BILLBOARDS, RedisKey.getNumStr(sceneNum, subgroup, upTime, cacheKeyHasTime));
         String userEditPath = String.format(UploadFilePath.USER_VIEW_PATH, sceneNum) + "billboards.json";
         List<String> list = redisClient.hgetValues(Key);

+ 5 - 3
src/main/java/com/fdkankan/scene/service/impl/SceneEditInfoServiceImpl.java

@@ -31,6 +31,8 @@ import com.fdkankan.scene.mapper.SceneEditInfoMapper;
 import com.fdkankan.scene.service.*;
 import com.fdkankan.scene.vo.*;
 import com.google.common.collect.Lists;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
@@ -175,7 +177,7 @@ public class SceneEditInfoServiceImpl extends ServiceImpl<SceneEditInfoMapper, S
     }
 
 
-    private void publicFilterData(String num, Integer subgroup, String upTime, Integer cacheKeyHasTime, int filters) throws IOException {
+    private void publicFilterData(String num, Integer subgroup, String upTime, Integer cacheKeyHasTime, int filters) throws IOException, EncodingException, ValidationException {
 
         String userEditPath = String.format(UploadFilePath.USER_VIEW_PATH, num);
         String fileKey = userEditPath + "filter.json";
@@ -425,7 +427,7 @@ public class SceneEditInfoServiceImpl extends ServiceImpl<SceneEditInfoMapper, S
     }
 
     @Override
-    public ResultData renameCad(RenameCadParamVO param) throws IOException {
+    public ResultData renameCad(RenameCadParamVO param) throws IOException, EncodingException, ValidationException {
 
         Scene scenePlus = sceneService.getByNum(param.getNum(), param.getSubgroup(), param.getUpTimeKey());
         if(Objects.isNull(scenePlus)){
@@ -478,7 +480,7 @@ public class SceneEditInfoServiceImpl extends ServiceImpl<SceneEditInfoMapper, S
     }
 
     @Override
-    public void upgradeSceneJsonVersion(String num, Integer subgroup, String upTime, Integer cacheKeyHasTime, int version, Integer imgVersion) throws IOException {
+    public void upgradeSceneJsonVersion(String num, Integer subgroup, String upTime, Integer cacheKeyHasTime, int version, Integer imgVersion) throws IOException, EncodingException, ValidationException {
 
         //更新redis缓存版本号
         String key = String.format(RedisKey.SCENE_JSON, RedisKey.getNumStr(num, subgroup, upTime, cacheKeyHasTime));

+ 3 - 1
src/main/java/com/fdkankan/scene/service/impl/SceneEditServiceImpl.java

@@ -16,6 +16,8 @@ import com.fdkankan.scene.vo.BaseDataParamVO;
 import com.fdkankan.scene.vo.BaseSceneParamVO;
 import com.fdkankan.scene.vo.SceneAuthVO;
 import lombok.extern.slf4j.Slf4j;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.cloud.context.config.annotation.RefreshScope;
 import org.springframework.stereotype.Service;
@@ -68,7 +70,7 @@ public class SceneEditServiceImpl implements ISceneEditService {
 //    }
 
     @Override
-    public ResultData saveTour(BaseDataParamVO param) throws IOException {
+    public ResultData saveTour(BaseDataParamVO param) throws IOException, EncodingException, ValidationException {
         Scene scenePlus = scenePlusService.getByNum(param.getNum(), param.getSubgroup(), param.getUpTimeKey());
         if(Objects.isNull(scenePlus)){
             throw new BusinessException(ErrorCode.FAILURE_CODE_5005);

+ 4 - 2
src/main/java/com/fdkankan/scene/service/impl/SceneProServiceImpl.java

@@ -28,6 +28,8 @@ import com.fdkankan.scene.vo.*;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import lombok.extern.slf4j.Slf4j;
+import org.owasp.esapi.errors.EncodingException;
+import org.owasp.esapi.errors.ValidationException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -171,7 +173,7 @@ public class SceneProServiceImpl implements ISceneProService {
         return ResultData.ok();
     }
 
-    private void deleteHotDataFromTourJson(String num, Integer subgroup, String upTime, List<String> sidList) throws IOException {
+    private void deleteHotDataFromTourJson(String num, Integer subgroup, String upTime, List<String> sidList) throws IOException, EncodingException, ValidationException {
         String key = String.format(UploadFilePath.USER_VIEW_PATH, num) + "tour.json";
         String tourJson = fYunFileService.getFileContent(key, subgroup, upTime);
         if(StrUtil.isEmpty(tourJson)){
@@ -282,7 +284,7 @@ public class SceneProServiceImpl implements ISceneProService {
         return iconList;
     }
 
-    private void publicHotData(String sceneNum, Integer subgroup, String upTime, Integer cacheKeyHasTime) {
+    private void publicHotData(String sceneNum, Integer subgroup, String upTime, Integer cacheKeyHasTime) throws EncodingException, ValidationException {
         String hotDataKey = String.format(RedisKey.SCENE_HOT_DATA, RedisKey.getNumStr(sceneNum, subgroup,upTime,cacheKeyHasTime));
         Map<String, String> hotMap = redisClient.hmget(hotDataKey);
 

+ 1 - 1
src/main/java/com/fdkankan/scene/service/impl/SceneUploadServiceImpl.java

@@ -105,7 +105,7 @@ public class SceneUploadServiceImpl implements ISceneUploadService {
             // 获取文件后缀
 //            String prefix = fileName.substring(fileName.lastIndexOf("."));
             String suffix = "." + FileUtil.getSuffix(fileName);
-            File tempFile = FileUtil.createTempFile(UUID.fastUUID().toString(), suffix, new File(ESAPIUtil.getRealPath("temp")), true);
+            File tempFile = FileUtil.createTempFile(UUID.fastUUID().toString(), suffix, new File(ESAPIUtil.validFilePath(ESAPIUtil.getRealPath("temp"))), true);
 //            File tempFile = FileUtil.createTempFile(prefix, true);
             String path = tempFile.getAbsolutePath();
 //            FileUtil.mkParentDirs(path);