fixed 解决安全问题访问附件，id改为uuid

2026-05-20 11:45:57 +08:00 · 2023-12-12 14:31:21 +08:00
parent 0cb38bce4f
commit d74901cffa
8 changed files with 82 additions and 49 deletions
--- a/app/models/attachment.rb
+++ b/app/models/attachment.rb
@@ -1,44 +1,45 @@
-# == Schema Information
-#
-# Table name: attachments
-#
-#  id                        :integer          not null, primary key
-#  container_id              :integer
-#  container_type            :string(30)
-#  filename                  :string(255)      default(""), not null
-#  disk_filename             :string(255)      default(""), not null
-#  filesize                  :integer          default("0"), not null
-#  content_type              :string(255)      default("")
-#  digest                    :string(60)       default(""), not null
-#  downloads                 :integer          default("0"), not null
-#  author_id                 :integer          default("0"), not null
-#  created_on                :datetime
-#  description               :text(65535)
-#  disk_directory            :string(255)
-#  attachtype                :integer          default("1")
-#  is_public                 :integer          default("1")
-#  copy_from                 :integer
-#  quotes                    :integer          default("0")
-#  is_publish                :integer          default("1")
-#  publish_time              :datetime
-#  resource_bank_id          :integer
-#  unified_setting           :boolean          default("1")
-#  cloud_url                 :string(255)      default("")
-#  course_second_category_id :integer          default("0")
-#  delay_publish             :boolean          default("0")
-#  memo_image                :boolean          default("0")
-#  extra_type                :integer          default("0")
-#
-# Indexes
-#
-#  index_attachments_on_author_id                        (author_id)
-#  index_attachments_on_container_id_and_container_type  (container_id,container_type)
-#  index_attachments_on_course_second_category_id        (course_second_category_id)
-#  index_attachments_on_created_on                       (created_on)
-#  index_attachments_on_is_public                        (is_public)
-#  index_attachments_on_quotes                           (quotes)
-#
-
+# == Schema Information
+#
+# Table name: attachments
+#
+#  id                        :integer          not null, primary key
+#  container_id              :integer
+#  container_type            :string(30)
+#  filename                  :string(255)      default(""), not null
+#  disk_filename             :string(255)      default(""), not null
+#  filesize                  :integer          default("0"), not null
+#  content_type              :string(255)      default("")
+#  digest                    :string(60)       default(""), not null
+#  downloads                 :integer          default("0"), not null
+#  author_id                 :integer          default("0"), not null
+#  created_on                :datetime
+#  description               :text(65535)
+#  disk_directory            :string(255)
+#  attachtype                :integer          default("1")
+#  is_public                 :integer          default("1")
+#  copy_from                 :integer
+#  quotes                    :integer          default("0")
+#  is_publish                :integer          default("1")
+#  publish_time              :datetime
+#  resource_bank_id          :integer
+#  unified_setting           :boolean          default("1")
+#  cloud_url                 :string(255)      default("")
+#  course_second_category_id :integer          default("0")
+#  delay_publish             :boolean          default("0")
+#  memo_image                :boolean          default("0")
+#  extra_type                :integer          default("0")
+#  uuid                      :string(255)
+#
+# Indexes
+#
+#  index_attachments_on_author_id                        (author_id)
+#  index_attachments_on_container_id_and_container_type  (container_id,container_type)
+#  index_attachments_on_course_second_category_id        (course_second_category_id)
+#  index_attachments_on_created_on                       (created_on)
+#  index_attachments_on_is_public                        (is_public)
+#  index_attachments_on_quotes                           (quotes)
+#
+



@@ -97,6 +98,11 @@ class Attachment < ApplicationRecord
    downloads
  end

+  def generate_uuid
+    self.uuid = uuid || SecureRandom.uuid
+    save!
+  end
+
  def quotes_count
    quotes.nil? ? 0 : quotes
  end
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -224,13 +224,23 @@ class Issue < ApplicationRecord

  # 关附件到功能
  def associate_attachment_container
+    return if self.project_id == 0
    att_ids = []
    # 附件的格式为（/api/attachments/ + 附件id）的形式，提取出id进行附件属性关联，做附件访问权限控制
    att_ids += self.description.to_s.scan(/\(\/api\/attachments\/.+\)/).map{|s|s.match(/\d+/)[0]}
    att_ids += self.description.to_s.scan(/\/api\/attachments\/.+\"/).map{|s|s.match(/\d+/)[0]}
    att_ids += self.description.to_s.scan(/\/api\/attachments\/\d+/).map{|s|s.match(/\d+/)[0]}
    if att_ids.present?
-      Attachment.where(id: att_ids).where("container_type IS NULL OR container_type = 'Issue'").update_all(container_id: self.project_id, container_type: "Project")
+      Attachment.where(id: att_ids).where("container_type IS NULL OR container_type = 'Issue'").update_all(container_id: self.project_id, container_type: 'Project')
+    end
+
+    att_ids2 = []
+    # uuid_regex= /[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/
+    # 附件的格式为（/api/attachments/ + uuid）的形式，提取出id进行附件属性关联，做附件访问权限控制
+    att_ids2 += self.description.to_s.scan(/\(\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\)/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
+    att_ids2 += self.description.to_s.scan(/\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
+    if att_ids2.present?
+      Attachment.where(uuid: att_ids2).where("container_type IS NULL OR container_type = 'Issue'").update_all(container_id: self.project_id, container_type: 'Project')
    end
  end

--- a/app/models/journal.rb
+++ b/app/models/journal.rb
@@ -61,6 +61,7 @@ class Journal < ApplicationRecord

  # 关附件到功能
  def associate_attachment_container
+    return if self.issue&.project_id.to_i == 0
    att_ids = []
    # 附件的格式为（/api/attachments/ + 附件id）的形式，提取出id进行附件属性关联，做附件访问权限控制
    att_ids += self.notes.to_s.scan(/\(\/api\/attachments\/.+\)/).map{|s|s.match(/\d+/)[0]}
@@ -69,6 +70,15 @@ class Journal < ApplicationRecord
    if att_ids.present?
      Attachment.where(id: att_ids).where("container_type IS NULL OR container_type = 'Journal'").update_all(container_id: self.issue.project_id, container_type: "Project")
    end
+
+    att_ids2 = []
+    # uuid_regex= /[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/
+    # 附件的格式为（/api/attachments/ + uuid）的形式，提取出id进行附件属性关联，做附件访问权限控制
+    att_ids2 += self.notes.to_s.scan(/\(\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\)/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
+    att_ids2 += self.notes.to_s.scan(/\/api\/attachments\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/).map{|s|s.match(/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/)[0]}
+    if att_ids2.present?
+      Attachment.where(uuid: att_ids).where("container_type IS NULL OR container_type = 'Journal'").update_all(container_id: self.issue.project_id, container_type: "Project")
+    end
  end

  def operate_content