
fix #107 修复反射型xss

zhouhao 6 years ago
parent
commit
b72a2275ed

+ 9 - 0
hsweb-system/hsweb-system-workflow/hsweb-system-workflow-local/src/main/java/org/hswebframework/web/workflow/enums/ModelType.java

@@ -0,0 +1,9 @@
+package org.hswebframework.web.workflow.enums;
+
+/**
+ * @author zhouhao
+ * @since 3.0.5
+ */
+public enum ModelType {
+    bpmn, json
+}
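Review bot: The enum has no description of what it models or why its constants are lowercase, and lowercase constants depart from the usual `UPPER_SNAKE_CASE` convention. The controller in the second file binds this type from the `{type}` path variable, which presumably converts by exact constant name, so renaming them would change the accepted URL values; that intent should be stated rather than left for the next maintainer to "fix". Add a class Javadoc such as `/** Export formats accepted by the model export endpoint; constant names are lowercase because they are matched verbatim against the {type} path segment. */` above `public enum ModelType`.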

+ 37 - 42
hsweb-system/hsweb-system-workflow/hsweb-system-workflow-local/src/main/java/org/hswebframework/web/workflow/web/FlowableModelManagerController.java

@@ -8,6 +8,7 @@ import com.fasterxml.jackson.databind.node.ObjectNode;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
+import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.activiti.bpmn.converter.BpmnXMLConverter;
 import org.activiti.bpmn.model.BpmnModel;
@@ -33,6 +34,7 @@ import org.hswebframework.web.bean.FastBeanCopier;
 import org.hswebframework.web.commons.entity.PagerResult;
 import org.hswebframework.web.commons.entity.param.QueryParamEntity;
 import org.hswebframework.web.controller.message.ResponseMessage;
+import org.hswebframework.web.workflow.enums.ModelType;
 import org.hswebframework.web.workflow.util.QueryUtils;
 import org.hswebframework.web.workflow.web.request.ModelCreateRequest;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -132,58 +134,51 @@ public class FlowableModelManagerController {
     @GetMapping(value = "export/{modelId}/{type}")
     @ApiOperation("导出模型")
     @Authorize(action = "export")
+    @SneakyThrows
     public void export(@PathVariable("modelId") @ApiParam("模型ID") String modelId,
-                       @PathVariable("type") @ApiParam(value = "类型", allowableValues = "bpmn,json", example = "json") String type,
+                       @PathVariable("type") @ApiParam(value = "类型", allowableValues = "bpmn,json", example = "json")
+                               ModelType type,
                        @ApiParam(hidden = true) HttpServletResponse response) {
-        try {
-            Model modelData = repositoryService.getModel(modelId);
-            BpmnJsonConverter jsonConverter = new BpmnJsonConverter();
-            byte[] modelEditorSource = repositoryService.getModelEditorSource(modelData.getId());
-
-            JsonNode editorNode = new ObjectMapper().readTree(modelEditorSource);
-            BpmnModel bpmnModel = jsonConverter.convertToBpmnModel(editorNode);
-
-            // 处理异常
-            if (bpmnModel.getMainProcess() == null) {
-                response.setStatus(HttpStatus.UNPROCESSABLE_ENTITY.value());
-                response.getOutputStream().println("no main process, can't export for dimension: " + type);
-                response.flushBuffer();
-                return;
-            }
-
-            String filename = "";
-            byte[] exportBytes = null;
-
-            String mainProcessId = bpmnModel.getMainProcess().getId();
+        Model modelData = repositoryService.getModel(modelId);
+        if (modelData == null) {
+            throw new NotFoundException("模型不存在");
+        }
+        BpmnJsonConverter jsonConverter = new BpmnJsonConverter();
+        byte[] modelEditorSource = repositoryService.getModelEditorSource(modelData.getId());
 
-            if ("bpmn".equals(type)) {
+        JsonNode editorNode = new ObjectMapper().readTree(modelEditorSource);
+        BpmnModel bpmnModel = jsonConverter.convertToBpmnModel(editorNode);
 
-                BpmnXMLConverter xmlConverter = new BpmnXMLConverter();
-                exportBytes = xmlConverter.convertToXML(bpmnModel);
+        // 处理异常
+        if (bpmnModel.getMainProcess() == null) {
+            throw new UnsupportedOperationException("无法导出模型文件:" + type);
+        }
 
-                filename = mainProcessId + ".bpmn20.xml";
-            } else if ("json".equals(type)) {
+        String filename = "";
+        byte[] exportBytes = null;
 
-                exportBytes = modelEditorSource;
-                filename = mainProcessId + ".json";
+        String mainProcessId = bpmnModel.getMainProcess().getId();
 
-            } else {
-                throw new UnsupportedOperationException("不支持的格式:" + type);
-            }
+        if (type == ModelType.bpmn) {
+            BpmnXMLConverter xmlConverter = new BpmnXMLConverter();
+            exportBytes = xmlConverter.convertToXML(bpmnModel);
+            filename = mainProcessId + ".bpmn20.xml";
+        } else if (type == ModelType.json) {
+            exportBytes = modelEditorSource;
+            filename = mainProcessId + ".json";
 
-            response.setCharacterEncoding("UTF-8");
-            response.setContentType("application/octet-stream");
-            response.setHeader("Content-Disposition", "attachment; filename=" + URLEncoder.encode(filename, "UTF-8"));
+        } else {
+            throw new UnsupportedOperationException("不支持的格式:" + type);
+        }
 
-            /*创建输入流*/
-            try (ByteArrayInputStream in = new ByteArrayInputStream(exportBytes)) {
-                IOUtils.copy(in, response.getOutputStream());
-                response.flushBuffer();
-                in.close();
-            }
+        response.setCharacterEncoding("UTF-8");
+        response.setContentType("application/octet-stream");
+        response.setHeader("Content-Disposition", "attachment; filename=" + URLEncoder.encode(filename, "UTF-8"));
 
-        } catch (Exception e) {
-            log.error("导出model的xml文件失败:modelId={}, type={}", modelId, type, e);
+        /*创建输入流*/
+        try (ByteArrayInputStream in = new ByteArrayInputStream(exportBytes)) {
+            IOUtils.copy(in, response.getOutputStream());
+            response.flushBuffer();
         }
     }
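Review bot: `modelEditorSource` is handed straight to `readTree` after the `getModelEditorSource` call, so a model with no saved editor source (if that call can return null, as its name suggests — verify against the Activiti API) fails with an unexplained exception rather than the clean 404 the new `modelData == null` guard provides; add `if (modelEditorSource == null) { throw new NotFoundException("模型不存在"); }` right after it, mirroring that guard. With `type` now a `ModelType`, the trailing `else` branch is reachable only when `type` is null, so a `switch (type)` over the two constants would state the supported formats more directly than the `if`/`else if`/`else` chain. `@SneakyThrows` also drops the old `log.error(... modelId ..., e)`, so failures from `readTree` or `convertToXML` now surface without the `modelId` context; that is acceptable if a global handler logs them, but worth a one-line comment on the annotation. Since the exported bytes are still user-stored content, setting `response.setHeader("X-Content-Type-Options", "nosniff");` next to the `Content-Disposition` header is cheap defense-in-depth against browsers sniffing the download into a renderable type. The enclosing class continues past the end of this hunk.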