
!405 1,文件上传校验真实文件类型
Merge pull request !405 from 适可而止/next

zuohuaijun vor 3 Jahren
Ursprung
Commit
bdff7054ec

+ 1 - 0
Admin.NET/Admin.NET.Core/Admin.NET.Core.csproj

@@ -39,6 +39,7 @@
     <PackageReference Include="System.Linq.Dynamic.Core" Version="1.2.19" />
     <PackageReference Include="UAParser" Version="3.1.47" />
     <PackageReference Include="Yitter.IdGenerator" Version="1.0.14" />
+    <PackageReference Include="Masuit.Tools.Core" Version="2.5.4" />
   </ItemGroup>
 
   <ItemGroup>

+ 16 - 1
Admin.NET/Admin.NET.Core/Service/File/SysFileService.cs

@@ -1,3 +1,4 @@
+using Masuit.Tools.Files.FileDetector;
 using OnceMi.AspNetCore.OSS;
 
 namespace Admin.NET.Core.Service;
@@ -209,8 +210,22 @@ public class SysFileService : IDynamicApiController, ITransient
             var filePath = Path.Combine(App.WebHostEnvironment.WebRootPath, path);
             if (!Directory.Exists(filePath))
                 Directory.CreateDirectory(filePath);
-            using var stream = File.Create(Path.Combine(filePath, finalName));
+
+            var realFile = Path.Combine(filePath, finalName);
+            await using var stream = File.Create(realFile);
             await file.CopyToAsync(stream);
+            var detector = stream.DetectFiletype();
+            var realExt = detector.Extension;//真实扩展名
+
+            // 二次校验扩展名
+            if (!string.Equals(realExt, suffix.Replace(".", ""), StringComparison.OrdinalIgnoreCase))
+            {
+                var delFilePath = Path.Combine(App.WebHostEnvironment.WebRootPath, realFile);
+                if (File.Exists(delFilePath))
+                    File.Delete(delFilePath);
+                throw Oops.Oh(ErrorCodeEnum.D8001);
+            }
+
             //生成外链
             newFile.Url = _commonService.GetFileUrl(newFile);
         }
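Review bot: The upload is written under `App.WebHostEnvironment.WebRootPath` before its type is checked, and the rejection path calls `File.Delete` while `stream` (an `await using var`, disposed only at end of scope) is still open; on Windows `File.Create` holds the file without sharing, so the delete would likely throw an `IOException` instead of `D8001` and leave the rejected file in the web root. `detector.Extension` is also dereferenced without a null check, which would fault if `DetectFiletype()` returns null for an unrecognised signature (not visible here; confirm against the library), and the detector is handed a stream positioned at its end after `CopyToAsync`. Checking the type on the upload stream before any file is created avoids all of these; the sketch below assumes `file` is an `IFormFile`, and the enclosing method starts and ends outside the hunk. A signature match only shows that content and extension agree, not that the content is harmless, so the allow-list applied to `suffix` remains the real gate.

```csharp
// … unchanged: filePath computation and Directory.CreateDirectory …

// Validate the content signature before anything is written under WebRootPath.
await using (var upload = file.OpenReadStream())
{
    var realExt = upload.DetectFiletype()?.Extension; // null-safe if the signature is not recognised
    if (!string.Equals(realExt, suffix.Replace(".", ""), StringComparison.OrdinalIgnoreCase))
        throw Oops.Oh(ErrorCodeEnum.D8001);
}

await using var stream = File.Create(Path.Combine(filePath, finalName));
await file.CopyToAsync(stream);

// … unchanged: newFile.Url assignment …
```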