🐛 Uncontrolled data used in path expression (#11822)

https://github.com/alibaba/nacos/issues/11821

common/src/main/java/com/alibaba/nacos/common/utils/StringUtils.java

@@ -48,11 +48,11 @@ public class StringUtils {
     
     private static final String[] EMPTY_STRING_ARRAY = {};
     
-    private static final String TOP_PATH = "..";
+    public static final String TOP_PATH = "..";
     
-    private static final String FOLDER_SEPARATOR = "/";
+    public static final String FOLDER_SEPARATOR = "/";
     
-    private static final String WINDOWS_FOLDER_SEPARATOR = "\\";
+    public static final String WINDOWS_FOLDER_SEPARATOR = "\\";
     
     /**
      * <p>Create a string with encoding format as utf8.</p>

console/src/main/java/com/alibaba/nacos/console/controller/ServerStateController.java

@@ -34,6 +34,10 @@ import java.io.File;
 import java.util.HashMap;
 import java.util.Map;
 
+import static com.alibaba.nacos.common.utils.StringUtils.FOLDER_SEPARATOR;
+import static com.alibaba.nacos.common.utils.StringUtils.TOP_PATH;
+import static com.alibaba.nacos.common.utils.StringUtils.WINDOWS_FOLDER_SEPARATOR;
+
 /**
  * Server state controller.
  *
@@ -66,6 +70,9 @@ public class ServerStateController {
     public RestResult<String> getAnnouncement(
             @RequestParam(required = false, name = "language", defaultValue = "zh-CN") String language) {
         String file = ANNOUNCEMENT_FILE.substring(0, ANNOUNCEMENT_FILE.length() - 5) + "_" + language + ".conf";
+        if (file.contains(TOP_PATH) || file.contains(FOLDER_SEPARATOR) || file.contains(WINDOWS_FOLDER_SEPARATOR)) {
+            throw new IllegalArgumentException("Invalid filename");
+        }
         File announcementFile = new File(EnvUtil.getConfPath(), file);
         String announcement = null;
         if (announcementFile.exists() && announcementFile.isFile()) {