修复渗透测试漏洞

This commit is contained in:
weiweiw 2024-11-05 09:03:42 +08:00
parent 0b184bb2c5
commit 1fb44349dd
2 changed files with 9 additions and 11 deletions


@ -24,8 +24,8 @@ import static org.springframework.http.MediaType.MULTIPART_FORM_DATA_VALUE;
@Slf4j @Slf4j
public class ParamSecureHandler implements AsyncHandlerInterceptor { public class ParamSecureHandler implements AsyncHandlerInterceptor {
private static String OPERLOG_URL = "/operlog/addLogs"; private static final String [] WHITE_URL = {
private static final String REGISTER = "/user/register"; "/login", "/isAdmin", "/isLogin", "/register","/operlog/addLogs"};
private String rnd = null; private String rnd = null;
public static String ur = "/"; public static String ur = "/";
@ -54,15 +54,9 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
XssRequestWrapper requestWrapper = new XssRequestWrapper(request); XssRequestWrapper requestWrapper = new XssRequestWrapper(request);
String requestUrl = requestWrapper.getRequestURI(); String requestUrl = requestWrapper.getRequestURI();
if (OPERLOG_URL.equals(requestUrl)) { if (isWhiteUrl(requestUrl)){
return true; return true;
} }
if (REGISTER.equals(requestUrl)) {
return true;
}
// if (RECOGNITION.equals(requestUrl)) {
// return true;
// }
/** /**
* 白名单中不验证参数 * 白名单中不验证参数
*/ */
@ -86,7 +80,7 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
*/ */
String readerParam = requestWrapper.getReaderParam(); String readerParam = requestWrapper.getReaderParam();
// 判断是否是文件上传是不对流参数进行验证 // 判断是否是文件上传是不对流参数进行验证
String uplFile = "uploadFile", upImage = "uploadImage"; String uplFile = "/upload", upImage = "/uploadFiles";
if (!requestUrl.contains(uplFile) && !requestUrl.contains(upImage)) { if (!requestUrl.contains(uplFile) && !requestUrl.contains(upImage)) {
boolean checkReader = checkReader(readerParam, requestUrl); boolean checkReader = checkReader(readerParam, requestUrl);
if (!checkReader) { if (!checkReader) {
@ -232,4 +226,8 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
throws Exception { throws Exception {
SecurityContextHolder.remove(); SecurityContextHolder.remove();
} }
private boolean isWhiteUrl(String requestUrl) {
return Arrays.asList(WHITE_URL).contains(requestUrl);
}
} }
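Review bot: The upload exemption in the third hunk now skips `checkReader` for any request URI that merely contains the substring `/upload`, which is wider than the exact-match whitelist the same commit introduces in `isWhiteUrl`. Because `/upload` is a substring of `/uploadFiles`, the `upImage` test is redundant as written, and any other path containing that fragment also bypasses the body validation. Prefer an exact comparison consistent with the whitelist, e.g. `if (!uplFile.equals(requestUrl) && !upImage.equals(requestUrl)) {`, or, if the upload endpoints carry sub-paths, a `startsWith("/upload/")` check on a normalized path. Separately, `isWhiteUrl` builds a list on every request via `Arrays.asList` (which also needs `java.util.Arrays` imported above the first hunk); a `private static final Set<String>` would serve, and the `/register` entry replacing the old `/user/register` looks intentional but is worth confirming against the actual mapping. The enclosing method starts and ends outside these hunks.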


@ -1,4 +1,4 @@
#com.bonus.common.security.config.MyFilter com.bonus.common.security.config.MyFilter
com.bonus.common.security.config.WebMvcConfig com.bonus.common.security.config.WebMvcConfig
com.bonus.common.security.config.VerificationCodeConfig com.bonus.common.security.config.VerificationCodeConfig
com.bonus.common.security.service.TokenService com.bonus.common.security.service.TokenService