修复渗透测试漏洞

2024-11-05 09:03:42 +08:00 · 2024-11-05 09:03:42 +08:00 · 1fb44349dd
parent 0b184bb2c5
commit 1fb44349dd
2 changed files with 9 additions and 11 deletions
--- a/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/interceptor/ParamSecureHandler.java
+++ b/bonus-common/bonus-common-security/src/main/java/com/bonus/common/security/interceptor/ParamSecureHandler.java
@ -24,8 +24,8 @@ import static org.springframework.http.MediaType.MULTIPART_FORM_DATA_VALUE;
@Slf4j
 public class ParamSecureHandler implements AsyncHandlerInterceptor {

-    private static String OPERLOG_URL = "/operlog/addLogs";
-    private static final String REGISTER = "/user/register";
+    private static final String [] WHITE_URL = {
+            "/login", "/isAdmin", "/isLogin", "/register","/operlog/addLogs"};
    private String rnd = null;

    public static String ur = "/";
@ -54,15 +54,9 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {

        XssRequestWrapper requestWrapper = new XssRequestWrapper(request);
        String requestUrl = requestWrapper.getRequestURI();
-        if (OPERLOG_URL.equals(requestUrl)) {
+        if (isWhiteUrl(requestUrl)){
            return true;
        }
-        if (REGISTER.equals(requestUrl)) {
-            return true;
-        }
-//        if (RECOGNITION.equals(requestUrl)) {
-//            return true;
-//        }
        /**
         * 白名单中不验证参数
         */
@ -86,7 +80,7 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
         */
        String readerParam = requestWrapper.getReaderParam();
        // 判断是否是文件上传，是不对流参数进行验证
-        String uplFile = "uploadFile", upImage = "uploadImage";
+        String uplFile = "/upload", upImage = "/uploadFiles";
        if (!requestUrl.contains(uplFile) && !requestUrl.contains(upImage)) {
            boolean checkReader = checkReader(readerParam, requestUrl);
            if (!checkReader) {
@ -232,4 +226,8 @@ public class ParamSecureHandler implements AsyncHandlerInterceptor {
            throws Exception {
        SecurityContextHolder.remove();
    }
+
+    private boolean isWhiteUrl(String requestUrl) {
+        return Arrays.asList(WHITE_URL).contains(requestUrl);
+    }
 }
--- a/bonus-common/bonus-common-security/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
+++ b/bonus-common/bonus-common-security/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
@ -1,4 +1,4 @@
-#com.bonus.common.security.config.MyFilter
+com.bonus.common.security.config.MyFilter
 com.bonus.common.security.config.WebMvcConfig
 com.bonus.common.security.config.VerificationCodeConfig
 com.bonus.common.security.service.TokenService