安全扫描修复

gaowdong 2025-06-25 14:30:48 +08:00
parent 1403165f3e
commit 3214250e09
5 changed files with 88 additions and 4 deletions


@ -4,6 +4,7 @@ import com.alibaba.fastjson.JSONObject;
import com.bonus.auth.config.LoginType; import com.bonus.auth.config.LoginType;
import com.bonus.auth.factory.LoginStrategyFactory; import com.bonus.auth.factory.LoginStrategyFactory;
import com.bonus.auth.form.LoginBody; import com.bonus.auth.form.LoginBody;
import com.bonus.auth.form.LoginIsAdminBody;
import com.bonus.auth.form.RegisterBody; import com.bonus.auth.form.RegisterBody;
import com.bonus.auth.service.*; import com.bonus.auth.service.*;
import com.bonus.common.core.constant.CacheConstants; import com.bonus.common.core.constant.CacheConstants;
@ -92,7 +93,7 @@ public class TokenController {
private String iwsH5Url; private String iwsH5Url;
@PostMapping("isAdmin") @PostMapping("isAdmin")
public R<?> isAdmin(@RequestBody LoginBody form) { public R<?> isAdmin(@RequestBody LoginIsAdminBody form) {
if (!config.isAdmin()) { if (!config.isAdmin()) {
return R.ok(false); return R.ok(false);
} }
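Review bot: Nothing on `isAdmin` (L22) records why the request body was narrowed from `LoginBody` to `LoginIsAdminBody`, so the intent of this change is invisible to the next maintainer and easy to revert; add a Javadoc such as `/** Admin check. Binds only username/password on purpose: the remaining LoginBody fields must not be client-supplied on this endpoint. */`. The body of `isAdmin` continues outside the hunk; if it still reads a field that `LoginIsAdminBody` does not declare the compiler will catch it, but confirm the admin decision itself did not depend on one of the dropped fields. `LoginIsAdminBody` carries no validation annotations, so an empty username or password reaches the service layer unchanged; if `LoginBody` validated these, the new type should too.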

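--- /dev/null
+++ b/PATH-NOT-SHOWN/LoginIsAdminBody.java
@@ -0,0 +1,23 @@
+package com.bonus.auth.form;
+import com.bonus.auth.config.LoginType;
+import com.bonus.auth.config.VerificationCodeType;
+import lombok.Data;
+/**
+* 用户登录对象
+*
+* @author bonus
+*/
+@Data
+public class LoginIsAdminBody {
+/**
+* 用户名
+*/
+private String username;
+/**
+* 用户密码
+*/
+private String password;
+}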
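Review bot: `@Data` on `LoginIsAdminBody` (L39) generates a `toString()` that includes `password`, so any log line, exception message or debug dump that prints the form leaks the credential; annotate the field with `@ToString.Exclude` (Lombok), or use `@Getter`/`@Setter` instead of `@Data` so no `toString()` is generated. The imports of `LoginType` and `VerificationCodeType` at L31–L32 are unused here and appear to be copied from `LoginBody`; remove them. The class Javadoc `用户登录对象` was copied as well and no longer describes this type; replace it with `/** Request body for the isAdmin check: username and password only. */`.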

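--- a/PATH-NOT-SHOWN/TableSupport.java
+++ b/PATH-NOT-SHOWN/TableSupport.java
@@ -1,7 +1,9 @@
 package com.bonus.common.core.web.page;
+import com.bonus.common.core.exception.ServiceException;
 import com.bonus.common.core.text.Convert;
 import com.bonus.common.core.utils.ServletUtils;
+import com.bonus.common.core.utils.StringUtils;
 /**
 * 表格数据处理
@@ -41,6 +43,7 @@ public class TableSupport
 */
 public static PageDomain getPageDomain()
 {
+isValidPageParams(PAGE_SIZE, PAGE_NUM);
 PageDomain pageDomain = new PageDomain();
 pageDomain.setPageNum(Convert.toInt(ServletUtils.getParameter(PAGE_NUM), 1));
 pageDomain.setPageSize(Convert.toInt(ServletUtils.getParameter(PAGE_SIZE), 10));
@@ -54,4 +57,18 @@ public class TableSupport
 {
 return getPageDomain();
 }
+public static void isValidPageParams(String... paramNames) {
+for(String paramName : paramNames) {
+String valueStr = ServletUtils.getParameter(paramName);
+if (StringUtils.isNotBlank(valueStr)) {
+try {
+Integer.parseInt(valueStr.trim());
+} catch (NumberFormatException e) {
+throw new ServiceException("无效的分页参数");
+}
+}
+}
+}
 }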
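Review bot: `isValidPageParams` (L73–L84) only checks that each parameter parses as an `int`, so `pageNum=-1`, `pageSize=0` or `pageSize=2147483647` still pass and reach `Convert.toInt` and the paging layer, where an unbounded page size is the usual resource-exhaustion path; keep the parsed value and bound it, e.g. `int value = Integer.parseInt(valueStr.trim());` followed by `if (value <= 0 || value > MAX_PAGE_PARAM) { throw new ServiceException("无效的分页参数"); }` with `MAX_PAGE_PARAM` being a constant the project picks (placeholder name). The `is…` prefix promises a boolean, but the method returns `void` and throws; `validatePageParams` says what it does, and since the method is new in this commit with its single caller at L65, the rename is cheap. It is also declared `public` although only this class calls it; `private` (or package-private) keeps the validation from becoming an accidental API.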

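--- a/PATH-NOT-SHOWN/GlobalCorsConfig.java
+++ b/PATH-NOT-SHOWN/GlobalCorsConfig.java
@@ -1,5 +1,8 @@
 package com.bonus.gateway.config;
+import cn.hutool.core.collection.CollUtil;
+import com.bonus.gateway.config.properties.CorsProperties;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
@@ -12,6 +15,8 @@ import org.springframework.web.util.pattern.PathPatternParser;
 */
 @Configuration
 public class GlobalCorsConfig {
+@Autowired
+private CorsProperties corsProperties;
 @Bean
 public CorsWebFilter corsFilter() {
 // 创建一个新的CorsConfiguration对象用于配置跨域请求
@@ -19,9 +24,15 @@ public class GlobalCorsConfig {
 // 允许所有的HTTP请求方法GET, POST, PUT, DELETE等
 config.addAllowedMethod("*");
 // 允许所有的域名发起的请求 比如http://localhost:8080
+if(CollUtil.isNotEmpty(corsProperties.getAllowedOrigins())) {
+for(String cors : corsProperties.getAllowedOrigins()) {
+config.addAllowedOrigin(cors);
+}
+}else {
 config.addAllowedOrigin("*");
 // 允许所有的域名发起的请求支持正则表达式 比如http://localhost:8080
 config.addAllowedOriginPattern("*");
+}
 // 允许所有的请求头部信息 比如tokenContent-Type
 config.addAllowedHeader("*");
 // 创建一个UrlBasedCorsConfigurationSource对象并使用PathPatternParser进行路径匹配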
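Review bot: The `else` branch at L114–L118 restores `addAllowedOrigin("*")` and `addAllowedOriginPattern("*")` whenever `security.cors.allowedOrigins` is empty, so a missing, mistyped or not-yet-refreshed property silently re-enables the any-origin policy this commit is meant to remove. Prefer failing closed: when no origins are configured, add none (the filter then refuses cross-origin requests) and emit a startup warning, `log.warn("security.cors.allowedOrigins is empty; no cross-origin requests will be accepted");` — if a wildcard is wanted for local development, gate it on a profile rather than on the absence of configuration. `corsFilter` continues past the hunk; if that part calls `setAllowCredentials(true)`, Spring rejects a literal `*` origin combined with credentials while the pattern form is accepted, so the fallback's behaviour differs from what the comment on L109 suggests — confirm against the rest of the method. The `@Autowired` field at L101–L102 would read better as constructor injection (`private final CorsProperties corsProperties;` plus a constructor), which also makes the bean testable without a Spring context.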

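--- /dev/null
+++ b/PATH-NOT-SHOWN/CorsProperties.java
@@ -0,0 +1,32 @@
+package com.bonus.gateway.config.properties;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.cloud.context.config.annotation.RefreshScope;
+import org.springframework.context.annotation.Configuration;
+import java.util.ArrayList;
+import java.util.List;
+/**
+* XSS跨站脚本配置
+*
+* @author bonus
+*/
+@Configuration
+@RefreshScope
+@ConfigurationProperties(prefix = "security.cors")
+public class CorsProperties
+{
+/**
+* 合法源
+*/
+private List<String> allowedOrigins = new ArrayList<>();
+public List<String> getAllowedOrigins() {
+return allowedOrigins;
+}
+public void setAllowedOrigins(List<String> allowedOrigins) {
+this.allowedOrigins = allowedOrigins;
+}
+}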
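Review bot: The class Javadoc at L133 says `XSS跨站脚本配置` (XSS configuration), but the class holds the CORS origin allow-list bound from `security.cors`; replace it with `/** CORS configuration: origins the gateway accepts cross-origin requests from (security.cors.allowedOrigins). */` so someone auditing the CORS policy can find it. `@Configuration` (L137) on a plain properties holder works but is unusual; `@Component`, or registering the class through `@EnableConfigurationProperties` on the consuming config, states the intent more plainly. `getAllowedOrigins` (L146) hands out the live mutable list; the only consumer in this commit just iterates it, but returning `Collections.unmodifiableList(allowedOrigins)` would stop any future caller from widening the allow-list at runtime.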