安全漏洞和渗透修复

2025-08-27 10:24:12 +08:00 · 2025-08-27 10:24:12 +08:00 · ca4a805c5d
parent c79ade0cb8
commit ca4a805c5d
11 changed files with 5756 additions and 1517 deletions
--- a/src/main/java/com/bonus/boot/manager/basic/controller/SysLogController.java
+++ b/src/main/java/com/bonus/boot/manager/basic/controller/SysLogController.java
@ -35,6 +35,11 @@ public class SysLogController {
     */
    @RequestMapping(value = "/queryByPage")
    public String queryByPage(SysLogs sysLogs, @RequestParam("page") Integer page, @RequestParam("limit") Integer pageSize) {
        String username =  sysLogs.getUsername();
        // 用正则匹配“是否包含非法字符”（若匹配到，则说明有非法字符）
        if (username.matches(".*[^a-zA-Z0-9\u4e00-\u9fa5-].*")) {
            return "{\"code\":1 , \"msg\":\"操作人仅允许输入中英文、数字和连字符\"}";
        }
        int count =  sysLogDao.count(sysLogs);
        page = (page - 1) * pageSize;
        List<SysLogs> list = this.sysLogDao.queryAllByLimit(sysLogs, page, pageSize);
--- a/src/main/java/com/bonus/boot/manager/manager/config/BnsSecurityConfig.java
+++ b/src/main/java/com/bonus/boot/manager/manager/config/BnsSecurityConfig.java
@ -16,10 +16,11 @@ import org.springframework.security.web.authentication.AuthenticationFailureHand
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 import org.springframework.web.cors.CorsConfigurationSource;
 /**
 * spring security配置
- * 
+ *
 */
@EnableGlobalMethodSecurity(prePostEnabled = true)
 public class BnsSecurityConfig extends WebSecurityConfigurerAdapter {
@ -37,6 +38,9 @@ public class BnsSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Autowired
 	private TokenFilter tokenFilter;
 	@Autowired
 	private CorsConfigurationSource corsConfigurationSource;
 	@Bean
 	public BCryptPasswordEncoder bCryptPasswordEncoder() {
 		return new BCryptPasswordEncoder();
@ -45,7 +49,8 @@ public class BnsSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http.csrf().disable();
-
+		// 使用新的跨域配置
 		http.cors(cors -> cors.configurationSource(corsConfigurationSource));
 		// 基于token，所以不需要session
 		http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
--- a/src/main/java/com/bonus/boot/manager/manager/config/CorsConfig.java
+++ b/src/main/java/com/bonus/boot/manager/manager/config/CorsConfig.java
@ -0,0 +1,89 @@
 package com.bonus.boot.manager.manager.config;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import java.util.Arrays;
 import java.util.List;
 /**
 * 跨域配置类
 * 解决前后端不分离项目的跨域问题
 */
@Configuration
 public class CorsConfig implements WebMvcConfigurer {
    @Value("${cors.allowed-origins}")
    private String allowedOrigins;
    @Value("${cors.allowed-methods}")
    private String allowedMethods;
    @Value("${cors.allowed-headers}")
    private String allowedHeaders;
    @Value("${cors.allow-credentials}")
    private boolean allowCredentials;
    @Value("${cors.max-age}")
    private long maxAge;
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOriginPatterns(getAllowedOriginPatterns().toArray(new String[0]))
                .allowedMethods(getAllowedMethodArray())
                .allowedHeaders(getAllowedHeaderArray())
                .allowCredentials(allowCredentials)
                .maxAge(maxAge)
                .exposedHeaders("Content-Length", "Content-Type", "Token", "Authorization");
    }
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOriginPatterns(getAllowedOriginPatterns());
        configuration.setAllowedMethods(Arrays.asList(getAllowedMethodArray()));
        configuration.setAllowedHeaders(Arrays.asList(getAllowedHeaderArray()));
        configuration.setExposedHeaders(Arrays.asList("Content-Length", "Content-Type", "Token", "Authorization"));
        configuration.setAllowCredentials(allowCredentials);
        configuration.setMaxAge(maxAge);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // 统一仅注册一套白名单策略，避免出现“*”
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
    private List<String> getAllowedOriginPatterns() {
        if (allowedOrigins == null || allowedOrigins.trim().isEmpty()) {
            return Arrays.asList(
                    "http://localhost:*",
                    "http://127.0.0.1:*",
                    "http://192.168.*.*:*",
                    "http://10.*.*.*:*"
            );
        }
        return Arrays.asList(allowedOrigins.split(","));
    }
    private String[] getAllowedMethodArray() {
        if (allowedMethods == null || allowedMethods.trim().isEmpty()) {
            return new String[]{"GET", "POST", "PUT", "DELETE", "OPTIONS"};
        }
        return allowedMethods.split(",");
    }
    private String[] getAllowedHeaderArray() {
        if (allowedHeaders == null || allowedHeaders.trim().isEmpty()) {
            return new String[]{"Content-Type", "X-Requested-With", "Token", "Authorization", "X-Custom-Header"};
        }
        return allowedHeaders.split(",");
    }
 }
--- a/src/main/java/com/bonus/boot/manager/manager/config/SecurityHeadersFilter.java
+++ b/src/main/java/com/bonus/boot/manager/manager/config/SecurityHeadersFilter.java
@ -0,0 +1,71 @@
 package com.bonus.boot.manager.manager.config;
 import org.springframework.core.annotation.Order;
 import org.springframework.stereotype.Component;
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 /**
 * 额外的安全头过滤器
 * 用于设置更多的安全相关头信息
 */
@Component
@Order(2)
 public class SecurityHeadersFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // 设置额外的安全头
        setAdditionalSecurityHeaders(httpRequest, httpResponse);
        chain.doFilter(request, response);
    }
    private void setAdditionalSecurityHeaders(HttpServletRequest request, HttpServletResponse response) {
        // 1) 缓存控制
        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Expires", "0");
        // 2) IE下载策略
        response.setHeader("X-Download-Options", "noopen");
        // 3) 跨域策略（条件化设置）
        if (isPotentiallyTrustworthy(request)) {
            response.setHeader("Cross-Origin-Opener-Policy", "same-origin");
            response.setHeader("Cross-Origin-Resource-Policy", "same-origin");
            response.setHeader("Cross-Origin-Embedder-Policy", "require-corp");
        } else {
            response.setHeader("Cross-Origin-Opener-Policy", "");
            response.setHeader("Cross-Origin-Resource-Policy", "");
            response.setHeader("Cross-Origin-Embedder-Policy", "");
        }
        // 4) 不再设置已废弃的 Feature-Policy，避免与 Permissions-Policy 冲突
        // Permissions-Policy 已在 CspFilter 中统一设置
    }
    private boolean isPotentiallyTrustworthy(HttpServletRequest request) {
        boolean isSecure = request.isSecure();
        String forwardedProto = request.getHeader("X-Forwarded-Proto");
        if (!isSecure && forwardedProto != null) {
            isSecure = "https".equalsIgnoreCase(forwardedProto);
        }
        String host = request.getServerName();
        boolean isLocalhost = "localhost".equalsIgnoreCase(host) || "127.0.0.1".equals(host);
        return isSecure || isLocalhost;
    }
    @Override
    public void destroy() {
        // 清理资源
    }
 }
--- a/src/main/java/com/bonus/boot/manager/manager/config/WebMvcConfig.java
+++ b/src/main/java/com/bonus/boot/manager/manager/config/WebMvcConfig.java
@ -19,10 +19,10 @@ public class WebMvcConfig implements WebMvcConfigurer {
 	/**
 	 * 跨域支持
-	 * 
+	 *
 	 * @return
 	 */
-	@Bean
+	/*@Bean
 	public WebMvcConfigurer corsConfigurer() {
 		return new WebMvcConfigurer() {
 			@Override
@ -30,11 +30,11 @@ public class WebMvcConfig implements WebMvcConfigurer {
 				registry.addMapping("/**").allowedMethods("*");
 			}
 		};
-	}
+	}*/
 	/**
 	 * datatable分页解析
-	 * 
+	 *
 	 * @return
 	 */
 	@Bean
--- a/src/main/java/com/bonus/boot/manager/manager/controller/UserController.java
+++ b/src/main/java/com/bonus/boot/manager/manager/controller/UserController.java
@ -119,7 +119,10 @@ public class UserController {
 	@ApiOperation(value = "当前登录用户")
 	@GetMapping("/current")
 	public SysUser currentUser() {
-		return UserUtil.getLoginUser();
+		//置空password
 		SysUser sysUser = UserUtil.getLoginUser();
 		sysUser.setPassword(null);
 		return sysUser;
 	}
 	@GetMapping("/getTokenKey")
@ -155,7 +158,7 @@ public class UserController {
 	}
 /**-------------------------------------------以上为老代码,以下为layui新页面所使用的方法-----------------------------------------------------------------*/
-	
+
 	@LogAnnotation
 	@PostMapping("getMsgContent")
 	@ApiOperation(value = "用户管理-列表")
--- a/src/main/java/com/bonus/boot/manager/manager/filter/TokenFilter.java
+++ b/src/main/java/com/bonus/boot/manager/manager/filter/TokenFilter.java
@ -2,8 +2,7 @@ package com.bonus.boot.manager.manager.filter;
 import java.io.IOException;
-import javax.servlet.FilterChain;
+import javax.servlet.*;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@ -22,7 +21,7 @@ import com.bonus.boot.manager.manager.entity.LoginUser;
 * Token过滤器
 */
@Component
-public class TokenFilter extends OncePerRequestFilter {
+public class TokenFilter extends OncePerRequestFilter implements Filter {
 	public static final String TOKEN_KEY = "token";
@ -45,14 +44,18 @@ public class TokenFilter extends OncePerRequestFilter {
 				SecurityContextHolder.getContext().setAuthentication(authentication);
 			}
 		}
-
+		// 在这里设置 CSP 头或其他过滤逻辑
 		response.setHeader(
 				"Content-Security-Policy",
 				"default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline';"
 		);
 		filterChain.doFilter(request, response);
 	}
 	/**
 	 * 校验时间<br>
 	 * 过期时间与当前时间对比，临近过期10分钟内的话，自动刷新缓存
-	 * 
+	 *
 	 * @param loginUser
 	 * @return
 	 */
@ -70,7 +73,7 @@ public class TokenFilter extends OncePerRequestFilter {
 	/**
 	 * 根据参数或者header获取token
-	 * 
+	 *
 	 * @param request
 	 * @return
 	 */
@ -82,5 +85,4 @@ public class TokenFilter extends OncePerRequestFilter {
 		return token;
 	}
 }
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@ -1,5 +1,5 @@
 #\u8BBF\u95EE\u7AEF\u53E3
-#\u6B63\u5F0F\u7AEF\u53E3 
+#\u6B63\u5F0F\u7AEF\u53E3
 #server.port=18088
 #\u672C\u5730\u7AEF\u53E3
 server.port=18088
@ -73,4 +73,31 @@ files.path=/data/yn
 #\u672C\u5730
 #files.url=http://192.168.0.110:18088/YSpeaManager/statics
 #files.path=d:\\data\\yn
-#files.upload=d:\\files
+#files.upload=d:\\files
 # \u8DE8\u57DF\u914D\u7F6E
 # \u5141\u8BB8\u7684\u6E90\uFF08\u591A\u4E2A\u7528\u9017\u53F7\u5206\u9694\uFF09
 cors.allowed-origins=http://localhost:1616,http://127.0.0.1:1616,http://192.168.0.39:1616,http://192.168.0.14:1616,http://112.29.103.165:1616
 # \u5141\u8BB8\u7684HTTP\u65B9\u6CD5
 cors.allowed-methods=GET,POST,PUT,DELETE,OPTIONS
 # \u5141\u8BB8\u7684\u8BF7\u6C42\u5934
 cors.allowed-headers=Content-Type,X-Requested-With,Token,Authorization,X-Custom-Header
 # \u662F\u5426\u5141\u8BB8\u643A\u5E26\u8BA4\u8BC1\u4FE1\u606F
 cors.allow-credentials=true
 # \u9884\u68C0\u8BF7\u6C42\u7F13\u5B58\u65F6\u95F4\uFF08\u79D2\uFF09
 cors.max-age=3600
 # \u5B89\u5168\u5934\u914D\u7F6E
 # \u662F\u5426\u542F\u7528\u4E25\u683C\u7684\u5B89\u5168\u5934
 security.headers.strict=true
 # \u662F\u5426\u542F\u7528HSTS\uFF08HTTP\u4E25\u683C\u4F20\u8F93\u5B89\u5168\uFF09
 security.hsts.enabled=true
 # \u662F\u5426\u6E05\u9664\u670D\u52A1\u5668\u4FE1\u606F\u5934
 security.headers.clear-server-info=true
 management.endpoint.caches.enabled=false
--- a/src/main/resources/static/js/jedate/moment.min.js
+++ b/src/main/resources/static/js/jedate/moment.min.js
--- a/src/main/resources/static/js/jquery/jquery-1.10.2.min.js
+++ b/src/main/resources/static/js/jquery/jquery-1.10.2.min.js
--- a/src/main/resources/static/js/libs/jquery-2.1.1.min.js
+++ b/src/main/resources/static/js/libs/jquery-2.1.1.min.js