扫描漏洞解决

安全漏洞和渗透修复
2025-10-28 17:41:28 +08:00 · 2025-09-10 16:51:05 +08:00 · 2025-08-27 10:24:12 +08:00 · 2025-06-30 15:01:47 +08:00
20 changed files with 6029 additions and 1545 deletions
--- a/src/main/java/com/bonus/boot/manager/basic/controller/SysLogController.java
+++ b/src/main/java/com/bonus/boot/manager/basic/controller/SysLogController.java
@ -35,6 +35,11 @@ public class SysLogController {
     */
    @RequestMapping(value = "/queryByPage")
    public String queryByPage(SysLogs sysLogs, @RequestParam("page") Integer page, @RequestParam("limit") Integer pageSize) {
+        String username =  sysLogs.getUsername();
+        // 用正则匹配“是否包含非法字符”（若匹配到，则说明有非法字符）
+        if (username.matches(".*[^a-zA-Z0-9\u4e00-\u9fa5-].*")) {
+            return "{\"code\":1 , \"msg\":\"操作人仅允许输入中英文、数字和连字符\"}";
+        }
        int count =  sysLogDao.count(sysLogs);
        page = (page - 1) * pageSize;
        List<SysLogs> list = this.sysLogDao.queryAllByLimit(sysLogs, page, pageSize);
--- a/src/main/java/com/bonus/boot/manager/manager/config/BnsSecurityConfig.java
+++ b/src/main/java/com/bonus/boot/manager/manager/config/BnsSecurityConfig.java
@ -16,10 +16,11 @@ import org.springframework.security.web.authentication.AuthenticationFailureHand
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
+import org.springframework.web.cors.CorsConfigurationSource;

 /**
 * spring security配置
- * 
+ *
 */
@EnableGlobalMethodSecurity(prePostEnabled = true)
 public class BnsSecurityConfig extends WebSecurityConfigurerAdapter {
@ -37,6 +38,9 @@ public class BnsSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Autowired
 	private TokenFilter tokenFilter;

+	@Autowired
+	private CorsConfigurationSource corsConfigurationSource;
+
 	@Bean
 	public BCryptPasswordEncoder bCryptPasswordEncoder() {
 		return new BCryptPasswordEncoder();
@ -45,7 +49,8 @@ public class BnsSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 		http.csrf().disable();
-
+		// 使用新的跨域配置
+		http.cors(cors -> cors.configurationSource(corsConfigurationSource));
 		// 基于token，所以不需要session
 		http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);

@ -60,7 +65,7 @@ public class BnsSecurityConfig extends WebSecurityConfigurerAdapter {
 				.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
 		http.logout().logoutUrl("/logout").logoutSuccessHandler(logoutSuccessHandler);
 		// 解决不允许显示在iframe的问题
-		http.headers().frameOptions().disable();
+		//http.headers().frameOptions().disable();
 		http.headers().cacheControl();

 		http.addFilterBefore(tokenFilter, UsernamePasswordAuthenticationFilter.class);
--- a/src/main/java/com/bonus/boot/manager/manager/config/CorsConfig.java
+++ b/src/main/java/com/bonus/boot/manager/manager/config/CorsConfig.java
@ -0,0 +1,89 @@
+package com.bonus.boot.manager.manager.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * 跨域配置类
+ * 解决前后端不分离项目的跨域问题
+ */
+@Configuration
+public class CorsConfig implements WebMvcConfigurer {
+
+    @Value("${cors.allowed-origins}")
+    private String allowedOrigins;
+
+    @Value("${cors.allowed-methods}")
+    private String allowedMethods;
+
+    @Value("${cors.allowed-headers}")
+    private String allowedHeaders;
+
+    @Value("${cors.allow-credentials}")
+    private boolean allowCredentials;
+
+    @Value("${cors.max-age}")
+    private long maxAge;
+
+    @Override
+    public void addCorsMappings(CorsRegistry registry) {
+        registry.addMapping("/**")
+                .allowedOriginPatterns(getAllowedOriginPatterns().toArray(new String[0]))
+                .allowedMethods(getAllowedMethodArray())
+                .allowedHeaders(getAllowedHeaderArray())
+                .allowCredentials(allowCredentials)
+                .maxAge(maxAge)
+                .exposedHeaders("Content-Length", "Content-Type", "Token", "Authorization");
+    }
+
+    @Bean
+    public CorsConfigurationSource corsConfigurationSource() {
+        CorsConfiguration configuration = new CorsConfiguration();
+        configuration.setAllowedOriginPatterns(getAllowedOriginPatterns());
+        configuration.setAllowedMethods(Arrays.asList(getAllowedMethodArray()));
+        configuration.setAllowedHeaders(Arrays.asList(getAllowedHeaderArray()));
+        configuration.setExposedHeaders(Arrays.asList("Content-Length", "Content-Type", "Token", "Authorization"));
+        configuration.setAllowCredentials(allowCredentials);
+        configuration.setMaxAge(maxAge);
+
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        // 统一仅注册一套白名单策略，避免出现“*”
+        source.registerCorsConfiguration("/**", configuration);
+        return source;
+    }
+
+    private List<String> getAllowedOriginPatterns() {
+        if (allowedOrigins == null || allowedOrigins.trim().isEmpty()) {
+            return Arrays.asList(
+                    "http://localhost:*",
+                    "http://127.0.0.1:*",
+                    "http://192.168.*.*:*",
+                    "http://10.*.*.*:*"
+            );
+        }
+        return Arrays.asList(allowedOrigins.split(","));
+    }
+
+    private String[] getAllowedMethodArray() {
+        if (allowedMethods == null || allowedMethods.trim().isEmpty()) {
+            return new String[]{"GET", "POST", "PUT", "DELETE", "OPTIONS"};
+        }
+        return allowedMethods.split(",");
+    }
+
+    private String[] getAllowedHeaderArray() {
+        if (allowedHeaders == null || allowedHeaders.trim().isEmpty()) {
+            return new String[]{"Content-Type", "X-Requested-With", "Token", "Authorization", "X-Custom-Header"};
+        }
+        return allowedHeaders.split(",");
+    }
+}
--- a/src/main/java/com/bonus/boot/manager/manager/config/CspFilter.java
+++ b/src/main/java/com/bonus/boot/manager/manager/config/CspFilter.java
@ -0,0 +1,236 @@
+package com.bonus.boot.manager.manager.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+import java.util.List;
+import java.util.regex.Pattern;
+
+@Component
+@Order(1) // 确保过滤器优先级
+public class CspFilter implements Filter {
+
+    // 静态资源扩展名模式
+    private static final Pattern STATIC_RESOURCE_PATTERN = Pattern.compile(
+            ".*\\.(css|js|map|png|jpg|jpeg|gif|ico|svg|webp|bmp|" +
+                    "woff|woff2|ttf|eot|otf|pdf|txt|xml|json|" +
+                    "zip|rar|7z|tar|gz|mp4|mp3|wav|avi|mov|webm|" +
+                    "doc|docx|xls|xlsx|ppt|pptx)$",
+            Pattern.CASE_INSENSITIVE
+    );
+
+    // 静态资源路径前缀
+    private static final List<String> STATIC_PATH_PREFIXES = Arrays.asList(
+            "/static/", "/public/", "/resources/", "/assets/", "/css/", "/js/",
+            "/images/", "/img/", "/fonts/", "/webjars/", "/vendor/", "/dist/",
+            "/uploads/", "/downloads/", "/libs/", "/layui/"
+    );
+
+    // WebGL和3D地图相关页面路径
+    private static final List<String> WEBGL_PAGE_PATHS = Arrays.asList(
+            "/pages/synthesisQuery/digitalSignage.html",
+            "/pages/basic/lineManagement/child/setSpanTowerLonAndLat.html"
+    );
+
+    @Value("${spring.profiles.active:prod}")
+    private String activeProfile;
+
+    @Value("${csp.report-only:false}")
+    private boolean cspReportOnly;
+
+    @Value("${csp.allow-iframe:true}")
+    private boolean allowIframe;
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response,
+                         FilterChain chain) throws IOException, ServletException {
+
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+        String requestUri = httpRequest.getRequestURI();
+
+        // 设置所有必要的安全头
+        setSecurityHeaders(httpResponse, requestUri);
+
+        chain.doFilter(request, response);
+    }
+
+    private void setSecurityHeaders(HttpServletResponse response, String requestUri) {
+        // 1. 设置ClickJacking防护头（优先解决）
+        setClickJackingProtectionHeaders(response, requestUri);
+
+        // 2. 设置CSP头
+        setCspHeader(response, requestUri);
+
+        // 3. 设置其他安全头
+        setAdditionalSecurityHeaders(response);
+    }
+
+    private void setCspHeader(HttpServletResponse response, String requestUri) {
+        String cspPolicy;
+
+        if (isStaticResource(requestUri)) {
+            // 静态资源使用简单策略
+            cspPolicy = "default-src 'self'";
+        }
+        else if (isLoginPage(requestUri)) {
+            // 登录页面 - 使用安全的CSP策略，移除不安全的指令
+            String frameAncestors = allowIframe ? "'self'" : "'none'";
+
+            cspPolicy = "default-src 'self'; " +
+                    // 允许同源脚本和外部JavaScript库
+                    "script-src 'self' 'unsafe-inline' https:; " +
+                    // 只允许同源样式
+                    "style-src 'self' 'unsafe-inline' https:; " +
+                    // 只允许同源图片和数据URI
+                    "img-src 'self' data: blob: https:; " +
+                    // 只允许同源字体和数据URI
+                    "font-src 'self' data: https:; " +
+                    // 只允许同源连接
+                    "connect-src 'self' https:; " +
+                    "frame-ancestors " + frameAncestors + "; " +
+                    "form-action 'self'; " +
+                    "object-src 'none'; " +
+                    "base-uri 'self'; " +
+                    "report-uri /api/csp-violation";
+        }
+        else if (isWebglPage(requestUri)) {
+            // WebGL和3D地图页面 - 需要更宽松的策略支持WebGL、Worker等
+            String frameAncestors = allowIframe ? "'self'" : "'none'";
+
+            cspPolicy = "default-src 'self'; " +
+                    "script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data:; " +
+                    "style-src 'self' 'unsafe-inline' data: blob:; " +
+                    "img-src 'self' data: blob: https:; " +
+                    "font-src 'self' data: blob: https:; " +
+                    "connect-src 'self' https: blob: data: http://data.mars3d.cn; " +
+                    "frame-ancestors " + frameAncestors + "; " +
+                    "form-action 'self'; " +
+                    "object-src 'none'; " +
+                    "base-uri 'self'; " +
+                    "worker-src 'self' blob: data:; " +
+                    "child-src 'self' blob: data:; " +
+                    "report-uri /api/csp-violation"; // 移除 upgrade-insecure-requests，避免强制HTTPS
+        } else {
+            // 普通HTML页面 - 根据配置决定是否允许iframe
+            String frameAncestors = allowIframe ? "'self'" : "'none'";
+
+            cspPolicy = "default-src 'self'; " +
+                    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; " +
+                    "style-src 'self' 'unsafe-inline' https:; " +
+                    "img-src 'self' data: blob: https:; " +
+                    "font-src 'self' data: https:; " +
+                    "connect-src 'self' https:; " +
+                    "frame-ancestors " + frameAncestors + "; " +
+                    "form-action 'self'; " +
+                    "object-src 'none'; " +
+                    "base-uri 'self'; " +
+                    "report-uri /api/csp-violation"; // 移除 upgrade-insecure-requests，避免强制HTTPS
+        }
+
+        String headerName = cspReportOnly ?
+                "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
+
+        response.setHeader(headerName, cspPolicy);
+    }
+
+    private void setClickJackingProtectionHeaders(HttpServletResponse response, String requestUri) {
+        // 对于静态资源，使用宽松的ClickJacking防护
+        if (isStaticResource(requestUri)) {
+            response.setHeader("X-Frame-Options", "SAMEORIGIN");
+            return;
+        }
+
+        // 对于HTML页面，根据配置决定防护级别
+        if (allowIframe) {
+            response.setHeader("X-Frame-Options", "SAMEORIGIN");
+        } else {
+            response.setHeader("X-Frame-Options", "DENY");
+        }
+    }
+
+    private void setAdditionalSecurityHeaders(HttpServletResponse response) {
+        response.setHeader("X-Content-Type-Options", "nosniff");
+        response.setHeader("X-XSS-Protection", "1; mode=block");
+        response.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+        response.setHeader("Permissions-Policy",
+                "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=()");
+
+        // 注意：HSTS 只应在 HTTPS 部署下开启；当前未在此处强制设置
+        // 如需开启，请在 HTTPS 部署完成后，通过配置控制
+        // 例如：Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
+    }
+
+    private boolean isStaticResource(String uri) {
+        if (uri == null || uri.isEmpty()) {
+            return false;
+        }
+
+        String path = uri.split("\\?")[0];
+
+        if (STATIC_RESOURCE_PATTERN.matcher(path).matches()) {
+            return true;
+        }
+
+        return STATIC_PATH_PREFIXES.stream().anyMatch(path::startsWith);
+    }
+
+    /**
+     * 判断是否为登录页面
+     */
+    private boolean isLoginPage(String requestUri) {
+        return requestUri != null && (
+                requestUri.endsWith("/login.html") ||
+                        requestUri.endsWith("/login") ||
+                        requestUri.contains("/login")
+        );
+    }
+
+    /**
+     * 生成随机nonce值
+     */
+    private String generateNonce() {
+        byte[] nonceBytes = new byte[16];
+        new java.util.Random().nextBytes(nonceBytes);
+        return java.util.Base64.getEncoder().encodeToString(nonceBytes);
+    }
+
+    /**
+     * 生成内容的SHA-256哈希值
+     */
+    private String generateHash(String content) {
+        try {
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            byte[] hash = digest.digest(content.getBytes("UTF-8"));
+            return "'sha256-" + java.util.Base64.getEncoder().encodeToString(hash) + "'";
+        } catch (Exception e) {
+            return "";
+        }
+    }
+
+    private boolean isWebglPage(String uri) {
+        if (uri == null || uri.isEmpty()) {
+            return false;
+        }
+
+        String path = uri.split("\\?")[0];
+        return WEBGL_PAGE_PATHS.stream().anyMatch(path::contains);
+    }
+
+    private boolean isProduction() {
+        return "prod".equals(activeProfile) || "production".equals(activeProfile);
+    }
+
+    @Override
+    public void destroy() {
+        // 清理资源
+    }
+}
--- a/src/main/java/com/bonus/boot/manager/manager/config/SecurityHeadersFilter.java
+++ b/src/main/java/com/bonus/boot/manager/manager/config/SecurityHeadersFilter.java
@ -0,0 +1,71 @@
+package com.bonus.boot.manager.manager.config;
+
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * 额外的安全头过滤器
+ * 用于设置更多的安全相关头信息
+ */
+@Component
+@Order(2)
+public class SecurityHeadersFilter implements Filter {
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response,
+                         FilterChain chain) throws IOException, ServletException {
+
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+        // 设置额外的安全头
+        setAdditionalSecurityHeaders(httpRequest, httpResponse);
+
+        chain.doFilter(request, response);
+    }
+
+    private void setAdditionalSecurityHeaders(HttpServletRequest request, HttpServletResponse response) {
+        // 1) 缓存控制
+        response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
+        response.setHeader("Pragma", "no-cache");
+        response.setHeader("Expires", "0");
+
+        // 2) IE下载策略
+        response.setHeader("X-Download-Options", "noopen");
+
+        // 3) 跨域策略（条件化设置）
+        if (isPotentiallyTrustworthy(request)) {
+            response.setHeader("Cross-Origin-Opener-Policy", "same-origin");
+            response.setHeader("Cross-Origin-Resource-Policy", "same-origin");
+            response.setHeader("Cross-Origin-Embedder-Policy", "require-corp");
+        } else {
+            response.setHeader("Cross-Origin-Opener-Policy", "");
+            response.setHeader("Cross-Origin-Resource-Policy", "");
+            response.setHeader("Cross-Origin-Embedder-Policy", "");
+        }
+
+        // 4) 不再设置已废弃的 Feature-Policy，避免与 Permissions-Policy 冲突
+        // Permissions-Policy 已在 CspFilter 中统一设置
+    }
+
+    private boolean isPotentiallyTrustworthy(HttpServletRequest request) {
+        boolean isSecure = request.isSecure();
+        String forwardedProto = request.getHeader("X-Forwarded-Proto");
+        if (!isSecure && forwardedProto != null) {
+            isSecure = "https".equalsIgnoreCase(forwardedProto);
+        }
+        String host = request.getServerName();
+        boolean isLocalhost = "localhost".equalsIgnoreCase(host) || "127.0.0.1".equals(host);
+        return isSecure || isLocalhost;
+    }
+
+    @Override
+    public void destroy() {
+        // 清理资源
+    }
+}
--- a/src/main/java/com/bonus/boot/manager/manager/config/WebMvcConfig.java
+++ b/src/main/java/com/bonus/boot/manager/manager/config/WebMvcConfig.java
@ -19,10 +19,10 @@ public class WebMvcConfig implements WebMvcConfigurer {

 	/**
 	 * 跨域支持
-	 * 
+	 *
 	 * @return
 	 */
-	@Bean
+	/*@Bean
 	public WebMvcConfigurer corsConfigurer() {
 		return new WebMvcConfigurer() {
 			@Override
@ -30,11 +30,11 @@ public class WebMvcConfig implements WebMvcConfigurer {
 				registry.addMapping("/**").allowedMethods("*");
 			}
 		};
-	}
+	}*/

 	/**
 	 * datatable分页解析
-	 * 
+	 *
 	 * @return
 	 */
 	@Bean
--- a/src/main/java/com/bonus/boot/manager/manager/controller/UserController.java
+++ b/src/main/java/com/bonus/boot/manager/manager/controller/UserController.java
@ -119,7 +119,10 @@ public class UserController {
 	@ApiOperation(value = "当前登录用户")
 	@GetMapping("/current")
 	public SysUser currentUser() {
-		return UserUtil.getLoginUser();
+		//置空password
+		SysUser sysUser = UserUtil.getLoginUser();
+		sysUser.setPassword(null);
+		return sysUser;
 	}

 	@GetMapping("/getTokenKey")
@ -155,7 +158,7 @@ public class UserController {
 	}

 /**-------------------------------------------以上为老代码,以下为layui新页面所使用的方法-----------------------------------------------------------------*/
-	
+
 	@LogAnnotation
 	@PostMapping("getMsgContent")
 	@ApiOperation(value = "用户管理-列表")
--- a/src/main/java/com/bonus/boot/manager/manager/filter/TokenFilter.java
+++ b/src/main/java/com/bonus/boot/manager/manager/filter/TokenFilter.java
@ -2,8 +2,7 @@ package com.bonus.boot.manager.manager.filter;

 import java.io.IOException;

-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
+import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;

@ -22,7 +21,7 @@ import com.bonus.boot.manager.manager.entity.LoginUser;
 * Token过滤器
 */
@Component
-public class TokenFilter extends OncePerRequestFilter {
+public class TokenFilter extends OncePerRequestFilter implements Filter {

 	public static final String TOKEN_KEY = "token";

@ -45,14 +44,18 @@ public class TokenFilter extends OncePerRequestFilter {
 				SecurityContextHolder.getContext().setAuthentication(authentication);
 			}
 		}
-
+		// 在这里设置 CSP 头或其他过滤逻辑
+		/*response.setHeader(
+				"Content-Security-Policy",
+				"default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline';font-src 'self' data:;img-src 'self' data:;"
+		);*/
 		filterChain.doFilter(request, response);
 	}

 	/**
 	 * 校验时间<br>
 	 * 过期时间与当前时间对比，临近过期10分钟内的话，自动刷新缓存
-	 * 
+	 *
 	 * @param loginUser
 	 * @return
 	 */
@ -70,7 +73,7 @@ public class TokenFilter extends OncePerRequestFilter {

 	/**
 	 * 根据参数或者header获取token
-	 * 
+	 *
 	 * @param request
 	 * @return
 	 */
@ -82,5 +85,4 @@ public class TokenFilter extends OncePerRequestFilter {

 		return token;
 	}
-
 }
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@ -1,20 +1,20 @@
 #\u8BBF\u95EE\u7AEF\u53E3
-#\u6B63\u5F0F\u7AEF\u53E3 
+#\u6B63\u5F0F\u7AEF\u53E3
 #server.port=18088
 #\u672C\u5730\u7AEF\u53E3
-server.port=18088
-#\u6D4B\u8BD5\u7AEF\u53E3
 #server.port=18088
+#\u6D4B\u8BD5\u7AEF\u53E3
+server.port=18088
 #\u8BBF\u95EE\u8DEF\u5F84
 server.servlet.context-path=/YSpeaManager
 #\u6B63\u5F0F\u5E93
-spring.datasource.url=jdbc:mysql://192.168.1.8:23342/yn_tj_appoint?useUnicode=true&characterEncoding=utf-8&allowMultiQueries=true
-spring.datasource.username=root
-spring.datasource.password=Bonus@yntj123!
-#\u6D4B\u8BD5\u5E93
-#spring.datasource.url=jdbc:mysql://192.168.0.14:1115/yn_tj_appoint?useSSL=false&allowMultiQueries=true&useUnicode=true&characterEncoding=utf-8&serverTimezone=Asia/Shanghai
+#spring.datasource.url=jdbc:mysql://192.168.1.8:23342/yn_tj_appoint?useUnicode=true&characterEncoding=utf-8&allowMultiQueries=true
 #spring.datasource.username=root
-#spring.datasource.password=xbzadmin@szedu14!
+#spring.datasource.password=Bonus@yntj123!
+#\u6D4B\u8BD5\u5E93
+spring.datasource.url=jdbc:mysql://192.168.0.14:1115/yn_tj_appoint?useSSL=false&allowMultiQueries=true&useUnicode=true&characterEncoding=utf-8&serverTimezone=Asia/Shanghai
+spring.datasource.username=root
+spring.datasource.password=xbzadmin@szedu14!
 #\u672C\u5730\u5E93
 #spring.datasource.url=jdbc:mysql://127.0.0.1:3306/yn_tj_appoint?useSSL=false&allowMultiQueries=true&useUnicode=true&characterEncoding=utf-8&serverTimezone=Asia/Shanghai
 #spring.datasource.username=root
@ -32,13 +32,13 @@ mybatis.mapper-locations=classpath:mappers/*/*Mapper.xml
 mybatis.type-aliases-package=com.bonus.boot.manager.*.entity

 #\u7EBF\u4E0A
-spring.redis.host=192.168.1.8
-spring.redis.port=23347
-spring.redis.password=Bonus@yntj123!
+#spring.redis.host=192.168.1.8
+#spring.redis.port=23347
+#spring.redis.password=Bonus@yntj123!
 #\u6D4B\u8BD5
-#spring.redis.host=192.168.0.14
-#spring.redis.port=2001
-#spring.redis.password=Dszbns@Redis123!
+spring.redis.host=192.168.0.14
+spring.redis.port=2001
+spring.redis.password=Dszbns@Redis123!
 #\u672C\u5730
 #spring.redis.host=127.0.0.1
 #spring.redis.port=6379
@ -65,12 +65,49 @@ token.expire.seconds=7200
 spring.servlet.multipart.enabled=true

 #\u6B63\u5F0F
-files.url=http://112.29.103.165:1616/medicalDocumentation/statics
-files.path=/data/yn
-#\u6D4B\u8BD5
-#files.url=http://192.168.0.14:18077/medicalDocumentation/statics
+#files.url=http://112.29.103.165:1616/medicalDocumentation/statics
 #files.path=/data/yn
+#\u6D4B\u8BD5
+files.url=http://192.168.0.14:18088/medicalDocumentation/statics
+files.path=/data/yn
 #\u672C\u5730
 #files.url=http://192.168.0.110:18088/YSpeaManager/statics
 #files.path=d:\\data\\yn
-#files.upload=d:\\files
+#files.upload=d:\\files
+# \u8DE8\u57DF\u914D\u7F6E
+# \u5141\u8BB8\u7684\u6E90\uFF08\u591A\u4E2A\u7528\u9017\u53F7\u5206\u9694\uFF09
+cors.allowed-origins=http://localhost:18088,http://127.0.0.1:18088,http://192.168.0.39:1616,http://192.168.0.14:18088,http://112.29.103.165:1616
+
+# \u5141\u8BB8\u7684HTTP\u65B9\u6CD5
+cors.allowed-methods=GET,POST,PUT,DELETE,OPTIONS
+
+# \u5141\u8BB8\u7684\u8BF7\u6C42\u5934
+cors.allowed-headers=Content-Type,X-Requested-With,Token,Authorization,X-Custom-Header
+
+# \u662F\u5426\u5141\u8BB8\u643A\u5E26\u8BA4\u8BC1\u4FE1\u606F
+cors.allow-credentials=true
+
+# \u9884\u68C0\u8BF7\u6C42\u7F13\u5B58\u65F6\u95F4\uFF08\u79D2\uFF09
+cors.max-age=3600
+
+# \u5B89\u5168\u5934\u914D\u7F6E
+# \u662F\u5426\u542F\u7528\u4E25\u683C\u7684\u5B89\u5168\u5934
+security.headers.strict=true
+
+# \u662F\u5426\u542F\u7528HSTS\uFF08HTTP\u4E25\u683C\u4F20\u8F93\u5B89\u5168\uFF09
+security.hsts.enabled=true
+
+# \u662F\u5426\u6E05\u9664\u670D\u52A1\u5668\u4FE1\u606F\u5934
+security.headers.clear-server-info=true
+
+management.endpoint.caches.enabled=false
+
+# CSP\u548C\u5B89\u5168\u5934\u914D\u7F6E
+# \u662F\u5426\u542F\u7528CSP\u62A5\u544A\u6A21\u5F0F\uFF08true\u4E3A\u4EC5\u62A5\u544A\uFF0Cfalse\u4E3A\u5F3A\u5236\u6267\u884C\uFF09
+csp.report-only=false
+
+# \u662F\u5426\u5141\u8BB8\u9875\u9762\u5728iframe\u4E2D\u663E\u793A\uFF08true\u4E3A\u5141\u8BB8\u540C\u6E90iframe\uFF0Cfalse\u4E3A\u5B8C\u5168\u7981\u6B62\uFF09
+csp.allow-iframe=true
+
+# \u662F\u5426\u542F\u7528WebGL\u652F\u6301\uFF08true\u4E3A\u542F\u7528\uFF0Cfalse\u4E3A\u7981\u7528\uFF09
+csp.enable-webgl=true
--- a/src/main/resources/mappers/physical/EmployeeHealthCheckMapper.xml
+++ b/src/main/resources/mappers/physical/EmployeeHealthCheckMapper.xml
@ -67,7 +67,7 @@
        where ppr.is_active = '1'

        <if test="physicalTime !=null and physicalTime !='null' and physicalTime !=''">
-            and ppr.create_time like concat ('%',#{physicalTime},'%')
+            AND SUBSTRING(ppr.create_time, 1, 4) = #{physicalTime}
        </if>
        <if test="physicalStatus !=null and physicalStatus !='null' and physicalStatus !=''">
            and pbpa.appoint_status  = #{physicalStatus}
--- a/src/main/resources/readme.md
+++ b/src/main/resources/readme.md
@ -0,0 +1 @@
+1.主分支
--- a/src/main/resources/static/index.html
+++ b/src/main/resources/static/index.html
@ -136,7 +136,7 @@
 	</div>
 	<div class="site-mobile-shade"></div>
 	<script type="text/javascript" src="layui-v2.8.3/layui/layui.js"></script>
-	<script type="text/javascript" src="js/libs/jquery-2.1.1.min.js"></script>
+	<script type="text/javascript" src="js/libs/jquery-3.7.1.min.js"></script>
 	<script type="text/javascript" src="js/common_methon.js"></script>
 	<script type="text/javascript" src="js/jq.js"></script>
 	<script type="text/javascript" src="js/publicJs.js"></script>
--- a/src/main/resources/static/js/jedate/moment.min.js
+++ b/src/main/resources/static/js/jedate/moment.min.js
--- a/src/main/resources/static/js/jquery/jquery-1.10.2.min.js
+++ b/src/main/resources/static/js/jquery/jquery-1.10.2.min.js
--- a/src/main/resources/static/js/jquery/jquery-3.7.1.min.js
+++ b/src/main/resources/static/js/jquery/jquery-3.7.1.min.js
--- a/src/main/resources/static/js/libs/jquery-2.1.1.min.js
+++ b/src/main/resources/static/js/libs/jquery-2.1.1.min.js
--- a/src/main/resources/static/js/libs/jquery-3.7.1.min.js
+++ b/src/main/resources/static/js/libs/jquery-3.7.1.min.js
--- a/src/main/resources/static/js/plugin/datatables/jquery.dataTables.min.js
+++ b/src/main/resources/static/js/plugin/datatables/jquery.dataTables.min.js
--- a/src/main/resources/static/pages/institution/orgList.html
+++ b/src/main/resources/static/pages/institution/orgList.html
@ -5,7 +5,7 @@
 <title>Insert title here</title>

    <link rel="icon" href="img/favicon.ico" type="image/x-icon" />
-    <script src="../../js/jquery/jquery-1.10.2.min.js"></script>
+    <script src="../../js/jquery/jquery-3.7.1.min.js"></script>
  <script type="text/javascript" src="../../layui/layui.all.js"></script>
    <script type="text/javascript" src="../../js/publicJs.js"></script>
    <script type="text/javascript" src="../../js/jq.js"></script>
--- a/src/main/resources/static/pages/institution/orgList01.html
+++ b/src/main/resources/static/pages/institution/orgList01.html
@ -5,7 +5,7 @@
 <title>Insert title here</title>

    <link rel="icon" href="img/favicon.ico" type="image/x-icon" />
-    <script src="../../js/jquery/jquery-1.10.2.min.js"></script>
+    <script src="../../js/jquery/jquery-3.7.1.min.js"></script>
  <script type="text/javascript" src="../../layui/layui.all.js"></script>
    <script type="text/javascript" src="../../js/publicJs.js"></script>
    <script type="text/javascript" src="../../js/jq.js"></script>
Author	SHA1	Message	Date
lSun	eed4fd7c7b	扫描漏洞解决	2025-10-28 17:41:28 +08:00
马三炮	5330d1e184	安全漏洞和渗透修复	2025-09-10 16:51:05 +08:00
马三炮	ca4a805c5d	安全漏洞和渗透修复	2025-08-27 10:24:12 +08:00
lSun	c79ade0cb8	分支备注	2025-06-30 15:01:47 +08:00