漏洞修改

2025-10-27 14:22:27 +08:00 · 2025-10-27 14:22:27 +08:00 · a23a89a7c2
parent da24510b46
commit a23a89a7c2
8 changed files with 153 additions and 27 deletions
--- a/.idea/jarRepositories.xml
+++ b/.idea/jarRepositories.xml
@ -21,5 +21,10 @@
      <option name="name" value="JBoss Community repository" />
      <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
    </remote-repository>
+    <remote-repository>
+      <option name="id" value="central" />
+      <option name="name" value="Central Repository" />
+      <option name="url" value="https://maven.aliyun.com/repository/public" />
+    </remote-repository>
  </component>
 </project>
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java
@ -0,0 +1,36 @@
+package com.bonus.aqgqj.manager.common.config;
+
+import org.springframework.context.annotation.Configuration;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+// 注册过滤器
+@Configuration
+public class CspFilter implements Filter {
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+        HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+        // 配置 CSP 规则，添加 form-action 指令（根据需求调整允许的地址）
+        String cspPolicy = "default-src 'self'; " +
+                "script-src 'self' 'unsafe-inline'; " +  // 保留原有配置（注意：'unsafe-inline' 有风险，建议后续优化）
+                "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
+                "img-src 'self' data:; " +
+                "font-src 'self' https://cdnjs.cloudflare.com; " +
+                "form-action 'self';";  // 新增：限制表单仅提交到当前域名
+
+        httpResponse.setHeader("Content-Security-Policy", cspPolicy);
+        chain.doFilter(request, response);
+    }
+
+    // 初始化和销毁方法可留空
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {}
+
+    @Override
+    public void destroy() {}
+}
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java
@ -0,0 +1,23 @@
+package com.bonus.aqgqj.manager.common.config;
+
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.HandlerInterceptor;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@Component
+public class CspInterceptor implements HandlerInterceptor {
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
+        // 设置 CSP 头
+        String csp = "default-src 'self'; " +
+                "script-src 'self' 'unsafe-inline'; " +
+                "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
+                "img-src 'self' data:; " +
+                "font-src 'self' https://cdnjs.cloudflare.com; " +
+                "form-action 'self';";
+        response.setHeader("Content-Security-Policy", csp);
+        return true;
+    }
+}
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/CustomRedisSerializer.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/CustomRedisSerializer.java
@ -46,7 +46,10 @@ public class CustomRedisSerializer implements RedisSerializer<Object> {
                return super.resolveClass(desc);
            } catch (ClassNotFoundException e) {
                // 如果类路径不对，手动指定正确的类路径
-                return Class.forName("com.bonus.aqgqj.manager.security.entity.SelfUserEntity");
+                if (desc.getName().equals("com.bonus.aqgqj.manager.security.entity.SelfUserEntity")) {
+                    return Class.forName("com.bonus.gzgqj.manager.security.entity.SelfUserEntity");
+                }
+                throw e; // 如果不是目标类，抛出异常
            }
        }
    }
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/JWTTokenService.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/JWTTokenService.java
@ -1,5 +1,6 @@
 package com.bonus.aqgqj.manager.common.config;

+
 import com.bonus.aqgqj.manager.common.util.*;
 import com.bonus.aqgqj.manager.constant.CacheConstants;
 import com.bonus.aqgqj.manager.constant.SecurityConstants;
@ -107,6 +108,7 @@ public class JWTTokenService {
                return user;
            }
        } catch (Exception e) {
+            System.err.println(e.getMessage());
        }
        return user;
    }
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/WebMvcConfig.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/WebMvcConfig.java
@ -2,46 +2,72 @@ package com.bonus.aqgqj.manager.common.config;


 import com.bonus.aqgqj.business.utils.SystemUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
@Configuration
 public class WebMvcConfig implements WebMvcConfigurer {
-	/**
-	 * 跨域支持
-	 * @return
-	 * @return
-	 */
-	@Bean
-	public WebMvcConfigurer corsConfigurer() {
-		return new WebMvcConfigurer() {
-			@Override
-			public void addCorsMappings(CorsRegistry registry) {
-			registry.addMapping("/**").allowedMethods("*");
+
+
+    @Autowired
+    private CspInterceptor cspInterceptor;
+    /**
+     * 跨域支持
+     *
+     * @return
+     * @return
+     */
+    @Bean
+    public WebMvcConfigurer corsConfigurer() {
+        return new WebMvcConfigurer() {
+            @Override
+            public void addCorsMappings(CorsRegistry registry) {
+                registry.addMapping("/**").allowedMethods("*");
 //				registry.addMapping("/**")
 //						.allowedOrigins("http://example.com")
 //						.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
 //						.allowedHeaders("*")
 //						.allowCredentials(true);
-			}
-		};
-	}
+            }
+        };
+    }
+
+    @Bean
+    public FilterRegistrationBean<CspFilter> cspFilterRegistration() {
+        FilterRegistrationBean<CspFilter> registration = new FilterRegistrationBean<>();
+        registration.setFilter(new CspFilter());
+        registration.addUrlPatterns("/*");  // 对所有请求生效
+        registration.setName("cspFilter");
+        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);  // 确保优先级最高，避免被其他过滤器覆盖
+        return registration;
+    }


+    /**
+     * 外部文件访问
+     */
+    @Override
+    public void addResourceHandlers(ResourceHandlerRegistry registry) {
+        String filePath = SystemUtils.getUploadPath();//获取文件上传路径
+        /** 本地文件上传路径 */
+        registry.addResourceHandler("/statics/**")
+                .addResourceLocations("file:" + filePath + "/");
+        registry.addResourceHandler("/files/**")
+                .addResourceLocations("file:" + filePath);

-	/**
-	 * 外部文件访问
-	 */
-	@Override
-	public void addResourceHandlers(ResourceHandlerRegistry registry) {
-		String filePath= SystemUtils.getUploadPath();//获取文件上传路径
-		/** 本地文件上传路径 */
-		registry.addResourceHandler("/statics/**")
-				.addResourceLocations("file:" + filePath+"/");
-		registry.addResourceHandler("/files/**")
-				.addResourceLocations("file:"+filePath);
-	}
+    }
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        // 对所有请求应用拦截器
+        registry.addInterceptor(cspInterceptor).addPathPatterns("/**");
+    }

 }
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java
@ -0,0 +1,30 @@
+package com.bonus.aqgqj.manager.common.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.HandlerInterceptor;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+@Configuration
+public class WebSecurityConfig implements WebMvcConfigurer {
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(new HandlerInterceptor() {
+            @Override
+            public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
+                // 禁止被任何页面嵌入（推荐）
+                response.setHeader("X-Frame-Options", "DENY");
+                // 或仅允许同源页面嵌入（若业务需要被自身域名下的页面嵌入）
+                // response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
+                // 补充 CSP 头（增强安全性，与 X-Frame-Options 配合）
+                response.setHeader("Content-Security-Policy", "frame-ancestors 'none'"); // 禁止所有嵌入
+                // 若允许同源：frame-ancestors 'self';
+                return true;
+            }
+        }).addPathPatterns("/**"); // 对所有路径生效
+    }
+}
--- a/src/main/java/com/bonus/aqgqj/manager/security/jwt/JwtAuthenticationTokenFilter.java
+++ b/src/main/java/com/bonus/aqgqj/manager/security/jwt/JwtAuthenticationTokenFilter.java
@ -1,5 +1,6 @@
 package com.bonus.aqgqj.manager.security.jwt;

+
 import com.bonus.aqgqj.manager.common.config.JWTTokenService;
 import com.bonus.aqgqj.manager.common.util.JwtUtils;
 import com.bonus.aqgqj.manager.common.util.ResultUtil;