漏洞修改

2025-10-27 14:22:27 +08:00 · 2025-10-27 14:22:27 +08:00 · a23a89a7c2
parent da24510b46
commit a23a89a7c2
8 changed files with 153 additions and 27 deletions
--- a/.idea/jarRepositories.xml
+++ b/.idea/jarRepositories.xml
@ -21,5 +21,10 @@
      <option name="name" value="JBoss Community repository" />
      <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
    </remote-repository>
    <remote-repository>
      <option name="id" value="central" />
      <option name="name" value="Central Repository" />
      <option name="url" value="https://maven.aliyun.com/repository/public" />
    </remote-repository>
  </component>
 </project>
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/CspFilter.java
@ -0,0 +1,36 @@
 package com.bonus.aqgqj.manager.common.config;
 import org.springframework.context.annotation.Configuration;
 import javax.servlet.*;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 // 注册过滤器
@Configuration
 public class CspFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        // 配置 CSP 规则，添加 form-action 指令（根据需求调整允许的地址）
        String cspPolicy = "default-src 'self'; " +
                "script-src 'self' 'unsafe-inline'; " +  // 保留原有配置（注意：'unsafe-inline' 有风险，建议后续优化）
                "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
                "img-src 'self' data:; " +
                "font-src 'self' https://cdnjs.cloudflare.com; " +
                "form-action 'self';";  // 新增：限制表单仅提交到当前域名
        httpResponse.setHeader("Content-Security-Policy", cspPolicy);
        chain.doFilter(request, response);
    }
    // 初始化和销毁方法可留空
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}
    @Override
    public void destroy() {}
 }
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/CspInterceptor.java
@ -0,0 +1,23 @@
 package com.bonus.aqgqj.manager.common.config;
 import org.springframework.stereotype.Component;
 import org.springframework.web.servlet.HandlerInterceptor;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@Component
 public class CspInterceptor implements HandlerInterceptor {
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        // 设置 CSP 头
        String csp = "default-src 'self'; " +
                "script-src 'self' 'unsafe-inline'; " +
                "style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
                "img-src 'self' data:; " +
                "font-src 'self' https://cdnjs.cloudflare.com; " +
                "form-action 'self';";
        response.setHeader("Content-Security-Policy", csp);
        return true;
    }
 }
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/CustomRedisSerializer.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/CustomRedisSerializer.java
@ -46,7 +46,10 @@ public class CustomRedisSerializer implements RedisSerializer<Object> {
                return super.resolveClass(desc);
            } catch (ClassNotFoundException e) {
                // 如果类路径不对，手动指定正确的类路径
-                return Class.forName("com.bonus.aqgqj.manager.security.entity.SelfUserEntity");
+                if (desc.getName().equals("com.bonus.aqgqj.manager.security.entity.SelfUserEntity")) {
                    return Class.forName("com.bonus.gzgqj.manager.security.entity.SelfUserEntity");
                }
                throw e; // 如果不是目标类，抛出异常
            }
        }
    }
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/JWTTokenService.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/JWTTokenService.java
@ -1,5 +1,6 @@
 package com.bonus.aqgqj.manager.common.config;
 import com.bonus.aqgqj.manager.common.util.*;
 import com.bonus.aqgqj.manager.constant.CacheConstants;
 import com.bonus.aqgqj.manager.constant.SecurityConstants;
@ -107,6 +108,7 @@ public class JWTTokenService {
                return user;
            }
        } catch (Exception e) {
            System.err.println(e.getMessage());
        }
        return user;
    }
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/WebMvcConfig.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/WebMvcConfig.java
@ -2,46 +2,72 @@ package com.bonus.aqgqj.manager.common.config;
 import com.bonus.aqgqj.business.utils.SystemUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
 public class WebMvcConfig implements WebMvcConfigurer {
-	/**
+
-	 * 跨域支持
+
-	 * @return
+    @Autowired
-	 * @return
+    private CspInterceptor cspInterceptor;
-	 */
+    /**
-	@Bean
+     * 跨域支持
-	public WebMvcConfigurer corsConfigurer() {
+     *
-		return new WebMvcConfigurer() {
+     * @return
-			@Override
+     * @return
-			public void addCorsMappings(CorsRegistry registry) {
+     */
-			registry.addMapping("/**").allowedMethods("*");
+    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/**").allowedMethods("*");
 //				registry.addMapping("/**")
 //						.allowedOrigins("http://example.com")
 //						.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
 //						.allowedHeaders("*")
 //						.allowCredentials(true);
-			}
+            }
-		};
+        };
-	}
+    }
    @Bean
    public FilterRegistrationBean<CspFilter> cspFilterRegistration() {
        FilterRegistrationBean<CspFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new CspFilter());
        registration.addUrlPatterns("/*");  // 对所有请求生效
        registration.setName("cspFilter");
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);  // 确保优先级最高，避免被其他过滤器覆盖
        return registration;
    }
    /**
     * 外部文件访问
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        String filePath = SystemUtils.getUploadPath();//获取文件上传路径
        /** 本地文件上传路径 */
        registry.addResourceHandler("/statics/**")
                .addResourceLocations("file:" + filePath + "/");
        registry.addResourceHandler("/files/**")
                .addResourceLocations("file:" + filePath);
-	/**
+    }
-	 * 外部文件访问
+
-	 */
+    @Override
-	@Override
+    public void addInterceptors(InterceptorRegistry registry) {
-	public void addResourceHandlers(ResourceHandlerRegistry registry) {
+        // 对所有请求应用拦截器
-		String filePath= SystemUtils.getUploadPath();//获取文件上传路径
+        registry.addInterceptor(cspInterceptor).addPathPatterns("/**");
-		/** 本地文件上传路径 */
+    }
 		registry.addResourceHandler("/statics/**")
 				.addResourceLocations("file:" + filePath+"/");
 		registry.addResourceHandler("/files/**")
 				.addResourceLocations("file:"+filePath);
 	}
 }
--- a/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java
+++ b/src/main/java/com/bonus/aqgqj/manager/common/config/WebSecurityConfig.java
@ -0,0 +1,30 @@
 package com.bonus.aqgqj.manager.common.config;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@Configuration
 public class WebSecurityConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new HandlerInterceptor() {
            @Override
            public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
                // 禁止被任何页面嵌入（推荐）
                response.setHeader("X-Frame-Options", "DENY");
                // 或仅允许同源页面嵌入（若业务需要被自身域名下的页面嵌入）
                // response.setHeader("X-Frame-Options", "SAMEORIGIN");
                // 补充 CSP 头（增强安全性，与 X-Frame-Options 配合）
                response.setHeader("Content-Security-Policy", "frame-ancestors 'none'"); // 禁止所有嵌入
                // 若允许同源：frame-ancestors 'self';
                return true;
            }
        }).addPathPatterns("/**"); // 对所有路径生效
    }
 }
--- a/src/main/java/com/bonus/aqgqj/manager/security/jwt/JwtAuthenticationTokenFilter.java
+++ b/src/main/java/com/bonus/aqgqj/manager/security/jwt/JwtAuthenticationTokenFilter.java
@ -1,5 +1,6 @@
 package com.bonus.aqgqj.manager.security.jwt;
 import com.bonus.aqgqj.manager.common.config.JWTTokenService;
 import com.bonus.aqgqj.manager.common.util.JwtUtils;
 import com.bonus.aqgqj.manager.common.util.ResultUtil;