diff --git a/api/api-system/src/main/java/com/bonus/system/api/domain/SysUser.java b/api/api-system/src/main/java/com/bonus/system/api/domain/SysUser.java
index bca0ba6..83225f1 100644
--- a/api/api-system/src/main/java/com/bonus/system/api/domain/SysUser.java
+++ b/api/api-system/src/main/java/com/bonus/system/api/domain/SysUser.java
@@ -6,6 +6,7 @@ import com.bonus.common.core.annotation.Excel.Type;
 import com.bonus.common.core.annotation.Excels;
 import com.bonus.common.core.web.domain.BaseEntity;
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import lombok.Data;
 import org.apache.commons.lang3.builder.ToStringBuilder;
@@ -57,6 +58,7 @@ public class SysUser extends BaseEntity
     /** 密码 */
     @JsonIgnore
+    @JsonInclude(JsonInclude.Include.NON_NULL)
     @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
     private String password;
diff --git a/api/api-system/src/main/java/com/bonus/system/api/model/LoginUser.java b/api/api-system/src/main/java/com/bonus/system/api/model/LoginUser.java
index 9a9a389..a747de9 100644
--- a/api/api-system/src/main/java/com/bonus/system/api/model/LoginUser.java
+++ b/api/api-system/src/main/java/com/bonus/system/api/model/LoginUser.java
@@ -21,8 +21,6 @@ public class LoginUser implements Serializable
     /**
      * 用户唯一标识
      */
-    @JsonIgnore
-    @JsonProperty(access = JsonProperty.Access.WRITE_ONLY)
     private String token;
     /**
diff --git a/auth/src/main/java/com/bonus/auth/service/SysLoginService.java b/auth/src/main/java/com/bonus/auth/service/SysLoginService.java
index 2364632..17f8bd7 100644
--- a/auth/src/main/java/com/bonus/auth/service/SysLoginService.java
+++ b/auth/src/main/java/com/bonus/auth/service/SysLoginService.java
@@ -103,6 +103,7 @@ public class SysLoginService
                 throw new ServiceException("用户不存在/密码错误");
             }
         }
+        user.setPassword("");
         recordLogininfor(user.getUserId() + "", Constants.LOGIN_SUCCESS, "登录成功");
         return userInfo;
     }
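Review bot: Dropping `@JsonIgnore` and the `WRITE_ONLY` access from `LoginUser.token` makes the bearer token part of every Jackson serialization of LoginUser, not only the one this commit presumably needs; if any endpoint hands a LoginUser (or an object holding one) back to a client, the token is now in that response. If the change exists so the cache serializer keeps the token, a `@JsonView` or a dedicated cache DTO would keep the API-facing view hidden. At minimum record the intent on the field, e.g. `/** 用户唯一标识 — serialised on purpose for the cache; never return LoginUser to clients directly */`.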
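Review bot: `user.setPassword("")` leaves an empty string rather than null, so the `@JsonInclude(NON_NULL)` this commit adds to `SysUser.password` does not elide it, and it is inconsistent with TokenService, which sets null; use `user.setPassword(null);` (assuming `user` is the SysUser carried by `userInfo`, which the hunk does not show). With the field already `@JsonIgnore` and `WRITE_ONLY`, the new `@JsonInclude` on SysUser adds nothing and can be dropped — the clearing before the object leaves the auth service is the protection that matters. The login method starts outside the hunk.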
diff --git a/common/common-security/src/main/java/com/bonus/common/security/config/WebMvcConfig.java b/common/common-security/src/main/java/com/bonus/common/security/config/WebMvcConfig.java
index 4a848a4..9eb5e80 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/config/WebMvcConfig.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/config/WebMvcConfig.java
@@ -49,7 +49,7 @@ public class WebMvcConfig implements WebMvcConfigurer
     public void addResourceHandlers(ResourceHandlerRegistry registry) {
         String os = System.getProperty("os.name");
         if(os.toLowerCase().startsWith("win")){
-            registry.addResourceHandler("/ynRealName/**").addResourceLocations("file:D://yn/real_name/");
+            registry.addResourceHandler("/ynRealName/**").addResourceLocations("file:E://yn/real_name/");
         }else{
             registry.addResourceHandler("/ynRealName/**").addResourceLocations("file:/data/real_name/");
         }
diff --git a/common/common-security/src/main/java/com/bonus/common/security/service/TokenService.java b/common/common-security/src/main/java/com/bonus/common/security/service/TokenService.java
index df056f5..dd717ed 100644
--- a/common/common-security/src/main/java/com/bonus/common/security/service/TokenService.java
+++ b/common/common-security/src/main/java/com/bonus/common/security/service/TokenService.java
@@ -58,6 +58,7 @@ public class TokenService
         claimsMap.put(SecurityConstants.DETAILS_USER_ID, userId);
         claimsMap.put(SecurityConstants.DETAILS_USERNAME, userName);
+        loginUser.getSysUser().setPassword(null);
         // 接口返回信息
         Map rspMap = new HashMap();
         rspMap.put("access_token", JwtUtils.createToken(claimsMap));
diff --git a/gateway/src/main/java/com/bonus/gateway/config/SecurityHeaderFilterConfig.java b/gateway/src/main/java/com/bonus/gateway/config/SecurityHeaderFilterConfig.java
new file mode 100644
index 0000000..289d86c
--- /dev/null
+++ b/gateway/src/main/java/com/bonus/gateway/config/SecurityHeaderFilterConfig.java
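Review bot: Changing the hard-coded drive letter from `D:` to `E:` only moves the resource path to a different developer's machine; the Windows branch of `addResourceHandlers` should read its location from configuration, e.g. `@Value("${<property-name>:file:/data/real_name/}") private String realNameLocation;`, used by both branches. ArcFaceHelper (`E:\\images\\`) and IpAndPathConfig (`environment = "其他"`, with the `@Value` that would inject it left commented out) carry the same kind of environment-specific value in source elsewhere in this commit. The method continues past the end of the hunk.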
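Review bot: `loginUser.getSysUser().setPassword(null)` clears the hash only on this object and only after the claims are built; if the LoginUser has already been written to the cache earlier in this method (outside the hunk), the cached copy still carries the hash, so the clear belongs before that write. `getSysUser()` is dereferenced without a null check; `if (loginUser.getSysUser() != null) { loginUser.getSysUser().setPassword(null); }` avoids turning a partially populated login into a NullPointerException. The method starts and ends outside the hunk.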
@@ -0,0 +1,52 @@
+package com.bonus.gateway.config;
+
+import org.springframework.cloud.gateway.filter.GlobalFilter;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.http.server.reactive.ServerHttpResponse;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+/**
+ * packageName com.bonus.gateway.config
+ *
+ * @author lsun
+ * @version 1.0.0
+ * @className SecurityHeaderFilterConfig (此处以class为例)
+ * @date 2025/10/30
+ * @description
+ */
+
+/**
+ * 全局安全响应头过滤器
+ * 防止点击劫持 (Clickjacking)、XSS、MIME 类型嗅探等漏洞。
+ */
+@Configuration
+public class SecurityHeaderFilterConfig {
+    @Bean
+    @Order(Ordered.HIGHEST_PRECEDENCE)
+    public GlobalFilter addSecurityHeadersFilter() {
+        return (exchange, chain) -> chain.filter(exchange).then(Mono.fromRunnable(() -> {
+            ServerWebExchange responseExchange = exchange.mutate().build();
+            ServerHttpResponse response = responseExchange.getResponse();
+
+            // 防点击劫持 (Clickjacking)
+            response.getHeaders().add("X-Frame-Options", "SAMEORIGIN");
+            response.getHeaders().add("Content-Security-Policy", "frame-ancestors 'self'");
+
+            // 防 MIME 类型嗅探
+            response.getHeaders().add("X-Content-Type-Options", "nosniff");
+
+            // 防 XSS(旧浏览器兼容)
+            response.getHeaders().add("X-XSS-Protection", "1; mode=block");
+
+            // 隐藏来源信息(可选)
+            response.getHeaders().add("Referrer-Policy", "no-referrer");
+
+            // 强制 HTTPS(仅在启用 HTTPS 部署时推荐)
+            response.getHeaders().add("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
+        }));
+    }
+}
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/OwnerController.java b/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/OwnerController.java
index e6f35fe..362214b 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/OwnerController.java
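Review bot: The headers are added inside `chain.filter(exchange).then(Mono.fromRunnable(...))`, which for a filter at `HIGHEST_PRECEDENCE` runs after the downstream response has been written and committed; on a committed reactive response `getHeaders()` is read-only and `add` throws `UnsupportedOperationException`, so the headers most likely never reach the client. Register them with `response.beforeCommit(...)` before delegating to the chain, use `set` rather than `add` so a header the backend already emits is not duplicated, and drop `exchange.mutate().build()`, which copies the exchange for nothing. `Strict-Transport-Security` is sent on plain HTTP as well, contrary to the comment above it; gate it on the request scheme (or a property when TLS is terminated upstream). `X-XSS-Protection: 1; mode=block` is deprecated and current guidance is to send `0` or omit the header.
```java
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public GlobalFilter addSecurityHeadersFilter() {
        return (exchange, chain) -> {
            ServerHttpResponse response = exchange.getResponse();
            // Register before delegating: once the downstream response is committed the header map is read-only.
            response.beforeCommit(() -> {
                response.getHeaders().set("X-Frame-Options", "SAMEORIGIN");
                response.getHeaders().set("Content-Security-Policy", "frame-ancestors 'self'");
                response.getHeaders().set("X-Content-Type-Options", "nosniff");
                response.getHeaders().set("Referrer-Policy", "no-referrer");
                // X-XSS-Protection intentionally omitted: deprecated, current guidance is "0" or no header.
                // HSTS only makes sense on HTTPS; a plain-HTTP deployment must not advertise it.
                if ("https".equalsIgnoreCase(exchange.getRequest().getURI().getScheme())) {
                    response.getHeaders().set("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
                }
                return Mono.empty();
            });
            return chain.filter(exchange);
        };
    }
```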
+++ b/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/OwnerController.java
@@ -72,6 +72,13 @@ public class OwnerController {
     @Log(title = "获取业主列表", businessType = BusinessType.SELECT)
     @RequiresPermissions("sys:owner:query")
     public PageTableResponse getOwnerList(PageTableRequest request) {
+
+        // 输入验证:过滤掉可能的恶意字符
+        String keyWord = (String) request.getParams().get("keyWord");
+        if (keyWord != null && !keyWord.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格
+            throw new IllegalArgumentException("Invalid characters in keyWord.");
+        }
+
         return new PageTableHandler(new PageTableHandler.CountHandler() {
             @Override
             public int count(PageTableRequest request) {
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/ProjectController.java b/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/ProjectController.java
index 7d6b6f6..314017a 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/ProjectController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/ProjectController.java
@@ -66,6 +66,11 @@ public class ProjectController {
     @Log(title = "获取工程列表", businessType = BusinessType.SELECT)
     @RequiresPermissions("sys:project:query")
     public PageTableResponse listProjects(PageTableRequest request) {
+        // 参数验证
+        String orgIds = (String) request.getParams().get("orgId");
+        if (orgIds != null && !orgIds.isEmpty() && !orgIds.matches("\\d+")) {
+            throw new IllegalArgumentException("非法的 orgId 参数");
+        }
         request.getParams().put("generalProId", request.getParams().get("orgId"));
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/ProjectGeneralController.java b/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/ProjectGeneralController.java
index 5e93e95..63d2ff8 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/ProjectGeneralController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/ProjectGeneralController.java
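Review bot: The pattern `[a-zA-Z0-9\\s]*` rejects every non-ASCII character, so a `keyWord` containing Chinese text — which the 业主 names this endpoint searches are likely to be — now fails with an exception; the same check is copied into WorkPlanAllController (proName), WorkPayController, PlanAndRealNameController, SalaryStatServiceImpl (both hunks), SubContractController, SubContractorController (subName and legalName), SubBlackController, SubCertificateStatisticsController, SubCertificateTypeController and SubCompareController. Character filtering in the controller is also not what prevents SQL injection: that depends on the mapper binding the value with `#{}` rather than `${}`, which is not visible here, so the mapper is the place to verify. If a charset limit is still wanted, centralise it in one helper with a pattern that admits CJK text, e.g. `if (keyWord != null && !keyWord.matches("[\\p{L}\\p{N}\\s]*")) {`, and guard `request.getParams()` against null before dereferencing it, as ProjectGeneralController does. getOwnerList continues past the end of the hunk.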
@@ -19,9 +19,7 @@ import org.springframework.web.bind.annotation.*;
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 /**
  * @author 彭元博
@@ -45,13 +43,30 @@ public class ProjectGeneralController {
     @RequiresPermissions("sys:proGeneral:query")
     public PageTableResponse getProGeneralList(PageTableRequest request) {
+        Map params = request.getParams();
+        if (params == null) {
+            params = new HashMap<>();
+            request.setParams(params);
+        }
+
+        // 允许的参数名(按你接口真实使用的填写)
+        Set allow = new HashSet<>(Arrays.asList(
+                "keyWord", "proStatus"
+        ));
+
+        // 过滤掉所有不在允许列表中的参数(包含 columns[...]、order[...] 等)
+        params.keySet().removeIf(k -> !allow.contains(k));
+        // 放回 request(可选)
+        request.setParams(params);
+
+
         SelfPermissionSettingUtils.getSelfPermission(request);
         String orgId = (String) request.getParams().get("orgId");
         if(!StringUtils.isEmpty(orgId)){
             String childList = getChildListDao.getChildList(orgId);
-            Map params = request.getParams();
-            params.put("orgAll",childList);
+            Map params1 = request.getParams();
+            params1.put("orgAll",childList);
         }
         List list = service.getProGeneralList(request.getParams(), request.getOffset(), request.getLimit());
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/WorkPlanAllController.java b/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/WorkPlanAllController.java
index b8262d3..7154e58 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/WorkPlanAllController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/basic/controller/WorkPlanAllController.java
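Review bot: The allow-list `{"keyWord", "proStatus"}` strips `orgId` from the request before `SelfPermissionSettingUtils.getSelfPermission(request)` runs and before `request.getParams().get("orgId")` is read a few lines later, so a client-supplied orgId can no longer reach the `orgAll` branch unless getSelfPermission re-populates it — confirm that is intended and add `"orgId"` to the set if not. The set is rebuilt per request and raw-typed; make it `private static final Set<String> ALLOWED_PARAMS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList("keyWord", "proStatus")));` and drop the second `request.setParams(params)`, which re-sets the reference already stored. The same per-request raw `Set` appears in RedConfirmRecordController.getList and SubCertificateStatisticsController.getList. getProGeneralList continues past the end of the hunk.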
@@ -43,6 +43,11 @@ public class WorkPlanAllController {
     @Log(title = "获取作业总计划列表", businessType = BusinessType.SELECT)
 // @RequiresPermissions("sys:project:query")
     public PageTableResponse listProjects(PageTableRequest request) {
+        // 输入验证:过滤掉可能的恶意字符
+        String proName = (String) request.getParams().get("proName");
+        if (proName != null && !proName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格
+            throw new IllegalArgumentException("Invalid characters in proName.");
+        }
         return new PageTableHandler(new PageTableHandler.CountHandler() {
             @Override
             public int count(PageTableRequest request) {
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/certificateAdministration/controller/CertificateStatController.java b/modules/bmw/src/main/java/com/bonus/bmw/certificateAdministration/controller/CertificateStatController.java
index 432fa76..76c2330 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/certificateAdministration/controller/CertificateStatController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/certificateAdministration/controller/CertificateStatController.java
@@ -39,9 +39,28 @@ public class CertificateStatController {
     @PostMapping("getTreeData1")
     @Log(title = "查询持证类型树", businessType = BusinessType.SELECT)
     public List getTreeData1(@RequestBody(required = false) CertificateStatBean o) {
+        if (o == null) {
+            return service.getTreeData1(null);
+        }
+        if (o.getName() != null) {
+            if (o.getName().length() > 200) {
+                throw new IllegalArgumentException("name too long");
+            }
+            o.setName(escapeForLike(o.getName()));
+        }
         return service.getTreeData1(o);
     }
+    private String escapeForLike(String input) {
+        if (input == null) {
+            return null;
+        }
+        // 转义反斜杠 \、百分号 % 和下划线 _
+        return input.replace("\\", "\\\\") // 转义反斜杠
+                .replace("%", "\\%") // 转义 %
+                .replace("_", "\\_"); // 转义 _
+    }
+
     /**
      * 查询公司工程树
      * @param o
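Review bot: `escapeForLike` only does its job if the mapper behind `service.getTreeData1` binds `name` with `#{}` inside a `LIKE` whose escape character is backslash (MySQL's default; other databases need an explicit `ESCAPE '\\'`); if the mapper interpolates with `${}` the escaping does not prevent injection, and if `name` is also compared with `=` anywhere the escaped value will no longer match. Check the mapper and state the assumption above the helper, e.g. `// assumes the mapper binds name with #{} in a LIKE that uses '\' as its escape character`. A LIKE-escaping helper belongs in a shared utility rather than a private method of one controller, so the other controllers in this commit that validate search keywords can reuse it. Behaviour for a null body is preserved by the early `return service.getTreeData1(null)`, which is fine.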
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/config/IpAndPathConfig.java b/modules/bmw/src/main/java/com/bonus/bmw/config/IpAndPathConfig.java
index d705277..380dfe7 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/config/IpAndPathConfig.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/config/IpAndPathConfig.java
@@ -14,7 +14,7 @@ public class IpAndPathConfig {
      */
 // @Value("${environment}")
 // public static String environment;
-    public static String environment = "test";
+    public static String environment = "其他";
     /**
      * 持证
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/person/controller/FaceContrastNewController.java b/modules/bmw/src/main/java/com/bonus/bmw/person/controller/FaceContrastNewController.java
index 86d9da3..e89023d 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/person/controller/FaceContrastNewController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/person/controller/FaceContrastNewController.java
@@ -53,6 +53,12 @@ public class FaceContrastNewController {
     public PageTableResponse getSupAtHistory(PageTableRequest request) {
         Map params = request.getParams();
+
+        String subComIdStr = (String) request.getParams().get("subComId");
+        if (subComIdStr != null && !subComIdStr.isEmpty() && !subComIdStr.matches("\\d+")) {
+            throw new IllegalArgumentException("非法的 subComId 参数");
+        }
+
         if(StringUtils.isEmpty((String) params.get("subComId"))){
             String subComId = SecurityUtils.getLoginUser().getSysUser().getSubComId();
             params.put("subComId",subComId);
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/person/controller/PersonComprehensiveController.java b/modules/bmw/src/main/java/com/bonus/bmw/person/controller/PersonComprehensiveController.java
index bfb69e2..5efa6fa 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/person/controller/PersonComprehensiveController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/person/controller/PersonComprehensiveController.java
@@ -150,6 +150,7 @@ public class PersonComprehensiveController {
         try {
             String url = IpAndPathConfig.getFaceUrl();
             ArcFaceHelper arcFaceHelper = new ArcFaceHelper();
+            System.err.println(url + bean.getFacePhoto());
             FaceResult faceResult = arcFaceHelper.getFaceFeatures(url + bean.getFacePhoto());
             return R.ok(faceResult);
         } catch (Exception e) {
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/person/controller/WorkPayController.java b/modules/bmw/src/main/java/com/bonus/bmw/person/controller/WorkPayController.java
index 3283936..96020e0 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/person/controller/WorkPayController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/person/controller/WorkPayController.java
@@ -43,6 +43,12 @@ public class WorkPayController {
     @RequiresPermissions("sys:workPay:query")
     public PageTableResponse getList(PageTableRequest request) {
+        // 输入验证:过滤掉可能的恶意字符
+        String keyWord = (String) request.getParams().get("keyWord");
+        if (keyWord != null && !keyWord.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格
+            throw new IllegalArgumentException("Invalid characters in keyWord.");
+        }
+
         String roleLevel = SecurityUtils.getLoginUser().getSysUser().getRoleLevel();
         String subId = SecurityUtils.getLoginUser().getSysUser().getSubId();
         if("4".equals(roleLevel)) {
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/person/service/InOutServiceImpl.java b/modules/bmw/src/main/java/com/bonus/bmw/person/service/InOutServiceImpl.java
index aae033a..fdad7a6 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/person/service/InOutServiceImpl.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/person/service/InOutServiceImpl.java
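Review bot: `System.err.println(url + bean.getFacePhoto())` is a leftover debug print that writes the URL of a person's face photo to stderr on every call, outside the application's logging configuration and retention; replace it with a debug-level logger call — `log.debug("face photo url: {}", url + bean.getFacePhoto());` if the class has a logger — or remove it. The try block it sits in starts and ends outside the hunk.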
@@ -48,19 +48,29 @@ public class InOutServiceImpl implements InOutService {
             params.put("orgAll",childList);
         }*/
+        String orgId = (String) request.getParams().get("orgId");
+        if (orgId != null && !orgId.isEmpty() && !orgId.matches("-?\\d+")) {
+            throw new IllegalArgumentException("非法的 orgId 参数");
+        }
+
+        String status = (String) request.getParams().get("status");
+        if (status != null && !status.isEmpty() && !status.matches("-?\\d+")) {
+            throw new IllegalArgumentException("非法的 status 参数");
+        }
+
         String orgIdStr = SecurityUtils.getLoginUser().getSysUser().getOrgId();
         //不单独去查所有的公司了,只放行一个公司
-        if(!"1".equals(orgIdStr)){
+        if (!"1".equals(orgIdStr)) {
             request.getParams().put("orgId", orgIdStr);
         }
         String roleLevel = SecurityUtils.getLoginUser().getSysUser().getRoleLevel();
         String subId = SecurityUtils.getLoginUser().getSysUser().getSubId();
-        if("4".equals(roleLevel)) {
+        if ("4".equals(roleLevel)) {
             Map params = request.getParams();
             String subId1 = (String) params.get("subId");
-            if(StringUtils.isEmpty(subId1)){
-                params.put("subId",subId);
+            if (StringUtils.isEmpty(subId1)) {
+                params.put("subId", subId);
             }
         }
@@ -84,11 +94,11 @@ public class InOutServiceImpl implements InOutService {
         String roleLevel = SecurityUtils.getLoginUser().getSysUser().getRoleLevel();
         String subId = SecurityUtils.getLoginUser().getSysUser().getSubId();
-        if("4".equals(roleLevel)) {
+        if ("4".equals(roleLevel)) {
             Map params = request.getParams();
             String subId1 = (String) params.get("subId");
-            if(StringUtils.isEmpty(subId1)){
-                params.put("subId",subId);
+            if (StringUtils.isEmpty(subId1)) {
+                params.put("subId", subId);
             }
         }
@@ -114,6 +124,7 @@ public class InOutServiceImpl implements InOutService {
     /**
      * 1.出场时添加当前有效的合同关联,无合同提示不让出场 20240219 fly
      * 2.出场人员是否报了日计划 20240304 fly
+     *
      * @param bean 人员
      * @return 成功 or失败
      */
@@ -122,7 +133,7 @@ public class InOutServiceImpl implements InOutService {
     public R batchPersonOutPlace(BasePersonBean bean) {
         // 逗号分割的idNumber,exitExamineRemark
         String[] split = bean.getIdNumber().split(",");
-        if(bean.getUserId() == 0){
+        if (bean.getUserId() == 0) {
             Long userId = SecurityUtils.getLoginUser().getSysUser().getUserId();
             bean.setUserId(userId);
         }
@@ -133,11 +144,11 @@ public class InOutServiceImpl implements InOutService {
             //查询是否入场了
             InOutSpaceNewBean inOutBean = dao.getPersonIsEinByIdNumber(idNumber);
             //入场并且不是临时人员才检查合同
-            if(inOutBean != null && StringUtils.isNotEmpty(inOutBean.getIdNumber()) && !"0".equals(inOutBean.getSubId()) && !"0".equals(inOutBean.getProId())){
+            if (inOutBean != null && StringUtils.isNotEmpty(inOutBean.getIdNumber()) && !"0".equals(inOutBean.getSubId()) && !"0".equals(inOutBean.getProId())) {
                 String contractId = dao.getContractIdByIdNumber(idNumber);
-                if(StringUtils.isEmpty(contractId)){
+                if (StringUtils.isEmpty(contractId)) {
                     // contractId = "-1";
-                    throw new RuntimeException(idNumber+" 无合同,出场后将无法计算工资,请去补全合同,才能出场");
+                    throw new RuntimeException(idNumber + " 无合同,出场后将无法计算工资,请去补全合同,才能出场");
                 }
                 o.setContractId(contractId);
             }
@@ -171,7 +182,7 @@ public class InOutServiceImpl implements InOutService {
     public R batchPersonOutPlaceList(BasePersonBean bean) {
         // 逗号分割的idNumber,exitExamineRemark
         List BasePersonBeans = bean.getIdNumberList();
-        if(bean.getUserId() == 0){
+        if (bean.getUserId() == 0) {
             Long userId = SecurityUtils.getLoginUser().getSysUser().getUserId();
             bean.setUserId(userId);
         }
@@ -183,11 +194,11 @@ public class InOutServiceImpl implements InOutService {
             //查询是否入场了
             InOutSpaceNewBean inOutBean = dao.getPersonIsEinByIdNumber(idNumber);
             //入场并且不是临时人员才检查合同
-            if(inOutBean != null && StringUtils.isNotEmpty(inOutBean.getIdNumber()) && !"0".equals(inOutBean.getSubId()) && !"0".equals(inOutBean.getProId())){
+            if (inOutBean != null && StringUtils.isNotEmpty(inOutBean.getIdNumber()) && !"0".equals(inOutBean.getSubId()) && !"0".equals(inOutBean.getProId())) {
                 String contractId = dao.getContractIdByIdNumber(idNumber);
-                if(StringUtils.isEmpty(contractId)){
+                if (StringUtils.isEmpty(contractId)) {
                     // contractId = "-1";
-                    throw new RuntimeException(idNumber+" 无合同,出场后将无法计算工资,请去补全合同,才能出场");
+                    throw new RuntimeException(idNumber + " 无合同,出场后将无法计算工资,请去补全合同,才能出场");
                 }
                 o.setContractId(contractId);
             }
@@ -226,17 +237,18 @@ public class InOutServiceImpl implements InOutService {
     /**
      * 出场人员删除考勤机人脸
+     *
      * @param idNumber
      */
     private void dealWithAttendanceMachine(String idNumber) {
         String proId = dao.getProIdByIdNumber(idNumber);
-        if(StringUtils.isNotEmpty(proId)){
+        if (StringUtils.isNotEmpty(proId)) {
             BasePersonBean bean = new BasePersonBean();
             bean.setIdNumber(idNumber);
             List attendanceMachineArr = dao. selectAttendanceMachineArr(proId);
             bean.setOperate(3);
-            if(attendanceMachineArr.size() != 0) {
+            if (attendanceMachineArr.size() != 0) {
                 attendanceMachineArr.forEach(c -> {
                     bean.setAttendanceMachineId(c);
                     dao.insertAttendanceMachinePush(bean);
@@ -252,7 +264,7 @@ public class InOutServiceImpl implements InOutService {
     private void dealWithRedLight(RedLightHisBean rl) {
         //先查到未完结的红灯
         List list = dao.getRedLightByIdNumber(rl.getIdNumber());
-        if(list.size()>0) {
+        if (list.size() > 0) {
             for (RedLightHisBean hisBean : list) {
                 hisBean.setEndTime(DateUtil.now());
             }
@@ -266,7 +278,7 @@ public class InOutServiceImpl implements InOutService {
     private void dealWithFurlough(FurloughHisBean o) {
         //先查到未完结的暂退
         List list = dao.getFurloughByIdNumber(o.getIdNumber());
-        if(list.size()>0){
+        if (list.size() > 0) {
             for (FurloughHisBean hisBean : list) {
                 hisBean.setReworkTime(DateUtil.now());
             }
@@ -281,7 +293,7 @@ public class InOutServiceImpl implements InOutService {
         String[] split = bean.getIdNumber().split(",");
         Long userId = SecurityUtils.getLoginUser().getSysUser().getUserId();
         int x = 0;
-        for (int i = 0;i < split.length; i++){
+        for (int i = 0; i < split.length; i++) {
             BasePersonBean o = new BasePersonBean();
             o.setIdNumber(split[i]);
             o.setExitTime(DateUtils.getTime());
@@ -319,7 +331,7 @@ public class InOutServiceImpl implements InOutService {
     }
     private List basePersonListThread(List list) {
-        list.forEach(c->{
+        list.forEach(c -> {
             Map map = StringUtils.getBirthdayAgeSex(c.getIdNumber());
             String age = map.get("age");
             String sex = map.get("sex");
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/person/service/PersonComprehensiveServiceImp.java b/modules/bmw/src/main/java/com/bonus/bmw/person/service/PersonComprehensiveServiceImp.java
index 920ba3f..4df9864 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/person/service/PersonComprehensiveServiceImp.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/person/service/PersonComprehensiveServiceImp.java
@@ -70,6 +70,12 @@ public class PersonComprehensiveServiceImp implements PersonComprehensiveService
     @Override
     public PageTableResponse selectPersonComprehensiveList(PageTableRequest request) {
+
+        String einStatus = (String) request.getParams().get("einStatus");
+        if (einStatus != null && !einStatus.isEmpty() && !einStatus.matches("-?\\d+")) {
+            throw new IllegalArgumentException("非法的 einStatus 参数");
+        }
+
         Map params = request.getParams();
         String roleLevel = SecurityUtils.getLoginUser().getSysUser().getRoleLevel();
         String subId = SecurityUtils.getLoginUser().getSysUser().getSubId();
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/person/utils/ArcFaceHelper.java b/modules/bmw/src/main/java/com/bonus/bmw/person/utils/ArcFaceHelper.java
index e354e0d..08f43af 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/person/utils/ArcFaceHelper.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/person/utils/ArcFaceHelper.java
@@ -193,7 +193,7 @@ public class ArcFaceHelper {
         String filePath;
         String os = System.getProperty("os.name");
         if(StringUtils.startsWith(os.toLowerCase(), "win")){
-            filePath = "D:\\images\\"+fileName;
+            filePath = "E:\\images\\"+fileName;
         } else {
             filePath = "/data/real_name/faceDetection/"+fileName;
         }
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/planAndRealName/controller/PlanAndRealNameController.java b/modules/bmw/src/main/java/com/bonus/bmw/planAndRealName/controller/PlanAndRealNameController.java
index c570a07..65d73f6 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/planAndRealName/controller/PlanAndRealNameController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/planAndRealName/controller/PlanAndRealNameController.java
@@ -132,6 +132,11 @@ public class PlanAndRealNameController {
     @GetMapping("/getFbListByCacheList")
     @Log(title = "各分包单位情况列表", businessType = BusinessType.SELECT)
     public PageTableResponse getFbListByCacheList(PageTableRequest request) {
+        // 输入验证:过滤掉可能的恶意字符
+        String keyWord = (String) request.getParams().get("keyWord");
+        if (keyWord != null && !keyWord.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格
+            throw new IllegalArgumentException("Invalid characters in keyWord.");
+        }
         return new PageTableHandler(new PageTableHandler.CountHandler() {
             @Override
             public int count(PageTableRequest request) {
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/salary/controller/RedConfirmRecordController.java b/modules/bmw/src/main/java/com/bonus/bmw/salary/controller/RedConfirmRecordController.java
index c7a6385..abea09c 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/salary/controller/RedConfirmRecordController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/salary/controller/RedConfirmRecordController.java
@@ -10,6 +10,11 @@ import com.bonus.common.security.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import javax.annotation.Resource;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
 @RestController
 @RequestMapping(value = "/redConfirmRecord")
@@ -18,29 +23,46 @@ public class RedConfirmRecordController {
     @Resource
     private RedConfirmRecordService service;
-
     @GetMapping(value = "/getList")
     @Log(title = "获取列表", businessType = BusinessType.SELECT)
     @RequiresPermissions("sys:redConfirmRecord:query")
     public PageTableResponse getList(PageTableRequest request) {
-        return new PageTableHandler(new PageTableHandler.CountHandler() {
-            @Override
-            public int count(PageTableRequest request) {
-                return service.getCount(request.getParams());
-            }
-        }, request1 -> service.getList(request1.getParams(), request1.getOffset(), request1.getLimit())).handle(request);
+        Map params = request.getParams();
+        if (params == null) {
+            params = new HashMap<>();
+        }
+
+        // 允许的参数名
+        Set allow = new HashSet<>(Arrays.asList(
+                "subComId", "proId", "startTime", "endTime", "keyWord", "subId"
+        ));
+
+        // 过滤掉所有不在允许列表中的参数(包含 columns[...]、order[...] 等)
+        params.keySet().removeIf(k -> !allow.contains(k));
+
+        return new PageTableHandler(
+                new PageTableHandler.CountHandler() {
+                    @Override
+                    public int count(PageTableRequest request) {
+                        return service.getCount(request.getParams());
+                    }
+                },
+                request1 -> service.getList(request1.getParams(), request1.getOffset(), request1.getLimit())
+        ).handle(request);
     }
     @GetMapping(value = "/getChildList")
     @Log(title = "获取列表", businessType = BusinessType.SELECT)
     @RequiresPermissions("sys:redConfirmRecord:query")
     public PageTableResponse getChildList(PageTableRequest request) {
-        return new PageTableHandler(new PageTableHandler.CountHandler() {
-            @Override
-            public int count(PageTableRequest request) {
-                return service.getChildListCount(request.getParams());
-            }
-        }, request1 -> service.getChildList(request1.getParams(), request1.getOffset(), request1.getLimit())).handle(request);
+        return new PageTableHandler(
+                new PageTableHandler.CountHandler() {
+                    @Override
+                    public int count(PageTableRequest request) {
+                        return service.getChildListCount(request.getParams());
+                    }
+                },
+                request1 -> service.getChildList(request1.getParams(), request1.getOffset(), request1.getLimit())
+        ).handle(request);
     }
-
 }
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/salarystat/controller/SalaryStatController.java b/modules/bmw/src/main/java/com/bonus/bmw/salarystat/controller/SalaryStatController.java
index 645493b..9d7a48c 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/salarystat/controller/SalaryStatController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/salarystat/controller/SalaryStatController.java
@@ -29,6 +29,7 @@ public class SalaryStatController {
     @PostMapping("/getSalaryByProList")
     @Log(title = "已发工资工程统计-查询", businessType = BusinessType.SELECT)
     public PageTableResponse getSalaryByProList(PageTableRequest request){
+
         return service.getSalaryByProList(request);
     }
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/salarystat/service/SalaryStatServiceImpl.java b/modules/bmw/src/main/java/com/bonus/bmw/salarystat/service/SalaryStatServiceImpl.java
index 5c93606..1ac6ddc 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/salarystat/service/SalaryStatServiceImpl.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/salarystat/service/SalaryStatServiceImpl.java
@@ -46,6 +46,13 @@ public class SalaryStatServiceImpl implements SalaryStatService{
     }
     private List getSalaryProList(PageTableRequest request) {
+
+        // 输入验证:过滤掉可能的恶意字符
+        String proName = (String) request.getParams().get("proName");
+        if (proName != null && !proName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格
+            throw new IllegalArgumentException("非法的 proName 参数 ");
+        }
+
         Map params = request.getParams();
         String type = params.get("type").toString();
         List list = null;
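Review bot: In `getList`, when `request.getParams()` is null the freshly created `HashMap` is filtered but never stored back with `request.setParams(params)`, so the count and list handlers still receive the original null map; either set it back (as ProjectGeneralController does in this commit) or drop the branch. The allow-list `Set` is raw-typed and rebuilt on every request; a `private static final Set<String>` constant expresses the same thing once. The getChildList restyle below is a pure reformat and needs nothing.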
@@ -170,6 +177,13 @@ public class SalaryStatServiceImpl implements SalaryStatService{
     @Override
     public PageTableResponse getTemporarySalaryList(PageTableRequest request) {
+
+        // 输入验证:过滤掉可能的恶意字符
+        String proName = (String) request.getParams().get("proName");
+        if (proName != null && !proName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格
+            throw new IllegalArgumentException("非法的 proName 参数 ");
+        }
+
         List list = salaryStatDao.getTemporarySalaryList(request.getParams());
         return new PageTableHandler(c -> list.size(), v -> TableRequest.handleList(list, v)).handle(request);
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/subContractor/controller/SubContractController.java b/modules/bmw/src/main/java/com/bonus/bmw/subContractor/controller/SubContractController.java
index 372cbbf..fc20829 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/subContractor/controller/SubContractController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/subContractor/controller/SubContractController.java
@@ -42,6 +42,12 @@ public class SubContractController {
     @RequiresPermissions("sys:subContract:query")
     public PageTableResponse list(PageTableRequest request) {
+        // 输入验证:过滤掉可能的恶意字符
+        String keyWord = (String) request.getParams().get("keyWord");
+        if (keyWord != null && !keyWord.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格
+            throw new IllegalArgumentException("Invalid characters in keyWord.");
+        }
+
         SelfPermissionSettingUtils.getSelfPermission(request);
         String orgId = (String) request.getParams().get("orgId");
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/subContractor/controller/SubContractorController.java b/modules/bmw/src/main/java/com/bonus/bmw/subContractor/controller/SubContractorController.java
index db5c93f..2622b8b 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/subContractor/controller/SubContractorController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/subContractor/controller/SubContractorController.java
@@ -39,6 +39,16 @@ public class SubContractorController {
     @Log(title = "分包商-list查询", businessType = BusinessType.SELECT)
     @RequiresPermissions("sys:subContractor:query")
     public PageTableResponse listProjects(PageTableRequest request) {
+        // 输入验证:过滤掉可能的恶意字符
+        String subName = (String) request.getParams().get("subName");
+        if (subName != null && !subName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格
+            throw new IllegalArgumentException("Invalid characters in subName.");
+        }
+
+        String legalName = (String) request.getParams().get("legalName");
+        if (legalName != null && !legalName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格
+            throw new IllegalArgumentException("Invalid characters in legalName.");
+        }
         SelfPermissionSettingUtils.getSelfPermission(request);
         String orgId = (String) request.getParams().get("orgId");
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubBlackController.java b/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubBlackController.java
index ffaf277..a32e472 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubBlackController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubBlackController.java
@@ -40,6 +40,13 @@ public class SubBlackController {
     @Log(title = "获取列表", businessType = BusinessType.SELECT)
     @RequiresPermissions("sys:subBlack:query")
     public PageTableResponse getList(PageTableRequest request) {
+
+        // 输入验证:过滤掉可能的恶意字符
+        String keyWord = (String) request.getParams().get("keyWord");
+        if (keyWord != null && !keyWord.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格
+            throw new IllegalArgumentException("Invalid characters in keyWord.");
+        }
+
         return new PageTableHandler(new PageTableHandler.CountHandler() {
             @Override
             public int count(PageTableRequest request) {
diff --git a/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubCertificateStatisticsController.java b/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubCertificateStatisticsController.java
index 1250127..713d893 100644
--- a/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubCertificateStatisticsController.java
+++ b/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubCertificateStatisticsController.java
@@ -15,8 +15,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import javax.annotation.Resource;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 @RestController
 @RequestMapping(value = "/subCertificateStatistics")
@@ -30,15 +29,39 @@ public class SubCertificateStatisticsController { @Log(title = "获取列表", businessType = BusinessType.SELECT) @RequiresPermissions("sys:subCertificateStatistics:query") public PageTableResponse getList(PageTableRequest request) { + + Map params = request.getParams(); + if (params == null) { + params = new HashMap<>(); + request.setParams(params); + } + + // 允许的参数名(按你接口真实使用的填写) + Set allow = new HashSet<>(Arrays.asList( + "keyWord", "certificateName" + )); + + // 过滤掉所有不在允许列表中的参数(包含 columns[...]、order[...] 等) + params.keySet().removeIf(k -> !allow.contains(k)); + // 放回 request(可选) + request.setParams(params); + + + // 输入验证:过滤掉可能的恶意字符 + String keyWord = (String) request.getParams().get("keyWord"); + if (keyWord != null && !keyWord.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in keyWord."); + } + int i = 0 ; String roleLevel = SecurityUtils.getLoginUser().getSysUser().getRoleLevel(); String subId = SecurityUtils.getLoginUser().getSysUser().getSubId(); if("4".equals(roleLevel)) { - Map params = request.getParams(); - String subId1 = (String) params.get("subId"); + Map params1 = request.getParams(); + String subId1 = (String) params1.get("subId"); if(StringUtils.isEmpty(subId1)){ - params.put("subId",subId); + params1.put("subId",subId); } } diff --git a/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubCertificateTypeController.java b/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubCertificateTypeController.java index 5919985..6820513 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubCertificateTypeController.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/subcontract/controller/SubCertificateTypeController.java 
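Review bot: The allow-list `allow` keeps only `keyWord` and `certificateName`, so the `subId` that the code a few lines below still reads via `params1.get("subId")` has already been removed by `removeIf` and is always null; either add `"subId"` to the set or delete the now-dead client-supplied-subId branch, and if paging or ordering values travel in the same map (not visible here) they are stripped as well, which is worth confirming against PageTableRequest. The comment `按你接口真实使用的填写` is a template placeholder that should not ship; `Set allow` and `Map params` are raw types (`Set<String>`, `Map<String, Object>`), the preceding import hunk introduces a wildcard `import java.util.*`, and `request.setParams(params)` is called twice on the same map. If `getParams()` can return an unmodifiable map, `params.keySet().removeIf(...)` throws UnsupportedOperationException — the null-check just above suggests the shape of the map is not guaranteed. The `keyWord` regex check shares the non-ASCII problem raised on SubContractorController. getList continues past the hunk.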
@@ -26,6 +26,11 @@ public class SubCertificateTypeController { @Log(title = "获取列表", businessType = BusinessType.SELECT) @RequiresPermissions("sys:subCertificateType:query") public PageTableResponse getList(PageTableRequest request) { + // 输入验证:过滤掉可能的恶意字符 + String keyWord = (String) request.getParams().get("keyWord"); + if (keyWord != null && !keyWord.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in keyWord."); + } int i = 0 ; return new PageTableHandler(new PageTableHandler.CountHandler() { @Override diff --git a/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubCompareController.java b/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubCompareController.java index 673c373..3584bd0 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubCompareController.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubCompareController.java @@ -35,6 +35,11 @@ public class SubCompareController { @Log(title = "分包商评价-分包商核心人员评价", businessType = BusinessType.SELECT) @RequiresPermissions("sys:SubCompare:query") public PageTableResponse listSubCompany(PageTableRequest request) { + // 输入验证:过滤掉可能的恶意字符 + String subName = (String) request.getParams().get("subName"); + if (subName != null && !subName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in subName."); + } Map params = request.getParams(); String reasonSelect = (String) params.get("reasonSelect"); if(StringUtils.isEmpty(reasonSelect)){ diff --git a/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubEndyearController.java b/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubEndyearController.java index 0712414..d194455 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubEndyearController.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubEndyearController.java 
@@ -35,6 +35,13 @@ public class SubEndyearController { @Log(title = "分包商评价-分包年终评价", businessType = BusinessType.SELECT) @RequiresPermissions("sys:SubEndyear:query") public PageTableResponse listSubCompany(PageTableRequest request) { + + // 输入验证:过滤掉可能的恶意字符 + String subName = (String) request.getParams().get("subName"); + if (subName != null && !subName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in subName."); + } + Map params = request.getParams(); String beginTime = (String) params.get("beginTime"); String year = ""; diff --git a/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubProjectController.java b/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubProjectController.java index a060e98..a416547 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubProjectController.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubProjectController.java @@ -171,6 +171,12 @@ public class SubProjectController { @Log(title = "获取列表", businessType = BusinessType.SELECT) @RequiresPermissions("sys:SubProjectEvaluate:query") public PageTableResponse getList(PageTableRequest request) { + + String subName = (String) request.getParams().get("subName"); + if (subName != null && !subName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in subName."); + } + Map params = request.getParams(); String beginTime = (String) params.get("beginTime"); String year = "",month = ""; diff --git a/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubTeamEvaController.java b/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubTeamEvaController.java index 0f9c3b7..01cfaaa 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubTeamEvaController.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/subeva/controller/SubTeamEvaController.java 
@@ -12,6 +12,7 @@ import com.bonus.common.security.utils.SecurityUtils; import org.springframework.web.bind.annotation.*; import javax.annotation.Resource; +import java.util.Arrays; import java.util.List; import java.util.Map; @@ -30,7 +31,25 @@ public class SubTeamEvaController { @GetMapping @Log(title = "分包商评价-分包商班组评价", businessType = BusinessType.SELECT) public PageTableResponse list(PageTableRequest request) { + + // 处理 DataTables 排序参数 Map params = request.getParams(); + String orderColumn = (String) params.get("orderColumn"); // 假设你从前端拿到的列名 + String orderDir = (String) params.get("orderDir"); // 假设你从前端拿到的排序方向 + + // 白名单校验 + List allowedColumns = Arrays.asList("subComName","proName","payrollName","startDate","stopDate","personNum","userName","updateTime"); + if (!allowedColumns.contains(orderColumn)) { + orderColumn = "updateTime"; // 默认列 + } + if (!"asc".equalsIgnoreCase(orderDir) && !"desc".equalsIgnoreCase(orderDir)) { + orderDir = "asc"; // 默认排序 + } + + // 把处理后的列名和方向重新放回 params + params.put("orderColumn", orderColumn); + params.put("orderDir", orderDir); + return new PageTableHandler(new PageTableHandler.CountHandler() { @Override public int count(PageTableRequest request) { diff --git a/modules/bmw/src/main/java/com/bonus/bmw/team/controller/JobPointSettingController.java b/modules/bmw/src/main/java/com/bonus/bmw/team/controller/JobPointSettingController.java index e279013..f78afdd 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/team/controller/JobPointSettingController.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/team/controller/JobPointSettingController.java 
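Review bot: The sanitised `orderColumn` and `orderDir` are written back under keys that the comments themselves mark as assumptions (`假设你从前端拿到的列名`); the whitelist only protects the SQL if the mapper's ORDER BY reads exactly `params.orderColumn` and `params.orderDir`, so that should be verified against the mapper and the two comments replaced with a statement of the actual contract. `Map params = request.getParams()` is dereferenced without a null check, unlike the SubCertificateStatisticsController hunk in this commit, and `List allowedColumns` is a raw type — `List<String> allowedColumns = Arrays.asList(...)`. If the accepted names are interpolated into SQL as-is, a `Map<String, String>` from request key to column expression would decouple the client-facing names from the schema and make the default explicit as `allowedColumns.getOrDefault(orderColumn, "updateTime")`. list continues past the hunk.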
@@ -68,6 +68,13 @@ public class JobPointSettingController { params.put("subId",subId); } } + + // 输入验证:过滤掉可能的恶意字符 + String keyWord = (String) request.getParams().get("keyWord"); + if (keyWord != null && !keyWord.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in keyWord."); + } + return new PageTableHandler(new PageTableHandler.CountHandler() { @Override public int count(PageTableRequest request) { diff --git a/modules/bmw/src/main/java/com/bonus/bmw/team/controller/NoSignalTeamAttendController.java b/modules/bmw/src/main/java/com/bonus/bmw/team/controller/NoSignalTeamAttendController.java index 45603af..37b4f2c 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/team/controller/NoSignalTeamAttendController.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/team/controller/NoSignalTeamAttendController.java @@ -53,6 +53,11 @@ public class NoSignalTeamAttendController { @Log(title = "无信号班组考勤列表", businessType = BusinessType.SELECT) @RequiresPermissions("sys:noSignalTeamAttend:query") public PageTableResponse listProjects(PageTableRequest request) { + // 输入验证:过滤掉可能的恶意字符 + String keyWord = (String) request.getParams().get("keyWord"); + if (keyWord != null && !keyWord.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in keyWord."); + } String roleLevel = SecurityUtils.getLoginUser().getSysUser().getRoleLevel(); String subId = SecurityUtils.getLoginUser().getSysUser().getSubId(); diff --git a/modules/bmw/src/main/java/com/bonus/bmw/team/controller/NoSignalTeamSetUpController.java b/modules/bmw/src/main/java/com/bonus/bmw/team/controller/NoSignalTeamSetUpController.java index 5fcb681..628cd81 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/team/controller/NoSignalTeamSetUpController.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/team/controller/NoSignalTeamSetUpController.java 
@@ -34,6 +34,12 @@ public class NoSignalTeamSetUpController { @RequiresPermissions("sys:noSignalTeamSetUp:query") public PageTableResponse listProjects(PageTableRequest request) { + // 输入验证:过滤掉可能的恶意字符 + String keyWord = (String) request.getParams().get("keyWord"); + if (keyWord != null && !keyWord.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in keyWord."); + } + String roleLevel = SecurityUtils.getLoginUser().getSysUser().getRoleLevel(); String subId = SecurityUtils.getLoginUser().getSysUser().getSubId(); if("4".equals(roleLevel)) { diff --git a/modules/bmw/src/main/java/com/bonus/bmw/temporaryEmployment/service/TemporaryEmploymentServiceImpl.java b/modules/bmw/src/main/java/com/bonus/bmw/temporaryEmployment/service/TemporaryEmploymentServiceImpl.java index dec1a6e..fed2cfb 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/temporaryEmployment/service/TemporaryEmploymentServiceImpl.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/temporaryEmployment/service/TemporaryEmploymentServiceImpl.java @@ -30,6 +30,10 @@ public class TemporaryEmploymentServiceImpl implements TemporaryEmploymentServic @Override public PageTableResponse list(PageTableRequest request) { + String status = (String) request.getParams().get("status"); + if (status != null && !status.isEmpty() && !status.matches("-?\\d+")) { + throw new IllegalArgumentException("非法的 status 参数"); + } SelfPermissionSettingUtils.getSelfPermission(request); diff --git a/modules/bmw/src/main/java/com/bonus/bmw/whiteBlackList/controller/SupplyChainBlackListController.java b/modules/bmw/src/main/java/com/bonus/bmw/whiteBlackList/controller/SupplyChainBlackListController.java index 2eea47a..51875eb 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/whiteBlackList/controller/SupplyChainBlackListController.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/whiteBlackList/controller/SupplyChainBlackListController.java 
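Review bot: In TemporaryEmploymentServiceImpl.list, `status.matches("-?\\d+")` admits exactly one integer, so if this service's mapper expands `params.status` into an `IN (...)` clause — this commit touches exactly such a clause, `exit_status in (#{params.status})`, in InOutMapper.xml, though whether this service uses it is not visible here — a multi-select filter such as `1,2` is now rejected. Either widen the pattern to a comma-separated list, `-?\\d+(,-?\\d+)*`, and bind it with `<foreach>` in the mapper, or parse it into a typed value here so the mapper never sees a raw string. As in the controller hunks, an `IllegalArgumentException` thrown from the service layer likely surfaces as a 500 unless an advice maps it. list continues past the hunk.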
@@ -54,6 +54,34 @@ public class SupplyChainBlackListController { @Log(title = "黑名单统计-list查询", businessType = BusinessType.SELECT) @RequiresPermissions("sys:blackList:query") public PageTableResponse getBlackList(PageTableRequest request) { + // 输入验证:过滤掉可能的恶意字符 + String event = (String) request.getParams().get("event"); + if (event != null && !event.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in event."); + } + + String idNumber = (String) request.getParams().get("idNumber"); + if (idNumber != null && !idNumber.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in idNumber."); + } + + + String name = (String) request.getParams().get("name"); + if (name != null && !name.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in name."); + } + + String proName = (String) request.getParams().get("proName"); + if (proName != null && !proName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in proName."); + } + + String subName = (String) request.getParams().get("subName"); + if (subName != null && !subName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in subName."); + } + + return new PageTableHandler(new PageTableHandler.CountHandler() { @Override public int count(PageTableRequest request) { diff --git a/modules/bmw/src/main/java/com/bonus/bmw/whiteBlackList/controller/ViolationBlackListController.java b/modules/bmw/src/main/java/com/bonus/bmw/whiteBlackList/controller/ViolationBlackListController.java index ec25479..c24d7bc 100644 --- a/modules/bmw/src/main/java/com/bonus/bmw/whiteBlackList/controller/ViolationBlackListController.java +++ b/modules/bmw/src/main/java/com/bonus/bmw/whiteBlackList/controller/ViolationBlackListController.java 
@@ -52,6 +52,34 @@ public class ViolationBlackListController { @Log(title = "违规黑名单-list查询", businessType = BusinessType.SELECT) // @RequiresPermissions("sys:personTrain:query") public PageTableResponse getViolationBlackList(PageTableRequest request) { + + // 输入验证:过滤掉可能的恶意字符 + String event = (String) request.getParams().get("event"); + if (event != null && !event.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in event."); + } + + String idNumber = (String) request.getParams().get("idNumber"); + if (idNumber != null && !idNumber.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in idNumber."); + } + + + String name = (String) request.getParams().get("name"); + if (name != null && !name.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in name."); + } + + String proName = (String) request.getParams().get("proName"); + if (proName != null && !proName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in proName."); + } + + String subName = (String) request.getParams().get("subName"); + if (subName != null && !subName.matches("[a-zA-Z0-9\\s]*")) { // 只允许字母、数字和空格 + throw new IllegalArgumentException("Invalid characters in subName."); + } + return new PageTableHandler(new PageTableHandler.CountHandler() { @Override public int count(PageTableRequest request) { diff --git a/modules/bmw/src/main/resources/mapper/basic/ProjectMapper.xml b/modules/bmw/src/main/resources/mapper/basic/ProjectMapper.xml index ca68d51..728b2cf 100644 --- a/modules/bmw/src/main/resources/mapper/basic/ProjectMapper.xml +++ b/modules/bmw/src/main/resources/mapper/basic/ProjectMapper.xml 
@@ -51,7 +51,7 @@ LEFT JOIN bm_sub_contract bsc on bsc.pro_id = bp.id and bsc.is_active = '1' WHERE bp.is_active = 1 - AND bp.company_id in (${params.orgAll}) + AND bp.company_id in (#{params.orgAll}) AND bp.company_id = #{params.orgId} @@ -83,13 +83,13 @@ LEFT JOIN bm_sub_contract bsc on bsc.pro_id = bp.id and bsc.is_active = '1' WHERE bp.is_active = 1 - AND bp.company_id in (${params.orgAll}) + AND bp.company_id in (#{params.orgAll}) AND bp.company_id = #{params.orgId} - AND bp.project_general_id in (${params.generalProId}) + AND bp.project_general_id in (#{params.generalProId}) AND bsc.sub_id = #{params.subId} diff --git a/modules/bmw/src/main/resources/mapper/person/FaceContrastNewMapper.xml b/modules/bmw/src/main/resources/mapper/person/FaceContrastNewMapper.xml index bc5b9de..f026c82 100644 --- a/modules/bmw/src/main/resources/mapper/person/FaceContrastNewMapper.xml +++ b/modules/bmw/src/main/resources/mapper/person/FaceContrastNewMapper.xml @@ -30,7 +30,7 @@ FROM ( SELECT id,`name` FROM bm_project_general WHERE is_active = '1' - and id in (${params.subComId}) + and id in (#{params.subComId}) ) pm LEFT JOIN bm_project bp ON bp.project_general_id = pm.id and bp.is_active = '1' @@ -55,7 +55,7 @@ FROM ( SELECT id, `name` FROM bm_project_general WHERE is_active = '1' - and id in (${params.subComId}) + and id in (#{params.subComId}) ) pm LEFT JOIN bm_project bp ON bp.project_general_id = pm.id @@ -115,7 +115,7 @@ bm_project_general WHERE IS_ACTIVE = '1' - and id in (${params.subComId}) + and id in (#{params.subComId}) @@ -722,7 +722,7 @@ FROM ( SELECT id,`name` FROM bm_project_general WHERE is_active = '1' - and id in (${params.subComId}) + and id in (#{params.subComId}) ) pm LEFT JOIN bm_project bp ON bp.project_general_id = pm.id and bp.is_active = '1' diff --git a/modules/bmw/src/main/resources/mapper/person/InOutMapper.xml b/modules/bmw/src/main/resources/mapper/person/InOutMapper.xml index 51cdc70..ed5e512 100644 
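Review bot: Replacing `${params.orgAll}` with `#{params.orgAll}` inside `IN (...)` closes the injection but changes the query: `#{}` binds the whole value as one JDBC parameter, so a comma-separated id list arrives as a single string and `company_id IN (?)` matches at most one row (MySQL, which the backtick quoting suggests, compares a numeric column against `'1,2,3'` by silently casting it to 1). The list has to be expanded element by element, `<foreach collection="params.orgAll" item="id" open="(" separator="," close=")">#{id}</foreach>`, with the Java side passing a List (or `collection="params.orgAll.split(',')"` if the value stays a String); the `<if>` wrappers around these clauses appear to have been stripped by rendering, so I cannot see whether an empty list is guarded. The same substitution is made for `params.generalProId` in the second hunk of this file, `params.subComId` in FaceContrastNewMapper.xml, `params.status` in InOutMapper.xml, `params.einStatus` in PersonComprehensiveMapper.xml, and `params.orgAll`, `params.proId` and `proId` in JobPointMapper.xml; each needs the same `<foreach>` treatment.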
--- a/modules/bmw/src/main/resources/mapper/person/InOutMapper.xml +++ b/modules/bmw/src/main/resources/mapper/person/InOutMapper.xml @@ -15,7 +15,7 @@ and bp.id = #{params.proId} - and bweh.exit_status in (${params.status}) + and bweh.exit_status in (#{params.status}) and bweh.is_force = #{params.isForce} diff --git a/modules/bmw/src/main/resources/mapper/person/PersonComprehensiveMapper.xml b/modules/bmw/src/main/resources/mapper/person/PersonComprehensiveMapper.xml index bbeb99d..17a3bb2 100644 --- a/modules/bmw/src/main/resources/mapper/person/PersonComprehensiveMapper.xml +++ b/modules/bmw/src/main/resources/mapper/person/PersonComprehensiveMapper.xml @@ -476,7 +476,7 @@ and bw.ein_status = 0 - and bweh.exit_status in (${params.einStatus}) + and bweh.exit_status in (#{params.einStatus}) @@ -1213,7 +1213,7 @@ and bw.ein_status = 0 - and bweh.exit_status in (${params.einStatus}) + and bweh.exit_status in (#{params.einStatus}) GROUP BY diff --git a/modules/bmw/src/main/resources/mapper/team/JobPointMapper.xml b/modules/bmw/src/main/resources/mapper/team/JobPointMapper.xml index e5e24d2..f96a97f 100644 --- a/modules/bmw/src/main/resources/mapper/team/JobPointMapper.xml +++ b/modules/bmw/src/main/resources/mapper/team/JobPointMapper.xml @@ -36,7 +36,7 @@ @@ -65,7 +65,7 @@ ) a - AND a.orgId in (${params.orgAll}) + AND a.orgId in (#{params.orgAll}) AND a.orgId = #{params.orgId} @@ -112,7 +112,7 @@ ) a - AND a.orgId in (${params.orgAll}) + AND a.orgId in (#{params.orgAll}) AND a.orgId = #{params.orgId} @@ -140,7 +140,7 @@ LEFT JOIN bm_sub_team bst ON bst.id = bts.team_id and bst.is_active= '1' WHERE bps.is_active= '1' - and bp.id in (${params.proId}) + and bp.id in (#{params.proId}) GROUP BY bps.id @@ -160,7 +160,7 @@ LEFT JOIN bm_sub_team bst ON bst.id = bts.team_id and bst.is_active= '1' WHERE bps.is_active= '1' - and bp.id in (${params.proId}) + and bp.id in (#{params.proId}) GROUP BY bps.id 
@@ -174,7 +174,7 @@ FROM bm_project WHERE - id IN ( ${proId} ) + id IN ( #{proId} ) ',j=f.sSearch;j=j.match(/_INPUT_/)?j.replace("_INPUT_",i):j+i;var k=a("