漏洞修复

2025-08-24 14:49:16 +08:00 · 2025-08-24 14:49:12 +08:00
2 changed files with 72 additions and 120 deletions
--- a/src/main/java/com/bonus/gs/sub/evaluate/manager/config/WebMvcConfig.java
+++ b/src/main/java/com/bonus/gs/sub/evaluate/manager/config/WebMvcConfig.java
@ -25,6 +25,7 @@ public class WebMvcConfig implements WebMvcConfigurer {
 	 *
 	 * @return
 	 */
+/*
 	@Bean
 	public WebMvcConfigurer corsConfigurer() {
 		return new WebMvcConfigurer() {
@ -34,6 +35,7 @@ public class WebMvcConfig implements WebMvcConfigurer {
 			}
 		};
 	}
+*/

 	/**
 	 * datatable分页解析
--- a/src/main/resources/static/login.html
+++ b/src/main/resources/static/login.html
@ -5,96 +5,76 @@
 	<meta http-equiv="Pragma" content="no-cache">
 	<meta http-equiv="Cache-Control" content="no-cache">
 	<meta http-equiv="Expires" content="0">
-	<title>登录 - 分包评价系统</title>
+	<title>登录</title>
 	<link href="css/login.css" type="text/css" rel="stylesheet">
-	<style>
-		.csrf-info {
-			background-color: #f8f9fa;
-			border-left: 4px solid #007bff;
-			padding: 10px 15px;
-			margin: 15px 0;
-			font-size: 14px;
-			display: none;
-		}
-		.csrf-token-field {
-			display: none;
-		}
-	</style>
 </head>
 <body>
+
 <div class="login">
 	<div class="message">分包评价</div>
 	<div id="darkbannerwrap"></div>

-	<div class="csrf-info" id="csrfInfo">
-		<strong>安全提示:</strong> 此表单包含CSRF保护令牌，防止跨站请求伪造攻击。
-	</div>
-
 	<form id="login-form" method="post" onsubmit="return false;">
-		<input id="username" name="username" placeholder="用户名" type="text" autocomplete="off">
+		<input id="username" name="username" placeholder="用户名" type="text"
+			   autocomplete="off">
 		<hr class="hr15">
-		<input id="password" name="password" placeholder="密码" type="password" autocomplete="off">
+		<input id="password" name="password" placeholder="密码" type="password"
+			   autocomplete="off">
 		<hr class="hr15">
-		<!-- CSRF令牌字段 -->
-		<input type="hidden" id="csrfToken" name="csrfToken" value="">
-		<button style="width: 100%;" type="submit" onclick="login(this)">登录</button>
+		<button style="width: 100%;" type="submit"
+				onclick="login(this)">登录</button>
 		<hr class="hr20">
 		<span id="info" style="color: red"></span>
 	</form>
+
+
 </div>

+</body>
 <script src="js/libs/jquery-2.1.1.min.js"></script>
 <script src="js/publicJs.js"></script>
 <script src="layui/layui.js"></script>
 <script src="layui/crypto-js.min.js"></script>

 <script type="text/javascript">
-	// 页面加载时获取CSRF令牌
-	document.addEventListener('DOMContentLoaded', function() {
-		fetchCSRFToken();
-	});
-
-	// 获取CSRF令牌
-	function fetchCSRFToken() {
-		$.ajax({
-			type: 'get',
-			url: ctxPath + '/csrf/token',
-			success: function(data) {
-				if (data && data.token) {
-					$('#csrfToken').val(data.token);
-					$('#csrfInfo').show();
-				}
-			},
-			error: function() {
-				// 如果获取令牌失败，生成一个客户端令牌作为备用
-				var clientToken = generateClientToken();
-				$('#csrfToken').val(clientToken);
-			}
-		});
-	}
-
-	// 生成客户端CSRF令牌
-	function generateClientToken() {
-		var timestamp = new Date().getTime();
-		var random = Math.random().toString(36).substring(2);
-		return CryptoJS.SHA256(timestamp + random).toString();
-	}
-
-	// 原有代码保持不变
+	// if (top != self) {
+	// 	parent.location.href = '/GsSubEvaluate/login.html';
+	// }
+	// 获取查询参数
 	let urlParams = new URLSearchParams(window.location.search);
-	let tokens = urlParams.get('tokens');
+	let tokens = urlParams.get('tokens');  // 假设 URL 为 https://example.com/path?query=1
 	let loginName = urlParams.get('loginName');
-
 	if(tokens && tokens!=='undefined'){
 		tokenVerify(tokens,loginName);
 	}

+	// var token = localStorage.getItem("token");
+	// if (token != null && token.trim().length != 0) {
+	// 	$.ajax({
+	// 		type : 'get',
+	// 		url : ctxPath + '/users/current?token=' + token,
+	// 		success : function(data) {
+	// 			location.href = ctxPath + '/index.html';
+	// 		},
+	// 		error : function(xhr, textStatus, errorThrown) {
+	// 			var msg = xhr.responseText;
+	// 			var response = JSON.parse(msg);
+	// 			var code = response.code;
+	// 			var message = response.message;
+	// 			if (code == 401) {
+	// 				localStorage.removeItem("token");
+	// 			}
+	// 		}
+	// 	});
+	// }
+
 	function tokenVerify(tokens,loginName) {
 		$.ajax({
 			type : 'post',
 			url : ctxPath + '/users/tokenVerify',
 			data : {tokens:tokens,loginName:loginName},
 			success : function(data) {
+				// debugger;
 				let res = data.res;
 				layer.msg(data.resMsg);
 				if(res === 1) {
@ -104,31 +84,20 @@
 				}
 			},
 			error : function(xhr, textStatus, errorThrown) {
-				// 错误处理
+
 			}
 		});
 	}

 	function login_2(username,password) {
-		// 确保有CSRF令牌
-		if (!$('#csrfToken').val()) {
-			fetchCSRFToken();
-			setTimeout(function() {
-				login_2(username, password);
-			}, 100);
-			return;
-		}
-
 		$.ajax({
 			type : 'post',
 			url : ctxPath + '/login',
-			data: {
-				username: username,
-				password: password,
-				csrfToken: $('#csrfToken').val()
-			},
+			data : {username:username,password:password},
 			success : function(data) {
+				// debugger;
 				localStorage.setItem("token", data.token);
+				localStorage.setItem("roleName", data.loginUser.roleName);
 				localStorage.setItem("loginUser", JSON.stringify(data.loginUser));
 				location.href = ctxPath + '/index.html';
 			},
@ -136,48 +105,36 @@
 				var msg = xhr.responseText;
 				var response = JSON.parse(msg);
 				$("#info").html(response.message);
+				$(obj).attr("disabled", false);
 			}
 		});
 	}
-
 	// AES加密函数
 	function encryptData(data, key) {
 		const keyHex = CryptoJS.enc.Utf8.parse(key);
-		const ivHex = CryptoJS.enc.Utf8.parse(key.substring(0, 16));
+		const ivHex = CryptoJS.enc.Utf8.parse(key.substring(0, 16)); // 使用密钥前16位作为IV
 		return CryptoJS.AES.encrypt(data, keyHex, {
 			iv: ivHex,
 			mode: CryptoJS.mode.CBC,
 			padding: CryptoJS.pad.Pkcs7
 		}).toString();
 	}
-
 	function login(obj) {
 		$(obj).attr("disabled", true);

 		var username = $.trim($('#username').val());
 		var password = $.trim($('#password').val());
-
 		if (username == "" || password == "") {
 			$("#info").html('用户名或者密码不能为空');
 			$(obj).attr("disabled", false);
 		} else {
-			// 确保有CSRF令牌
-			if (!$('#csrfToken').val()) {
-				fetchCSRFToken();
-				setTimeout(function() {
-					login(obj);
-				}, 100);
-				return;
-			}
-
-			// 加密密钥
+			// 加密密钥（需与后端一致）
 			var secretKey = "zhgd@bonus@zhgd@bonus@1234567890";

 			// 加密用户名和密码
 			var encryptedData = {
 				username: encryptData(username, secretKey),
 				password: encryptData(password, secretKey),
-				csrfToken: $('#csrfToken').val()
 			};

 			$.ajax({
@ -185,28 +142,21 @@
 				url : ctxPath + '/login',
 				data : encryptedData,
 				success : function(data) {
+					// debugger;
 					localStorage.setItem("token", data.token);
+					//	localStorage.setItem("roleName", data.loginUser.roleName);
 					localStorage.setItem("loginUser", JSON.stringify(data.loginUser));
 					location.href = ctxPath + '/index.html';
 				},
 				error : function(xhr, textStatus, errorThrown) {
 					var msg = xhr.responseText;
-					try {
 					var response = JSON.parse(msg);
 					$("#info").html(response.message);
-
-						// 如果错误是由于CSRF令牌无效，重新获取令牌
-						if (response.code === 403 && response.message.includes("CSRF")) {
-							fetchCSRFToken();
-						}
-					} catch(e) {
-						$("#info").html("登录失败，请重试");
-					}
 					$(obj).attr("disabled", false);
 				}
 			});
+
 		}
 	}
 </script>
-</body>
 </html>
Author	SHA1	Message	Date
liang.chao	989c4203e2	漏洞修复	2025-08-24 14:49:16 +08:00
liang.chao	4e75566cad	漏洞修复	2025-08-24 14:49:12 +08:00