From 2c97ee5f2c4be45621d1c466f2172b6144e214f1 Mon Sep 17 00:00:00 2001
From: ZY <zc857179121@qq.com>
Date: 星期一, 28 十月 2024 10:43:55 +0800
Subject: [PATCH] sql注入漏洞
---
src/main/java/com/zy/common/config/AdminInterceptor.java | 74 +++++++++++++++++++++++++++++--------
1 files changed, 58 insertions(+), 16 deletions(-)
diff --git a/src/main/java/com/zy/common/config/AdminInterceptor.java b/src/main/java/com/zy/common/config/AdminInterceptor.java
index a727bce..c947fa0 100644
--- a/src/main/java/com/zy/common/config/AdminInterceptor.java
+++ b/src/main/java/com/zy/common/config/AdminInterceptor.java
@@ -2,12 +2,15 @@
import com.alibaba.fastjson.JSON;
import com.baomidou.mybatisplus.mapper.EntityWrapper;
-import com.zy.common.utils.Http;
-import com.zy.system.entity.*;
-import com.zy.system.service.*;
+import com.core.annotations.AppAuth;
import com.core.annotations.ManagerAuth;
import com.core.common.BaseRes;
import com.core.common.Cools;
+import com.zy.common.properties.SystemProperties;
+import com.zy.common.utils.Http;
+import com.zy.common.utils.SqlInjectionUtils;
+import com.zy.system.entity.*;
+import com.zy.system.service.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.lang.Nullable;
@@ -19,6 +22,8 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.Method;
+import java.util.Date;
+import java.util.Map;
/**
* Created by vincent on 2019-06-13
@@ -47,28 +52,44 @@
}
// super璐﹀彿
String token = request.getHeader("token");
- if (token!=null) {
+ if (token != null) {
String deToken = Cools.deTokn(token, superPwd);
- if (deToken!=null){
+ if (deToken != null) {
long timestamp = Long.parseLong(deToken.substring(0, 13));
// 1澶╁悗杩囨湡
- if (System.currentTimeMillis() - timestamp > 86400000){
+ if (System.currentTimeMillis() - timestamp > 86400000) {
Http.response(response, BaseRes.DENIED);
return false;
}
if ("super".equals(deToken.substring(13))) {
request.setAttribute("userId", 9527);
+ Map<String, String[]> parameterMap = request.getParameterMap();
+ if (!Cools.isEmpty(parameterMap) && SqlInjectionUtils.check(JSON.toJSONString(parameterMap))) {
+ Http.response(response, "sql娉ㄥ叆锛岃姝h璁块棶");
+ return false;
+ }
return true;
}
}
}
+ // 鐧藉悕鍗�
+// if (IpTools.gainRealIp(request).equals("127.0.0.1")) {
+// request.setAttribute("userId", 9527);
+// return true;
+// }
// 璺ㄥ煙璁剧疆
// response.setHeader("Access-Control-Allow-Origin", "*");
HandlerMethod handlerMethod = (HandlerMethod) handler;
Method method = handlerMethod.getMethod();
- if (method.isAnnotationPresent(ManagerAuth.class)){
+ if (method.isAnnotationPresent(AppAuth.class)) {
+ AppAuth annotation = method.getAnnotation(AppAuth.class);
+ if (annotation.value().equals(AppAuth.Auth.CHECK)) {
+ request.setAttribute("appAuth", annotation.memo());
+ }
+ }
+ if (method.isAnnotationPresent(ManagerAuth.class)) {
ManagerAuth annotation = method.getAnnotation(ManagerAuth.class);
- if (annotation.value().equals(ManagerAuth.Auth.CHECK)){
+ if (annotation.value().equals(ManagerAuth.Auth.CHECK)) {
return check(request, response, annotation.memo());
}
}
@@ -85,19 +106,24 @@
}
}
+ @Override
+ public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, @Nullable Exception ex) throws Exception {
+// Object r = request.getAttribute("cool-response");
+ }
+
private boolean check(HttpServletRequest request, HttpServletResponse response, String memo) {
try {
String token = request.getHeader("token");
UserLogin userLogin = userLoginService.selectOne(new EntityWrapper<UserLogin>().eq("token", token));
- if (null == userLogin){
+ if (null == userLogin) {
Http.response(response, BaseRes.DENIED);
return false;
}
User user = userService.selectById(userLogin.getUserId());
- String deToken = Cools.deTokn(token, user.getPassword());
- long timestamp = Long.parseLong(deToken.substring(0, 13));
- // 1澶╁悗杩囨湡
- if (System.currentTimeMillis() - timestamp > 86400000){
+// String deToken = Cools.deTokn(token, user.getPassword());
+// long timestamp = Long.parseLong(deToken.substring(0, 13));
+ // 15鍒嗛挓鍚庤繃鏈� 涓�澶�
+ if (System.currentTimeMillis() - userLogin.getCreateTime().getTime() > 86400000) {
Http.response(response, BaseRes.DENIED);
return false;
}
@@ -106,19 +132,34 @@
Http.response(response, BaseRes.LIMIT);
return false;
}
+ Map<String, String[]> parameterMap = request.getParameterMap();
+ if (!Cools.isEmpty(parameterMap) && SqlInjectionUtils.check(JSON.toJSONString(parameterMap))) {
+ Http.response(response, "sql娉ㄥ叆锛岃姝h璁块棶");
+ return false;
+ }
+
// 璇锋眰缂撳瓨
request.setAttribute("userId", user.getId());
+ // 鏇存柊 token 鏈夋晥鏈�
+ userLogin.setCreateTime(new Date());
+ userLoginService.updateById(userLogin);
// 鎿嶄綔鏃ュ織
if (!Cools.isEmpty(memo)) {
+ // 杩涜婵�娲诲垽鏂�
+ if (!SystemProperties.SYSTEM_ACTIVATION) {
+ Http.response(response, BaseRes.NO_ACTIVATION);
+ return false;
+ }
+ // 璁板綍鎿嶄綔鏃ュ織
OperateLog operateLog = new OperateLog();
- operateLog.setAction(Cools.isEmpty(memo)?request.getRequestURI():memo);
+ operateLog.setAction(Cools.isEmpty(memo) ? request.getRequestURI() : memo);
operateLog.setIp(request.getRemoteAddr());
operateLog.setUserId(user.getId());
operateLog.setRequest(JSON.toJSONString(request.getParameterMap()));
request.setAttribute("operateLog", operateLog);
}
return true;
- } catch (Exception e){
+ } catch (Exception e) {
Http.response(response, BaseRes.DENIED);
return false;
}
@@ -127,6 +168,7 @@
/**
* 鏉冮檺鎷︽埅
+ *
* @return false:鏃犳潈闄�; true:璁よ瘉閫氳繃
*/
private boolean limit(String action, User user) {
@@ -144,7 +186,7 @@
/**
* 璺ㄥ煙
*/
- private void cors(HttpServletResponse response){
+ public static void cors(HttpServletResponse response) {
// 璺ㄥ煙璁剧疆
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Credentials", "true");
--
Gitblit v1.9.1