Commit 12ad80d539b4bf27aee4121d8d717eca92d4490e

Authored by zhangdaiscott
1 parent 5d093cb5

表字典接口存在SQL注入漏洞,增加签名拦截器 自定义组件验签失败 issues/I3XNK1

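--- a/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/config/sign/util/HttpUtils.java
+++ b/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/config/sign/util/HttpUtils.java
@@ -1,10 +1,5 @@
 package org.jeecg.config.sign.util;
 
-import com.alibaba.fastjson.JSONObject;
-import org.jeecg.common.util.oConvertUtils;
-import org.springframework.http.HttpMethod;
-
-import javax.servlet.http.HttpServletRequest;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
@@ -15,12 +10,21 @@ import java.util.Map;
 import java.util.SortedMap;
 import java.util.TreeMap;
 
+import javax.servlet.http.HttpServletRequest;
+
+import lombok.extern.slf4j.Slf4j;
+import org.jeecg.common.util.oConvertUtils;
+import org.springframework.http.HttpMethod;
+
+import com.alibaba.fastjson.JSONObject;
+
 /**
 * http 工具类 获取请求中的参数
 *
 * @author jeecg
 * @date 20210621
 */
+@Slf4j
 public class HttpUtils {
 
 /**
@@ -36,7 +40,10 @@ public class HttpUtils {
 // 获取URL上最后带逗号的参数变量 sys/dict/getDictItems/sys_user,realname,username
 String pathVariable = request.getRequestURI().substring(request.getRequestURI().lastIndexOf("/") + 1);
 if (pathVariable.contains(",")) {
-result.put(SignUtil.xPathVariable, pathVariable);
+log.info(" pathVariable: {}",pathVariable);
+String deString = URLDecoder.decode(pathVariable, "UTF-8");
+log.info(" pathVariable decode: {}",deString);
+result.put(SignUtil.xPathVariable, deString);
 }
 // 获取URL上的参数
 Map<String, String> urlParams = getUrlParams(request);
@@ -71,7 +78,10 @@ public class HttpUtils {
 // 获取URL上最后带逗号的参数变量 sys/dict/getDictItems/sys_user,realname,username
 String pathVariable = url.substring(url.lastIndexOf("/") + 1);
 if (pathVariable.contains(",")) {
-result.put(SignUtil.xPathVariable, pathVariable);
+log.info(" pathVariable: {}",pathVariable);
+String deString = URLDecoder.decode(pathVariable, "UTF-8");
+log.info(" pathVariable decode: {}",deString);
+result.put(SignUtil.xPathVariable, deString);
 }
 // 获取URL上的参数
 Map<String, String> urlParams = getUrlParams(queryString);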