From 5d18cd233f726f6c32b470f10ed89c48ba2d527b Mon Sep 17 00:00:00 2001
From: cheney <1251790704@qq.com>
Date: Thu, 18 Jul 2024 10:27:12 +0800
Subject: [PATCH] =?UTF-8?q?xss=E4=BF=AE=E6=94=B9=E3=80=81=E6=A0=8F?=
=?UTF-8?q?=E7=9B=AE=E6=96=87=E7=AB=A0=E7=BC=93=E5=AD=98=E6=B7=BB=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
pom.xml | 30 +++++++++++++++++++
.../filter/XssHttpServletRequestWrapper.java | 18 +++++++----
.../huoran/iasf/common/shiro/ShiroConfig.java | 4 +--
.../java/com/huoran/iasf/common/utils/R.java | 6 +++-
.../iasf/controller/SysColumnController.java | 11 +++++--
.../iasf/controller/SysContentController.java | 7 ++++-
.../controller/SysContentFileController.java | 4 +--
.../iasf/controller/SysFilesController.java | 4 +--
.../huoran/iasf/service/SysColumnService.java | 3 +-
.../service/impl/SysColumnServiceImpl.java | 9 ++++++
.../service/impl/SysFilesServiceImpl.java | 13 ++++++++
.../huoran/iasf/vo/resp/DeptRespNodeVO.java | 5 +++-
.../com/huoran/iasf/vo/resp/HomeRespVO.java | 5 +++-
.../com/huoran/iasf/vo/resp/LoginRespVO.java | 5 +++-
.../iasf/vo/resp/PageContentRespVO.java | 5 +++-
.../iasf/vo/resp/PermissionRespNode.java | 5 +++-
.../huoran/iasf/vo/resp/SortColumnRespVO.java | 4 ++-
.../huoran/iasf/vo/resp/UserInfoRespVO.java | 6 +++-
.../com/huoran/iasf/vo/resp/UserListResp.java | 6 +++-
.../iasf/vo/resp/UserOwnRoleRespVO.java | 5 +++-
src/main/resources/application-dev.yml | 9 +++---
21 files changed, 133 insertions(+), 31 deletions(-)
diff --git a/pom.xml b/pom.xml
index 3218cb6..08c123d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -291,6 +291,36 @@
true
+
+
+
+
+ net.roseboy
+ classfinal-maven-plugin
+ 1.2.1
+
+
+ #
+
+ com.huoran.iasf
+
+ *.properties,*.yml
+ org.spring
+
+
+
+
+ FDDEF78DF2FC3D09D733CBEAB15C3AEFD41D8CD98F00B204E9800998ECF8427ED41D8CD98F00B204E9800998ECF8427E
+
+
+
+ package
+
+ classFinal
+
+
+
+
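Review bot: The 96-character hex literal added to the classfinal-maven-plugin configuration is a credential-like value committed to source control in plain text; its enclosing element tags are not visible in this hunk, but if it is the plugin's password or machine-binding code it should come from a build property (e.g. `${classfinal.password}` — placeholder, constructed) or the CI environment rather than the pom. Encrypting `*.properties,*.yml` at build time is also not a substitute for keeping data-source credentials out of those files, since the agent decrypts them for the running application. This plugin addition is not mentioned in the commit subject; a sentence in the commit message explaining why the build now encrypts the artifact would help the next maintainer.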
diff --git a/src/main/java/com/huoran/iasf/common/filter/XssHttpServletRequestWrapper.java b/src/main/java/com/huoran/iasf/common/filter/XssHttpServletRequestWrapper.java
index 3cfbd7d..db5731c 100644
--- a/src/main/java/com/huoran/iasf/common/filter/XssHttpServletRequestWrapper.java
+++ b/src/main/java/com/huoran/iasf/common/filter/XssHttpServletRequestWrapper.java
@@ -146,11 +146,19 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
public ServletInputStream getInputStream() throws IOException {
// 非文件上传进行过滤
if (!fileUpload) {
- // 获取body中的请求参数
- JSONObject json = JSONObject.parseObject(new String(body));
- // 校验并过滤xss攻击和sql注入
- for (String k : json.keySet()) {
- cleanSQLInject(cleanXSS(json.getString(k)));
+
+ try {
+ // 解析请求体为字符串
+ String bodyStr = new String(body, StandardCharsets.UTF_8);
+
+ // 清理HTML,只允许安全的元素和属性
+ Safelist safelist = Safelist.basicWithImages(); // 自定义safelist
+ String safeHtml = Jsoup.clean(bodyStr, "", safelist, new Document.OutputSettings().prettyPrint(false));
+ cleanSQLInject(safeHtml);
+
+ } catch (Exception e) {
+ // 处理解析或处理过程中的任何异常
+ log.error("Error processing request body {}", e.getMessage());
}
}
// 将请求体参数流转 -- 流读取一次就会消失,所以我们事先读取之后就存在byte数组里边方便流转
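Review bot: The sanitised `safeHtml` computed at L88 is never written back to `body`, and the new `catch (Exception e)` at L91 swallows whatever `cleanSQLInject` raises, so a request whose body fails the check still proceeds with the original bytes that the stream below hands to the application — the guard has become a log line. If `cleanSQLInject` signals a hit by throwing, as its discarded return value suggests, catch only the parsing failure you actually expect and let the validation exception propagate; pass the exception object rather than its message so the stack trace is kept: `log.error("Error processing request body", e);`. `Jsoup.clean` also rewrites a JSON body as an HTML fragment (dropping anything outside the safelist and re-serialising the text), so `cleanSQLInject` now inspects a transformed string rather than the payload the controllers will parse; inspect the raw field values, as the removed per-key loop did, and apply HTML sanitising only where a field is later rendered as HTML. `getInputStream` continues past the end of this hunk.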
diff --git a/src/main/java/com/huoran/iasf/common/shiro/ShiroConfig.java b/src/main/java/com/huoran/iasf/common/shiro/ShiroConfig.java
index 56d9eea..b2a1084 100644
--- a/src/main/java/com/huoran/iasf/common/shiro/ShiroConfig.java
+++ b/src/main/java/com/huoran/iasf/common/shiro/ShiroConfig.java
@@ -148,7 +148,7 @@ public class ShiroConfig {
filterChainDefinitionMap.put("/sysContent/queryArticleColumnParent", "anon");
/*filterChainDefinitionMap.put("/index/**", "anon");
- filterChainDefinitionMap.put("/doc.html", "anon");
+ filterChainDefinitionMap.put("/iasf/doc.html", "anon");
filterChainDefinitionMap.put("/swagger-resources/**", "anon");
filterChainDefinitionMap.put("/v2/api-docs", "anon");
filterChainDefinitionMap.put("/v2/api-docs-ext", "anon");
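Review bot: The `/iasf/doc.html` entry changed at L105 sits below the block comment opened by `/*` at L103, whose closing `*/` is not visible in this hunk; if that comment is still open at L105 the edit only changes commented-out text and has no effect. Shiro's filter chain matches the path within the application, with the servlet context path already stripped, so if `/iasf` is this application's context path — as the `/iasf/sysFiles/preview/` URL in application-dev.yml suggests — `/iasf/doc.html` here and `/iasf/favicon.ico` in the next hunk will never match and both requests fall through to the authenticated chain instead of `anon`. That fails closed rather than open, but if the intent was to keep them public the context-relative paths `/doc.html` and `/favicon.ico` should stay.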
@@ -156,7 +156,7 @@ public class ShiroConfig {
filterChainDefinitionMap.put("/static/**", "anon");
filterChainDefinitionMap.put("/webjars/**", "anon");
filterChainDefinitionMap.put("/druid/**", "anon");
- filterChainDefinitionMap.put("/favicon.ico", "anon");
+ filterChainDefinitionMap.put("/iasf/favicon.ico", "anon");
filterChainDefinitionMap.put("/captcha.jpg", "anon");
filterChainDefinitionMap.put("/csrf", "anon");
//文件上传可直接访问
diff --git a/src/main/java/com/huoran/iasf/common/utils/R.java b/src/main/java/com/huoran/iasf/common/utils/R.java
index 8336db6..18dd846 100644
--- a/src/main/java/com/huoran/iasf/common/utils/R.java
+++ b/src/main/java/com/huoran/iasf/common/utils/R.java
@@ -5,6 +5,8 @@ import com.huoran.iasf.common.exception.code.ResponseCodeInterface;
import io.swagger.annotations.ApiModelProperty;
import lombok.Data;
+import java.io.Serializable;
+
/**
* 返回值R
*
@@ -13,7 +15,9 @@ import lombok.Data;
* @date 2022年7月28日
*/
@Data
-public class R {
+public class R implements Serializable {
+ // 类的内容
+ private static final long serialVersionUID = 1L;
/**
* 请求响应code,0为成功 其他为失败
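Review bot: The placeholder comment `// 类的内容` above `serialVersionUID` carries no information and should be dropped or replaced with the reason `R` became `Serializable` — presumably so response objects can be stored by the cache introduced elsewhere in this commit — e.g. `// Serializable so cached R instances can be written by the cache store`. The rest of the class is outside this hunk.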
diff --git a/src/main/java/com/huoran/iasf/controller/SysColumnController.java b/src/main/java/com/huoran/iasf/controller/SysColumnController.java
index 8b18860..723aa2d 100644
--- a/src/main/java/com/huoran/iasf/controller/SysColumnController.java
+++ b/src/main/java/com/huoran/iasf/controller/SysColumnController.java
@@ -19,6 +19,8 @@ import com.huoran.iasf.common.utils.R;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.cache.annotation.CacheEvict;
+import org.springframework.cache.annotation.Cacheable;
import org.springframework.util.StringUtils;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.*;
@@ -108,7 +110,7 @@ public class SysColumnController {
return R.success(sysColumn);
}
- @NoRepeatSubmit
+// @NoRepeatSubmit
@PostMapping("/save")
@ApiOperation(value = "新增", response = SysColumn.class)
@RequiresPermissions("sys:column:save")
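Review bot: Commenting out `@NoRepeatSubmit` on `save` here — and in the same way on `save` and `delete` in SysContentFileController and on `upload` and `download` in SysFilesController — removes the duplicate-submission guard from state-changing endpoints without recording why, and leaves dead annotation text in five places. If the guard was dropped because it misfires, note the reason and delete the lines; if it is only disabled temporarily, say so, e.g. `// @NoRepeatSubmit disabled: <reason> — TODO re-enable`. Each of these endpoints now accepts identical repeated requests, so whatever idempotency the guard provided has to come from the service layer.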
@@ -126,6 +128,7 @@ public class SysColumnController {
@RequiresPermissions("sys:column:update")
public R update(@RequestBody SysColumn sysColumn) {
boolean updateState = service.updateById(sysColumn);
+ service.removeArticles(sysColumn.getId());
return updateState ? R.success() : R.fail("编辑失败");
}
@@ -184,13 +187,15 @@ public class SysColumnController {
//删除栏目后删除栏目下的文章
sysColumnLongPageService.remove(queryWrapper1);
ret = service.removeByIds(idList);
+ for (Integer columnId : idList) {
+ service.removeArticles(columnId);
+ }
}
return R.success();
}
-
@PostMapping("/sameLevelJudgment")
@Decrypt
@ApiOperation(value = "同级判重", response = ColumnWeightReqVO.class)
@@ -249,7 +254,7 @@ public class SysColumnController {
}
-
+ @Cacheable(value = "articles", key = "#id")
public String getIds(Integer id) {
//1 创建list集合,用于封装所有删除菜单id值
List idList = new ArrayList<>();
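Review bot: `@Cacheable` on `getIds` only takes effect when the method is invoked through the Spring proxy; a call from another method of this controller (`this.getIds(id)`) bypasses the annotation entirely, so if that is how `getIds` is reached the cache never fills and the annotation belongs on a service method the proxy does intercept. The cache name `articles` and key `#id` also have to line up with what `removeArticles` evicts, which is not visible in this patch; a comment naming the coupling would help: `// cached per column id; evicted via SysColumnService.removeArticles`. `getIds` continues past the end of this hunk.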
diff --git a/src/main/java/com/huoran/iasf/controller/SysContentController.java b/src/main/java/com/huoran/iasf/controller/SysContentController.java
index d714441..21b85d0 100644
--- a/src/main/java/com/huoran/iasf/controller/SysContentController.java
+++ b/src/main/java/com/huoran/iasf/controller/SysContentController.java
@@ -141,7 +141,7 @@ public class SysContentController {
}
sysContent.setSequence(count + 1);*/
boolean addState = service.save(sysContent);
-
+ columnService.removeArticles(sysContent.getColumnId());
return addState ? R.success(sysContent.getId()) : R.fail("新增失败");
}
@@ -152,6 +152,7 @@ public class SysContentController {
@ApiOperation(value = "修改", response = SysContent.class)
public R update(@RequestBody @ApiParam(name = "文章管理对象", value = "传入json格式", required = true) SysContent sysContent) {
boolean updateState = service.updateById(sysContent);
+ columnService.removeArticles(sysContent.getColumnId());
return updateState ? R.success() : R.fail("编辑失败");
}
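Review bot: `columnService.removeArticles(sysContent.getColumnId())` at L205 evicts only the column the updated article now belongs to; if the update moved the article to another column, the previous column's cached entry is left stale. Load the existing row before the update and evict both ids when they differ, e.g. `SysContent before = service.getById(sysContent.getId());` followed by `if (before != null && !Objects.equals(before.getColumnId(), sysContent.getColumnId())) columnService.removeArticles(before.getColumnId());`. The eviction added to `save` at L198 in the previous hunk does not have this problem, since a new article has a single column.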
@@ -166,6 +167,8 @@ public class SysContentController {
queryWrapper.eq("quote_type", 0);
queryWrapper.set("is_del", 1);
sysFilesService.update(queryWrapper);
+ SysContent sysContent = service.getById(id);
+ columnService.removeArticles(sysContent.getColumnId());
boolean delState = service.removeById(id);
return delState ? R.success() : R.fail("删除失败");
}
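Review bot: `service.getById(id)` at L212 is dereferenced at L213 without a null check, so deleting an id that no longer exists throws a NullPointerException instead of returning `R.fail`; the same unchecked dereference is added inside the loop of `batchDeletion` in the next hunk. The eviction also runs before `removeById`, so a read that repopulates the cache between the two calls keeps the deleted article cached; evict after the delete succeeds: `boolean delState = service.removeById(id); if (delState && sysContent != null) columnService.removeArticles(sysContent.getColumnId());`.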
@@ -176,6 +179,8 @@ public class SysContentController {
@ApiOperation(value = "批量删除文章", response = SysContent.class)
public R batchDeletion(@ApiParam(name = "ids", value = "主键", required = true) @RequestBody List ids) {
for (Integer id : ids) {
+ SysContent sysContent = service.getById(id);
+ columnService.removeArticles(sysContent.getColumnId());
UpdateWrapper queryWrapper = new UpdateWrapper<>();
queryWrapper.eq("quote_id", id);
queryWrapper.eq("quote_type", 0);
diff --git a/src/main/java/com/huoran/iasf/controller/SysContentFileController.java b/src/main/java/com/huoran/iasf/controller/SysContentFileController.java
index 6c953f9..64a4120 100644
--- a/src/main/java/com/huoran/iasf/controller/SysContentFileController.java
+++ b/src/main/java/com/huoran/iasf/controller/SysContentFileController.java
@@ -48,7 +48,7 @@ public class SysContentFileController {
return R.success(sysContentFile);
}
- @NoRepeatSubmit
+// @NoRepeatSubmit
@PostMapping("/save")
@ApiOperation(value = "新增", response = SysContentFile.class)
public R save(@RequestBody @ApiParam(name = "文章附件管理表对象", value = "传入json格式", required = true) SysContentFile sysContentFile) {
@@ -64,7 +64,7 @@ public class SysContentFileController {
return updateState ? R.success() : R.fail("编辑失败");
}
- @NoRepeatSubmit
+// @NoRepeatSubmit
@PostMapping("/delete")
@ApiOperation(value = "删除", response = SysContentFile.class)
public R delete(@ApiParam(name = "id", value = "主键", required = true) @RequestParam Integer id) {
diff --git a/src/main/java/com/huoran/iasf/controller/SysFilesController.java b/src/main/java/com/huoran/iasf/controller/SysFilesController.java
index 0c8009c..279291b 100644
--- a/src/main/java/com/huoran/iasf/controller/SysFilesController.java
+++ b/src/main/java/com/huoran/iasf/controller/SysFilesController.java
@@ -75,7 +75,7 @@ public class SysFilesController {
result.put("imageFieldName", "file");
return result.toJSONString();
}
- @NoRepeatSubmit
+// @NoRepeatSubmit
@ApiOperation(value = "新增")
@PostMapping("/upload")
// @RequiresPermissions(value = {"sysFiles:add", "sysContent:update", "sysContent:add"}, logical = Logical.OR)
@@ -119,7 +119,7 @@ public class SysFilesController {
public void preview(@PathVariable String id, HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
sysFilesService.preview(id, req, res);
}
- @NoRepeatSubmit
+// @NoRepeatSubmit
@ApiOperation(value = "文件下载")
@GetMapping("/download/{id}")
public void download(@PathVariable String id, HttpServletRequest req, HttpServletResponse res) {
diff --git a/src/main/java/com/huoran/iasf/service/SysColumnService.java b/src/main/java/com/huoran/iasf/service/SysColumnService.java
index 61ddc67..2e19d16 100644
--- a/src/main/java/com/huoran/iasf/service/SysColumnService.java
+++ b/src/main/java/com/huoran/iasf/service/SysColumnService.java
@@ -7,6 +7,7 @@ import com.huoran.iasf.vo.req.ColumnWeightReqVO;
import com.huoran.iasf.vo.req.LongPageColumnReqVO;
import com.huoran.iasf.vo.req.PageContentReqVO;
import com.huoran.iasf.vo.req.PaginationColumnReqVO;
+import org.springframework.cache.annotation.CacheEvict;
import java.util.List;
@@ -31,7 +32,7 @@ public interface SysColumnService extends IService {
R getsTheSubColumn(Integer parentId,String ids,Integer siteId);
-
+ void removeArticles(Integer columnId);
R getsSublevelColumnsUnderALevel(Integer parentId,String ids,Integer siteId);
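Review bot: `removeArticles` is added to the interface at L281 without any documentation, and the `CacheEvict` import added at L276 is unused here, since no annotation is applied to the interface method. Given the import and the `articles` cache used in SysColumnController, the method presumably evicts a column's cached data; add a Javadoc stating that contract, e.g. `/** Evicts the cached article data for the given column so the next read comes from the database. @param columnId id of the column whose cache entry is removed */`, and drop the unused import.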
diff --git a/src/main/java/com/huoran/iasf/service/impl/SysColumnServiceImpl.java b/src/main/java/com/huoran/iasf/service/impl/SysColumnServiceImpl.java
index e73a997..3de29da 100644
--- a/src/main/java/com/huoran/iasf/service/impl/SysColumnServiceImpl.java
+++ b/src/main/java/com/huoran/iasf/service/impl/SysColumnServiceImpl.java
@@ -18,6 +18,8 @@ import com.huoran.iasf.vo.req.PageContentReqVO;
import com.huoran.iasf.vo.req.PaginationColumnReqVO;
import com.huoran.iasf.vo.resp.PageContentRespVO;
import org.springframework.beans.BeanUtils;
+import org.springframework.cache.annotation.CacheEvict;
+import org.springframework.cache.annotation.Cacheable;
import org.springframework.stereotype.Service;
import org.springframework.beans.factory.annotation.Autowired;
@@ -154,6 +156,12 @@ public class SysColumnServiceImpl extends ServiceImpl allRole;
@ApiModelProperty(value = "用户所拥有角色集合")
diff --git a/src/main/resources/application-dev.yml b/src/main/resources/application-dev.yml
index 7c07c49..4a18143 100644
--- a/src/main/resources/application-dev.yml
+++ b/src/main/resources/application-dev.yml
@@ -37,10 +37,9 @@ file:
path: C:/files/
#文件预览url
url: /iasf/sysFiles/preview/
-# ip: http://10.10.11.7
+ #本地开启
+# url: :10000/iasf/sysFiles/preview/
+# ip: http://192.168.31.51
ip: https://new.iasf.ac.cn
knife4j:
- production: true #生成环境禁用查看文档
-
- #本地开启
-# url: :10000/iasf/sysFiles/preview/
\ No newline at end of file
+ production: true #生成环境禁用查看文档
\ No newline at end of file