diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDataSourceController.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDataSourceController.java
index a39a6307..d53f6ef8 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDataSourceController.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDataSourceController.java
@@ -16,9 +16,11 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.shiro.authz.annotation.RequiresRoles;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.aspect.annotation.AutoLog;
+import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.system.base.controller.JeecgController;
 import org.jeecg.common.system.query.QueryGenerator;
 import org.jeecg.common.util.dynamic.db.DataSourceCachePool;
+import org.jeecg.common.util.security.JdbcSecurityUtil;
 import org.jeecg.modules.system.entity.SysDataSource;
 import org.jeecg.modules.system.service.ISysDataSourceService;
 import org.jeecg.modules.system.util.SecurityUtil;
@@ -47,6 +49,7 @@ public class SysDataSourceController extends JeecgController add(@RequestBody SysDataSource sysDataSource) {
+ //update-begin-author:taoyan date:2022-8-10 for: jdbc连接地址漏洞问题
+ try {
+ JdbcSecurityUtil.validate(sysDataSource.getDbUrl());
+ }catch (JeecgBootException e){
+ log.error(e.toString());
+ return Result.error("操作失败:" + e.getMessage());
+ }
+ //update-end-author:taoyan date:2022-8-10 for: jdbc连接地址漏洞问题
 return sysDataSourceService.saveDataSource(sysDataSource);
 }
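Review bot: The JDBC-URL check is attached to the controller's `add` entry point only, so it is only as strong as the routing: any other path that persists a SysDataSource (a service-level caller or an import/test-connection endpoint, if the project has one) would skip it entirely. Moving the `JdbcSecurityUtil.validate(sysDataSource.getDbUrl())` call into `saveDataSource`/`editDataSource` keeps the rule next to the sink, and the controller can still catch JeecgBootException there to produce the user-facing message. Separately, `log.error(e.toString())` and `Result.error("操作失败:" + e.getMessage())` both surface the validator's message verbatim; if that message echoes the rejected URL, remember that JDBC URLs can carry credentials in query parameters, so a fixed phrase plus the data source id is safer to log and return. The `add` signature is garbled in this hunk header and the rest of the method is not visible here.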
@@ -110,6 +121,14 @@ public class SysDataSourceController extends JeecgController edit(@RequestBody SysDataSource sysDataSource) {
+ //update-begin-author:taoyan date:2022-8-10 for: jdbc连接地址漏洞问题
+ try {
+ JdbcSecurityUtil.validate(sysDataSource.getDbUrl());
+ } catch (JeecgBootException e) {
+ log.error(e.toString());
+ return Result.error("操作失败:" + e.getMessage());
+ }
+ //update-end-author:taoyan date:2022-8-10 for: jdbc连接地址漏洞问题
 return sysDataSourceService.editDataSource(sysDataSource);
 }
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDepartPermissionController.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDepartPermissionController.java
index 8edb12b6..219be7fe 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDepartPermissionController.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDepartPermissionController.java
@@ -283,11 +283,7 @@ public class SysDepartPermissionController extends JeecgController ids = new ArrayList<>();
 try {
- LambdaQueryWrapper query = new LambdaQueryWrapper();
- query.eq(SysPermission::getDelFlag, CommonConstant.DEL_FLAG_0);
- query.orderByAsc(SysPermission::getSortNo);
- query.inSql(SysPermission::getId,"select permission_id from sys_depart_permission where depart_id='"+departId+"'");
- List list = sysPermissionService.list(query);
+ List list = sysPermissionService.queryDepartPermissionList(departId);
 for(SysPermission sysPer : list) {
 ids.add(sysPer.getId());
 }
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/ISysUserService.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/ISysUserService.java
index 3ef056f2..32e3ae38 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/ISysUserService.java
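Review bot: The try/catch added to `edit` is a line-for-line copy of the one added to `add` in the previous hunk, down to the `"操作失败:" + e.getMessage()` message, and the two copies already drift cosmetically (`}catch (JeecgBootException e){` versus `} catch (JeecgBootException e) {`), so a third write endpoint will sooner or later forget the check. Extract a private helper that runs the validation once and returns the error `Result` (or null when the URL passes), and reduce both call sites to `Result<?> rejected = checkDbUrl(sysDataSource); if (rejected != null) { return rejected; }`. The generics are stripped in this rendering, so `Result<?>` below is a guess at what `add`/`edit` actually declare; match the real return type. If `validate` does not tolerate a null `dbUrl` (a partial edit payload), the resulting NPE is not a JeecgBootException and escapes this catch — worth confirming or guarding.
```java
/**
 * Runs the JDBC-URL safety check on an incoming data source.
 * Returns null when the URL is acceptable, otherwise the Result the
 * controller should hand back to the caller.
 */
private Result<?> checkDbUrl(SysDataSource sysDataSource) {
    try {
        JdbcSecurityUtil.validate(sysDataSource.getDbUrl());
        return null;
    } catch (JeecgBootException e) {
        log.error(e.toString());
        return Result.error("操作失败:" + e.getMessage());
    }
}

// … unchanged: edit() signature …
Result<?> rejected = checkDbUrl(sysDataSource);
if (rejected != null) {
    return rejected;
}
return sysDataSourceService.editDataSource(sysDataSource);
```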
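Review bot: The new `sysPermissionService.queryDepartPermissionList(departId)` call replaces a query that did three things — bound `departId` (by string concatenation, the injection being fixed), filtered on `del_flag = 0`, and ordered by `sort_no` — and the replacement itself is not in this diff, so neither the filter and ordering nor the binding style (`#{}` rather than `${}` in the mapper) can be confirmed from here. The loop below only collects ids, so a dropped del_flag filter would silently re-include deleted permissions for the department. Suggest a one-line comment at the call site recording the contract this caller relies on, e.g. `// must bind depart_id as a parameter and keep the del_flag = 0 filter and sort_no order of the old query`, and a look at the mapper in the same change. The enclosing method starts before this hunk.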
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/ISysUserService.java
@@ -140,7 +140,9 @@ public interface ISysUserService extends IService {
 * @param queryWrapper
 * @return
 */
- public IPage getUserByDepartIdAndQueryWrapper(Page page, String departId, QueryWrapper queryWrapper);
+ //update-begin-author:taoyan date:2022-9-13 for: VUEN-2245【漏洞】发现新漏洞待处理20220906 ----sql注入 方法没有使用,注掉
+ // public IPage getUserByDepartIdAndQueryWrapper(Page page, String departId, QueryWrapper queryWrapper);
+ //update-end-author:taoyan date:2022-9-13 for: VUEN-2245【漏洞】发现新漏洞待处理20220906 ----sql注入 方法没有使用,注掉
 /**
 * 根据 orgCode 查询用户,包括子部门下的用户
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysUserServiceImpl.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysUserServiceImpl.java
index 71dea40a..c9e14c76 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysUserServiceImpl.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysUserServiceImpl.java
@@ -306,7 +306,8 @@ public class SysUserServiceImpl extends ServiceImpl impl return res;
 }
- @Override
+ //update-begin-author:taoyan date:2022-9-13 for: VUEN-2245【漏洞】发现新漏洞待处理20220906 ----sql注入 方法没有使用,注掉
+/* @Override
 public IPage getUserByDepartIdAndQueryWrapper(Page page, String departId, QueryWrapper queryWrapper) {
 LambdaQueryWrapper lambdaQueryWrapper = queryWrapper.lambda();
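Review bot: Commenting out `getUserByDepartIdAndQueryWrapper` leaves its Javadoc — the ` * @param queryWrapper`, ` * @return`, ` */` context lines at the top of the hunk — orphaned, so the interface now carries a doc comment for a method that no longer exists and the next reader will wonder whether a declaration went missing. Since the stated reason is that the method is unused, delete the declaration together with its Javadoc instead of keeping it as a `//` line; version control already preserves the old signature. The Javadoc block begins before this hunk.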
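Review bot: Wrapping the retired method in `/* ... */` keeps the injectable `inSql` concatenation (`"SELECT user_id FROM sys_user_depart WHERE dep_id = '" + departId + "'"`, visible in the following hunk) in the source as copy-paste-ready text, and a block comment around a whole method is fragile — any `*/` introduced while editing the body reopens it. If the method is unused, delete it outright and keep the rationale in the commit message; if the capability is needed later, reintroduce it with the department lookup as a parameterized mapper query (`#{departId}`) rather than string concatenation. The method body and the closing `}*/` sit in the next hunk, outside this one.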
@@ -314,7 +315,8 @@ public class SysUserServiceImpl extends ServiceImpl impl lambdaQueryWrapper.inSql(SysUser::getId, "SELECT user_id FROM sys_user_depart WHERE dep_id = '" + departId + "'");
 return userMapper.selectPage(page, lambdaQueryWrapper);
- }
+ }*/
+ //update-end-author:taoyan date:2022-9-13 for: VUEN-2245【漏洞】发现新漏洞待处理20220906 ----sql注入 方法没有使用,注掉
 @Override public IPage queryUserByOrgCode(String orgCode, SysUser userParams, IPage page) {