代码漏洞处理

2022-09-22 15:48:09 +08:00 · 2022-09-22 15:48:09 +08:00 · 8059b07ddc
parent fb2c06a334
commit 8059b07ddc
4 changed files with 27 additions and 8 deletions
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDataSourceController.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDataSourceController.java
@ -16,9 +16,11 @@ import org.apache.commons.lang.StringUtils;
 import org.apache.shiro.authz.annotation.RequiresRoles;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.aspect.annotation.AutoLog;
+import org.jeecg.common.exception.JeecgBootException;
 import org.jeecg.common.system.base.controller.JeecgController;
 import org.jeecg.common.system.query.QueryGenerator;
 import org.jeecg.common.util.dynamic.db.DataSourceCachePool;
+import org.jeecg.common.util.security.JdbcSecurityUtil;
 import org.jeecg.modules.system.entity.SysDataSource;
 import org.jeecg.modules.system.service.ISysDataSourceService;
 import org.jeecg.modules.system.util.SecurityUtil;
@ -47,6 +49,7 @@ public class SysDataSourceController extends JeecgController<SysDataSource, ISys
    @Autowired
    private ISysDataSourceService sysDataSourceService;

+
    /**
     * 分页列表查询
     *
@ -97,6 +100,14 @@ public class SysDataSourceController extends JeecgController<SysDataSource, ISys
    @ApiOperation(value = "多数据源管理-添加", notes = "多数据源管理-添加")
    @PostMapping(value = "/add")
    public Result<?> add(@RequestBody SysDataSource sysDataSource) {
+        //update-begin-author:taoyan date:2022-8-10 for: jdbc连接地址漏洞问题
+        try {
+            JdbcSecurityUtil.validate(sysDataSource.getDbUrl());
+        }catch (JeecgBootException e){
+            log.error(e.toString());
+            return Result.error("操作失败：" + e.getMessage());
+        }
+        //update-end-author:taoyan date:2022-8-10 for: jdbc连接地址漏洞问题
        return sysDataSourceService.saveDataSource(sysDataSource);
    }

@ -110,6 +121,14 @@ public class SysDataSourceController extends JeecgController<SysDataSource, ISys
    @ApiOperation(value = "多数据源管理-编辑", notes = "多数据源管理-编辑")
    @RequestMapping(value = "/edit", method ={RequestMethod.PUT, RequestMethod.POST})
    public Result<?> edit(@RequestBody SysDataSource sysDataSource) {
+        //update-begin-author:taoyan date:2022-8-10 for: jdbc连接地址漏洞问题
+        try {
+            JdbcSecurityUtil.validate(sysDataSource.getDbUrl());
+        } catch (JeecgBootException e) {
+            log.error(e.toString());
+            return Result.error("操作失败：" + e.getMessage());
+        }
+        //update-end-author:taoyan date:2022-8-10 for: jdbc连接地址漏洞问题
        return sysDataSourceService.editDataSource(sysDataSource);
    }

--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDepartPermissionController.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysDepartPermissionController.java
@ -283,11 +283,7 @@ public class SysDepartPermissionController extends JeecgController<SysDepartPerm
 		 //全部权限ids
 		 List<String> ids = new ArrayList<>();
 		 try {
-			 LambdaQueryWrapper<SysPermission> query = new LambdaQueryWrapper<SysPermission>();
-			 query.eq(SysPermission::getDelFlag, CommonConstant.DEL_FLAG_0);
-			 query.orderByAsc(SysPermission::getSortNo);
-			 query.inSql(SysPermission::getId,"select permission_id  from sys_depart_permission where depart_id='"+departId+"'");
-			 List<SysPermission> list = sysPermissionService.list(query);
+			 List<SysPermission> list = sysPermissionService.queryDepartPermissionList(departId);
 			 for(SysPermission sysPer : list) {
 				 ids.add(sysPer.getId());
 			 }
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/ISysUserService.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/ISysUserService.java
@ -140,7 +140,9 @@ public interface ISysUserService extends IService<SysUser> {
     * @param queryWrapper
     * @return
     */
-    public IPage<SysUser> getUserByDepartIdAndQueryWrapper(Page<SysUser> page, String departId, QueryWrapper<SysUser> queryWrapper);
+    //update-begin-author:taoyan date:2022-9-13 for: VUEN-2245【漏洞】发现新漏洞待处理20220906 ----sql注入 方法没有使用，注掉
+    // public IPage<SysUser> getUserByDepartIdAndQueryWrapper(Page<SysUser> page, String departId, QueryWrapper<SysUser> queryWrapper);
+	//update-end-author:taoyan date:2022-9-13 for: VUEN-2245【漏洞】发现新漏洞待处理20220906 ----sql注入 方法没有使用，注掉

 	/**
 	 * 根据 orgCode 查询用户，包括子部门下的用户
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysUserServiceImpl.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysUserServiceImpl.java
@ -306,7 +306,8 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserMapper, SysUser> impl
 		return res;
 	}

-	@Override
+	//update-begin-author:taoyan date:2022-9-13 for: VUEN-2245【漏洞】发现新漏洞待处理20220906 ----sql注入  方法没有使用，注掉
+/*	@Override
 	public IPage<SysUser> getUserByDepartIdAndQueryWrapper(Page<SysUser> page, String departId, QueryWrapper<SysUser> queryWrapper) {
 		LambdaQueryWrapper<SysUser> lambdaQueryWrapper = queryWrapper.lambda();

@ -314,7 +315,8 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserMapper, SysUser> impl
        lambdaQueryWrapper.inSql(SysUser::getId, "SELECT user_id FROM sys_user_depart WHERE dep_id = '" + departId + "'");

        return userMapper.selectPage(page, lambdaQueryWrapper);
-	}
+	}*/
+	//update-end-author:taoyan date:2022-9-13 for: VUEN-2245【漏洞】发现新漏洞待处理20220906 ----sql注入 方法没有使用，注掉

 	@Override
 	public IPage<SysUserSysDepartModel> queryUserByOrgCode(String orgCode, SysUser userParams, IPage page) {