登录验证码漏洞

jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java

@@ -17,6 +17,7 @@ import org.jeecg.common.system.util.JwtUtil;
 import org.jeecg.common.system.vo.LoginUser;
 import org.jeecg.common.util.*;
 import org.jeecg.common.util.encryption.EncryptedString;
+import org.jeecg.config.JeecgBaseConfig;
 import org.jeecg.modules.base.service.BaseCommonService;
 import org.jeecg.modules.system.entity.SysDepart;
 import org.jeecg.modules.system.entity.SysRoleIndex;
@@ -64,6 +65,9 @@ public class LoginController {
 	@Resource
 	private BaseCommonService baseCommonService;
 
+	@Autowired
+	private JeecgBaseConfig jeecgBaseConfig;
+
 	private final String BASE_CHECK_CODES = "qwertyuiplkjhgfdsazxcvbnmQWERTYUPLKJHGFDSAZXCVBNM1234567890";
 
 	@ApiOperation("登录接口")
@@ -84,7 +88,11 @@ public class LoginController {
             return result;
         }
         String lowerCaseCaptcha = captcha.toLowerCase();
-		String realKey = Md5Util.md5Encode(lowerCaseCaptcha+sysLoginModel.getCheckKey(), "utf-8");
+        //update-begin-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+		// 加入密钥作为混淆，避免简单的拼接，被外部利用，用户自定义该密钥即可
+        String origin = lowerCaseCaptcha+sysLoginModel.getCheckKey()+jeecgBaseConfig.getSignatureSecret();
+		String realKey = Md5Util.md5Encode(origin, "utf-8");
+		//update-end-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
 		Object checkCode = redisUtil.get(realKey);
 		//当进入登录页时，有一定几率出现验证码错误 #1714
 		if(checkCode==null || !checkCode.toString().equals(lowerCaseCaptcha)) {
@@ -290,7 +298,12 @@ public class LoginController {
 			result.setSuccess(false);
 			return result;
 		}
-		Object object = redisUtil.get(mobile);
+		
+		//update-begin-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+		String redisKey = CommonConstant.PHONE_REDIS_KEY_PRE+mobile;
+		Object object = redisUtil.get(redisKey);
+		//update-end-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+		
 		if (object != null) {
 			result.setMessage("验证码10分钟内，仍然有效！");
 			result.setSuccess(false);
@@ -342,8 +355,12 @@ public class LoginController {
 				result.setSuccess(false);
 				return result;
 			}
+			
+			//update-begin-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
 			//验证码10分钟内有效
-			redisUtil.set(mobile, captcha, 600);
+			redisUtil.set(redisKey, captcha, 600);
+			//update-end-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+			
 			//update-begin--Author:scott  Date:20190812 for：issues#391
 			//result.setResult(captcha);
 			//update-end--Author:scott  Date:20190812 for：issues#391
@@ -378,7 +395,12 @@ public class LoginController {
 		}
 		
 		String smscode = jsonObject.getString("captcha");
-		Object code = redisUtil.get(phone);
+
+		//update-begin-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+		String redisKey = CommonConstant.PHONE_REDIS_KEY_PRE+phone;
+		Object code = redisUtil.get(redisKey);
+		//update-end-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+
 		if (!smscode.equals(code)) {
 			result.setMessage("手机验证码错误");
 			return result;
@@ -404,7 +426,7 @@ public class LoginController {
 		String syspassword = sysUser.getPassword();
 		// 获取用户部门信息
 		JSONObject obj = new JSONObject(new LinkedHashMap<>());
-		
+
 		// 生成token
 		String token = JwtUtil.sign(username, syspassword);
 		// 设置token缓存有效时间
@@ -429,9 +451,9 @@ public class LoginController {
 			}
 		}
 		// update-end--Author:sunjianlei Date:20210802 for：获取用户租户信息
-		
+
 		obj.put("userInfo", sysUser);
-		
+
 		List<SysDepart> departs = sysDepartService.queryUserDeparts(sysUser.getId());
 		obj.put("departs", departs);
 		if (departs == null || departs.size() == 0) {
@@ -481,25 +503,29 @@ public class LoginController {
 		try {
 			//生成验证码
 			String code = RandomUtil.randomString(BASE_CHECK_CODES,4);
-
 			//存到redis中
 			String lowerCaseCode = code.toLowerCase();
-			String realKey = Md5Util.md5Encode(lowerCaseCode+key, "utf-8");
-            log.info("获取验证码，Redis checkCode = {}，key = {}", code, key);
+			
+			//update-begin-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+			// 加入密钥作为混淆，避免简单的拼接，被外部利用，用户自定义该密钥即可
+			String origin = lowerCaseCode+key+jeecgBaseConfig.getSignatureSecret();
+			String realKey = Md5Util.md5Encode(origin, "utf-8");
+			//update-end-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+            
 			redisUtil.set(realKey, lowerCaseCode, 60);
-
+			log.info("获取验证码，Redis key = {}，checkCode = {}", realKey, code);
 			//返回前端
 			String base64 = RandImageUtil.generate(code);
 			res.setSuccess(true);
 			res.setResult(base64);
 		} catch (Exception e) {
-			res.error500("获取验证码出错"+e.getMessage());
-			e.printStackTrace();
+			log.error(e.getMessage(), e);
+			res.error500("获取验证码失败,请检查redis配置!");
+			return res;
 		}
 		return res;
 	}
 
-
 	/**
 	 * 切换菜单表为vue3的表
 	 */
@@ -592,9 +618,9 @@ public class LoginController {
 		return Result.ok();
 	}
 	/**
-	 * 获取登录二维码
+	 * 登录二维码
 	 */
-	@ApiOperation(value = "获取登录二维码", notes = "获取登录二维码")
+	@ApiOperation(value = "登录二维码", notes = "登录二维码")
 	@GetMapping("/getLoginQrcode")
 	public Result<?>  getLoginQrcode() {
 		String qrcodeId = CommonConstant.LOGIN_QRCODE_PRE+IdWorker.getIdStr();
@@ -625,7 +651,7 @@ public class LoginController {
 	/**
 	 * 获取用户扫码后保存的token
 	 */
-	@ApiOperation(value = "获取用户扫码后Token", notes = "获取用户扫码后Token")
+	@ApiOperation(value = "获取用户扫码后保存的token", notes = "获取用户扫码后保存的token")
 	@GetMapping("/getQrcodeToken")
 	public Result getQrcodeToken(@RequestParam String qrcodeId) {
 		Object token = redisUtil.get(CommonConstant.LOGIN_QRCODE_TOKEN + qrcodeId);

jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysUserController.java

@@ -933,7 +933,12 @@ public class SysUserController {
 		Result<JSONObject> result = new Result<JSONObject>();
 		String phone = jsonObject.getString("phone");
 		String smscode = jsonObject.getString("smscode");
-		Object code = redisUtil.get(phone);
+
+        //update-begin-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+		String redisKey = CommonConstant.PHONE_REDIS_KEY_PRE+phone;
+		Object code = redisUtil.get(redisKey);
+        //update-end-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+
 		String username = jsonObject.getString("username");
 		//未设置用户名，则用手机号作为用户名
 		if(oConvertUtils.isEmpty(username)){
@@ -1042,14 +1047,18 @@ public class SysUserController {
 		Result<Map<String,String>> result = new Result<Map<String,String>>();
 		String phone = jsonObject.getString("phone");
 		String smscode = jsonObject.getString("smscode");
-		Object code = redisUtil.get(phone);
+        //update-begin-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+        String redisKey = CommonConstant.PHONE_REDIS_KEY_PRE+phone;
+		Object code = redisUtil.get(redisKey);
 		if (!smscode.equals(code)) {
 			result.setMessage("手机验证码错误");
 			result.setSuccess(false);
 			return result;
 		}
 		//设置有效时间
-		redisUtil.set(phone, smscode,600);
+		redisUtil.set(redisKey, smscode,600);
+        //update-end-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+
 		//新增查询用户名
 		LambdaQueryWrapper<SysUser> query = new LambdaQueryWrapper<>();
         query.eq(SysUser::getPhone,phone);
@@ -1078,7 +1087,10 @@ public class SysUserController {
         }
 
         SysUser sysUser=new SysUser();
-        Object object= redisUtil.get(phone);
+        //update-begin-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+        String redisKey = CommonConstant.PHONE_REDIS_KEY_PRE+phone;
+        Object object= redisUtil.get(redisKey);
+        //update-end-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
         if(null==object) {
         	result.setMessage("短信验证码失效！");
             result.setSuccess(false);
@@ -1396,7 +1408,7 @@ public class SysUserController {
     }
 
     /**
-     * 根据用户名修改手机号
+     * 根据用户名修改手机号[该方法未使用]
      * @param json
      * @return
      */
@@ -1412,7 +1424,10 @@ public class SysUserController {
             result.setSuccess(false);
             return result;
         }
-        Object object= redisUtil.get(phone);
+        //update-begin-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+        String redisKey = CommonConstant.PHONE_REDIS_KEY_PRE+phone;
+        Object object= redisUtil.get(redisKey);
+        //update-end-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
         if(null==object) {
             result.setMessage("短信验证码失效！");
             result.setSuccess(false);

jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java

@@ -260,7 +260,10 @@ public class ThirdLoginController {
 		String thirdUserUuid = jsonObject.getString("thirdUserUuid");
 		// 校验验证码
 		String captcha = jsonObject.getString("captcha");
-		Object captchaCache = redisUtil.get(phone);
+		//update-begin-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
+		String redisKey = CommonConstant.PHONE_REDIS_KEY_PRE+phone;
+		Object captchaCache = redisUtil.get(redisKey);
+		//update-end-author:taoyan date:2022-9-13 for: VUEN-2245 【漏洞】发现新漏洞待处理20220906
 		if (oConvertUtils.isEmpty(captcha) || !captcha.equals(captchaCache)) {
 			result.setMessage("验证码错误");
 			result.setSuccess(false);
@@ -361,8 +364,7 @@ public class ThirdLoginController {
 			// 钉钉返回的code
 			@RequestParam(value = "authCode", required = false) String authCode,
 			@RequestParam("state") String state,
-			HttpServletResponse response
-	) {
+			HttpServletResponse response) {
         SysUser loginUser;
         if (ThirdAppConfig.WECHAT_ENTERPRISE.equalsIgnoreCase(source)) {
             log.info("【企业微信】OAuth2登录进入callback：code=" + code + ", state=" + state);