Merge branch 'hotfix/修复论坛根据图片url转base64字符串有ssrf漏洞的问题' into 'master'

hotfix/删除根据图片url转base64字符串接口，因为有ssrf漏洞的问题 See merge request o2oa/o2oa!2621

Merge branch 'hotfix/修复论坛根据图片url转base64字符串有ssrf漏洞的问题' into 'master'
hotfix/删除根据图片url转base64字符串接口，因为有ssrf漏洞的问题 See merge request o2oa/o2oa!2621
a5252b26 · NoSubject · 19d686c0 · 1fa0e93b · a5252b26 · 19d686c0
6 changed file
--- a/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/ActionApplication.java
+++ b/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/ActionApplication.java
@@ -11,7 +11,6 @@ import com.x.bbs.assemble.control.jaxrs.configsetting.BBSConfigSettingAction;
 import com.x.bbs.assemble.control.jaxrs.configsetting.BBSConfigSettingAnonymousAction;
 import com.x.bbs.assemble.control.jaxrs.foruminfo.ForumInfoAction;
 import com.x.bbs.assemble.control.jaxrs.foruminfo.ForumInfoManagerUserAction;
-import com.x.bbs.assemble.control.jaxrs.image.ImageBase64Action;
 import com.x.bbs.assemble.control.jaxrs.login.LoginAction;
 import com.x.bbs.assemble.control.jaxrs.login.LogoutAction;
 import com.x.bbs.assemble.control.jaxrs.login.MobileIndexAction;
@@ -41,7 +40,6 @@ public class ActionApplication extends AbstractActionApplication {
 		this.classes.add(SectionInfoAction.class);
 		this.classes.add(SectionInfoManagerUserAction.class);
 		this.classes.add(SubjectInfoAction.class);
-		this.classes.add(ImageBase64Action.class);
 		this.classes.add(SubjectInfoManagerUserAction.class);
 		this.classes.add(SubjectAttachmentAction.class);
 		this.classes.add(ReplyInfoAction.class);

--- a/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/image/ActionImageBase64.java
+++ b/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/image/ActionImageBase64.java
-package com.x.bbs.assemble.control.jaxrs.image;
-
-import com.google.gson.JsonElement;
-import com.x.base.core.project.annotation.FieldDescribe;
-import com.x.base.core.project.cache.Cache;
-import com.x.base.core.project.cache.CacheManager;
-import com.x.base.core.project.gson.GsonPropertyObject;
-import com.x.base.core.project.http.ActionResult;
-import com.x.base.core.project.http.EffectivePerson;
-import com.x.base.core.project.logger.Logger;
-import com.x.base.core.project.logger.LoggerFactory;
-import com.x.bbs.assemble.control.jaxrs.image.exception.ExceptionURLEmpty;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.lang3.StringUtils;
-import org.imgscalr.Scalr;
-
-import javax.imageio.ImageIO;
-import javax.servlet.http.HttpServletRequest;
-import java.awt.image.BufferedImage;
-import java.io.ByteArrayOutputStream;
-import java.net.URL;
-import java.util.Optional;
-
-/**
- * 图片转base64
- * @author sword
- */
-public class ActionImageBase64 extends BaseAction {
-
-	private static Logger logger = LoggerFactory.getLogger(ActionImageBase64.class);
-
-	protected ActionResult<String> execute(HttpServletRequest request, EffectivePerson effectivePerson,
-			JsonElement jsonElement) throws Exception {
-		ActionResult<String> result = new ActionResult<>();
-		Wi wrapIn = this.convertToWrapIn(jsonElement, Wi.class);
-		String wrap;
-
-		if(StringUtils.isBlank(wrapIn.getUrl())){
-			throw new ExceptionURLEmpty();
-		}
-		if(wrapIn.getSize() == null || wrapIn.getSize() < 1){
-			wrapIn.setSize(800);
-		}
-
-		Cache.CacheKey cacheKey = new Cache.CacheKey( this.getClass(), wrapIn.getUrl(), wrapIn.getSize());
-		Optional<?> optional = CacheManager.get(cacheCategory, cacheKey );
-		if( optional.isPresent() ){
-			wrap = (String) optional.get();
-			result.setData(wrap);
-		} else {
-			URL url = new URL(wrapIn.getUrl());
-			BufferedImage image = ImageIO.read(url);
-			int width = image.getWidth();
-			int height = image.getHeight();
-			if (width * height > wrapIn.getSize() * wrapIn.getSize()) {
-				image = Scalr.resize(image, wrapIn.getSize());
-			}
-			try (ByteArrayOutputStream out = new ByteArrayOutputStream()) {
-				ImageIO.write(image, "png", out);
-				wrap = Base64.encodeBase64String(out.toByteArray());
-				CacheManager.put( cacheCategory, cacheKey, wrap );
-				result.setData(wrap);
-			}
-		}
-		return result;
-	}
-
-	public static class Wi extends GsonPropertyObject {
-
-		@FieldDescribe("地址")
-		private String url;
-
-		@FieldDescribe("像素大小")
-		private Integer size;
-
-		public String getUrl() {
-			return url;
-		}
-
-		public void setUrl(String url) {
-			this.url = url;
-		}
-
-		public Integer getSize() {
-			return size;
-		}
-
-		public void setSize(Integer size) {
-			this.size = size;
-		}
-
-	}
-}
--- a/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/image/BaseAction.java
+++ b/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/image/BaseAction.java
-package com.x.bbs.assemble.control.jaxrs.image;
-
-import com.x.base.core.project.cache.Cache;
-import com.x.base.core.project.jaxrs.StandardJaxrsAction;
-import com.x.bbs.assemble.control.service.BBSForumInfoServiceAdv;
-import com.x.bbs.assemble.control.service.BBSOperationRecordService;
-import com.x.bbs.assemble.control.service.BBSPermissionInfoService;
-import com.x.bbs.assemble.control.service.BBSRoleInfoService;
-import com.x.bbs.assemble.control.service.BBSSectionInfoServiceAdv;
-import com.x.bbs.assemble.control.service.UserManagerService;
-
-public class BaseAction extends StandardJaxrsAction{
-
-	protected Cache.CacheCategory cacheCategory = new Cache.CacheCategory(BaseAction.class);
-	protected UserManagerService userManagerService = new UserManagerService();
-	protected BBSForumInfoServiceAdv forumInfoServiceAdv = new BBSForumInfoServiceAdv();
-	protected BBSPermissionInfoService permissionInfoService = new BBSPermissionInfoService();
-	protected BBSRoleInfoService roleInfoService = new BBSRoleInfoService();
-	protected BBSSectionInfoServiceAdv sectionInfoServiceAdv = new BBSSectionInfoServiceAdv();
-	protected BBSOperationRecordService operationRecordService = new BBSOperationRecordService();
-}
--- a/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/image/ImageBase64Action.java
+++ b/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/image/ImageBase64Action.java
-package com.x.bbs.assemble.control.jaxrs.image;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.POST;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.container.AsyncResponse;
-import javax.ws.rs.container.Suspended;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.MediaType;
-
-import com.google.gson.JsonElement;
-import com.x.base.core.project.annotation.JaxrsDescribe;
-import com.x.base.core.project.annotation.JaxrsMethodDescribe;
-import com.x.base.core.project.http.ActionResult;
-import com.x.base.core.project.http.EffectivePerson;
-import com.x.base.core.project.http.HttpMediaType;
-import com.x.base.core.project.jaxrs.ResponseFactory;
-import com.x.base.core.project.jaxrs.StandardJaxrsAction;
-import com.x.base.core.project.logger.Logger;
-import com.x.base.core.project.logger.LoggerFactory;
-import com.x.bbs.assemble.control.jaxrs.foruminfo.exception.ExceptionForumInfoProcess;
-
-@Path("image/encode")
-@JaxrsDescribe("图片编码服务")
-public class ImageBase64Action extends StandardJaxrsAction {
-
-	private static Logger logger = LoggerFactory.getLogger(ImageBase64Action.class);
-
-	@Path("base64")
-	@JaxrsMethodDescribe(value = "将URL指向的图片转换成base64String.", action = ActionImageBase64.class)
-	@POST
-	@Produces(HttpMediaType.APPLICATION_JSON_UTF_8)
-	@Consumes(MediaType.APPLICATION_JSON)
-	public void convert(@Suspended final AsyncResponse asyncResponse, @Context HttpServletRequest request,
-			JsonElement jsonElement) {
-		ActionResult<String> result = new ActionResult<>();
-		EffectivePerson effectivePerson = this.effectivePerson(request);
-		Boolean check = true;
-
-		if (check) {
-			try {
-				result = new ActionImageBase64().execute(request, effectivePerson, jsonElement);
-			} catch (Exception e) {
-				result = new ActionResult<>();
-				Exception exception = new ExceptionForumInfoProcess(e, "获取所有ForumInfo的信息列表时发生异常！");
-				result.error(exception);
-				logger.error(e, effectivePerson, request, null);
-			}
-		}
-
-		asyncResponse.resume(ResponseFactory.getEntityTagActionResultResponse(request, result));
-	}
-}
\ No newline at end of file
--- a/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/image/exception/ExceptionURLEmpty.java
+++ b/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/image/exception/ExceptionURLEmpty.java
-package com.x.bbs.assemble.control.jaxrs.image.exception;
-
-import com.x.base.core.project.exception.PromptException;
-
-public class ExceptionURLEmpty extends PromptException {
-
-	private static final long serialVersionUID = 1859164370743532895L;
-
-	public ExceptionURLEmpty() {
-		super("URL为空!" );
-	}
-
-	public ExceptionURLEmpty( Throwable e, String url) {
-		super("URL不合法! URL:" + url, e );
-	}
-}
--- a/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/image/exception/ExceptionWrapInConvert.java
+++ b/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/image/exception/ExceptionWrapInConvert.java
-package com.x.bbs.assemble.control.jaxrs.image.exception;
-
-import com.google.gson.JsonElement;
-import com.x.base.core.project.exception.PromptException;
-
-public class ExceptionWrapInConvert extends PromptException {
-
-	private static final long serialVersionUID = 1859164370743532895L;
-
-	public ExceptionWrapInConvert( Throwable e, JsonElement jsonElement) {
-		super( "系统在将JSON信息转换为对象时发生异常。JSON:" + jsonElement.toString(), e);
-	}
-}