提交 37fe6fea 编写于 作者: JEECG低代码平台's avatar JEECG低代码平台

表字典接口存在SQL注入漏洞,增加签名拦截器 自定义组件验签失败 issues/I3XNK1

上级 3fbb5ee4
package org.jeecg.config.sign.util; package org.jeecg.config.sign.util;
import com.alibaba.fastjson.JSONObject; import com.alibaba.fastjson.JSONObject;
import lombok.extern.slf4j.Slf4j;
import org.jeecg.common.util.oConvertUtils; import org.jeecg.common.util.oConvertUtils;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
...@@ -21,6 +22,7 @@ import java.util.TreeMap; ...@@ -21,6 +22,7 @@ import java.util.TreeMap;
* @author jeecg * @author jeecg
* @date 20210621 * @date 20210621
*/ */
@Slf4j
public class HttpUtils { public class HttpUtils {
/** /**
...@@ -36,7 +38,10 @@ public class HttpUtils { ...@@ -36,7 +38,10 @@ public class HttpUtils {
// 获取URL上最后带逗号的参数变量 sys/dict/getDictItems/sys_user,realname,username // 获取URL上最后带逗号的参数变量 sys/dict/getDictItems/sys_user,realname,username
String pathVariable = request.getRequestURI().substring(request.getRequestURI().lastIndexOf("/") + 1); String pathVariable = request.getRequestURI().substring(request.getRequestURI().lastIndexOf("/") + 1);
if (pathVariable.contains(",")) { if (pathVariable.contains(",")) {
result.put(SignUtil.xPathVariable, pathVariable); log.info(" pathVariable: {}",pathVariable);
String deString = URLDecoder.decode(pathVariable, "UTF-8");
log.info(" pathVariable decode: {}",deString);
result.put(SignUtil.xPathVariable, deString);
} }
// 获取URL上的参数 // 获取URL上的参数
Map<String, String> urlParams = getUrlParams(request); Map<String, String> urlParams = getUrlParams(request);
...@@ -71,7 +76,10 @@ public class HttpUtils { ...@@ -71,7 +76,10 @@ public class HttpUtils {
// 获取URL上最后带逗号的参数变量 sys/dict/getDictItems/sys_user,realname,username // 获取URL上最后带逗号的参数变量 sys/dict/getDictItems/sys_user,realname,username
String pathVariable = url.substring(url.lastIndexOf("/") + 1); String pathVariable = url.substring(url.lastIndexOf("/") + 1);
if (pathVariable.contains(",")) { if (pathVariable.contains(",")) {
result.put(SignUtil.xPathVariable, pathVariable); log.info(" pathVariable: {}",pathVariable);
String deString = URLDecoder.decode(pathVariable, "UTF-8");
log.info(" pathVariable decode: {}",deString);
result.put(SignUtil.xPathVariable, deString);
} }
// 获取URL上的参数 // 获取URL上的参数
Map<String, String> urlParams = getUrlParams(queryString); Map<String, String> urlParams = getUrlParams(queryString);
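Review bot: The `pathVariable.contains(",")` guard in this hunk (and the matching one at the `request.getRequestURI()` variant above) is evaluated on the still-encoded path segment, and the `URLDecoder.decode` the commit adds runs only inside that branch, so a client sending the comma as `%2C` skips the branch and the table/column list never enters the signed parameter map; if the downstream controller decodes `%2C` back to a comma before building the dictionary query, that segment is then used without being covered by the signature. Decode before testing: `String deString = URLDecoder.decode(pathVariable, "UTF-8");` followed by `if (deString.contains(",")) { result.put(SignUtil.xPathVariable, deString); }`. The two new `log.info` calls write the raw and decoded path segment of every signed request to the application log; `log.debug` is the usual level for this, and anything later parsing these lines should treat the value as attacker-controlled. `URLDecoder.decode(String, String)` throws a checked `UnsupportedEncodingException`, so the enclosing methods must declare or catch it (or, if the project targets Java 10+, use the `StandardCharsets.UTF_8` overload); both method signatures start outside the hunks, so I cannot confirm they do.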
......