Merge branch '修复安全漏洞' into 'master'

修复安全漏洞同时合并到develop See merge request o2oa/o2oa!1142 (cherry picked from commit e0b6cd89) 8666e8c0 1、人员组织发送验证码无论用户是否存在都返回正常，不报用户不存在的错误； e31932b1 3、修复内容管理文档保存权限未校验的问题 1eb3b2c7 人员组织发送验证码用户不存在报发送错误；

Merge branch '修复安全漏洞' into 'master'
修复安全漏洞同时合并到develop See merge request o2oa/o2oa!1142 (cherry picked from commit e0b6cd89) 8666e8c0 1、人员组织发送验证码无论用户是否存在都返回正常，不报用户不存在的错误； e31932b1 3、修复内容管理文档保存权限未校验的问题 1eb3b2c7 人员组织发送验证码用户不存在报发送错误；
87864956 · o2null · 5e0c3506 · 87864956 · 87864956 · 87864956
6 changed file
--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/Business.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/Business.java
@@ -3,6 +3,8 @@ package com.x.cms.assemble.control;
 import java.util.ArrayList;
 import java.util.List;

+import com.x.cms.core.entity.CategoryInfo;
+import com.x.cms.core.entity.Document;
 import org.apache.commons.lang3.StringUtils;

 import com.x.base.core.container.EntityManagerContainer;
@@ -41,7 +43,7 @@ import com.x.organization.core.express.Organization;

 /**
 * 通用业务类
- * 
+ *
 * @author sword
 */
 public class Business {
@@ -304,7 +306,7 @@ public class Business {

 	/**
 	 * 判断用户是否管理员权限
-	 * 
+	 *
 	 * @param person
 	 * @return
 	 * @throws Exception
@@ -324,7 +326,7 @@ public class Business {

 	/**
 	 * 判断用户是否管理员权限
-	 * 
+	 *
 	 * @param person
 	 * @return
 	 * @throws Exception
@@ -344,7 +346,7 @@ public class Business {

 	/**
 	 * 是否是栏目管理员
-	 * 
+	 *
 	 * @param person
 	 * @param appInfo
 	 * @return
@@ -379,7 +381,7 @@ public class Business {

 	/**
 	 * 是否是栏目创建管理员
-	 * 
+	 *
 	 * @param person
 	 * @param appInfo
 	 * @return
@@ -414,6 +416,90 @@ public class Business {
 		return false;
 	}

+	/**
+	 * 是否是文档的编辑者
+	 * @param person
+	 * @param appInfo
+	 * @return
+	 * @throws Exception
+	 */
+	public boolean isDocumentEditor(EffectivePerson person, AppInfo appInfo, CategoryInfo categoryInfo, Document document) throws Exception {
+		if (isManager(person)) {
+			return true;
+		}
+		List<String> unitNames = null;
+		List<String> groupNames = null;
+		if(document!=null){
+			if( ListTools.isNotEmpty( document.getAuthorPersonList() )) {
+				if( document.getAuthorPersonList().contains( getShortTargetFlag(person.getDistinguishedName()) ) ) {
+					return true;
+				}
+			}
+			if( ListTools.isNotEmpty( document.getAuthorUnitList() )) {
+				unitNames = this.organization().unit()
+						.listWithPersonSupNested(person.getDistinguishedName());
+				if( ListTools.containsAny( getShortTargetFlag(unitNames), document.getAuthorUnitList())) {
+					return true;
+				}
+			}
+			if( ListTools.isNotEmpty( document.getAuthorGroupList() )) {
+				groupNames = this.organization().group().listWithPerson(person.getDistinguishedName());
+				if( ListTools.containsAny( getShortTargetFlag(groupNames), document.getAuthorGroupList())) {
+					return true;
+				}
+			}
+		}
+		if (categoryInfo != null) {
+			if (ListTools.isNotEmpty(categoryInfo.getManageablePersonList())) {
+				if (categoryInfo.getManageablePersonList().contains(person.getDistinguishedName())) {
+					return true;
+				}
+			}
+			if (ListTools.isNotEmpty(categoryInfo.getManageableUnitList())) {
+				if(unitNames == null) {
+					unitNames = this.organization().unit()
+							.listWithPersonSupNested(person.getDistinguishedName());
+				}
+				if (ListTools.containsAny(unitNames, categoryInfo.getManageableUnitList())) {
+					return true;
+				}
+			}
+			if (ListTools.isNotEmpty(categoryInfo.getManageableGroupList())) {
+				if(groupNames == null) {
+					groupNames = this.organization().group().listWithPerson(person.getDistinguishedName());
+				}
+				if (ListTools.containsAny(groupNames, categoryInfo.getManageableGroupList())) {
+					return true;
+				}
+			}
+		}
+		if (appInfo != null) {
+			if (ListTools.isNotEmpty(appInfo.getManageablePersonList())) {
+				if (appInfo.getManageablePersonList().contains(person.getDistinguishedName())) {
+					return true;
+				}
+			}
+			if (ListTools.isNotEmpty(appInfo.getManageableUnitList())) {
+				if(unitNames == null) {
+					unitNames = this.organization().unit()
+							.listWithPersonSupNested(person.getDistinguishedName());
+				}
+				if (ListTools.containsAny(unitNames, appInfo.getManageableUnitList())) {
+					return true;
+				}
+			}
+			if (ListTools.isNotEmpty(appInfo.getManageableGroupList())) {
+				if(groupNames == null) {
+					groupNames = this.organization().group().listWithPerson(person.getDistinguishedName());
+				}
+				if (ListTools.containsAny(groupNames, appInfo.getManageableGroupList())) {
+					return true;
+				}
+			}
+		}
+		return false;
+	}
+
 	/**
 	 * TODO (uncomplete)判断用户是否有权限进行：[表单模板管理]操作
 	 *
@@ -481,4 +567,41 @@ public class Business {
 		}
 		return false;
 	}
+
+	public static String getShortTargetFlag(String distinguishedName) {
+		String target = null;
+		if( StringUtils.isNotEmpty( distinguishedName ) ){
+			String[] array = distinguishedName.split("@");
+			StringBuffer sb = new StringBuffer();
+			if( array.length == 3 ){
+				target = sb.append(array[1]).append("@").append(array[2]).toString();
+			}else if( array.length == 2 ){
+				//2段
+				target = sb.append(array[0]).append("@").append(array[1]).toString();
+			}else{
+				target = array[0];
+			}
+		}
+		return target;
+	}
+
+	public static List<String> getShortTargetFlag(List<String> nameList) {
+		List<String> targetList = new ArrayList<>();
+		if( ListTools.isNotEmpty( nameList ) ){
+			for(String distinguishedName : nameList) {
+				String target = distinguishedName;
+				String[] array = target.split("@");
+				StringBuffer sb = new StringBuffer();
+				if (array.length == 3) {
+					target = sb.append(array[1]).append("@").append(array[2]).toString();
+				} else if (array.length == 2) {
+					target = sb.append(array[0]).append("@").append(array[1]).toString();
+				} else {
+					target = array[0];
+				}
+				targetList.add(target);
+			}
+		}
+		return targetList;
+	}
 }
--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/ActionPersistSaveDocument.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/ActionPersistSaveDocument.java
@@ -12,7 +12,9 @@ import javax.servlet.http.HttpServletRequest;
 import com.x.base.core.entity.annotation.CheckPersistType;
 import com.x.base.core.project.config.StorageMapping;
 import com.x.base.core.project.config.Token;
+import com.x.base.core.project.exception.ExceptionAccessDenied;
 import com.x.base.core.project.exception.ExceptionWhen;
+import com.x.cms.assemble.control.Business;
 import com.x.cms.core.entity.enums.DocumentStatus;
 import com.x.cms.core.entity.query.DocumentNotify;
 import com.x.processplatform.core.entity.content.Attachment;
@@ -53,107 +55,56 @@ public class ActionPersistSaveDocument extends BaseAction {

 	protected ActionResult<Wo> execute( HttpServletRequest request, JsonElement jsonElement, EffectivePerson effectivePerson) throws Exception {
 		ActionResult<Wo> result = new ActionResult<>();
-		String identity = null;
-		AppInfo appInfo = null;
-		CategoryInfo categoryInfo = null;
-		Document document = null;
-		Form form = null;
 		Boolean check = true;
-		Wi wi = null;
-
-		try {
-			wi = this.convertToWrapIn( jsonElement, Wi.class );
-			document = Wi.copier.copy(wi);
-			document.setId( wi.getId() );
-			identity = wi.getIdentity();
-		} catch (Exception e ) {
-			check = false;
-			Exception exception = new ExceptionDocumentInfoProcess( e, "系统在将JSON信息转换为对象时发生异常。");
-			result.error( exception );
-			logger.error( e, effectivePerson, request, null);
+		Wi wi = this.convertToWrapIn( jsonElement, Wi.class );
+		Document document = Wi.copier.copy(wi);
+		document.setId( wi.getId() );
+		String identity = wi.getIdentity();
+		if( StringUtils.isBlank(identity)) {
+			identity = userManagerService.getPersonIdentity( effectivePerson.getDistinguishedName(), identity );
 		}

-		if (check) {
-			if( StringUtils.isBlank(identity)) {
-				try {
-					identity = userManagerService.getPersonIdentity( effectivePerson.getDistinguishedName(), identity );
-				} catch (Exception e) {
-					check = false;
-					Exception exception = new ExceptionDocumentInfoProcess(e, "系统在查询用户身份信息时发生异常。Name:" + identity);
-					result.error(exception);
-					logger.error(e, effectivePerson, request, null);
-				}
-			}
+		if ( StringUtils.isEmpty( wi.getCategoryId() ) ) {
+			throw new ExceptionDocumentCategoryIdEmpty();
 		}

-		if (check) {
-			if ( StringUtils.isEmpty( wi.getCategoryId() ) ) {
-				check = false;
-				Exception exception = new ExceptionDocumentCategoryIdEmpty();
-				result.error(exception);
+		CategoryInfo categoryInfo;
+		AppInfo appInfo = null;
+
+		Document oldDocument = documentQueryService.get(document.getId());
+		if(oldDocument != null){
+			categoryInfo = categoryInfoServiceAdv.get( oldDocument.getCategoryId() );
+			appInfo = appInfoServiceAdv.get(oldDocument.getAppId());
+		}else{
+			categoryInfo = categoryInfoServiceAdv.get( wi.getCategoryId() );
+			if(categoryInfo != null) {
+				appInfo = appInfoServiceAdv.get(categoryInfo.getAppId());
 			}
 		}

-		if (check) {
-			try {
-				categoryInfo = categoryInfoServiceAdv.get( wi.getCategoryId() );
-				if (categoryInfo == null) {
-					check = false;
-					Exception exception = new ExceptionCategoryInfoNotExists(wi.getCategoryId());
-					result.error(exception);
-				}
-			} catch (Exception e) {
-				check = false;
-				Exception exception = new ExceptionDocumentInfoProcess(e,
-						"系统在根据ID查询分类信息时发生异常！ID：" + wi.getCategoryId());
-				result.error(exception);
-				logger.error(e, effectivePerson, request, null);
-			}
+		if(categoryInfo == null){
+			throw new ExceptionCategoryInfoNotExists(wi.getCategoryId());
+		}
+		if (appInfo == null) {
+			throw new ExceptionAppInfoNotExists(categoryInfo.getAppId());
 		}

-		if (check) {
-			try {
-				appInfo = appInfoServiceAdv.get( categoryInfo.getAppId() );
-				if (appInfo == null) {
-					check = false;
-					Exception exception = new ExceptionAppInfoNotExists(categoryInfo.getAppId());
-					result.error(exception);
-				}
-			} catch (Exception e) {
-				check = false;
-				Exception exception = new ExceptionDocumentInfoProcess(e, "系统在根据ID查询应用栏目信息时发生异常！ID：" + categoryInfo.getAppId());
-				result.error(exception);
-				logger.error(e, effectivePerson, request, null);
-			}
+		Business business = new Business(null);
+		if(!business.isDocumentEditor(effectivePerson, appInfo, categoryInfo, oldDocument)){
+			throw new ExceptionAccessDenied(effectivePerson, document);
 		}

 		// 查询分类设置的编辑表单
-		if (check) {
-			if ( StringUtils.isEmpty(categoryInfo.getFormId() )) {
-				check = false;
-				Exception exception = new ExceptionCategoryFormIdEmpty();
-				result.error(exception);
-			}
+		if ( StringUtils.isEmpty(categoryInfo.getFormId() )) {
+			throw new ExceptionCategoryFormIdEmpty();
 		}

-		if (check) {
-			try {
-				form = formServiceAdv.get(categoryInfo.getFormId());
-				if (form == null) {
-					check = false;
-					Exception exception = new ExceptionFormForEditNotExists(categoryInfo.getFormId());
-					result.error(exception);
-				} else {
-					document.setForm(form.getId());
-					document.setFormName(form.getName());
-				}
-			} catch (Exception e) {
-				check = false;
-				Exception exception = new ExceptionDocumentInfoProcess(e,
-						"系统在根据ID查询编辑表单时发生异常！ID：" + categoryInfo.getFormId());
-				result.error(exception);
-				logger.error(e, effectivePerson, request, null);
-			}
+		Form form = formServiceAdv.get(categoryInfo.getFormId());
+		if (form == null) {
+			throw new ExceptionFormForEditNotExists(categoryInfo.getFormId());
+		} else {
+			document.setForm(form.getId());
+			document.setFormName(form.getName());
 		}

 		if (check) {

--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/DocumentAction.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/DocumentAction.java
@@ -708,7 +708,7 @@ public class DocumentAction extends StandardJaxrsAction {
 			} catch (Exception e) {
 				result = new ActionResult<>();
 				result.error(e);
-				logger.error(e, effectivePerson, request, null);
+				logger.error(e, effectivePerson, request, jsonElement);
 			}
 		}


--- a/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ActionCode.java
+++ b/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ActionCode.java
 package com.x.organization.assemble.authentication.jaxrs.authentication;

-import org.apache.commons.lang3.BooleanUtils;
-import org.apache.commons.lang3.StringUtils;
-
 import com.x.base.core.container.EntityManagerContainer;
 import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.project.config.Config;
-import com.x.base.core.project.exception.ExceptionPersonNotExist;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.jaxrs.WrapBoolean;
@@ -14,8 +10,9 @@ import com.x.base.core.project.logger.Logger;
 import com.x.base.core.project.logger.LoggerFactory;
 import com.x.organization.assemble.authentication.Business;
 import com.x.organization.core.entity.Person;
-
 import io.swagger.v3.oas.annotations.media.Schema;
+import org.apache.commons.lang3.BooleanUtils;
+import org.apache.commons.lang3.StringUtils;

 class ActionCode extends BaseAction {

@@ -31,18 +28,22 @@ class ActionCode extends BaseAction {
 				throw new ExceptionDisableCollect();
 			}
 			Wo wo = new Wo();
+			wo.setValue(true);
+			result.setData(wo);
 			Business business = new Business(emc);
 			String id = business.person().getWithCredential(credential);
 			if (StringUtils.isEmpty(id)) {
-				throw new ExceptionPersonNotExist(credential);
+				throw new ExceptionSendCodeError();
 			}
 			Person o = emc.find(id, Person.class);
 			if (!Config.person().isMobile(o.getMobile())) {
 				throw new ExceptionInvalidMobile(o.getMobile());
 			}
-			business.instrument().code().create(o.getMobile());
-			wo.setValue(true);
-			result.setData(wo);
+			try {
+				business.instrument().code().create(o.getMobile());
+			} catch (Exception e) {
+				throw new ExceptionSendCodeError(e);
+			}
 			return result;
 		}
 	}

--- a/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ExceptionSendCodeError.java
+++ b/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ExceptionSendCodeError.java
+package com.x.organization.assemble.authentication.jaxrs.authentication;
+
+import com.x.base.core.project.exception.PromptException;
+
+class ExceptionSendCodeError extends PromptException {
+
+	private static final long serialVersionUID = 1859164370743532895L;
+
+	public static String defaultMessage = "发送失败.";
+
+	ExceptionSendCodeError() {
+		super(defaultMessage);
+	}
+
+	ExceptionSendCodeError(Throwable cause) {
+		super(cause, defaultMessage);
+	}
+}
--- a/o2server/x_query_assemble_surface/src/main/java/com/x/query/assemble/surface/jaxrs/statement/ActionExecuteV2.java
+++ b/o2server/x_query_assemble_surface/src/main/java/com/x/query/assemble/surface/jaxrs/statement/ActionExecuteV2.java
@@ -3,6 +3,8 @@ package com.x.query.assemble.surface.jaxrs.statement;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;

 import javax.persistence.EntityManager;
 import javax.persistence.Parameter;
@@ -11,6 +13,7 @@ import javax.script.Bindings;
 import javax.script.CompiledScript;
 import javax.script.ScriptContext;

+import com.x.base.core.project.tools.StringTools;
 import org.apache.commons.collections4.list.TreeList;
 import org.apache.commons.lang3.StringUtils;

@@ -46,7 +49,7 @@ import com.x.query.core.express.statement.Runtime;
 class ActionExecuteV2 extends BaseAction {

 	private static final Logger LOGGER = LoggerFactory.getLogger(ActionExecuteV2.class);
-	
+
 	private static final String[] keys = { "group by", "GROUP BY", "order by", "ORDER BY", "limit", "LIMIT" };
 	private static final String[] pageKeys = { "GROUP BY", " COUNT(" };
 	private static final String JOIN_KEY = " JOIN ";
@@ -54,6 +57,8 @@ class ActionExecuteV2 extends BaseAction {
 	private static final String SQL_WHERE = "WHERE";
 	private static final String SQL_AND = "AND";
 	private static final String SQL_OR = "OR";
+	private static final Pattern SIMPLY_REGEX = Pattern
+			.compile("^[a-zA-Z0-9\\_\\-]*$");

 	ActionResult<Object> execute(EffectivePerson effectivePerson, String flag, String mode, Integer page, Integer size,
 			JsonElement jsonElement) throws Exception {
@@ -62,7 +67,7 @@ class ActionExecuteV2 extends BaseAction {
 				() -> page, () -> size);
 		ClassLoader classLoader = Business.getDynamicEntityClassLoader();
 		Thread.currentThread().setContextClassLoader(classLoader);
-		
+
 		Statement statement = null;
 		ActionResult<Object> result = new ActionResult<>();
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) {
@@ -317,9 +322,14 @@ class ActionExecuteV2 extends BaseAction {
 				if (size > 1) {
 					list.add("(");
 				}
+				int j = 0;
 				for (int i = 0; i < size; i++) {
 					FilterEntry filterEntry = wi.getFilterList().get(i);
-					if (i > 0) {
+					Matcher matcher = SIMPLY_REGEX.matcher(filterEntry.value);
+					if(!matcher.find()){
+						continue;
+					}
+					if (j++ > 0) {
 						String joinTag = filterEntry.logic;
 						if (StringUtils.isEmpty(joinTag) || !joinTag.equalsIgnoreCase(SQL_OR)) {
 							joinTag = SQL_AND;
@@ -330,6 +340,9 @@ class ActionExecuteV2 extends BaseAction {
 					list.add(Comparison.getMatchCom(filterEntry.comparison));
 					list.add(":" + filterEntry.value);
 				}
+				if(j == 0){
+					list.add("1=1");
+				}
 				if (size > 1) {
 					list.add(")");
 				}