From 87864956dff03829715f407a467e227c24f2afd8 Mon Sep 17 00:00:00 2001 From: o2null Date: Wed, 12 Oct 2022 08:33:46 +0000 Subject: [PATCH] =?UTF-8?q?Merge=20branch=20'=E4=BF=AE=E5=A4=8D=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E6=BC=8F=E6=B4=9E'=20into=20'master'?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 修复安全漏洞 同时合并到develop See merge request o2oa/o2oa!1142 (cherry picked from commit e0b6cd895b669b89b0fe27571e3d850fd8e0be18) 8666e8c0 1、人员组织发送验证码无论用户是否存在都返回正常,不报用户不存在的错误; e31932b1 3、修复内容管理文档保存权限未校验的问题 1eb3b2c7 人员组织发送验证码用户不存在报发送错误; --- .../com/x/cms/assemble/control/Business.java | 133 +++++++++++++++++- .../document/ActionPersistSaveDocument.java | 123 +++++----------- .../jaxrs/document/DocumentAction.java | 2 +- .../jaxrs/authentication/ActionCode.java | 19 +-- .../ExceptionSendCodeError.java | 18 +++ .../jaxrs/statement/ActionExecuteV2.java | 19 ++- 6 files changed, 210 insertions(+), 104 deletions(-) create mode 100644 o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ExceptionSendCodeError.java diff --git a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/Business.java b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/Business.java index 94af421bae..71322e9c22 100644 --- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/Business.java +++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/Business.java @@ -3,6 +3,8 @@ package com.x.cms.assemble.control; import java.util.ArrayList; import java.util.List; +import com.x.cms.core.entity.CategoryInfo; +import com.x.cms.core.entity.Document; import org.apache.commons.lang3.StringUtils; import com.x.base.core.container.EntityManagerContainer; @@ -41,7 +43,7 @@ import com.x.organization.core.express.Organization; /** * 通用业务类 - * + * * @author sword */ public class Business { 
@@ -304,7 +306,7 @@ public class Business { /** * 判断用户是否管理员权限 - * + * * @param person * @return * @throws Exception @@ -324,7 +326,7 @@ public class Business { /** * 判断用户是否管理员权限 - * + * * @param person * @return * @throws Exception @@ -344,7 +346,7 @@ public class Business { /** * 是否是栏目管理员 - * + * * @param person * @param appInfo * @return @@ -379,7 +381,7 @@ public class Business { /** * 是否是栏目创建管理员 - * + * * @param person * @param appInfo * @return 
@@ -414,6 +416,90 @@ public class Business { return false; } + /** + * 是否是文档的编辑者 + * @param person + * @param appInfo + * @return + * @throws Exception + */ + public boolean isDocumentEditor(EffectivePerson person, AppInfo appInfo, CategoryInfo categoryInfo, Document document) throws Exception { + if (isManager(person)) { + return true; + } + List unitNames = null; + List groupNames = null; + if(document!=null){ + if( ListTools.isNotEmpty( document.getAuthorPersonList() )) { + if( document.getAuthorPersonList().contains( getShortTargetFlag(person.getDistinguishedName()) ) ) { + return true; + } + } + if( ListTools.isNotEmpty( document.getAuthorUnitList() )) { + unitNames = this.organization().unit() + .listWithPersonSupNested(person.getDistinguishedName()); + if( ListTools.containsAny( getShortTargetFlag(unitNames), document.getAuthorUnitList())) { + return true; + } + } + if( ListTools.isNotEmpty( document.getAuthorGroupList() )) { + groupNames = this.organization().group().listWithPerson(person.getDistinguishedName()); + if( ListTools.containsAny( getShortTargetFlag(groupNames), document.getAuthorGroupList())) { + return true; + } + } + } + if (categoryInfo != null) { + if (ListTools.isNotEmpty(categoryInfo.getManageablePersonList())) { + if (categoryInfo.getManageablePersonList().contains(person.getDistinguishedName())) { + return true; + } + } + if (ListTools.isNotEmpty(categoryInfo.getManageableUnitList())) { + if(unitNames == null) { + unitNames = this.organization().unit() + .listWithPersonSupNested(person.getDistinguishedName()); + } + if (ListTools.containsAny(unitNames, categoryInfo.getManageableUnitList())) { + return true; + } + } + if (ListTools.isNotEmpty(categoryInfo.getManageableGroupList())) { + if(groupNames == null) { + groupNames = this.organization().group().listWithPerson(person.getDistinguishedName()); + } + if (ListTools.containsAny(groupNames, categoryInfo.getManageableGroupList())) { + return true; + } + } + } + if (appInfo != null) { + if 
(ListTools.isNotEmpty(appInfo.getManageablePersonList())) { + if (appInfo.getManageablePersonList().contains(person.getDistinguishedName())) { + return true; + } + } + if (ListTools.isNotEmpty(appInfo.getManageableUnitList())) { + if(unitNames == null) { + unitNames = this.organization().unit() + .listWithPersonSupNested(person.getDistinguishedName()); + } + if (ListTools.containsAny(unitNames, appInfo.getManageableUnitList())) { + return true; + } + } + if (ListTools.isNotEmpty(appInfo.getManageableGroupList())) { + if(groupNames == null) { + groupNames = this.organization().group().listWithPerson(person.getDistinguishedName()); + } + if (ListTools.containsAny(groupNames, appInfo.getManageableGroupList())) { + return true; + } + } + } + return false; + } + /** * TODO (uncomplete)判断用户是否有权限进行:[表单模板管理]操作 * @@ -481,4 +567,41 @@ public class Business { } return false; } + + public static String getShortTargetFlag(String distinguishedName) { + String target = null; + if( StringUtils.isNotEmpty( distinguishedName ) ){ + String[] array = distinguishedName.split("@"); + StringBuffer sb = new StringBuffer(); + if( array.length == 3 ){ + target = sb.append(array[1]).append("@").append(array[2]).toString(); + }else if( array.length == 2 ){ + //2段 + target = sb.append(array[0]).append("@").append(array[1]).toString(); + }else{ + target = array[0]; + } + } + return target; + } + + public static List getShortTargetFlag(List nameList) { + List targetList = new ArrayList<>(); + if( ListTools.isNotEmpty( nameList ) ){ + for(String distinguishedName : nameList) { + String target = distinguishedName; + String[] array = target.split("@"); + StringBuffer sb = new StringBuffer(); + if (array.length == 3) { + target = sb.append(array[1]).append("@").append(array[2]).toString(); + } else if (array.length == 2) { + target = sb.append(array[0]).append("@").append(array[1]).toString(); + } else { + target = array[0]; + } + targetList.add(target); + } + } + return targetList; + } } 
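Review bot: The document-author branches compare shortened names (`getShortTargetFlag(person.getDistinguishedName())`, `getShortTargetFlag(unitNames)`, `getShortTargetFlag(groupNames)`) while the `categoryInfo`/`appInfo` manageable-list branches compare full distinguished names, so the method silently assumes the two kinds of lists are persisted in different forms; if that assumption is wrong for either store the check denies legitimate editors (no bypass, but a hard-to-diagnose failure), and a comment stating which form each list holds — or one normalisation applied to both sides — would pin it down. `List unitNames = null;` and `List groupNames = null;` are raw types; `List<String>` is what `listWithPersonSupNested`/`listWithPerson` appear to return here and what `containsAny` is handed. The Javadoc names `person` and `appInfo` but not `categoryInfo` or `document`; `@param document the stored document being edited, or null when creating` would match how the caller passes it. When `document` is null none of the author lists are consulted, so creation is gated purely on category/app managers, which is presumably the intent and worth saying in the Javadoc.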
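Review bot: `getShortTargetFlag(List)` re-implements the per-name logic of `getShortTargetFlag(String)` instead of delegating to it, and both overloads use raw `List` and a `StringBuffer` where plain concatenation would do; the List overload reduces to a loop over the String overload (one observable difference to accept or handle: the String overload returns `null` for an empty name where the current loop yields `""`). A name with four or more `@`-separated segments falls into the final `else` and is truncated to its first segment, unlike the two- and three-segment cases which keep the tail — if such names cannot occur a comment saying so would help; if they can, the intent is probably `String.join("@", Arrays.copyOfRange(array, 1, array.length))` for that branch.
```java
public static List<String> getShortTargetFlag(List<String> nameList) {
    List<String> targetList = new ArrayList<>();
    if (ListTools.isNotEmpty(nameList)) {
        for (String distinguishedName : nameList) {
            targetList.add(getShortTargetFlag(distinguishedName));
        }
    }
    return targetList;
}
```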
diff --git a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/ActionPersistSaveDocument.java b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/ActionPersistSaveDocument.java index 6245eb825e..288ff8d046 100644 --- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/ActionPersistSaveDocument.java +++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/ActionPersistSaveDocument.java @@ -12,7 +12,9 @@ import javax.servlet.http.HttpServletRequest; import com.x.base.core.entity.annotation.CheckPersistType; import com.x.base.core.project.config.StorageMapping; import com.x.base.core.project.config.Token; +import com.x.base.core.project.exception.ExceptionAccessDenied; import com.x.base.core.project.exception.ExceptionWhen; +import com.x.cms.assemble.control.Business; import com.x.cms.core.entity.enums.DocumentStatus; import com.x.cms.core.entity.query.DocumentNotify; import com.x.processplatform.core.entity.content.Attachment; 
@@ -53,107 +55,56 @@ public class ActionPersistSaveDocument extends BaseAction { protected ActionResult execute( HttpServletRequest request, JsonElement jsonElement, EffectivePerson effectivePerson) throws Exception { ActionResult result = new ActionResult<>(); - String identity = null; - AppInfo appInfo = null; - CategoryInfo categoryInfo = null; - Document document = null; - Form form = null; Boolean check = true; - Wi wi = null; - - try { - wi = this.convertToWrapIn( jsonElement, Wi.class ); - document = Wi.copier.copy(wi); - document.setId( wi.getId() ); - identity = wi.getIdentity(); - } catch (Exception e ) { - check = false; - Exception exception = new ExceptionDocumentInfoProcess( e, "系统在将JSON信息转换为对象时发生异常。"); - result.error( exception ); - logger.error( e, effectivePerson, request, null); + Wi wi = this.convertToWrapIn( jsonElement, Wi.class ); + Document document = Wi.copier.copy(wi); + document.setId( wi.getId() ); + String identity = wi.getIdentity(); + if( StringUtils.isBlank(identity)) { + identity = userManagerService.getPersonIdentity( effectivePerson.getDistinguishedName(), identity ); } - if (check) { - if( StringUtils.isBlank(identity)) { - try { - identity = userManagerService.getPersonIdentity( effectivePerson.getDistinguishedName(), identity ); - } catch (Exception e) { - check = false; - Exception exception = new ExceptionDocumentInfoProcess(e, "系统在查询用户身份信息时发生异常。Name:" + identity); - result.error(exception); - logger.error(e, effectivePerson, request, null); - } - } + if ( StringUtils.isEmpty( wi.getCategoryId() ) ) { + throw new ExceptionDocumentCategoryIdEmpty(); } - if (check) { - if ( StringUtils.isEmpty( wi.getCategoryId() ) ) { - check = false; - Exception exception = new ExceptionDocumentCategoryIdEmpty(); - result.error(exception); + CategoryInfo categoryInfo; + AppInfo appInfo = null; + + Document oldDocument = documentQueryService.get(document.getId()); + if(oldDocument != null){ + categoryInfo = categoryInfoServiceAdv.get( 
oldDocument.getCategoryId() ); + appInfo = appInfoServiceAdv.get(oldDocument.getAppId()); + }else{ + categoryInfo = categoryInfoServiceAdv.get( wi.getCategoryId() ); + if(categoryInfo != null) { + appInfo = appInfoServiceAdv.get(categoryInfo.getAppId()); } } - if (check) { - try { - categoryInfo = categoryInfoServiceAdv.get( wi.getCategoryId() ); - if (categoryInfo == null) { - check = false; - Exception exception = new ExceptionCategoryInfoNotExists(wi.getCategoryId()); - result.error(exception); - } - } catch (Exception e) { - check = false; - Exception exception = new ExceptionDocumentInfoProcess(e, - "系统在根据ID查询分类信息时发生异常!ID:" + wi.getCategoryId()); - result.error(exception); - logger.error(e, effectivePerson, request, null); - } + if(categoryInfo == null){ + throw new ExceptionCategoryInfoNotExists(wi.getCategoryId()); + } + if (appInfo == null) { + throw new ExceptionAppInfoNotExists(categoryInfo.getAppId()); } - if (check) { - try { - appInfo = appInfoServiceAdv.get( categoryInfo.getAppId() ); - if (appInfo == null) { - check = false; - Exception exception = new ExceptionAppInfoNotExists(categoryInfo.getAppId()); - result.error(exception); - } - } catch (Exception e) { - check = false; - Exception exception = new ExceptionDocumentInfoProcess(e, "系统在根据ID查询应用栏目信息时发生异常!ID:" + categoryInfo.getAppId()); - result.error(exception); - logger.error(e, effectivePerson, request, null); - } + Business business = new Business(null); + if(!business.isDocumentEditor(effectivePerson, appInfo, categoryInfo, oldDocument)){ + throw new ExceptionAccessDenied(effectivePerson, document); } // 查询分类设置的编辑表单 - if (check) { - if ( StringUtils.isEmpty(categoryInfo.getFormId() )) { - check = false; - Exception exception = new ExceptionCategoryFormIdEmpty(); - result.error(exception); - } + if ( StringUtils.isEmpty(categoryInfo.getFormId() )) { + throw new ExceptionCategoryFormIdEmpty(); } - if (check) { - try { - form = formServiceAdv.get(categoryInfo.getFormId()); - if (form == null) { - 
check = false; - Exception exception = new ExceptionFormForEditNotExists(categoryInfo.getFormId()); - result.error(exception); - } else { - document.setForm(form.getId()); - document.setFormName(form.getName()); - } - } catch (Exception e) { - check = false; - Exception exception = new ExceptionDocumentInfoProcess(e, - "系统在根据ID查询编辑表单时发生异常!ID:" + categoryInfo.getFormId()); - result.error(exception); - logger.error(e, effectivePerson, request, null); - } + Form form = formServiceAdv.get(categoryInfo.getFormId()); + if (form == null) { + throw new ExceptionFormForEditNotExists(categoryInfo.getFormId()); + } else { + document.setForm(form.getId()); + document.setFormName(form.getName()); } if (check) { diff --git a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/DocumentAction.java b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/DocumentAction.java index 738e8041d1..b4a6e993fc 100644 --- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/DocumentAction.java +++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/document/DocumentAction.java @@ -708,7 +708,7 @@ public class DocumentAction extends StandardJaxrsAction { } catch (Exception e) { result = new ActionResult<>(); result.error(e); - logger.error(e, effectivePerson, request, null); + logger.error(e, effectivePerson, request, jsonElement); } } diff --git a/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ActionCode.java b/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ActionCode.java index db4455cb15..a1dff97e8b 100644 --- a/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ActionCode.java 
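Review bot: The editor check runs against `oldDocument`'s category and app, but `document` was built by `Wi.copier.copy(wi)` and still carries the client-supplied `categoryId`; unless the rest of `execute` (which continues past this hunk) resets it from the resolved entities, an editor of one category could re-home an existing document into another just by changing `categoryId` in the request — setting `document.setCategoryId(categoryInfo.getId()); document.setAppId(appInfo.getId());` right after the `isDocumentEditor` check would close that, assuming those setters are the entity's standard ones. The client-supplied `identity` is likewise used as-is whenever it is non-blank, so unless later code verifies it belongs to `effectivePerson`, a caller can attribute the document to another identity. `Boolean check = true;` is no longer cleared anywhere in this hunk, so the trailing `if (check) {` guard is dead unless something below sets it; and `new Business(null)` hands `isDocumentEditor` a Business without an EntityManagerContainer, which is fine only if nothing on that path dereferences it — confirm.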
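Review bot: The catch block now passes the whole request `jsonElement` to `logger.error`, so every failed save writes the full document payload — whatever `Wi` carries, which may include document content and permission lists — into the server log, where it sits under different access controls and retention than the document store. If the logger persists that argument verbatim, keeping the previous `null` and logging only the document id (e.g. a short `"save document " + id` context) would retain the diagnostic value without the payload. The enclosing method's name and signature are outside the hunk.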
+++ b/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ActionCode.java @@ -1,12 +1,8 @@ package com.x.organization.assemble.authentication.jaxrs.authentication; -import org.apache.commons.lang3.BooleanUtils; -import org.apache.commons.lang3.StringUtils; - import com.x.base.core.container.EntityManagerContainer; import com.x.base.core.container.factory.EntityManagerContainerFactory; import com.x.base.core.project.config.Config; -import com.x.base.core.project.exception.ExceptionPersonNotExist; import com.x.base.core.project.http.ActionResult; import com.x.base.core.project.http.EffectivePerson; import com.x.base.core.project.jaxrs.WrapBoolean; @@ -14,8 +10,9 @@ import com.x.base.core.project.logger.Logger; import com.x.base.core.project.logger.LoggerFactory; import com.x.organization.assemble.authentication.Business; import com.x.organization.core.entity.Person; - import io.swagger.v3.oas.annotations.media.Schema; +import org.apache.commons.lang3.BooleanUtils; +import org.apache.commons.lang3.StringUtils; class ActionCode extends BaseAction { @@ -31,18 +28,22 @@ class ActionCode extends BaseAction { throw new ExceptionDisableCollect(); } Wo wo = new Wo(); + wo.setValue(true); + result.setData(wo); Business business = new Business(emc); String id = business.person().getWithCredential(credential); if (StringUtils.isEmpty(id)) { - throw new ExceptionPersonNotExist(credential); + throw new ExceptionSendCodeError(); } Person o = emc.find(id, Person.class); if (!Config.person().isMobile(o.getMobile())) { throw new ExceptionInvalidMobile(o.getMobile()); } - business.instrument().code().create(o.getMobile()); - wo.setValue(true); - result.setData(wo); + try { + business.instrument().code().create(o.getMobile()); + } catch (Exception e) { + throw new ExceptionSendCodeError(e); + } return result; } } 
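Review bot: The generic `ExceptionSendCodeError` is now thrown for an unknown credential, but a known account whose stored number fails `Config.person().isMobile(...)` still gets `ExceptionInvalidMobile(o.getMobile())`, so the response both distinguishes the two cases and echoes the stored mobile back to an unauthenticated caller; throwing the same generic error there — `throw new ExceptionSendCodeError();` — and logging the real reason server-side keeps the responses uniform. The `ExceptionSendCodeError(e)` wrapper on the send path is only as opaque as `PromptException`'s rendering of its cause, which is not on the page — confirm the cause message is not returned to the client. The unknown-credential path still returns faster than a real send, which remains a weak existence signal; likely acceptable, but worth a comment. `execute`'s signature is outside the hunk.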
diff --git a/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ExceptionSendCodeError.java b/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ExceptionSendCodeError.java new file mode 100644 index 0000000000..dae99f3462 --- /dev/null +++ b/o2server/x_organization_assemble_authentication/src/main/java/com/x/organization/assemble/authentication/jaxrs/authentication/ExceptionSendCodeError.java @@ -0,0 +1,18 @@ +package com.x.organization.assemble.authentication.jaxrs.authentication; + +import com.x.base.core.project.exception.PromptException; + +class ExceptionSendCodeError extends PromptException { + + private static final long serialVersionUID = 1859164370743532895L; + + public static String defaultMessage = "发送失败."; + + ExceptionSendCodeError() { + super(defaultMessage); + } + + ExceptionSendCodeError(Throwable cause) { + super(cause, defaultMessage); + } +} diff --git a/o2server/x_query_assemble_surface/src/main/java/com/x/query/assemble/surface/jaxrs/statement/ActionExecuteV2.java b/o2server/x_query_assemble_surface/src/main/java/com/x/query/assemble/surface/jaxrs/statement/ActionExecuteV2.java index 666d2fec26..180bd60483 100644 --- a/o2server/x_query_assemble_surface/src/main/java/com/x/query/assemble/surface/jaxrs/statement/ActionExecuteV2.java +++ b/o2server/x_query_assemble_surface/src/main/java/com/x/query/assemble/surface/jaxrs/statement/ActionExecuteV2.java @@ -3,6 +3,8 @@ package com.x.query.assemble.surface.jaxrs.statement; import java.util.ArrayList; import java.util.List; import java.util.Objects; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.persistence.EntityManager; import javax.persistence.Parameter; 
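Review bot: `public static String defaultMessage` is a mutable, publicly writable static on an exception type — any code in the module can change the message every later instance uses, and it is public on a package-private class; `private static final String DEFAULT_MESSAGE = "发送失败.";` (or passing the literal straight to `super`) matches the intent. The `super(cause, defaultMessage)` argument order depends on `PromptException`'s constructor, which is not on the page — confirm it takes (Throwable, String) rather than (String, Throwable).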
@@ -11,6 +13,7 @@ import javax.script.Bindings; import javax.script.CompiledScript; import javax.script.ScriptContext; +import com.x.base.core.project.tools.StringTools; import org.apache.commons.collections4.list.TreeList; import org.apache.commons.lang3.StringUtils; @@ -46,7 +49,7 @@ import com.x.query.core.express.statement.Runtime; class ActionExecuteV2 extends BaseAction { private static final Logger LOGGER = LoggerFactory.getLogger(ActionExecuteV2.class); - + private static final String[] keys = { "group by", "GROUP BY", "order by", "ORDER BY", "limit", "LIMIT" }; private static final String[] pageKeys = { "GROUP BY", " COUNT(" }; private static final String JOIN_KEY = " JOIN "; @@ -54,6 +57,8 @@ class ActionExecuteV2 extends BaseAction { private static final String SQL_WHERE = "WHERE"; private static final String SQL_AND = "AND"; private static final String SQL_OR = "OR"; + private static final Pattern SIMPLY_REGEX = Pattern + .compile("^[a-zA-Z0-9\\_\\-]*$"); ActionResult execute(EffectivePerson effectivePerson, String flag, String mode, Integer page, Integer size, JsonElement jsonElement) throws Exception { @@ -62,7 +67,7 @@ class ActionExecuteV2 extends BaseAction { () -> page, () -> size); ClassLoader classLoader = Business.getDynamicEntityClassLoader(); Thread.currentThread().setContextClassLoader(classLoader); - + Statement statement = null; ActionResult result = new ActionResult<>(); try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create()) { @@ -317,9 +322,14 @@ class ActionExecuteV2 extends BaseAction { if (size > 1) { list.add("("); } + int j = 0; for (int i = 0; i < size; i++) { FilterEntry filterEntry = wi.getFilterList().get(i); - if (i > 0) { + Matcher matcher = SIMPLY_REGEX.matcher(filterEntry.value); + if(!matcher.find()){ + continue; + } + if (j++ > 0) { String joinTag = filterEntry.logic; if (StringUtils.isEmpty(joinTag) || !joinTag.equalsIgnoreCase(SQL_OR)) { joinTag = SQL_AND; 
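Review bot: A filter whose `value` fails `SIMPLY_REGEX` is silently skipped with `continue`, and when every filter is skipped the `@@ -330` hunk substitutes `1=1`; both make the statement fail open — a request carrying a malformed filter yields the unfiltered, wider result set instead of being rejected. Rejecting is the safer behaviour: replace `continue` with `throw new IllegalArgumentException("invalid filter value");` (or the project's prompt exception), drop the `1=1` fallback, and the `j` counter is no longer needed either. `SIMPLY_REGEX` also matches the empty string because of the `*` quantifier, which leaves a bare `:` placeholder in the clause — `^[a-zA-Z0-9_-]+$` closes that (the `\\_` and `\\-` escapes are unnecessary), and with `^…$` anchors `matcher.matches()` states the intent more plainly than `find()`. `StringTools` is imported in the `@@ -11` hunk but used in no visible hunk — confirm it is needed. The method building this filter clause starts and ends outside the hunk.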
@@ -330,6 +340,9 @@ class ActionExecuteV2 extends BaseAction { list.add(Comparison.getMatchCom(filterEntry.comparison)); list.add(":" + filterEntry.value); } + if(j == 0){ + list.add("1=1"); + } if (size > 1) { list.add(")"); } -- GitLab