修复国家信息安全漏洞共享平台披露的漏洞CNVD-2024-34975，避免，通过/dataSetParam/verification;swagger-ui，方式，绕过TokenFilter，当初在开发期，为方便前后联调，引入了swagger-ui，目前前后端接口基本稳定，同时考虑目前大部分aj-report没有二开能力，我们再三斟酌，删除swagger-ui，二开的同学如有需要，自己添加。

2026-05-20 08:47:18 +08:00 · 2024-08-26 09:23:41 +08:00
parent 1f951a6127
commit af73727e40
3 changed files with 11 additions and 9 deletions
--- a/report-core/pom.xml
+++ b/report-core/pom.xml
@@ -88,6 +88,10 @@
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-data-redis</artifactId>
                </exclusion>
+                <exclusion>
+                    <groupId>com.spring4all</groupId>
+                    <artifactId>swagger-spring-boot-starter</artifactId>
+                </exclusion>
            </exclusions>
        </dependency>

--- a/report-core/src/main/java/com/anjiplus/template/gaea/business/ReportApplication.java
+++ b/report-core/src/main/java/com/anjiplus/template/gaea/business/ReportApplication.java
@@ -4,7 +4,6 @@ import com.anji.plus.gaea.annotation.enabled.EnabledGaeaConfiguration;
 import org.mybatis.spring.annotation.MapperScan;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import springfox.documentation.swagger2.annotations.EnableSwagger2;

 /**
 * 业务模板
@@ -21,7 +20,6 @@ import springfox.documentation.swagger2.annotations.EnableSwagger2;
        "com.anjiplus.template.gaea.business.modules.*.**.dao",
        "com.anji.plus.gaea.*.module.*.dao"
 })
-@EnableSwagger2
 public class ReportApplication {
    public static void main( String[] args ) {
        SpringApplication.run(ReportApplication.class);
--- a/report-core/src/main/java/com/anjiplus/template/gaea/business/filter/TokenFilter.java
+++ b/report-core/src/main/java/com/anjiplus/template/gaea/business/filter/TokenFilter.java
@@ -67,24 +67,24 @@ public class TokenFilter implements Filter {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String uri = request.getRequestURI();

-        // TODO 暂时先不校验 直接放行
-        /*if (true) {
-            filterChain.doFilter(request, response);
-            return;
-        }*/
-
        //OPTIONS直接放行
        if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
            filterChain.doFilter(request, response);
            return;
        }

+        /** 修复 国家信息安全漏洞共享平台披露的漏洞 CNVD-2024-34975
+         * 避免，通过/dataSetParam/verification;swagger-ui，方式，绕过TokenFilter
+         * 当初在开发期，为方便前后联调，引入了swagger-ui，目前前后端接口基本稳定，同时考虑目前大部分aj-report没有二开能力，
+         * 我们再三斟酌，删除swagger-ui，二开的同学如有需要，自己添加。
+         */
        // swagger相关的直接放行
+        /*
        if (uri.contains("swagger-ui") || uri.contains("swagger-resources")) {
            filterChain.doFilter(request, response);
            return;
        }
-
+        */

        if (SLASH.equals(uri) || SLASH.concat(BusinessConstant.SLASH).equals(uri)) {
            if (BusinessConstant.SLASH.equals(uri)) {