lxm_front/AJ-Report
1
0
Fork 0
mirror of https://gitee.com/anji-plus/report.git synced 2026-05-20 08:47:18 +08:00
Code Issues Projects Releases Wiki Activity

修复国家信息安全漏洞共享平台披露的漏洞CNVD-2024-34975,避免,通过/dataSetParam/verification;swagger-ui,方式,绕过TokenFilter,当初在开发期,为方便前后联调,引入了swagger-ui,目前前后端接口基本稳定,同时考虑目前大部分aj-report没有二开能力,我们再三斟酌,删除swagger-ui,二开的同学如有需要,自己添加。

Browse Source
This commit is contained in:
Devli
2024-08-26 09:23:41 +08:00
parent 1f951a6127
commit af73727e40
3 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
report-core/pom.xml
View File

@@ -88,6 +88,10 @@
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId> <artifactId>spring-boot-starter-data-redis</artifactId>
</exclusion> </exclusion>
<exclusion>
<groupId>com.spring4all</groupId>
<artifactId>swagger-spring-boot-starter</artifactId>
</exclusion>
</exclusions> </exclusions>
</dependency> </dependency>

2
report-core/src/main/java/com/anjiplus/template/gaea/business/ReportApplication.java
View File

@@ -4,7 +4,6 @@ import com.anji.plus.gaea.annotation.enabled.EnabledGaeaConfiguration;
import org.mybatis.spring.annotation.MapperScan; import org.mybatis.spring.annotation.MapperScan;
import org.springframework.boot.SpringApplication; import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication; import org.springframework.boot.autoconfigure.SpringBootApplication;
import springfox.documentation.swagger2.annotations.EnableSwagger2;
/** /**
* 业务模板 * 业务模板
@@ -21,7 +20,6 @@ import springfox.documentation.swagger2.annotations.EnableSwagger2;
"com.anjiplus.template.gaea.business.modules.*.**.dao", "com.anjiplus.template.gaea.business.modules.*.**.dao",
"com.anji.plus.gaea.*.module.*.dao" "com.anji.plus.gaea.*.module.*.dao"
}) })
@EnableSwagger2
public class ReportApplication { public class ReportApplication {
public static void main( String[] args ) { public static void main( String[] args ) {
SpringApplication.run(ReportApplication.class); SpringApplication.run(ReportApplication.class);

14
report-core/src/main/java/com/anjiplus/template/gaea/business/filter/TokenFilter.java
View File

@@ -67,24 +67,24 @@ public class TokenFilter implements Filter {
HttpServletResponse response = (HttpServletResponse) servletResponse; HttpServletResponse response = (HttpServletResponse) servletResponse;
String uri = request.getRequestURI(); String uri = request.getRequestURI();
// TODO 暂时先不校验 直接放行
/*if (true) {
filterChain.doFilter(request, response);
return;
}*/
//OPTIONS直接放行 //OPTIONS直接放行
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) { if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
return; return;
} }
/** 修复 国家信息安全漏洞共享平台披露的漏洞 CNVD-2024-34975
* 避免,通过/dataSetParam/verification;swagger-ui方式绕过TokenFilter
* 当初在开发期为方便前后联调引入了swagger-ui目前前后端接口基本稳定同时考虑目前大部分aj-report没有二开能力
* 我们再三斟酌删除swagger-ui二开的同学如有需要自己添加。
*/
// swagger相关的直接放行 // swagger相关的直接放行
/*
if (uri.contains("swagger-ui") || uri.contains("swagger-resources")) { if (uri.contains("swagger-ui") || uri.contains("swagger-resources")) {
filterChain.doFilter(request, response); filterChain.doFilter(request, response);
return; return;
} }
*/
if (SLASH.equals(uri) || SLASH.concat(BusinessConstant.SLASH).equals(uri)) { if (SLASH.equals(uri) || SLASH.concat(BusinessConstant.SLASH).equals(uri)) {
if (BusinessConstant.SLASH.equals(uri)) { if (BusinessConstant.SLASH.equals(uri)) {