From 13c770b6beedaee905d99d44bcd5c3378eeda0da Mon Sep 17 00:00:00 2001
From: Awen <39176130+yu1183688986@users.noreply.github.com>
Date: Wed, 27 Oct 2021 19:03:29 +0800
Subject: [PATCH 1/6] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=B8=80=E4=BA=9B?=
 =?UTF-8?q?=E5=B8=83=E5=B0=94=E5=88=A4=E6=96=AD=E8=AF=AD=E6=B3=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../main/java/com/ruoyi/common/utils/html/HTMLFilter.java | 2 +-
 .../src/main/java/com/ruoyi/common/utils/uuid/UUID.java | 8 ++++----
 .../com/ruoyi/system/service/impl/SysDeptServiceImpl.java | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java
index 415acbab2..d3b211a48 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/HTMLFilter.java
@@ -332,7 +332,7 @@ public final class HTMLFilter
 final String name = m.group(1).toLowerCase();
 if (allowed(name))
 {
- if (false == inArray(name, vSelfClosingTags))
+ if (!inArray(name, vSelfClosingTags))
 {
 if (vTagCounts.containsKey(name))
 {
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/uuid/UUID.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/uuid/UUID.java
index eef72ee0b..c0c18af01 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/uuid/UUID.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/uuid/UUID.java
@@ -343,25 +343,25 @@ public final class UUID implements java.io.Serializable, Comparable
 final StringBuilder builder = new StringBuilder(isSimple ? 32 : 36);
 // time_low
 builder.append(digits(mostSigBits >> 32, 8));
- if (false == isSimple)
+ if (!isSimple)
 {
 builder.append('-');
 }
 // time_mid
 builder.append(digits(mostSigBits >> 16, 4));
- if (false == isSimple)
+ if (!isSimple)
 {
 builder.append('-');
 }
 // time_high_and_version
 builder.append(digits(mostSigBits, 4));
- if (false == isSimple)
+ if (!isSimple)
 {
 builder.append('-');
 }
 // variant_and_sequence
 builder.append(digits(leastSigBits >> 48, 4));
- if (false == isSimple)
+ if (!isSimple)
 {
 builder.append('-');
 }
diff --git a/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysDeptServiceImpl.java b/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysDeptServiceImpl.java
index a2c3b5b1e..9bf8fe0e1 100644
--- a/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysDeptServiceImpl.java
+++ b/ruoyi-system/src/main/java/com/ruoyi/system/service/impl/SysDeptServiceImpl.java
@@ -140,7 +140,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 public boolean hasChildByDeptId(Long deptId)
 {
 int result = deptMapper.hasChildByDeptId(deptId);
- return result > 0 ? true : false;
+ return result > 0;
 }
 
 /**
@@ -153,7 +153,7 @@ public class SysDeptServiceImpl implements ISysDeptService
 public boolean checkDeptExistUser(Long deptId)
 {
 int result = deptMapper.checkDeptExistUser(deptId);
- return result > 0 ? true : false;
+ return result > 0;
 }
 
 /**
@@ -325,6 +325,6 @@ public class SysDeptServiceImpl implements ISysDeptService
 */
 private boolean hasChild(List list, SysDept t)
 {
- return getChildList(list, t).size() > 0 ? true : false;
+ return getChildList(list, t).size() > 0;
 }
 }
From 3ae5ec92a530e5f14720a8b7d490959430399b11 Mon Sep 17 00:00:00 2001
From: RuoYi
Date: Mon, 1 Nov 2021 13:29:27 +0800
Subject: [PATCH 2/6] =?UTF-8?q?=E7=99=BB=E5=BD=95/=E9=AA=8C=E8=AF=81?=
 =?UTF-8?q?=E7=A0=81=E8=AF=B7=E6=B1=82headers=E4=B8=8D=E8=AE=BE=E7=BD=AEto?=
 =?UTF-8?q?ken?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ruoyi-ui/src/api/login.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ruoyi-ui/src/api/login.js b/ruoyi-ui/src/api/login.js
index 224561606..26742e79c 100644
--- a/ruoyi-ui/src/api/login.js
+++ b/ruoyi-ui/src/api/login.js
@@ -10,6 +10,9 @@ export function login(username, password, code, uuid) {
 }
 return request({
 url: '/login',
+ headers: {
+ isToken: false
+ },
 method: 'post',
 data: data
 })
@@ -47,6 +50,9 @@ export function logout() {
 export function getCodeImg() {
 return request({
 url: '/captchaImage',
+ headers: {
+ isToken: false
+ },
 method: 'get',
 timeout: 20000
 })
From 181f62c15ead24c5e56b77dde3bbf443430691bf Mon Sep 17 00:00:00 2001
From: RuoYi
Date: Mon, 1 Nov 2021 14:40:00 +0800
Subject: [PATCH 3/6] =?UTF-8?q?=E5=9B=9E=E6=98=BE=E6=95=B0=E6=8D=AE?=
 =?UTF-8?q?=E5=AD=97=E5=85=B8=E9=94=AE=E5=80=BC=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 ruoyi-ui/src/utils/ruoyi.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ruoyi-ui/src/utils/ruoyi.js b/ruoyi-ui/src/utils/ruoyi.js
index 63bd379b7..440bf4cd8 100644
--- a/ruoyi-ui/src/utils/ruoyi.js
+++ b/ruoyi-ui/src/utils/ruoyi.js
@@ -85,8 +85,8 @@ export function selectDictLabels(datas, value, separator) {
 var temp = value.split(currentSeparator);
 Object.keys(value.split(currentSeparator)).some((val) => {
 Object.keys(datas).some((key) => {
- if (datas[key].dictValue == ('' + temp[val])) {
- actions.push(datas[key].dictLabel + currentSeparator);
+ if (datas[key].value == ('' + temp[val])) {
+ actions.push(datas[key].label + currentSeparator);
 }
 })
 })
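Review bot: The `isToken: false` entry added under `headers` in `login()` is an interceptor control flag rather than a real HTTP header, and nothing in this hunk removes it before the request goes out; if the request interceptor (outside this file) only reads the flag, it is sent to the server as a non-standard `isToken` request header and turns the login POST into a CORS-preflighted request on a split frontend/backend deployment. Confirm the interceptor does `delete config.headers['isToken']` after consulting it, or carry the flag in a custom axios config field instead of `headers`. A comment on the added lines would make the intent clear to the next reader: `// isToken: false — ask the request interceptor not to attach the stored bearer token`. Keeping a stale token off the login and captcha calls is presumably the goal, since an expired token on those routes could otherwise trip the 401 handler before the user can sign in.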
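Review bot: The renamed comparison in `selectDictLabels`, `datas[key].value == ('' + temp[val])`, still relies on loose equality while already coercing the right-hand side to a string; the clearer, equivalent form is `if (String(datas[key].value) === String(temp[val])) {`, which keeps numeric dictionary values matching and drops the `==` lint warning. The surrounding `.some()` callbacks never return `true`, so they are really `forEach` loops over every key; that is pre-existing, but worth a `// intentionally scans all entries` comment or a `forEach` while this line is being touched. The function's opening and `return` are outside the hunk.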
From bd09e5b11ccb425d2b280c96b98dc110b1bb2c59 Mon Sep 17 00:00:00 2001
From: RuoYi
Date: Mon, 1 Nov 2021 15:02:47 +0800
Subject: [PATCH 4/6] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E5=AD=97=E7=AC=A6?=
 =?UTF-8?q?=E4=B8=B2=E6=97=A0=E6=B3=95=E8=A2=AB=E5=8F=8D=E8=BD=AC=E4=B9=89?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../ruoyi/common/utils/html/EscapeUtil.java | 34 +++++++++++++------
 1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java
index 65fd7920f..dda96c32f 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/html/EscapeUtil.java
@@ -69,26 +69,37 @@ public class EscapeUtil
 */
 private static String encode(String text)
 {
- int len;
- if ((text == null) || ((len = text.length()) == 0))
+ if (StringUtils.isEmpty(text))
 {
 return StringUtils.EMPTY;
 }
- StringBuilder buffer = new StringBuilder(len + (len >> 2));
+
+ final StringBuilder tmp = new StringBuilder(text.length() * 6);
 char c;
- for (int i = 0; i < len; i++)
+ for (int i = 0; i < text.length(); i++)
 {
 c = text.charAt(i);
- if (c < 64)
+ if (c < 256)
 {
- buffer.append(TEXT[c]);
+ tmp.append("%");
+ if (c < 16)
+ {
+ tmp.append("0");
+ }
+ tmp.append(Integer.toString(c, 16));
 }
 else
 {
- buffer.append(c);
+ tmp.append("%u");
+ if (c <= 0xfff)
+ {
+ // issue#I49JU8@Gitee
+ tmp.append("0");
+ }
+ tmp.append(Integer.toString(c, 16));
 }
 }
- return buffer.toString();
+ return tmp.toString();
 }
 
 /**
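Review bot: The rewritten `encode` says nothing about the format it now produces, and the contract is not obvious from the code: every char below 0x100 becomes `%xx` (letters and digits included, which is why the builder is sized `text.length() * 6`) and everything else `%uxxxx`, both in lowercase hex. Because it walks `text.charAt(i)`, a supplementary character (an emoji, for instance) is emitted as two `%uXXXX` surrogate escapes, which only round-trips if `unescape` (outside this hunk) rebuilds chars rather than code points — that case deserves a unit test next to the ASCII one. The Javadoc whose `*/` is the first context line should state the `%xx` / `%uxxxx` output format and the surrogate behaviour. Stylistically, the two hand-rolled padding branches collapse to `tmp.append(String.format("%%%02x", (int) c));` and `tmp.append(String.format("%%u%04x", (int) c));`, which makes the width rule visible instead of the `c < 16` / `c <= 0xfff` thresholds.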
@@ -145,11 +156,12 @@ public class EscapeUtil
 public static void main(String[] args)
 {
 String html = "";
+ String escape = EscapeUtil.escape(html);
 // String html = "ipt>alert(\"XSS\")ipt>";
 // String html = "<123";
 // String html = "123>";
- System.out.println(EscapeUtil.clean(html));
- System.out.println(EscapeUtil.escape(html));
- System.out.println(EscapeUtil.unescape(html));
+ System.out.println("clean: " + EscapeUtil.clean(html));
+ System.out.println("escape: " + escape);
+ System.out.println("unescape: " + EscapeUtil.unescape(escape));
 }
 }
From cc4c52c998f5ffd6adc63d62d870ce76ffa9ae61 Mon Sep 17 00:00:00 2001
From: RuoYi
Date: Mon, 1 Nov 2021 15:03:06 +0800
Subject: [PATCH 5/6] =?UTF-8?q?=E4=BB=BB=E5=8A=A1=E5=B1=8F=E8=94=BD?=
 =?UTF-8?q?=E8=BF=9D=E8=A7=84=E5=AD=97=E7=AC=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../main/java/com/ruoyi/common/constant/Constants.java | 8 +++++++-
 .../com/ruoyi/quartz/controller/SysJobController.java | 8 ++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java b/ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java
index 9f55771bf..9e770c812 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java
@@ -148,4 +148,10 @@ public class Constants
 * LDAP 远程方法调用
 */
 public static final String LOOKUP_LDAP = "ldap://";
-}
+
+ /**
+ * 定时任务违规的字符
+ */
+ public static final String[] JOB_ERROR_STR = { "java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml",
+ "org.springframework.jndi" };
+}
\ No newline at end of file
diff --git a/ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/SysJobController.java b/ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/SysJobController.java
index c9616c2f6..2f3ddab6f 100644
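Review bot: The `main` method now computes a round trip, `EscapeUtil.unescape(escape)` against the original `html`, but only prints it and stays compiled into the production utility class; that check belongs in a JUnit test, `assertEquals(html, EscapeUtil.unescape(EscapeUtil.escape(html)));`, with `main` and the commented-out sample strings removed. As the hunk shows it, `String html = "";` is empty, so the round trip exercises only the `StringUtils.isEmpty` guard in `encode`; a fixture containing a `<script>` tag, a character above 0xff and a supplementary character would cover all three `encode` branches.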
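Review bot: `JOB_ERROR_STR` is a substring denylist of four class-name prefixes, and its comment `定时任务违规的字符` says neither what it protects nor why these four; a denylist on a reflective `invokeTarget` string is inherently incomplete, since any other class reachable with string or numeric arguments is still accepted, so the constant should be documented as a stop-gap rather than a complete control. A safer shape is an allowlist of permitted target packages or bean-name prefixes for scheduled tasks (the project's own task package), with this list kept as defence in depth. Suggested Javadoc: `/** Substrings that must not appear in a scheduled job's invokeTarget (URL, JNDI and SnakeYAML gadgets). This is a denylist and cannot be exhaustive; pair it with an allowlist of permitted target packages. */`. The call sites are in the next file of this patch.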
--- a/ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/SysJobController.java
+++ b/ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/SysJobController.java
@@ -96,6 +96,10 @@ public class SysJobController extends BaseController
 {
 return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用");
 }
+ else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
+ {
+ return error("新增任务'" + job.getJobName() + "'失败,目标字符串存在违规");
+ }
 job.setCreateBy(getUsername());
 return toAjax(jobService.insertJob(job));
 }
@@ -124,6 +128,10 @@ public class SysJobController extends BaseController
 {
 return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用");
 }
+ else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
+ {
+ return error("修改任务'" + job.getJobName() + "'失败,目标字符串存在违规");
+ }
 job.setUpdateBy(getUsername());
 return toAjax(jobService.updateJob(job));
 }
From bbbe83b737bb39804967a23502cbf9af135db164 Mon Sep 17 00:00:00 2001
From: RuoYi
Date: Tue, 2 Nov 2021 14:40:21 +0800
Subject: [PATCH 6/6] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E6=96=B0=E7=BE=A4?=
 =?UTF-8?q?=E5=8F=B7=EF=BC=9A101539465?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 2 +-
 ruoyi-ui/src/views/index.vue | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index f1ec311a8..0c10287a4 100644
--- a/README.md
+++ b/README.md
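Review bot: The new `containsAnyIgnoreCase` check on `invokeTarget` is enforced only in the controller's add path, so any other route by which a job reaches `jobService.insertJob` (an import, another controller, direct service use) bypasses it; the rule should live in the service layer or a shared validator so it holds regardless of entry point. As a substring denylist it is also only as strong as `JOB_ERROR_STR`: a target naming a gadget class not on the list passes, while a legitimate target whose name merely contains one of the strings is rejected. Prefer an allowlist on the target's package or bean prefix, e.g. `if (!StringUtils.startsWithAny(job.getInvokeTarget(), Constants.JOB_WHITELIST_STR)) return error(...);` with a new whitelist constant, and keep the denylist as defence in depth (`startsWithAny` assumes the project's `StringUtils` exposes the commons-lang3 helpers — confirm). The enclosing `add` method starts outside the hunk.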
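Review bot: The validation block added to `edit` duplicates the one in `add` line for line apart from the `修改任务` / `新增任务` prefix, so the next gadget added to the list or the next tweak to the message has to be made twice. A private helper such as `checkInvokeTarget(SysJob job, String action)` that returns the error `AjaxResult` or `null` would hold the http(s) check and this one together, with each controller method reduced to a single call and early return. The enclosing `edit` method starts outside the hunk.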
@@ -82,4 +82,4 @@ ## 若依前后端分离交流群 -QQ群: [![加入QQ群](https://img.shields.io/badge/已满-937441-blue.svg)](https://jq.qq.com/?_wv=1027&k=5bVB1og) [![加入QQ群](https://img.shields.io/badge/已满-887144332-blue.svg)](https://jq.qq.com/?_wv=1027&k=5eiA4DH) [![加入QQ群](https://img.shields.io/badge/已满-180251782-blue.svg)](https://jq.qq.com/?_wv=1027&k=5AxMKlC) [![加入QQ群](https://img.shields.io/badge/已满-104180207-blue.svg)](https://jq.qq.com/?_wv=1027&k=51G72yr) [![加入QQ群](https://img.shields.io/badge/已满-186866453-blue.svg)](https://jq.qq.com/?_wv=1027&k=VvjN2nvu) [![加入QQ群](https://img.shields.io/badge/已满-201396349-blue.svg)](https://jq.qq.com/?_wv=1027&k=5vYAqA05) [![加入QQ群](https://img.shields.io/badge/101456076-blue.svg)](https://jq.qq.com/?_wv=1027&k=kOIINEb5) 点击按钮入群。 \ No newline at end of file +QQ群: [![加入QQ群](https://img.shields.io/badge/已满-937441-blue.svg)](https://jq.qq.com/?_wv=1027&k=5bVB1og) [![加入QQ群](https://img.shields.io/badge/已满-887144332-blue.svg)](https://jq.qq.com/?_wv=1027&k=5eiA4DH) [![加入QQ群](https://img.shields.io/badge/已满-180251782-blue.svg)](https://jq.qq.com/?_wv=1027&k=5AxMKlC) [![加入QQ群](https://img.shields.io/badge/已满-104180207-blue.svg)](https://jq.qq.com/?_wv=1027&k=51G72yr) [![加入QQ群](https://img.shields.io/badge/已满-186866453-blue.svg)](https://jq.qq.com/?_wv=1027&k=VvjN2nvu) [![加入QQ群](https://img.shields.io/badge/已满-201396349-blue.svg)](https://jq.qq.com/?_wv=1027&k=5vYAqA05) [![加入QQ群](https://img.shields.io/badge/已满-101456076-blue.svg)](https://jq.qq.com/?_wv=1027&k=kOIINEb5) [![加入QQ群](https://img.shields.io/badge/101539465-blue.svg)](https://jq.qq.com/?_wv=1027&k=UKtX5jhs) 点击按钮入群。 \ No newline at end of file diff --git a/ruoyi-ui/src/views/index.vue b/ruoyi-ui/src/views/index.vue index 46811841b..4609c136e 100644 --- a/ruoyi-ui/src/views/index.vue +++ b/ruoyi-ui/src/views/index.vue @@ -120,9 +120,9 @@

QQ群:满937441 满887144332 满180251782 满104180207 - 满186866453 满201396349 - - 101456076满186866453 满201396349 满101456076 + + 101539465