ZIP条目覆盖,补充

modules/boe-module-idconfig/src/main/java/com/xboe/module/idconfig/IdGeneratorAutoConfig.java

@@ -3,6 +3,7 @@ package com.xboe.module.idconfig;
 import java.net.InetAddress;
 import java.net.NetworkInterface;
 import java.net.SocketException;
+import java.security.SecureRandom;
 import java.util.Enumeration;
 
 import javax.annotation.Resource;
@@ -50,8 +51,10 @@ public class IdGeneratorAutoConfig {
 			dataCenterId=ipm.getDcNum();
 		}else {
 			log.warn("无IP【"+ip+"】的配置的workNum和DataCenterNum,系统自动生成随机数");
-			workServerId=RandomUtils.nextInt(0,31);
+			SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
-			dataCenterId=RandomUtils.nextInt(0,31);
+			workServerId = random.nextInt(31);
+			dataCenterId = random.nextInt(31);
+
 			ipm=new IPMapping();
 			ipm.setId(md5);
 			ipm.setIp(ip);

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ContentPackageGenerator.java

@@ -1,6 +1,8 @@
 package com.xboe.module.scorm.cam.load;
 
 import java.io.File;
+import java.io.IOException;
+import java.io.StringReader;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -85,6 +87,9 @@ import com.xboe.module.scorm.cam.model.datatype.NonNegativeInteger;
 import com.xboe.module.scorm.cam.model.datatype.Token;
 import com.xboe.module.scorm.cam.model.datatype.VCard;
 import com.xboe.module.scorm.common.CommonUtils;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 @Slf4j
 public class ContentPackageGenerator {
@@ -119,6 +124,10 @@ public class ContentPackageGenerator {
     private String scormPkgDir;
 
     public  ContentPackage generateContentPackageFromFile(String scormPkgDir) {
+        if (scormPkgDir.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (scormPkgDir == null) {
             log.error("scorm package directory is null");
             return contentPackage;
@@ -141,6 +150,15 @@ public class ContentPackageGenerator {
         Document manifestXml;
         try {
         	SAXReader reader = new SAXReader();
+
+            reader.setEntityResolver(new EntityResolver() {
+                @Override
+                public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+                    // 总是返回空的InputSource来忽略外部实体
+                    return new InputSource(new StringReader(""));
+                }
+            });
+
             manifestXml = reader.read(manifestXmlFile);
             
         } catch (DocumentException e) {

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/FileUtils.java

@@ -44,6 +44,10 @@ public class FileUtils {
     }
 
     public static File createFile(String dstPath, String fileName) throws IOException {
+        if (dstPath.contains("..") || fileName.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         String[] dirs = fileName.split("/");
         File file = new File(dstPath);
 

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/SCORMPackageManager.java

@@ -119,6 +119,11 @@ public class SCORMPackageManager {
             return null;
         }
 
+        if (packagePath.contains("..")) {
+//            throw new SecurityException("输入路径包含不安全的字符");
+            return null;
+        }
+
         // step 1: uncompress
         File f=new File(packagePath);
         if(!f.exists()) {

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ZipUtils.java

@@ -60,6 +60,10 @@ public class ZipUtils {
     }
 
     public static boolean decompressZip(String zipFilePath, String saveFileDir) {
+        if (zipFilePath.contains("..") || saveFileDir.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (!isEndWithZip(zipFilePath)) {
             return false;
         }

servers/boe-server-all/src/main/java/com/xboe/converter/ExcelToPdfConverter.java

@@ -66,6 +66,10 @@ public class ExcelToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath)  throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             FileOutputStream fileOS=null;
             String previewPath = null;

servers/boe-server-all/src/main/java/com/xboe/converter/PPTToPdfConverter.java

@@ -65,6 +65,10 @@ public class PPTToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             InputStream slides=null;
             Presentation pres=null;

servers/boe-server-all/src/main/java/com/xboe/converter/WordToPdfConverter.java

@@ -69,6 +69,10 @@ public class WordToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             File pdfFile=null;
             FileOutputStream fileOS=null;

servers/boe-server-all/src/main/java/com/xboe/module/boecase/api/CasesRecommendApi.java

@@ -26,6 +26,7 @@ import com.xboe.module.boecase.vo.BrowseDurationVo;
 import com.xboe.module.boecase.vo.CasesRecommendLaunchVo;
 import com.xboe.module.boecase.vo.CasesRecommendPushVo;
 import com.xboe.module.boecase.vo.CasesRecommendVo;
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.poi.xssf.streaming.SXSSFSheet;
@@ -117,6 +118,7 @@ public class CasesRecommendApi extends ApiBaseController {
      * @return
      * @throws Exception
      */
+    @FileFormatVerification(whites = {"xlsx", "xls"})
     @PostMapping("/import")
     public JsonResponse<ImportData> excelImport(@RequestParam("file") MultipartFile file) throws Exception {
         ExcelReader reader = ExcelUtil.getReader(file.getInputStream());

servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java

@@ -227,6 +227,10 @@ public class CourseFileApi extends ApiBaseController {
         	return badRequest("请先选择资源归属");
         }
 
+        if (file.getFilePath().contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         // 重设文件类型为小写
         file.setFileType(file.getFileType().toLowerCase());
 
@@ -396,7 +400,14 @@ public class CourseFileApi extends ApiBaseController {
 			return;
 		}
 
-		String cfPath=null;
+        if (cf.contains("..")) {
+            log.error("参数错误");
+//            throw new SecurityException("输入路径包含不安全的字符");
+            return;
+        }
+
+
+        String cfPath=null;
 		String fileName ="";
 		if(StringUtils.isNotBlank(cf)) {
 			cfPath=cf;
@@ -436,6 +447,11 @@ public class CourseFileApi extends ApiBaseController {
             response.reset();
             //由于火狐和其他浏览器显示名称的方式不相同，需要进行不同的编码处理
             if (agent.indexOf("FIREFOX") != -1) {//火狐浏览器
+                // 检查文件名中是否包含不允许的字符
+                if (fileName.matches(".*[\n\r;%].*")) {
+                    throw new IllegalArgumentException("Filename contains illegal characters");
+                }
+
                 response.addHeader("Content-Disposition", "attachment;filename=" + new String(fileName.getBytes("GB2312"), "ISO-8859-1"));
             } else {//其他浏览器
                 response.addHeader("Content-Disposition", "attachment;filename=" + URLEncoder.encode(fileName, "UTF-8"));

servers/boe-server-all/src/main/java/com/xboe/module/exam/api/ExamQuestionApi.java

@@ -8,6 +8,7 @@ import java.util.List;
 
 import javax.annotation.Resource;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
 import org.apache.poi.ss.usermodel.Cell;
@@ -148,6 +149,7 @@ public class ExamQuestionApi extends ApiBaseController {
     /**
      * 导入
      * */
+    @FileFormatVerification(whites = {"xls","xlsx"})
     @PostMapping("/import")
     public JsonResponse<QuestionDto> importQuestion(@RequestParam MultipartFile file){
         //获取输入流

servers/boe-server-all/src/main/java/com/xboe/module/filecloud/api/XFileBaseApi.java

@@ -8,6 +8,7 @@ import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -281,6 +282,7 @@ public class XFileBaseApi extends ApiBaseController{
 		return wrap(list);
 	}
 
+	@FileFormatVerification(whites = {"zip","png","jpg","jpeg","gif","svg","bmp"})
 	@ApiAccess(path="xfile.file.upload")
 	@RequestMapping(value="/file/upload", method={RequestMethod.POST})
 	public JsonResponse<ListViewItem> fileUpload(HttpServletRequest request,String folderId) {

servers/boe-server-all/src/main/java/com/xboe/module/usergroup/api/UserGroupApi.java

@@ -11,6 +11,7 @@ import java.util.Set;
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.collections4.ListUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -198,6 +199,7 @@ public class UserGroupApi extends ApiBaseController {
      * 不直接导入到数据库，而是解析文件并查询相应数据返回
      * @return
      */
+    @FileFormatVerification(whites = {"xlsx","xls"})
     @PostMapping("/import")
     public JsonResponse<Iterable<UserImportDto>> importUserGroup(@RequestParam MultipartFile file) {
 

servers/boe-server-all/src/main/java/com/xboe/system/api/SysUploaderApi.java

@@ -14,8 +14,10 @@ import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
@@ -44,6 +46,9 @@ public class SysUploaderApi  extends ApiBaseController{
 	@Autowired
 	XFileUploader uploader;
 
+	@Value(value = "${boe.domain}")
+	String domain;
+	
 	private static Set<String> fileTypeSet=new HashSet<>();
 	static {
 		fileTypeSet.add("mp3");
@@ -62,6 +67,7 @@ public class SysUploaderApi  extends ApiBaseController{
 		fileTypeSet.add("zip");
 	}
 
+	@FileFormatVerification(whites = {"mp3","wmv","mp4","jpg","png","gif","doc","docx","xls","xlsx","ppt","pptx","pdf","zip"})
 	@RequestMapping(value = "/file/upload", method = RequestMethod.POST)
 	public JsonResponse<XUploadResult> save(HttpServletRequest request, String name,String dir) throws IOException {
 		//以下三项用于回调
@@ -150,6 +156,7 @@ public class SysUploaderApi  extends ApiBaseController{
     public void urlDownload(HttpServletResponse res,String urlStr,String fileName) throws IOException {
 
 		URL url = new URL(urlStr);
+		downloadLimitation(url);
         HttpURLConnection conn = (HttpURLConnection)url.openConnection();    
                 //设置超时间为3秒  
         conn.setConnectTimeout(3*1000);  
@@ -193,4 +200,19 @@ public class SysUploaderApi  extends ApiBaseController{
 		  //System.out.println("success");
     }
 
+	private void downloadLimitation(URL url) {
+		String allowedDomain = domain;
+		String allowedPathPrefix = "/upload/xfile/";
+
+		// 检查域名是否正确
+		if (!url.getHost().equals(allowedDomain)) {
+			throw new SecurityException("Download from this domain is not allowed.");
+		}
+
+		// 检查路径是否以允许的路径前缀开始
+		if (!url.getPath().startsWith(allowedPathPrefix)) {
+			throw new SecurityException("Download from this path is not allowed.");
+		}
+	}
+
 }

servers/boe-server-all/src/main/java/com/xboe/system/aspectj/UploadAspect.java

@@ -0,0 +1,91 @@
+package com.xboe.system.aspectj;
+
+import com.xboe.system.aspectj.anno.FileFormatVerification;
+import lombok.extern.slf4j.Slf4j;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.aspectj.lang.annotation.Pointcut;
+import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.stereotype.Component;
+import org.springframework.web.multipart.MultipartFile;
+import org.springframework.web.multipart.MultipartHttpServletRequest;
+
+import javax.servlet.http.HttpServletRequest;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.List;
+
+
+/**
+ * @author admin
+ */
+@Aspect
+@Slf4j
+@Component
+public class UploadAspect {
+
+
+    @Pointcut("@annotation(com.xboe.system.aspectj.anno.FileFormatVerification)")
+    private void fileUpload() {
+    }
+
+    @Before("fileUpload()")
+    public void fileFormatVerifies(JoinPoint joinPoint) {
+        List<String> whiteList = getWhiteList(joinPoint);
+
+
+        String[] FILE_UPLOAD_BLACKLIST = {"exe", "sh", "py", "html", "xhtml", "php", "php5", "dat", "dbf", "dev", "asp", "aspx", "asa", "aspx", "ashx", "asmx", "asax", "ascx", "jsp", "jspx", "jspf", "cgi", "war", "ini", "js"};
+        List<String> blackList = Arrays.asList(FILE_UPLOAD_BLACKLIST);
+
+        // 在目标方法执行前执行的代码
+        Object[] args = joinPoint.getArgs(); // 获取被调用方法的参数
+
+        // 处理MultipartFile
+        Arrays.stream(args)
+                .filter(arg -> arg instanceof MultipartFile)
+                .map(arg -> (MultipartFile) arg)
+                .forEach(file -> {
+                    String name = file.getOriginalFilename();
+                    String fileSuffix = name.substring(name.lastIndexOf(".") + 1);
+                    if (blackList.contains(fileSuffix) || !whiteList.contains(fileSuffix)) {
+                        throw new RuntimeException("文件格式不支持");
+                    }
+                });
+
+        // 处理HttpServletRequest中的文件名
+        Arrays.stream(args)
+                .filter(arg -> arg instanceof HttpServletRequest)
+                .map(arg -> (HttpServletRequest) arg)
+                .filter(req -> req instanceof MultipartHttpServletRequest)
+                .map(req -> (MultipartHttpServletRequest) req)
+                .forEach(req -> {
+                    req.getFileMap().forEach((k, v) -> {
+                        String fileSuffix = v.getOriginalFilename().substring(v.getOriginalFilename().lastIndexOf(".") + 1);
+                        if (blackList.contains(fileSuffix) || !whiteList.contains(fileSuffix)) {
+                            throw new RuntimeException("文件格式不支持");
+                        }
+                    });
+                });
+
+
+        int i = 1 / 0;
+
+
+    }
+
+    private static List<String> getWhiteList(JoinPoint joinPoint) {
+        MethodSignature methodSignature = (MethodSignature) joinPoint.getSignature();
+        Method method = methodSignature.getMethod();
+
+        // 获取FileFormatVerification注解
+        FileFormatVerification annotation = method.getAnnotation(FileFormatVerification.class);
+
+        // 获取whiteList属性
+        String[] whites = annotation.whites();
+        List<String> whiteList = Arrays.asList(whites);
+        return whiteList;
+    }
+
+
+}

servers/boe-server-all/src/main/java/com/xboe/system/aspectj/anno/FileFormatVerification.java

@@ -0,0 +1,15 @@
+package com.xboe.system.aspectj.anno;
+
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+
+@Target(ElementType.METHOD) // 注解目标为方法
+@Retention(RetentionPolicy.RUNTIME) // 注解在运行时有效
+public @interface FileFormatVerification {
+    String[] whites() default {};
+
+}

servers/boe-server-all/src/main/resources/application-dev.properties

@@ -4,7 +4,7 @@ spring.redis.database=1
 #spring.redis.password=ENC(zA5LNV8xw3yEx6LMwdGGBGgNsOaD3Cg+)
 #spring.redis.port=6379
 spring.redis.host=124.70.92.162
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(5oXfdmgE2DDHUFhrGkS/UzUCxr7s8stV)
 spring.redis.port=6379
 
 # cloud nacos config
@@ -20,7 +20,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 #spring.datasource.password=ENC(lAoFOYuc8CAypPtigTNLYg==)
 spring.datasource.url=jdbc:mysql://10.251.160.40:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 logging.level.org.hibernate.SQL=DEBUG
 logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE

servers/boe-server-all/src/main/resources/application-pre.properties

@@ -1,7 +1,7 @@
 ## redis
 spring.redis.database=1
 spring.redis.host=10.251.160.38
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(5oXfdmgE2DDHUFhrGkS/UzUCxr7s8stV)
 spring.redis.port=6379
 #spring.redis.database=3
 #spring.redis.host=10.251.129.122
@@ -17,7 +17,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 # spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 spring.datasource.url=jdbc:mysql://10.251.129.126:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 logging.level.org.hibernate.SQL=ERROR
 #logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE

servers/boe-server-all/src/main/resources/application-pro.properties

@@ -4,7 +4,7 @@ spring.cloud.nacos.discovery.server-addr=10.251.129.51:8848
 ## redis
 spring.redis.database=1
 spring.redis.host=10.251.129.122
-spring.redis.password=qwert!W588
+spring.redis.password=ENC(e1k00MMRGU0DUHvLX8JSOuDkCX0CWNif)
 spring.redis.port=6379
 
 
@@ -18,7 +18,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 #spring.datasource.password=ocYMC>!{8G
 spring.datasource.url=jdbc:mysql://10.251.129.126:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 ## 使用 hikari 连接池
 spring.datasource.type=com.zaxxer.hikari.HikariDataSource

servers/boe-server-all/src/main/resources/application-test.properties

@@ -1,7 +1,7 @@
 ## redis
 spring.redis.database=1
 spring.redis.host=10.251.160.38
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(oXmZ5HIrhizHQ/DWPNv/S/1hUNJbbRjv)
 spring.redis.port=6379
 
 # cloud nacos config
@@ -13,7 +13,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 # spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 spring.datasource.url=jdbc:mysql://10.251.160.40:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 ## 使用 hikari 连接池
 spring.datasource.type=com.zaxxer.hikari.HikariDataSource
@@ -72,7 +72,7 @@ jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator
 xboe.elasticsearch.server.ip=10.251.129.25
 xboe.elasticsearch.server.port=9200
 xboe.elasticsearch.server.user=elastic
-xboe.elasticsearch.server.password=Boe@es123
+xboe.elasticsearch.server.password=ENC(903xqMcg31J+OhmZ0AoinYqvzLoAt8UZ)
 
 ## 邮件的配置
 xboe.email.url=https://u-pre.boe.com/api/b1/email/send

servers/boe-server-all/src/main/resources/application-test135.properties

@@ -1,7 +1,7 @@
 ## redis
 spring.redis.database=2
 spring.redis.host=10.251.160.38
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(5oXfdmgE2DDHUFhrGkS/UzUCxr7s8stV)
 spring.redis.port=6379
 
 ## datasource config
@@ -10,7 +10,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 # spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 spring.datasource.url=jdbc:mysql://10.251.160.40:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 logging.level.org.hibernate.SQL=DEBUG
 logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE
@@ -60,7 +60,7 @@ jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator
 xboe.elasticsearch.server.ip=10.251.129.25
 xboe.elasticsearch.server.port=9200
 xboe.elasticsearch.server.user=elastic
-xboe.elasticsearch.server.password=Boe@es123
+xboe.elasticsearch.server.password=ENC(903xqMcg31J+OhmZ0AoinYqvzLoAt8UZ)
 
 ## 邮件的配置
 xboe.email.url=https://10.251.160.135/api/b1/email/send