ZIP条目覆盖,补充

新在线课逻辑删除库名

See merge request !115

modules/boe-module-idconfig/src/main/java/com/xboe/module/idconfig/IdGeneratorAutoConfig.java

@@ -3,6 +3,7 @@ package com.xboe.module.idconfig;
 import java.net.InetAddress;
 import java.net.NetworkInterface;
 import java.net.SocketException;
+import java.security.SecureRandom;
 import java.util.Enumeration;
 
 import javax.annotation.Resource;
@@ -50,8 +51,10 @@ public class IdGeneratorAutoConfig {
 			dataCenterId=ipm.getDcNum();
 		}else {
 			log.warn("无IP【"+ip+"】的配置的workNum和DataCenterNum,系统自动生成随机数");
-			workServerId=RandomUtils.nextInt(0,31);
-			dataCenterId=RandomUtils.nextInt(0,31);
+			SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
+			workServerId = random.nextInt(31);
+			dataCenterId = random.nextInt(31);
+
 			ipm=new IPMapping();
 			ipm.setId(md5);
 			ipm.setIp(ip);

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ContentPackageGenerator.java

@@ -1,6 +1,8 @@
 package com.xboe.module.scorm.cam.load;
 
 import java.io.File;
+import java.io.IOException;
+import java.io.StringReader;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -85,6 +87,9 @@ import com.xboe.module.scorm.cam.model.datatype.NonNegativeInteger;
 import com.xboe.module.scorm.cam.model.datatype.Token;
 import com.xboe.module.scorm.cam.model.datatype.VCard;
 import com.xboe.module.scorm.common.CommonUtils;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 @Slf4j
 public class ContentPackageGenerator {
@@ -119,6 +124,10 @@ public class ContentPackageGenerator {
     private String scormPkgDir;
 
     public  ContentPackage generateContentPackageFromFile(String scormPkgDir) {
+        if (scormPkgDir.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (scormPkgDir == null) {
             log.error("scorm package directory is null");
             return contentPackage;
@@ -141,6 +150,15 @@ public class ContentPackageGenerator {
         Document manifestXml;
         try {
         	SAXReader reader = new SAXReader();
+
+            reader.setEntityResolver(new EntityResolver() {
+                @Override
+                public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+                    // 总是返回空的InputSource来忽略外部实体
+                    return new InputSource(new StringReader(""));
+                }
+            });
+
             manifestXml = reader.read(manifestXmlFile);
             
         } catch (DocumentException e) {

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/FileUtils.java

@@ -44,6 +44,10 @@ public class FileUtils {
     }
 
     public static File createFile(String dstPath, String fileName) throws IOException {
+        if (dstPath.contains("..") || fileName.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         String[] dirs = fileName.split("/");
         File file = new File(dstPath);
 

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/SCORMPackageManager.java

@@ -119,6 +119,11 @@ public class SCORMPackageManager {
             return null;
         }
 
+        if (packagePath.contains("..")) {
+//            throw new SecurityException("输入路径包含不安全的字符");
+            return null;
+        }
+
         // step 1: uncompress
         File f=new File(packagePath);
         if(!f.exists()) {

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ZipUtils.java

@@ -60,6 +60,10 @@ public class ZipUtils {
     }
 
     public static boolean decompressZip(String zipFilePath, String saveFileDir) {
+        if (zipFilePath.contains("..") || saveFileDir.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (!isEndWithZip(zipFilePath)) {
             return false;
         }

servers/boe-server-all/src/main/java/com/xboe/converter/ExcelToPdfConverter.java

@@ -66,6 +66,10 @@ public class ExcelToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath)  throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             FileOutputStream fileOS=null;
             String previewPath = null;

servers/boe-server-all/src/main/java/com/xboe/converter/PPTToPdfConverter.java

@@ -65,6 +65,10 @@ public class PPTToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             InputStream slides=null;
             Presentation pres=null;

servers/boe-server-all/src/main/java/com/xboe/converter/WordToPdfConverter.java

@@ -69,6 +69,10 @@ public class WordToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             File pdfFile=null;
             FileOutputStream fileOS=null;

servers/boe-server-all/src/main/java/com/xboe/data/dto/UserOrgIds.java

@@ -17,5 +17,7 @@ public class UserOrgIds {
 	private Map<String,Boolean> permissions=new HashMap<String,Boolean>(); 
 	
 	private List<String> ids;
+	//hrbp只读权限
+	private List<String> readIds;
 	
 }

servers/boe-server-all/src/main/java/com/xboe/data/outside/OutSideDataServiceImpl.java

@@ -229,8 +229,10 @@ public class OutSideDataServiceImpl implements IOutSideDataService {
 	public UserOrgIds getOrgIds() {
 		UserOrgIds uids=new UserOrgIds();
 		List<String> orgIds = new ArrayList<>();
+		List<String> readIds = new ArrayList<>();
 
 		uids.setIds(orgIds);
+		uids.setReadIds(readIds);
 		String token = TokenProxy.getToken(request);
 		String type="application/json";
 		String[] headers=new String[] {"token",token,"Content-Type",type};
@@ -281,7 +283,8 @@ public class OutSideDataServiceImpl implements IOutSideDataService {
 					while (elements.hasNext()){
 						String oid=elements.next().asText();
 						if(!orgSetIds.contains(oid)) {
-							orgIds.add(oid);
+//							orgIds.add(oid);
+							readIds.add(oid);
 						}
 					}
 				}

servers/boe-server-all/src/main/java/com/xboe/module/boecase/api/CasesRecommendApi.java

@@ -26,6 +26,7 @@ import com.xboe.module.boecase.vo.BrowseDurationVo;
 import com.xboe.module.boecase.vo.CasesRecommendLaunchVo;
 import com.xboe.module.boecase.vo.CasesRecommendPushVo;
 import com.xboe.module.boecase.vo.CasesRecommendVo;
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.poi.xssf.streaming.SXSSFSheet;
@@ -117,6 +118,7 @@ public class CasesRecommendApi extends ApiBaseController {
      * @return
      * @throws Exception
      */
+    @FileFormatVerification(whites = {"xlsx", "xls"})
     @PostMapping("/import")
     public JsonResponse<ImportData> excelImport(@RequestParam("file") MultipartFile file) throws Exception {
         ExcelReader reader = ExcelUtil.getReader(file.getInputStream());

servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java

@@ -227,6 +227,10 @@ public class CourseFileApi extends ApiBaseController {
         	return badRequest("请先选择资源归属");
         }
 
+        if (file.getFilePath().contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         // 重设文件类型为小写
         file.setFileType(file.getFileType().toLowerCase());
 
@@ -396,6 +400,13 @@ public class CourseFileApi extends ApiBaseController {
 			return;
 		}
 
+        if (cf.contains("..")) {
+            log.error("参数错误");
+//            throw new SecurityException("输入路径包含不安全的字符");
+            return;
+        }
+
+
         String cfPath=null;
 		String fileName ="";
 		if(StringUtils.isNotBlank(cf)) {
@@ -436,6 +447,11 @@ public class CourseFileApi extends ApiBaseController {
             response.reset();
             //由于火狐和其他浏览器显示名称的方式不相同，需要进行不同的编码处理
             if (agent.indexOf("FIREFOX") != -1) {//火狐浏览器
+                // 检查文件名中是否包含不允许的字符
+                if (fileName.matches(".*[\n\r;%].*")) {
+                    throw new IllegalArgumentException("Filename contains illegal characters");
+                }
+
                 response.addHeader("Content-Disposition", "attachment;filename=" + new String(fileName.getBytes("GB2312"), "ISO-8859-1"));
             } else {//其他浏览器
                 response.addHeader("Content-Disposition", "attachment;filename=" + URLEncoder.encode(fileName, "UTF-8"));

servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseManageApi.java

@@ -1,11 +1,7 @@
 	package com.xboe.module.course.api;
 
 import java.io.OutputStream;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
@@ -134,7 +130,6 @@ public class CourseManageApi extends ApiBaseController{
 	        }else {
 	        	dto.setIsSystemAdmin(false);
 	        }
-	        
 	        String ids="";
 	        if(userOrgIds.getIds()!=null && !userOrgIds.getIds().isEmpty())
 	        {
@@ -142,12 +137,14 @@ public class CourseManageApi extends ApiBaseController{
 	        }
 	        //log.info("获取到的用户的组织机构权限ids",ids);
 	        String aid=getCurrent().getAccountId();
+//			String aid="1706272694871445506";
 	        //如果前端查询当前人的，这里去掉
 	        if(StringUtils.isNotBlank(dto.getAid())) {
 	        	dto.setAid(null);
 	        }
 	        dto.setOrgAid(aid);
 	        dto.setOrgIds(ids);
+			dto.setReadIds(userOrgIds.getReadIds());
 	        PageList<Course> coursePageList = courseService.findPage(pager.getPageIndex(), pager.getPageSize(),dto);
 			return success(coursePageList);
         }catch(Exception e) {

servers/boe-server-all/src/main/java/com/xboe/module/course/dto/CourseQueryDto.java

@@ -2,6 +2,8 @@ package com.xboe.module.course.dto;
 
 import lombok.Data;
 
+import java.util.List;
+
 /**
  * 课程查询的条件对象
  */
@@ -102,6 +104,9 @@ public class CourseQueryDto {
      * */
     private String orgIds;
 
+    //hrpb只读
+    private List<String> readIds;
+
     /**用户权限的查询*/
     private String orgAid;
 
@@ -110,6 +115,11 @@ public class CourseQueryDto {
      */
     private Boolean isSystemAdmin;
 
+    /**
+     * 是否是新建在线可
+     */
+    private Boolean isCreateCourse;
+
     private Boolean visible;
 
     private String refId;
@@ -129,4 +139,5 @@ public class CourseQueryDto {
      * 登录人id
      */
     private String userId;
+
 }

servers/boe-server-all/src/main/java/com/xboe/module/course/entity/Course.java

@@ -371,6 +371,9 @@ public class Course extends BaseEntity {
     @Column(name = "ref_type",length=32,columnDefinition="varchar(32) comment '反向关联的类型'")
     private String refType;
 
+    @Transient
+    private Boolean isPermission=true;
+    
     @Transient
     private String orgName;
     

servers/boe-server-all/src/main/java/com/xboe/module/course/service/impl/CourseServiceImpl.java

@@ -3,17 +3,26 @@ package com.xboe.module.course.service.impl;
 import java.time.LocalDate;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.concurrent.TimeUnit;
+import java.util.function.Function;
+import java.util.function.Predicate;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import javax.annotation.Resource;
+import javax.management.Query;
 
+import com.xboe.api.ThirdApi;
+import com.xboe.core.orm.*;
+import com.xboe.data.dto.UserData;
+import com.xboe.school.study.dao.StudyCourseDao;
+import com.xboe.school.study.entity.StudyCourse;
 import org.apache.commons.lang3.StringUtils;
 import org.hibernate.mapping.IdGenerator;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.core.StringRedisTemplate;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
@@ -26,11 +35,6 @@ import com.xboe.common.beans.KeyValue;
 import com.xboe.common.utils.IDGenerator;
 import com.xboe.common.utils.StringUtil;
 import com.xboe.core.event.IEventDataSender;
-import com.xboe.core.orm.FieldFilters;
-import com.xboe.core.orm.IFieldFilter;
-import com.xboe.core.orm.LikeMatchMode;
-import com.xboe.core.orm.QueryBuilder;
-import com.xboe.core.orm.UpdateBuilder;
 import com.xboe.module.course.dao.CourseContentDao;
 import com.xboe.module.course.dao.CourseCrowdDao;
 import com.xboe.module.course.dao.CourseDao;
@@ -112,8 +116,11 @@ public class CourseServiceImpl implements ICourseService {
     @Autowired(required = false)
     private IEventDataSender eventSender;
 
+
+  
     /**
      * 生成过滤条件
+     *
      * @param dto
      * @return
      */
@@ -254,36 +261,133 @@ public class CourseServiceImpl implements ICourseService {
         return courseDao.findList(query.builder());
     }
 
+
+    //	public PageList<Course> findPage(int pageIndex, int pageSize, CourseQueryDto dto) {
+//		List<IFieldFilter> filters = createFilters(dto);
+//		List<IFieldFilter> filters1 = createFilters(dto);
+//		List<IFieldFilter> filters2 = createFilters(dto);
+////		String s = redisTemplate.opsForValue().get("course_search");
+////		Set<String>list=new HashSet<>();
+////		if(s!=null&&!s.isEmpty()){
+////			list=Arrays.stream(s.split(",")).collect(Collectors.toSet());
+////		}else {
+////			Set<String> ss = getSeache(dto);
+////			String courseSearch=String.join(",",ss);
+////			redisTemplate.opsForValue().set("course_search",courseSearch);
+////			//设置过期时间为1分钟
+////			redisTemplate.expire("course_search", 1, TimeUnit.MINUTES);
+////		}
+//		Set<String> list = getSeache(dto);
+//		//有权限的查询，也同时查询出创建人的数据，在权限上
+//        if(TempFilterConfig.Manager_CourseFile_ByOrgIds) {
+//        	if(dto.getIsSystemAdmin()==null || !dto.getIsSystemAdmin()) {
+//        		if(StringUtil.isNotBlank(dto.getOrgIds())){
+//        			//log.info("【"+dto.getOrgAid()+"】 按机构过滤和自己创建的课程");
+//        			//log.info(" orgids  "+dto.getOrgIds());
+//     	        	if(dto.getOrgIds().contains(",")){
+//     					String[] split = dto.getOrgIds().split(",");
+//     					List<String> strings = Arrays.asList(split);
+////     					filters.add(FieldFilters.or(FieldFilters.in("orgId",strings),FieldFilters.eq("sysCreateAid",dto.getOrgAid())));
+//						filters.add(FieldFilters.in("orgId",strings));
+//						filters1.add(FieldFilters.eq("sysCreateAid",dto.getOrgAid()));
+//						if(!list.isEmpty()){
+//							filters2.add(FieldFilters.in("id",list));
+//						}
+//     				}else {
+////     	        		filters.add(FieldFilters.or(FieldFilters.eq("orgId",dto.getOrgIds()),FieldFilters.eq("sysCreateAid",dto.getOrgAid())));
+//						filters.add(FieldFilters.eq("orgId",dto.getOrgIds()));
+//						filters1.add(FieldFilters.eq("sysCreateAid",dto.getOrgAid()));
+//						if(!list.isEmpty()){
+//							filters2.add(FieldFilters.in("id",list));
+//						}
+//     				}
+//     			}
+//				if (!StringUtil.isNotBlank(dto.getOrgIds())){
+//     				//log.info("【"+dto.getOrgAid()+"】 机构ids没有， 只查询自己创建的课程");
+//     				//没有机构权限，只能查出自己创建的
+////     				filters.add(FieldFilters.eq("sysCreateAid",dto.getOrgAid()));
+//					filters1.add(FieldFilters.eq("sysCreateAid",dto.getOrgAid()));
+//					if(!list.isEmpty()){
+//						filters2.add(FieldFilters.in("id",list));
+//					}
+//     			}
+//        	}else {
+//        		//log.info("【"+dto.getOrgAid()+"】IsSystemAdmin is true 不过机构过滤，查询全部");
+//        	}
+//	    }
+//
+//		//自动添加过滤已删除
+//		filters.add(FieldFilters.eq("deleted",false));
+//		filters1.add(FieldFilters.eq("deleted",false));
+//		filters2.add(FieldFilters.eq("deleted",false));
+//		//同时查出所有项目内课程
+//		OrderCondition oc=null;
+//		if(StringUtils.isNotBlank(dto.getOrderField())) {
+//			if(dto.getOrderAsc()||dto.getOrderAsc()==null) {
+//				oc=OrderCondition.asc(dto.getOrderField());
+//			}else {
+//				oc=OrderCondition.desc(dto.getOrderField());
+//			}
+//		}else {
+//			oc=OrderCondition.desc("id");
+//		}
+//		List<Course> listByFilters = new ArrayList<>();
+//		//根据组织筛选
+//		if(StringUtil.isNotBlank(dto.getOrgIds())){
+//			listByFilters = courseDao.findListByFilters(oc, filters);
+//		}
+//		//根据创建人筛选
+//		List<Course> listByFilters1;
+//		if(!list.isEmpty()){
+//		   listByFilters1 = courseDao.findListByFilters(oc, filters1);
+//		} else {
+//            listByFilters1 = new ArrayList<>();
+//        }
+//        //根据list筛选
+////		List<Course> listByFilters2 = courseDao.findListByFilters(oc, filters2);
+//		//去除根据组织和创建人筛选的课程id
+//		List<Course> finalListByFilters = listByFilters;
+////		List<Course> collect = list.stream()
+////				.filter(element -> !finalListByFilters.contains(element))
+////				.filter(element -> !listByFilters1.contains(element)).collect(Collectors.toList());
+////		List<String> courseIds = collect.stream().map(Course::getId).collect(Collectors.toList());
+//		//合并
+//		List<Course> mergedList = Stream.concat(listByFilters.stream(), listByFilters1.stream())
+//				// 使用distinct()配合自定义的去重条件
+//				.filter(distinctByKey(c -> c.getId()))
+//				.collect(Collectors.toList());
+////		PageList<Course> rs=courseDao.findPage(pageIndex, pageSize, filters, oc);
+////		long endTime = System.nanoTime();
+//		//log.info("查询出的条数:"+rs.getCount());
+//		if(!mergedList.isEmpty()){
+//			//去掉未发布的课程
+//			mergedList.removeIf(e->{
+//				if(!e.getPublished()&&courseIds.contains(e.getId())){
+//					return true;
+//				}
+//				return false;
+//			});
+//			//
+//			//将需要隐藏的做标记
+//			mergedList.forEach(e->{
+//				if(courseIds.contains(e.getId())){
+//					e.setIsPermission(false);
+//				}else {
+//					e.setIsPermission(true);
+//				}
+//			});
+//		}
+//		List<Course> paginate = paginate(mergedList, pageIndex, pageSize);
+//		PageList<Course> rs=new PageList<>();
+//		rs.setCount(mergedList.size());
+//		rs.setList(paginate);
+//		return rs;
+//	}
     @Override
     public PageList<Course> findPage(int pageIndex, int pageSize, CourseQueryDto dto) {
-		List<IFieldFilter> filters = createFilters(dto);
-		
-		//有权限的查询，也同时查询出创建人的数据，在权限上		
-        if(TempFilterConfig.Manager_CourseFile_ByOrgIds) {
-        	if(dto.getIsSystemAdmin()==null || !dto.getIsSystemAdmin()) {
-        		
-        		if(StringUtil.isNotBlank(dto.getOrgIds())){
-        			//log.info("【"+dto.getOrgAid()+"】 按机构过滤和自己创建的课程");
-        			//log.info(" orgids  "+dto.getOrgIds());
-     	        	if(dto.getOrgIds().contains(",")){
-     					String[] split = dto.getOrgIds().split(",");
-     					List<String> strings = Arrays.asList(split);
-     					filters.add(FieldFilters.or(FieldFilters.in("orgId",strings),FieldFilters.eq("sysCreateAid",dto.getOrgAid())));
-     				}else {
-     	        		filters.add(FieldFilters.or(FieldFilters.eq("orgId",dto.getOrgIds()),FieldFilters.eq("sysCreateAid",dto.getOrgAid())));
-     				}
-     			}else {
-     				//log.info("【"+dto.getOrgAid()+"】 机构ids没有， 只查询自己创建的课程");
-     				//没有机构权限，只能查出自己创建的
-     				filters.add(FieldFilters.eq("sysCreateAid",dto.getOrgAid()));
-     			}
-        	}else {
-        		//log.info("【"+dto.getOrgAid()+"】IsSystemAdmin is true 不过机构过滤，查询全部");
-        	}
-	    }
-		
-		//自动添加过滤已删除
-		filters.add(FieldFilters.eq("deleted",false));
+        List<IFieldFilter> filters2 = createFilters(dto);
+        filters2.add(FieldFilters.eq("deleted", false));
+        //同时查出所有项目内课程
         OrderCondition oc = null;
         if (StringUtils.isNotBlank(dto.getOrderField())) {
             if (dto.getOrderAsc() || dto.getOrderAsc() == null) {
@@ -294,11 +398,225 @@ public class CourseServiceImpl implements ICourseService {
         } else {
             oc = OrderCondition.desc("id");
         }
-
-		PageList<Course>  rs=courseDao.findPage(pageIndex, pageSize, filters, oc);
-		//log.info("查询出的条数:"+rs.getCount());
+        //组织id
+        List<String> strings = new ArrayList<>();
+        if (StringUtil.isNotBlank(dto.getOrgIds())) {
+            if (dto.getOrgIds().contains(",")) {
+                String[] split = dto.getOrgIds().split(",");
+                strings = Arrays.asList(split);
+            } else {
+                strings.add(dto.getOrgIds());
+            }
+        }
+        Set<String> seache = getSeache(dto);
+        //查出全部的课程
+        List<Course> listByFilters2 = courseDao.findListByFilters(oc, filters2);
+        if (TempFilterConfig.Manager_CourseFile_ByOrgIds) {
+            if (dto.getIsSystemAdmin() == null || !dto.getIsSystemAdmin()) {
+                List<String> finalStrings = strings;
+                log.info("dto为"+dto);
+                if(dto.getIsCreateCourse()!=null&&dto.getIsCreateCourse()){
+                    listByFilters2.removeIf(e -> {
+                        //去掉未发布的课程
+                        if (!e.getPublished() && seache.contains(e.getId()) && !finalStrings.contains(e.getOrgId()) && !dto.getOrgAid().equals(e.getSysCreateAid())) {
+                            return true;
+                        }
+                        //去掉所有条件都不符合的课程
+                        if(!seache.contains(e.getId())&&!dto.getReadIds().contains(e.getId())&& !finalStrings.contains(e.getOrgId()) && !dto.getOrgAid().equals(e.getSysCreateAid())){
+                            return true;
+                        }
+                        return false;
+                    });
+                    //将需要隐藏的做标记
+                    listByFilters2.forEach(e -> {
+                        if ((seache.contains(e.getId())||dto.getReadIds().contains(e.getOrgId())) && !finalStrings.contains(e.getOrgId()) && !dto.getOrgAid().equals(e.getSysCreateAid())) {
+                            e.setIsPermission(false);
+                        } else {
+                            e.setIsPermission(true);
+                        }
+                    });
+                    listByFilters2.sort(Comparator.comparing(Course::getIsPermission).reversed());
+                }else{
+                    List<Course> collect = listByFilters2.stream().filter(e ->dto.getReadIds().contains(e.getOrgId())||dto.getOrgAid().equals(e.getSysCreateAid())||finalStrings.contains(e.getOrgId())).collect(Collectors.toList());
+                    List<Course> paginate = paginate(collect, pageIndex, pageSize);
+                    PageList<Course> rs = new PageList<>();
+                    rs.setCount(collect.size());
+                    rs.setList(paginate);
                     return rs;
                 }
+            }
+        }
+        List<Course> paginate = paginate(listByFilters2, pageIndex, pageSize);
+        PageList<Course> rs = new PageList<>();
+        rs.setCount(listByFilters2.size());
+        rs.setList(paginate);
+        return rs;
+    }
+
+    private Set<String> getSeache(CourseQueryDto dto) {
+        //需要设置为隐藏的课程id
+        Set<String> list = new HashSet<>();
+        List<String> list1 = getProject(dto);
+        List<String> list2 = getRouter(dto);
+//		//有受众权限的课程
+        if (dto.getAudiences() != null && !dto.getAudiences().isEmpty()) {
+            List<String> audiences = getAudiences(dto);
+            list.addAll(audiences);
+        }
+//		//没有受众的课程
+        List<String> noAudiences = getNoAudiences(dto);
+        list.addAll(noAudiences);
+//		//成长路径的课
+//        List<String> grow = getGrow(dto);
+//		//已报名的课
+        List<String> enroll = getEnroll(dto);
+//        list.addAll(grow);
+        list.addAll(enroll);
+        list.addAll(list1);
+        list.addAll(list2);
+        return list;
+    }
+
+    private List<String> getRouter(CourseQueryDto dto) {
+        String sql = "SELECT DISTINCT\n" +
+                "rt.course_id\n" +
+                "FROM\n" +
+                "boe_new.student s INNER JOIN boe_new.router_task rt on s.pid=rt.router_id inner join boe_course c on c.id=rt.course_id\n" +
+                "\n" +
+                "WHERE\n" +
+                "\n" +
+                "s.deleted = 0 \n" +
+                "and rt.deleted=0\n" +
+                "and rt.type=1\n" +
+                "and c.deleted=0\n" +
+                "AND s.type =2 \n" +
+                "AND s.student_id = ?1";
+        List<String> list = courseTeacherDao.sqlFindList(sql, dto.getOrgAid());
+        List<String> list1 = new ArrayList<>();
+        for (Object obj : list) {
+            list1.add(obj.toString());
+        }
+
+        return list1;
+    }
+
+    private List<String> getProject(CourseQueryDto dto) {
+        String sql = "SELECT DISTINCT\n" +
+                "pt.course_id\n" +
+                "FROM\n" +
+                "boe_new.student s INNER JOIN boe_new.project_task pt on s.pid=pt.project_id inner join boe_course c on c.id=pt.course_id\n" +
+                "\n" +
+                "WHERE\n" +
+                "\n" +
+                "s.deleted = 0 \n" +
+                "and pt.deleted=0\n" +
+                "and pt.type=1\n" +
+                "and c.deleted=0\n" +
+                "AND s.type =1 \n" +
+                "AND s.student_id = ?1\n";
+        List<Long> list = courseTeacherDao.sqlFindList(sql, dto.getOrgAid());
+        List<String> list1 = new ArrayList<>();
+        for (Object obj : list) {
+            list1.add(obj.toString());
+        }
+        return list1;
+    }
+
+    private List<String> getAudiences(CourseQueryDto dto) {
+        List<String> s = Arrays.asList(dto.getAudiences().split(","));
+        String sql = "SELECT DISTINCT\n" +
+                "\tcc.course_id \n" +
+                "FROM\n" +
+                "\t`boe_course_crowd` cc\n" +
+                "\tINNER JOIN boe_course c ON cc.course_id = c.id \n" +
+                "WHERE\n" +
+                "\tcc.group_id IN (?1) \n" +
+                "\tAND c.deleted =0 ";
+        List<Long> list = courseTeacherDao.sqlFindList(sql, s);
+        List<String> list1 = new ArrayList<>();
+        for (Object obj : list) {
+            list1.add(obj.toString());
+        }
+
+        return list1;
+    }
+
+    private List<String> getNoAudiences(CourseQueryDto dto) {
+        String sql = "SELECT\n" +
+                "\tc.id \n" +
+                "FROM\n" +
+                "\tboe_course c \n" +
+                "WHERE\n" +
+                "\t NOT EXISTS ( SELECT 1 FROM boe_course_crowd cc where cc.course_id = c.id  ) \n" +
+                "\tAND c.deleted =0 \n";
+        List<Course> list = courseDao.sqlFindList(sql);
+        List<String> list1 = new ArrayList<>();
+        for (Object obj : list) {
+            list1.add(obj.toString());
+        }
+        return list1;
+    }
+
+    private List<String> getGrow(CourseQueryDto dto) {
+        String sql = "SELECT DISTINCT\n" +
+                "\tc.id \n" +
+                "FROM\n" +
+                "\tboe_new.student s\n" +
+                "\tINNER JOIN boe_new.grow_task gt ON s.pid = gt.grow_id\n" +
+                "\tINNER JOIN boe_course c ON gt.course_id = c.id \n" +
+                "WHERE\n" +
+                "\ts.type = 14 \n" +
+                "\tAND gt.type = 1 \n" +
+                "\tAND s.deleted = 0 \n" +
+                "\tAND gt.deleted = 0 \n" +
+                "\tAND c.deleted = 0\n" +
+                "\tAND s.student_id = ?1\n";
+        List<Long> list = courseTeacherDao.sqlFindList(sql, dto.getOrgAid());
+        List<String> list1 = new ArrayList<>();
+        for (Object obj : list) {
+            list1.add(obj.toString());
+        }
+        return list1;
+    }
+
+    private List<String> getEnroll(CourseQueryDto dto) {
+        String sql = "SELECT DISTINCT\n" +
+                "\tsc.course_id \n" +
+                "FROM\n" +
+                "\tboe_study_course sc\n" +
+                "\tINNER JOIN boe_course c ON sc.course_id = c.id \n" +
+                "WHERE\n" +
+                "\tsc.aid = ?1 \n" +
+                "\tAND c.deleted =0";
+        List<Long> list = courseTeacherDao.sqlFindList(sql, dto.getOrgAid());
+        List<String> list1 = new ArrayList<>();
+        for (Object obj : list) {
+            list1.add(obj.toString());
+        }
+
+        return list1;
+    }
+
+    public static <T> List<T> paginate(List<T> list, int pageNumber, int pageSize) {
+        if (list == null || list.isEmpty() || pageNumber <= 0 || pageSize <= 0) {
+            return null;
+        }
+
+        int fromIndex = (pageNumber - 1) * pageSize;
+        int toIndex = Math.min(fromIndex + pageSize, list.size());
+
+        if (fromIndex >= list.size()) {
+            // 请求的页码超过了最大页数，返回空列表
+            return null;
+        }
+
+        return list.subList(fromIndex, toIndex);
+    }
+
+    private static <T> Predicate<T> distinctByKey(Function<? super T, ?> keyExtractor) {
+        Set<Object> seen = ConcurrentHashMap.newKeySet();
+        return t -> seen.add(keyExtractor.apply(t));
+    }
 
     @Override
     public List<Course> findList(CourseQueryDto dto) {
@@ -543,6 +861,7 @@ public class CourseServiceImpl implements ICourseService {
         //记录删除日志信息
 
     }
+
     @Override
     public Course get(String id) {
         Course c = courseDao.get(id);
@@ -599,6 +918,7 @@ public class CourseServiceImpl implements ICourseService {
 
     /**
      * 追加修改日志，共用方法，在其它的修改的地方也可能调用
+     *
      * @param old
      * @param now
      */
@@ -882,7 +1202,6 @@ public class CourseServiceImpl implements ICourseService {
 //			log.error("课程发布全文检索失败",e);
 //		}
 //	}
-
     @Override
     public void audit(String auditId, String courseId, Boolean pass, String aid, String name, String remark, boolean publish, Integer from) {
 
@@ -1028,9 +1347,10 @@ public class CourseServiceImpl implements ICourseService {
 
         }
     }
+
     /**
      * 赋值赞踩数
-	 * */
+     */
     @Override
     public void updateTrampleCount(String id, Integer trampleCount) {
         courseDao.updateMultiFieldById(id, UpdateBuilder.create("trampleCount", trampleCount));
@@ -1039,7 +1359,7 @@ public class CourseServiceImpl implements ICourseService {
 
     /**
      * 赋值点赞数
-	 * */
+     */
 
     @Override
     public List<CourseTeacher> findTeachersByCourseId(String courseId) {
@@ -1096,7 +1416,6 @@ public class CourseServiceImpl implements ICourseService {
     }
 
 
-
     @Override
     public List<RankingDto> scoreList(int num, int index) {
         QueryBuilder builder = QueryBuilder.from(Course.class);
@@ -1250,7 +1569,6 @@ public class CourseServiceImpl implements ICourseService {
     }
 
 
-
     @Override
     public int countWaitAudit(String aid) {
         //查询待审核的课程
@@ -1490,7 +1808,7 @@ public class CourseServiceImpl implements ICourseService {
 
     /**
      * 返回当前课程名字
-	 * */
+     */
     private String courseName(String id) {
         Course course = courseDao.get(id);
         return course.getName();
@@ -1637,8 +1955,7 @@ public class CourseServiceImpl implements ICourseService {
                     "teacher_name from boe_course_teacher where course_id=?1";
             courseTeacherDao.sqlUpdate(sqlTeacher, id);
 
-		}
-		else{
+        } else {
             mess = "长度超出范围";
         }
         return mess;
@@ -1663,6 +1980,4 @@ public class CourseServiceImpl implements ICourseService {
     }
 
 
-
-
 }

servers/boe-server-all/src/main/java/com/xboe/module/exam/api/ExamQuestionApi.java

@@ -8,6 +8,7 @@ import java.util.List;
 
 import javax.annotation.Resource;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
 import org.apache.poi.ss.usermodel.Cell;
@@ -148,6 +149,7 @@ public class ExamQuestionApi extends ApiBaseController {
     /**
      * 导入
      * */
+    @FileFormatVerification(whites = {"xls","xlsx"})
     @PostMapping("/import")
     public JsonResponse<QuestionDto> importQuestion(@RequestParam MultipartFile file){
         //获取输入流

servers/boe-server-all/src/main/java/com/xboe/module/filecloud/api/XFileBaseApi.java

@@ -8,6 +8,7 @@ import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -281,6 +282,7 @@ public class XFileBaseApi extends ApiBaseController{
 		return wrap(list);
 	}
 
+	@FileFormatVerification(whites = {"zip","png","jpg","jpeg","gif","svg","bmp"})
 	@ApiAccess(path="xfile.file.upload")
 	@RequestMapping(value="/file/upload", method={RequestMethod.POST})
 	public JsonResponse<ListViewItem> fileUpload(HttpServletRequest request,String folderId) {

servers/boe-server-all/src/main/java/com/xboe/module/usergroup/api/UserGroupApi.java

@@ -11,6 +11,7 @@ import java.util.Set;
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.collections4.ListUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -198,6 +199,7 @@ public class UserGroupApi extends ApiBaseController {
      * 不直接导入到数据库，而是解析文件并查询相应数据返回
      * @return
      */
+    @FileFormatVerification(whites = {"xlsx","xls"})
     @PostMapping("/import")
     public JsonResponse<Iterable<UserImportDto>> importUserGroup(@RequestParam MultipartFile file) {
 

servers/boe-server-all/src/main/java/com/xboe/system/api/SysUploaderApi.java

@@ -14,8 +14,10 @@ import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
@@ -44,6 +46,9 @@ public class SysUploaderApi  extends ApiBaseController{
 	@Autowired
 	XFileUploader uploader;
 
+	@Value(value = "${boe.domain}")
+	String domain;
+	
 	private static Set<String> fileTypeSet=new HashSet<>();
 	static {
 		fileTypeSet.add("mp3");
@@ -62,6 +67,7 @@ public class SysUploaderApi  extends ApiBaseController{
 		fileTypeSet.add("zip");
 	}
 
+	@FileFormatVerification(whites = {"mp3","wmv","mp4","jpg","png","gif","doc","docx","xls","xlsx","ppt","pptx","pdf","zip"})
 	@RequestMapping(value = "/file/upload", method = RequestMethod.POST)
 	public JsonResponse<XUploadResult> save(HttpServletRequest request, String name,String dir) throws IOException {
 		//以下三项用于回调
@@ -150,6 +156,7 @@ public class SysUploaderApi  extends ApiBaseController{
     public void urlDownload(HttpServletResponse res,String urlStr,String fileName) throws IOException {
 
 		URL url = new URL(urlStr);
+		downloadLimitation(url);
         HttpURLConnection conn = (HttpURLConnection)url.openConnection();    
                 //设置超时间为3秒  
         conn.setConnectTimeout(3*1000);  
@@ -193,4 +200,19 @@ public class SysUploaderApi  extends ApiBaseController{
 		  //System.out.println("success");
     }
 
+	private void downloadLimitation(URL url) {
+		String allowedDomain = domain;
+		String allowedPathPrefix = "/upload/xfile/";
+
+		// 检查域名是否正确
+		if (!url.getHost().equals(allowedDomain)) {
+			throw new SecurityException("Download from this domain is not allowed.");
+		}
+
+		// 检查路径是否以允许的路径前缀开始
+		if (!url.getPath().startsWith(allowedPathPrefix)) {
+			throw new SecurityException("Download from this path is not allowed.");
+		}
+	}
+
 }

servers/boe-server-all/src/main/java/com/xboe/system/aspectj/UploadAspect.java

@@ -0,0 +1,91 @@
+package com.xboe.system.aspectj;
+
+import com.xboe.system.aspectj.anno.FileFormatVerification;
+import lombok.extern.slf4j.Slf4j;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.aspectj.lang.annotation.Pointcut;
+import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.stereotype.Component;
+import org.springframework.web.multipart.MultipartFile;
+import org.springframework.web.multipart.MultipartHttpServletRequest;
+
+import javax.servlet.http.HttpServletRequest;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.List;
+
+
+/**
+ * @author admin
+ */
+@Aspect
+@Slf4j
+@Component
+public class UploadAspect {
+
+
+    @Pointcut("@annotation(com.xboe.system.aspectj.anno.FileFormatVerification)")
+    private void fileUpload() {
+    }
+
+    @Before("fileUpload()")
+    public void fileFormatVerifies(JoinPoint joinPoint) {
+        List<String> whiteList = getWhiteList(joinPoint);
+
+
+        String[] FILE_UPLOAD_BLACKLIST = {"exe", "sh", "py", "html", "xhtml", "php", "php5", "dat", "dbf", "dev", "asp", "aspx", "asa", "aspx", "ashx", "asmx", "asax", "ascx", "jsp", "jspx", "jspf", "cgi", "war", "ini", "js"};
+        List<String> blackList = Arrays.asList(FILE_UPLOAD_BLACKLIST);
+
+        // 在目标方法执行前执行的代码
+        Object[] args = joinPoint.getArgs(); // 获取被调用方法的参数
+
+        // 处理MultipartFile
+        Arrays.stream(args)
+                .filter(arg -> arg instanceof MultipartFile)
+                .map(arg -> (MultipartFile) arg)
+                .forEach(file -> {
+                    String name = file.getOriginalFilename();
+                    String fileSuffix = name.substring(name.lastIndexOf(".") + 1);
+                    if (blackList.contains(fileSuffix) || !whiteList.contains(fileSuffix)) {
+                        throw new RuntimeException("文件格式不支持");
+                    }
+                });
+
+        // 处理HttpServletRequest中的文件名
+        Arrays.stream(args)
+                .filter(arg -> arg instanceof HttpServletRequest)
+                .map(arg -> (HttpServletRequest) arg)
+                .filter(req -> req instanceof MultipartHttpServletRequest)
+                .map(req -> (MultipartHttpServletRequest) req)
+                .forEach(req -> {
+                    req.getFileMap().forEach((k, v) -> {
+                        String fileSuffix = v.getOriginalFilename().substring(v.getOriginalFilename().lastIndexOf(".") + 1);
+                        if (blackList.contains(fileSuffix) || !whiteList.contains(fileSuffix)) {
+                            throw new RuntimeException("文件格式不支持");
+                        }
+                    });
+                });
+
+
+        int i = 1 / 0;
+
+
+    }
+
+    private static List<String> getWhiteList(JoinPoint joinPoint) {
+        MethodSignature methodSignature = (MethodSignature) joinPoint.getSignature();
+        Method method = methodSignature.getMethod();
+
+        // 获取FileFormatVerification注解
+        FileFormatVerification annotation = method.getAnnotation(FileFormatVerification.class);
+
+        // 获取whiteList属性
+        String[] whites = annotation.whites();
+        List<String> whiteList = Arrays.asList(whites);
+        return whiteList;
+    }
+
+
+}

servers/boe-server-all/src/main/java/com/xboe/system/aspectj/anno/FileFormatVerification.java

@@ -0,0 +1,15 @@
+package com.xboe.system.aspectj.anno;
+
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+
+@Target(ElementType.METHOD) // 注解目标为方法
+@Retention(RetentionPolicy.RUNTIME) // 注解在运行时有效
+public @interface FileFormatVerification {
+    String[] whites() default {};
+
+}

servers/boe-server-all/src/main/resources/application-dev.properties

@@ -4,7 +4,7 @@ spring.redis.database=1
 #spring.redis.password=ENC(zA5LNV8xw3yEx6LMwdGGBGgNsOaD3Cg+)
 #spring.redis.port=6379
 spring.redis.host=124.70.92.162
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(5oXfdmgE2DDHUFhrGkS/UzUCxr7s8stV)
 spring.redis.port=6379
 
 # cloud nacos config
@@ -20,7 +20,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 #spring.datasource.password=ENC(lAoFOYuc8CAypPtigTNLYg==)
 spring.datasource.url=jdbc:mysql://10.251.160.40:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 logging.level.org.hibernate.SQL=DEBUG
 logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE

servers/boe-server-all/src/main/resources/application-pre.properties

@@ -1,7 +1,7 @@
 ## redis
 spring.redis.database=1
 spring.redis.host=10.251.160.38
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(5oXfdmgE2DDHUFhrGkS/UzUCxr7s8stV)
 spring.redis.port=6379
 #spring.redis.database=3
 #spring.redis.host=10.251.129.122
@@ -17,7 +17,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 # spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 spring.datasource.url=jdbc:mysql://10.251.129.126:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 logging.level.org.hibernate.SQL=ERROR
 #logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE

servers/boe-server-all/src/main/resources/application-pro.properties

@@ -4,7 +4,7 @@ spring.cloud.nacos.discovery.server-addr=10.251.129.51:8848
 ## redis
 spring.redis.database=1
 spring.redis.host=10.251.129.122
-spring.redis.password=qwert!W588
+spring.redis.password=ENC(e1k00MMRGU0DUHvLX8JSOuDkCX0CWNif)
 spring.redis.port=6379
 
 
@@ -18,7 +18,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 #spring.datasource.password=ocYMC>!{8G
 spring.datasource.url=jdbc:mysql://10.251.129.126:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 ## 使用 hikari 连接池
 spring.datasource.type=com.zaxxer.hikari.HikariDataSource

servers/boe-server-all/src/main/resources/application-test.properties

@@ -1,7 +1,7 @@
 ## redis
 spring.redis.database=1
 spring.redis.host=10.251.160.38
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(oXmZ5HIrhizHQ/DWPNv/S/1hUNJbbRjv)
 spring.redis.port=6379
 
 # cloud nacos config
@@ -13,7 +13,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 # spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 spring.datasource.url=jdbc:mysql://10.251.160.40:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 ## 使用 hikari 连接池
 spring.datasource.type=com.zaxxer.hikari.HikariDataSource
@@ -72,7 +72,7 @@ jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator
 xboe.elasticsearch.server.ip=10.251.129.25
 xboe.elasticsearch.server.port=9200
 xboe.elasticsearch.server.user=elastic
-xboe.elasticsearch.server.password=Boe@es123
+xboe.elasticsearch.server.password=ENC(903xqMcg31J+OhmZ0AoinYqvzLoAt8UZ)
 
 ## 邮件的配置
 xboe.email.url=https://u-pre.boe.com/api/b1/email/send

servers/boe-server-all/src/main/resources/application-test135.properties

@@ -1,7 +1,7 @@
 ## redis
 spring.redis.database=2
 spring.redis.host=10.251.160.38
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(5oXfdmgE2DDHUFhrGkS/UzUCxr7s8stV)
 spring.redis.port=6379
 
 ## datasource config
@@ -10,7 +10,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 # spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 spring.datasource.url=jdbc:mysql://10.251.160.40:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 logging.level.org.hibernate.SQL=DEBUG
 logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE
@@ -60,7 +60,7 @@ jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator
 xboe.elasticsearch.server.ip=10.251.129.25
 xboe.elasticsearch.server.port=9200
 xboe.elasticsearch.server.user=elastic
-xboe.elasticsearch.server.password=Boe@es123
+xboe.elasticsearch.server.password=ENC(903xqMcg31J+OhmZ0AoinYqvzLoAt8UZ)
 
 ## 邮件的配置
 xboe.email.url=https://10.251.160.135/api/b1/email/send