ZIP条目覆盖,补充

modules/boe-module-idconfig/src/main/java/com/xboe/module/idconfig/IdGeneratorAutoConfig.java

@@ -3,6 +3,7 @@ package com.xboe.module.idconfig;
 import java.net.InetAddress;
 import java.net.NetworkInterface;
 import java.net.SocketException;
+import java.security.SecureRandom;
 import java.util.Enumeration;
 
 import javax.annotation.Resource;
@@ -50,8 +51,10 @@ public class IdGeneratorAutoConfig {
 			dataCenterId=ipm.getDcNum();
 		}else {
 			log.warn("无IP【"+ip+"】的配置的workNum和DataCenterNum,系统自动生成随机数");
-			workServerId=RandomUtils.nextInt(0,31);
+			SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
-			dataCenterId=RandomUtils.nextInt(0,31);
+			workServerId = random.nextInt(31);
+			dataCenterId = random.nextInt(31);
+
 			ipm=new IPMapping();
 			ipm.setId(md5);
 			ipm.setIp(ip);

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ContentPackageGenerator.java

@@ -1,6 +1,8 @@
 package com.xboe.module.scorm.cam.load;
 
 import java.io.File;
+import java.io.IOException;
+import java.io.StringReader;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -85,6 +87,9 @@ import com.xboe.module.scorm.cam.model.datatype.NonNegativeInteger;
 import com.xboe.module.scorm.cam.model.datatype.Token;
 import com.xboe.module.scorm.cam.model.datatype.VCard;
 import com.xboe.module.scorm.common.CommonUtils;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 @Slf4j
 public class ContentPackageGenerator {
@@ -119,6 +124,10 @@ public class ContentPackageGenerator {
     private String scormPkgDir;
 
     public  ContentPackage generateContentPackageFromFile(String scormPkgDir) {
+        if (scormPkgDir.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (scormPkgDir == null) {
             log.error("scorm package directory is null");
             return contentPackage;
@@ -140,7 +149,16 @@ public class ContentPackageGenerator {
 
         Document manifestXml;
         try {
-        	SAXReader reader = new SAXReader();       
+        	SAXReader reader = new SAXReader();
+
+            reader.setEntityResolver(new EntityResolver() {
+                @Override
+                public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+                    // 总是返回空的InputSource来忽略外部实体
+                    return new InputSource(new StringReader(""));
+                }
+            });
+
             manifestXml = reader.read(manifestXmlFile);
             
         } catch (DocumentException e) {

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/FileUtils.java

@@ -44,6 +44,10 @@ public class FileUtils {
     }
 
     public static File createFile(String dstPath, String fileName) throws IOException {
+        if (dstPath.contains("..") || fileName.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         String[] dirs = fileName.split("/");
         File file = new File(dstPath);
 

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/SCORMPackageManager.java

@@ -119,6 +119,11 @@ public class SCORMPackageManager {
             return null;
         }
 
+        if (packagePath.contains("..")) {
+//            throw new SecurityException("输入路径包含不安全的字符");
+            return null;
+        }
+
         // step 1: uncompress
         File f=new File(packagePath);
         if(!f.exists()) {

modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ZipUtils.java

@@ -60,6 +60,10 @@ public class ZipUtils {
     }
 
     public static boolean decompressZip(String zipFilePath, String saveFileDir) {
+        if (zipFilePath.contains("..") || saveFileDir.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (!isEndWithZip(zipFilePath)) {
             return false;
         }

servers/boe-server-all/pom.xml

@@ -84,6 +84,7 @@
 			<artifactId>xboe-module-es</artifactId>
 			<version>1.0.0</version>
 		</dependency>
+
 		<dependency>
 			<groupId>it.sauronsoftware</groupId>
 			<artifactId>jave</artifactId>

servers/boe-server-all/src/main/java/com/xboe/api/ThirdApi.java

@@ -12,10 +12,13 @@ import com.xboe.module.dict.entity.DictDto;
 import com.xboe.module.exam.entity.ExamTest;
 import com.xboe.school.study.entity.StudyCourse;
 import com.xboe.system.user.dao.UserDao;
+import com.xboe.system.user.entity.User;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.data.domain.Page;
 import org.springframework.stereotype.Service;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
 import java.util.Optional;

servers/boe-server-all/src/main/java/com/xboe/constants/CacheName.java

@@ -133,6 +133,4 @@ public interface CacheName {
      * 字典缓存key
      * */
     String KEY_DICT="dict";
-
-    String STUDY_KEY = "StudyKey:";
 }

servers/boe-server-all/src/main/java/com/xboe/converter/ExcelToPdfConverter.java

@@ -66,6 +66,10 @@ public class ExcelToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath)  throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             FileOutputStream fileOS=null;
             String previewPath = null;

servers/boe-server-all/src/main/java/com/xboe/converter/PPTToPdfConverter.java

@@ -65,6 +65,10 @@ public class PPTToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             InputStream slides=null;
             Presentation pres=null;

servers/boe-server-all/src/main/java/com/xboe/converter/WordToPdfConverter.java

@@ -69,6 +69,10 @@ public class WordToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             File pdfFile=null;
             FileOutputStream fileOS=null;

servers/boe-server-all/src/main/java/com/xboe/module/boecase/api/CasesRecommendApi.java

@@ -26,6 +26,7 @@ import com.xboe.module.boecase.vo.BrowseDurationVo;
 import com.xboe.module.boecase.vo.CasesRecommendLaunchVo;
 import com.xboe.module.boecase.vo.CasesRecommendPushVo;
 import com.xboe.module.boecase.vo.CasesRecommendVo;
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.poi.xssf.streaming.SXSSFSheet;
@@ -117,6 +118,7 @@ public class CasesRecommendApi extends ApiBaseController {
      * @return
      * @throws Exception
      */
+    @FileFormatVerification(whites = {"xlsx", "xls"})
     @PostMapping("/import")
     public JsonResponse<ImportData> excelImport(@RequestParam("file") MultipartFile file) throws Exception {
         ExcelReader reader = ExcelUtil.getReader(file.getInputStream());

servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java

@@ -227,6 +227,10 @@ public class CourseFileApi extends ApiBaseController {
         	return badRequest("请先选择资源归属");
         }
 
+        if (file.getFilePath().contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         // 重设文件类型为小写
         file.setFileType(file.getFileType().toLowerCase());
 
@@ -395,8 +399,15 @@ public class CourseFileApi extends ApiBaseController {
 			//return badRequest("参数错误");
 			return;
 		}
-		
+
-		String cfPath=null;
+        if (cf.contains("..")) {
+            log.error("参数错误");
+//            throw new SecurityException("输入路径包含不安全的字符");
+            return;
+        }
+
+
+        String cfPath=null;
 		String fileName ="";
 		if(StringUtils.isNotBlank(cf)) {
 			cfPath=cf;
@@ -436,6 +447,11 @@ public class CourseFileApi extends ApiBaseController {
             response.reset();
             //由于火狐和其他浏览器显示名称的方式不相同，需要进行不同的编码处理
             if (agent.indexOf("FIREFOX") != -1) {//火狐浏览器
+                // 检查文件名中是否包含不允许的字符
+                if (fileName.matches(".*[\n\r;%].*")) {
+                    throw new IllegalArgumentException("Filename contains illegal characters");
+                }
+
                 response.addHeader("Content-Disposition", "attachment;filename=" + new String(fileName.getBytes("GB2312"), "ISO-8859-1"));
             } else {//其他浏览器
                 response.addHeader("Content-Disposition", "attachment;filename=" + URLEncoder.encode(fileName, "UTF-8"));

servers/boe-server-all/src/main/java/com/xboe/module/course/entity/CourseContent.java

@@ -83,13 +83,8 @@ public class CourseContent extends BaseEntity {
      * */
     @Column(name = "duration")
     private Integer duration;
-
+    
-    /**
+    
-     * 视频播放进度
-     * */
-    @Column(name = "progress_video")
-    private Float progressVideo;
-
     /**用于学习时的状态显示，非存储字段*/
     @Transient
     private Integer status;

servers/boe-server-all/src/main/java/com/xboe/module/course/service/ICourseContentService.java

@@ -82,7 +82,4 @@ public interface ICourseContentService{
 	 * @return
 	 */
 	CourseAssess getAssess(String ccid);
-
-	void updateProcessVideo(String contentId, String courseId, Float processVideo);
-
 }

servers/boe-server-all/src/main/java/com/xboe/module/course/service/impl/CourseContentServiceImpl.java

@@ -1,7 +1,5 @@
 package com.xboe.module.course.service.impl;
 
-import java.sql.PreparedStatement;
-import java.sql.SQLException;
 import java.util.List;
 
 import javax.annotation.Resource;
@@ -143,17 +141,6 @@ public class CourseContentServiceImpl implements ICourseContentService {
 		return assess;
 	}
 
-	@Override
-	@Transactional
-	public void updateProcessVideo(String id, String courseId, Float progressVideo) {
-		// 处理 processVideo 为 null 的情况
-		if (progressVideo == null) {
-			progressVideo = 0.00f;
-		}
-		String sql = "UPDATE boe_course_content SET progress_video = "+ progressVideo+" WHERE id = "+ id+" AND course_id = "+ courseId+" ";
-		ccDao.sqlUpdate(sql);
-	}
-
 	@Override
 	@Transactional
 	public void updateName(String id, String name) {

servers/boe-server-all/src/main/java/com/xboe/module/exam/api/ExamQuestionApi.java

@@ -8,6 +8,7 @@ import java.util.List;
 
 import javax.annotation.Resource;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
 import org.apache.poi.ss.usermodel.Cell;
@@ -148,6 +149,7 @@ public class ExamQuestionApi extends ApiBaseController {
     /**
      * 导入
      * */
+    @FileFormatVerification(whites = {"xls","xlsx"})
     @PostMapping("/import")
     public JsonResponse<QuestionDto> importQuestion(@RequestParam MultipartFile file){
         //获取输入流

servers/boe-server-all/src/main/java/com/xboe/module/exam/entity/ExamTest.java

@@ -28,7 +28,7 @@ public class ExamTest extends BaseEntity {
     /**
     * 考试名称
      * */
-    @Column(name = "test_name",length = 50)
+    @Column(name = "test_name",nullable = false,length = 50)
     private String testName;
     
     /**
@@ -46,7 +46,7 @@ public class ExamTest extends BaseEntity {
     /**
     * 考试时长    分钟
      * */
-    @Column(name = "test_duration")
+    @Column(name = "test_duration",nullable = false)
     private Integer testDuration;
     /**
      * 显示解析
@@ -107,13 +107,13 @@ public class ExamTest extends BaseEntity {
     /**
      * 考试的类型
      * */
-    @Column(name = "test_type")
+    @Column(name = "test_type",nullable = false)
     private Integer testType;
     
     /**
      * 发布状态 ，是否已发布
      */
-    @Column(name = "published",length = 1)
+    @Column(name = "published",length = 1,nullable = false)
     private Boolean published;
     /**
      * 发布时间
@@ -154,7 +154,7 @@ public class ExamTest extends BaseEntity {
     /**
      * 范围，1表独立使用，2表课程内部
      * */
-    @Column(name = "range_type")
+    @Column(name = "range_type",nullable = false)
     private Integer rangeType;
 
     /**

servers/boe-server-all/src/main/java/com/xboe/module/exam/service/impl/ExamTestServiceImpl.java

@@ -95,7 +95,7 @@ public class ExamTestServiceImpl implements IExamTestService {
 
     @Override
     public Boolean has(String paperId) {
-    	ExamTest et=examTestDao.findOne(FieldFilters.eq("paperId", paperId),FieldFilters.eq("deleted", false));
+    	ExamTest et=examTestDao.findOne(FieldFilters.eq("paperId", paperId));
     	//String etId= (String)examTestDao.findField("id", FieldFilters.eq("paperId", paperId));
         if(et==null){
             return true;

servers/boe-server-all/src/main/java/com/xboe/module/filecloud/api/XFileBaseApi.java

@@ -8,6 +8,7 @@ import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -280,7 +281,8 @@ public class XFileBaseApi extends ApiBaseController{
 		
 		return wrap(list);
 	}
-	
+
+	@FileFormatVerification(whites = {"zip","png","jpg","jpeg","gif","svg","bmp"})
 	@ApiAccess(path="xfile.file.upload")
 	@RequestMapping(value="/file/upload", method={RequestMethod.POST})
 	public JsonResponse<ListViewItem> fileUpload(HttpServletRequest request,String folderId) {

servers/boe-server-all/src/main/java/com/xboe/module/usergroup/api/UserGroupApi.java

@@ -11,6 +11,7 @@ import java.util.Set;
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletResponse;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.collections4.ListUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -198,6 +199,7 @@ public class UserGroupApi extends ApiBaseController {
      * 不直接导入到数据库，而是解析文件并查询相应数据返回
      * @return
      */
+    @FileFormatVerification(whites = {"xlsx","xls"})
     @PostMapping("/import")
     public JsonResponse<Iterable<UserImportDto>> importUserGroup(@RequestParam MultipartFile file) {
 

servers/boe-server-all/src/main/java/com/xboe/school/study/api/StudyCourseApi.java

@@ -3,12 +3,15 @@ package com.xboe.school.study.api;
 import java.time.LocalDateTime;
 import java.util.*;
 import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
 
-import com.alibaba.nacos.shaded.com.google.common.util.concurrent.RateLimiter;
+import cn.hutool.core.util.ArrayUtil;
 import com.xboe.api.ThirdApi;
-import com.xboe.constants.CacheName;
+import com.xboe.api.vo.*;
 import com.xboe.module.course.vo.TeacherVo;
+import com.xboe.module.usergroup.entity.UserGroupItem;
 import com.xboe.module.usergroup.service.IUserGroupService;
+import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.redis.core.StringRedisTemplate;
@@ -92,6 +95,7 @@ public class StudyCourseApi extends ApiBaseController{
 
 	@Autowired
 	StringRedisTemplate redisTemplate;
+
 	/**
 	 * 用于查询课程的学习记录
 	 * @param pager
@@ -283,7 +287,11 @@ public class StudyCourseApi extends ApiBaseController{
 	}
 
 	
-
+	/**
+	 * 记录学习信息，在学习每个资源时都要记录.前端用户打开课程资源按规则调用带着课程及学习信息调用此接口。
+	 * @param
+	 * @return 返回学习条目的id
+	 */
 	@PostMapping("/study")
 	public JsonResponse<String> study(@RequestBody StudyContentDto sci, HttpServletRequest request){
 		
@@ -313,34 +321,20 @@ public class StudyCourseApi extends ApiBaseController{
 		if (StringUtils.isEmpty(token)) {
 			token = request.getHeader("token");
 		}
+		//检查是否已存在
 		StudyCourseItem item = studyService.checkHas(sci.getStudyId(),sci.getContentId());
 		if(item!=null) {
-			String studyKey = CacheName.NAME_AUTH + ":" + CacheName.STUDY_KEY + item.getCourseId()+":"+cuser.getAccountId()+":"+item.getContentId();
+			//如果记录存在，但是进度不100无成情况，就更新进度，一期不会有这种情况
-			String studyKey2 = CacheName.NAME_AUTH + ":" + CacheName.STUDY_KEY + sci.getCourseId()+":"+cuser.getAccountId()+":"+sci.getContentId();
+			if(item.getProgress()<100 && sci.getProgress()>item.getProgress()) {
-			redisTemplate.opsForValue().set(studyKey,
+				studyService.updateProcess(item.getId(), sci.getStudyId(), sci.getCourseId(), sci.getContentTotal(), sci.getProgress(),token);
-					String.valueOf(item.getProgress()), 2, TimeUnit.HOURS);
-			String progressStr = redisTemplate.opsForValue().get(studyKey2);
-			if (progressStr != null && !progressStr.isEmpty()) {
-				// 尝试将 Redis 中的字符串转换为整数
-				int redisProgress = Integer.parseInt(progressStr);
-				// 假设 item.getProgress() 返回的是 int 类型
-				int sciProgress = sci.getProgress();
-
-				if (redisProgress < sciProgress && redisProgress < 100) {
-					// 执行一些操作
-//					if(item.getProgress()<100 && sci.getProgress()>item.getProgress()) {
-//					}
-					studyService.updateProcess(item.getId(), sci.getStudyId(), sci.getCourseId(), sci.getContentTotal(), sci.getProgress(),token);
-				}
 			}
 			//追加学习时长
 			studyService.appendStudyDuration(sci.getStudyId(),item.getId(),sci.getContentId(),sci.getDuration());
 			List<StudyCourse> allUserList = thirdApi.getStudyCourseList(sci.getStudyId() ,sci.getCourseId(), token);
 			log.info("在线课学习记录"+allUserList);
 			return success(item.getId());
-			//如果记录存在，但是进度不100无成情况，就更新进度，一期不会有这种情况
 		}
-
+		
 		if(StringUtils.isBlank(sci.getCourseId())){
 			return error("无课程信息");
 		}
@@ -535,7 +529,7 @@ public class StudyCourseApi extends ApiBaseController{
 	 * @return
 	 */
 	@PostMapping("/study-video-time")
-	public JsonResponse<Boolean> study(String itemId,Integer videoTime,String contentId , String courseId,Float progressVideo){
+	public JsonResponse<Boolean> study(String studyId,String itemId,Integer videoTime){
 		
 		if(StringUtils.isBlank(itemId)){
 			return error("参数错误");
@@ -545,10 +539,7 @@ public class StudyCourseApi extends ApiBaseController{
 		}
 		//检查是否已存在
 		try {
-			studyService.updateLastTime(itemId,videoTime, getCurrent().getAccountId());
+			studyService.updateLastTime(itemId,videoTime,getCurrent().getAccountId());
-			if (contentId != null && courseId != null && progressVideo != null){
-				contentService.updateProcessVideo(contentId, courseId, progressVideo);
-			}
 			return success(true);
 		}catch(Exception e) {
 			log.error("记录最后学习时间错误",e);

servers/boe-server-all/src/main/java/com/xboe/school/study/service/impl/StudyAssessServiceImpl.java

@@ -44,7 +44,7 @@ public class StudyAssessServiceImpl implements IStudyAssessService{
 			LocalDateTime ldt=LocalDateTime.now();
 			sci.setStudyId(assess.getStudyId());
 			sci.setContentId(assess.getContentId());
-			sci.setContentName("评估");
+			//sci.setContentName(homework.getContentName());
 			sci.setCourseId(assess.getCourseId());
 			//sci.setCsectionId(homework.getCsectionId());
 			sci.setProgress(100);//直接设置为学习完成

servers/boe-server-all/src/main/java/com/xboe/school/study/service/impl/StudyExamServiceImpl.java

@@ -82,7 +82,7 @@ public class StudyExamServiceImpl implements IStudyExamService{
 			LocalDateTime ldt=LocalDateTime.now();
 			sci.setStudyId(exam.getStudyId());
 			sci.setContentId(exam.getContentId());
-			sci.setContentName("考试");
+			//sci.setContentName(homework.getContentName());
 			sci.setCourseId(exam.getCourseId());
 			//sci.setCsectionId(homework.getCsectionId());
 			sci.setProgress(prog);//直接设置为学习完成

servers/boe-server-all/src/main/java/com/xboe/school/study/service/impl/StudyHomeWorkServiceImpl.java

@@ -46,7 +46,7 @@ public class StudyHomeWorkServiceImpl implements IStudyHomeWorkService{
 			LocalDateTime ldt=LocalDateTime.now();
 			sci.setStudyId(homework.getStudyId());
 			sci.setContentId(homework.getContentId());
-			sci.setContentName(homework.getHwName());
+			//sci.setContentName(homework.getContentName());
 			sci.setCourseId(homework.getCourseId());
 			//sci.setCsectionId(homework.getCsectionId());
 			sci.setProgress(100);//直接设置为学习完成
@@ -67,7 +67,7 @@ public class StudyHomeWorkServiceImpl implements IStudyHomeWorkService{
 			//只是保留一条作业记录，不再保存多条记录了
 			//dao.save(homework);
 			//设置id。然后进行悠
-			homework.setId(homework.getStudyItemId());
+			homework.setId(obj.toString());
 			dao.update(homework);
 		}
 	}

servers/boe-server-all/src/main/java/com/xboe/school/study/service/impl/StudyServiceImpl.java

@@ -98,12 +98,8 @@ public class StudyServiceImpl implements IStudyService{
 		//sci.setProgress(100);//直接设置为学习完成
 		sci.setLastTime(ldt);
 		scItemDao.saveOrUpdate(sci);
-		if (sci.getId() != null){
+		
-			dto.setStudyItemId(sci.getId());
+		dto.setStudyItemId(sci.getId());
-		}else {
-			log.info("学习记录插入失败"+sci.getId());
-			throw new IllegalArgumentException("学习记录插入失败");
-		}
 		//检查是否全部学习完成
 		scDao.finishCheck(dto.getStudyId(),dto.getCourseId(),dto.getContentTotal(),token);
 		
@@ -186,7 +182,7 @@ public class StudyServiceImpl implements IStudyService{
 		if(StringUtils.isNotBlank(name)) {
 			query.addFilter(FieldFilters.eq("aname", name));
 		}
-		int pageIndex2 = (pageIndex-1)*10;
+		int pageIndex2 = pageIndex-1;
 		if(status!=null) {
 			if(status==3) {
 				query.addFilter(FieldFilters.eq("status", 2));
@@ -197,16 +193,16 @@ public class StudyServiceImpl implements IStudyService{
 			}else if (status == 1) {
 				String sql = "select bsc.id,bsc.course_id,bsc.course_name,bsc.aname,item.content_id,0 as progress,1 as status from boe_study_course bsc " +
 						" left join boe_study_course_item item on bsc.course_id = item.course_id and bsc.id = item.study_id" +
-						" where bsc.course_id = '"+courseId+"' and bsc.aname like '%"+name+"%' and bsc.id not in(" +
+						" where bsc.course_id = '"+courseId+"' and bsc.id not in(" +
 						" select item.study_id from boe_study_course_item item " +
-						" where item.course_id = '" + courseId + "' and item.content_id = '"+ contentId+"' and item.aname like '%"+name+"%' group by item.study_id" +
+						" where item.course_id = '" + courseId + "' and item.content_id = '"+ contentId+"' group by item.study_id" +
 						" ) group by bsc.id limit "+ pageIndex2+","+ pageSize+";";
 
 				String sql2 = "select count(*) as total from (select bsc.id,bsc.course_id,bsc.course_name,bsc.aname,item.content_id,0 as progress,1 as status from boe_study_course bsc " +
 						" left join boe_study_course_item item on bsc.course_id = item.course_id and bsc.id = item.study_id" +
-						" where bsc.course_id = '"+courseId+"' and bsc.aname like '%"+name+"%' and bsc.id not in(" +
+						" where bsc.course_id = '"+courseId+"' and bsc.id not in(" +
 						" select item.study_id from boe_study_course_item item " +
-						" where item.course_id = '" + courseId + "' and item.content_id = '"+ contentId+"' and item.aname like '%"+name+"%' group by item.study_id" +
+						" where item.course_id = '" + courseId + "' and item.content_id = '"+ contentId+"' group by item.study_id" +
 						" ) group by bsc.id) as total";
 				log.info("资源完成情况未开始sql"+sql);
 				List<Object[]> list = scDao.sqlFindList(sql);
@@ -228,22 +224,46 @@ public class StudyServiceImpl implements IStudyService{
 				return pageList;
 			}
 		}
+//		String sql = "select * from (select bsc.id,bsc.course_id,bsc.course_name,bsc.aname,item.progress,item.status from boe_study_course bsc left join " +
+//				"boe_study_course_item item on item.course_id = bsc.course_id and item.study_id = bsc.id " +
+//				"where bsc.`status` in (2,9) and bsc.course_id = '"+ courseId+"' group by bsc.id " +
+//				" UNION ALL " +
+//				" select bsc.id,bsc.course_id,bsc.course_name,bsc.aname,0 as progress,1 as status from boe_study_course bsc " +
+//				" LEFT JOIN boe_study_course_item item on item.course_id = bsc.course_id " +
+//				" where bsc.course_id = '"+courseId+"' and bsc.id not in (" +
+//				" select bsc.id from boe_study_course bsc " +
+//				" left join boe_study_course_item item on item.course_id = bsc.course_id and item.study_id = bsc.id " +
+//				" where bsc.course_id = '" + courseId + "' and item.content_id = '"+ contentId+"' group by bsc.id" +
+//				" )group by bsc.id) a group by a.id limit "+ pageIndex+","+ pageSize+";";
+
+//		String sql2 = "select count(*) from (select bsc.id,bsc.course_id,bsc.course_name,bsc.aname,item.progress,item.status from boe_study_course bsc left join " +
+//				"boe_study_course_item item on item.course_id = bsc.course_id and item.study_id = bsc.id " +
+//				"where bsc.`status` in (2,9) and bsc.course_id = '"+ courseId+"' group by bsc.id " +
+//				" UNION ALL " +
+//				" select bsc.id,bsc.course_id,bsc.course_name,bsc.aname,0 as progress,1 as status from boe_study_course bsc " +
+//				" LEFT JOIN boe_study_course_item item on item.course_id = bsc.course_id " +
+//				" where bsc.course_id = '"+courseId+"' and bsc.id not in (" +
+//				" select bsc.id from boe_study_course bsc " +
+//				" left join boe_study_course_item item on item.course_id = bsc.course_id and item.study_id = bsc.id " +
+//				" where bsc.course_id = '" + courseId + "' and item.content_id = '"+ contentId+"' group by bsc.id" +
+//				" )group by bsc.id) a group by a.id";
+
 		String sql = "select a.id, a.course_id, a.course_name, a.aname, " +
 				"IFNULL(b.finish_time, '0') as finish_time, IFNULL(b.progress, 0) as progress, IFNULL(b.status, 1) as status " +
-				"from (select id, course_id, course_name, aname, 0, 1 from boe_study_course where course_id = '" + courseId + "' and aname like '%"+name+"%') a " +
+				"from (select id, course_id, course_name, aname, 0, 1 from boe_study_course where course_id = '" + courseId + "') a " +
 				"left join " +
 				"(select bsc.id, bsc.course_id, bsc.course_name, bsc.aname, item.finish_time, item.progress, item.status " +
 				"from boe_study_course bsc left join boe_study_course_item item on item.course_id = bsc.course_id and item.study_id = bsc.id " +
-				"where bsc.course_id = '" + courseId + "' and item.content_id = '" + contentId + "' and item.aname like '%"+name+"%' group by bsc.id) b " +
+				"where bsc.course_id = '" + courseId + "' and item.content_id = '" + contentId + "' group by bsc.id) b " +
 				"on a.course_id = b.course_id and a.id = b.id " +
 				"group by a.id limit "+ pageIndex2+","+ pageSize+";";
 		String sql2 = "select count(*) as total from (select a.id, a.course_id, a.course_name, a.aname, " +
 				"IFNULL(b.finish_time, 0) as finish_time, IFNULL(b.progress, 0) as progress, IFNULL(b.status, 1) as status " +
-				"from (select id, course_id, course_name, aname, 0, 1 from boe_study_course where course_id = '" + courseId + "' and aname like '%"+name+"%') a " +
+				"from (select id, course_id, course_name, aname, 0, 1 from boe_study_course where course_id = '" + courseId + "') a " +
 				"left join " +
 				"(select bsc.id, bsc.course_id, bsc.course_name, bsc.aname, item.finish_time, item.progress, item.status " +
 				"from boe_study_course bsc left join boe_study_course_item item on item.course_id = bsc.course_id and item.study_id = bsc.id " +
-				"where bsc.course_id = '" + courseId + "' and item.content_id = '" + contentId + "' and item.aname like '%"+name+"%' group by bsc.id) b " +
+				"where bsc.course_id = '" + courseId + "' and item.content_id = '" + contentId + "' group by bsc.id) b " +
 				"on a.course_id = b.course_id and a.id = b.id " +
 				"group by a.id) as total";
 		log.info("资源完成情况全部sql"+sql);

servers/boe-server-all/src/main/java/com/xboe/system/api/SysUploaderApi.java

@@ -14,8 +14,10 @@ import java.util.Set;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import com.xboe.system.aspectj.anno.FileFormatVerification;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
@@ -43,6 +45,9 @@ public class SysUploaderApi  extends ApiBaseController{
 	
 	@Autowired
 	XFileUploader uploader;
+
+	@Value(value = "${boe.domain}")
+	String domain;
 	
 	private static Set<String> fileTypeSet=new HashSet<>();
 	static {
@@ -61,7 +66,8 @@ public class SysUploaderApi  extends ApiBaseController{
 		fileTypeSet.add("pdf");
 		fileTypeSet.add("zip");
 	}
-	
+
+	@FileFormatVerification(whites = {"mp3","wmv","mp4","jpg","png","gif","doc","docx","xls","xlsx","ppt","pptx","pdf","zip"})
 	@RequestMapping(value = "/file/upload", method = RequestMethod.POST)
 	public JsonResponse<XUploadResult> save(HttpServletRequest request, String name,String dir) throws IOException {
 		//以下三项用于回调
@@ -149,7 +155,8 @@ public class SysUploaderApi  extends ApiBaseController{
 	@RequestMapping(value = "/url/download", method = RequestMethod.GET)
     public void urlDownload(HttpServletResponse res,String urlStr,String fileName) throws IOException {
 
-		URL url = new URL(urlStr);    
+		URL url = new URL(urlStr);
+		downloadLimitation(url);
         HttpURLConnection conn = (HttpURLConnection)url.openConnection();    
                 //设置超时间为3秒  
         conn.setConnectTimeout(3*1000);  
@@ -193,4 +200,19 @@ public class SysUploaderApi  extends ApiBaseController{
 		  //System.out.println("success");
     }
 
+	private void downloadLimitation(URL url) {
+		String allowedDomain = domain;
+		String allowedPathPrefix = "/upload/xfile/";
+
+		// 检查域名是否正确
+		if (!url.getHost().equals(allowedDomain)) {
+			throw new SecurityException("Download from this domain is not allowed.");
+		}
+
+		// 检查路径是否以允许的路径前缀开始
+		if (!url.getPath().startsWith(allowedPathPrefix)) {
+			throw new SecurityException("Download from this path is not allowed.");
+		}
+	}
+
 }

servers/boe-server-all/src/main/java/com/xboe/system/aspectj/UploadAspect.java

@@ -0,0 +1,91 @@
+package com.xboe.system.aspectj;
+
+import com.xboe.system.aspectj.anno.FileFormatVerification;
+import lombok.extern.slf4j.Slf4j;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.aspectj.lang.annotation.Pointcut;
+import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.stereotype.Component;
+import org.springframework.web.multipart.MultipartFile;
+import org.springframework.web.multipart.MultipartHttpServletRequest;
+
+import javax.servlet.http.HttpServletRequest;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.List;
+
+
+/**
+ * @author admin
+ */
+@Aspect
+@Slf4j
+@Component
+public class UploadAspect {
+
+
+    @Pointcut("@annotation(com.xboe.system.aspectj.anno.FileFormatVerification)")
+    private void fileUpload() {
+    }
+
+    @Before("fileUpload()")
+    public void fileFormatVerifies(JoinPoint joinPoint) {
+        List<String> whiteList = getWhiteList(joinPoint);
+
+
+        String[] FILE_UPLOAD_BLACKLIST = {"exe", "sh", "py", "html", "xhtml", "php", "php5", "dat", "dbf", "dev", "asp", "aspx", "asa", "aspx", "ashx", "asmx", "asax", "ascx", "jsp", "jspx", "jspf", "cgi", "war", "ini", "js"};
+        List<String> blackList = Arrays.asList(FILE_UPLOAD_BLACKLIST);
+
+        // 在目标方法执行前执行的代码
+        Object[] args = joinPoint.getArgs(); // 获取被调用方法的参数
+
+        // 处理MultipartFile
+        Arrays.stream(args)
+                .filter(arg -> arg instanceof MultipartFile)
+                .map(arg -> (MultipartFile) arg)
+                .forEach(file -> {
+                    String name = file.getOriginalFilename();
+                    String fileSuffix = name.substring(name.lastIndexOf(".") + 1);
+                    if (blackList.contains(fileSuffix) || !whiteList.contains(fileSuffix)) {
+                        throw new RuntimeException("文件格式不支持");
+                    }
+                });
+
+        // 处理HttpServletRequest中的文件名
+        Arrays.stream(args)
+                .filter(arg -> arg instanceof HttpServletRequest)
+                .map(arg -> (HttpServletRequest) arg)
+                .filter(req -> req instanceof MultipartHttpServletRequest)
+                .map(req -> (MultipartHttpServletRequest) req)
+                .forEach(req -> {
+                    req.getFileMap().forEach((k, v) -> {
+                        String fileSuffix = v.getOriginalFilename().substring(v.getOriginalFilename().lastIndexOf(".") + 1);
+                        if (blackList.contains(fileSuffix) || !whiteList.contains(fileSuffix)) {
+                            throw new RuntimeException("文件格式不支持");
+                        }
+                    });
+                });
+
+
+        int i = 1 / 0;
+
+
+    }
+
+    private static List<String> getWhiteList(JoinPoint joinPoint) {
+        MethodSignature methodSignature = (MethodSignature) joinPoint.getSignature();
+        Method method = methodSignature.getMethod();
+
+        // 获取FileFormatVerification注解
+        FileFormatVerification annotation = method.getAnnotation(FileFormatVerification.class);
+
+        // 获取whiteList属性
+        String[] whites = annotation.whites();
+        List<String> whiteList = Arrays.asList(whites);
+        return whiteList;
+    }
+
+
+}

servers/boe-server-all/src/main/java/com/xboe/system/aspectj/anno/FileFormatVerification.java

@@ -0,0 +1,15 @@
+package com.xboe.system.aspectj.anno;
+
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+
+@Target(ElementType.METHOD) // 注解目标为方法
+@Retention(RetentionPolicy.RUNTIME) // 注解在运行时有效
+public @interface FileFormatVerification {
+    String[] whites() default {};
+
+}

servers/boe-server-all/src/main/resources/application-dev.properties

@@ -4,7 +4,7 @@ spring.redis.database=1
 #spring.redis.password=ENC(zA5LNV8xw3yEx6LMwdGGBGgNsOaD3Cg+)
 #spring.redis.port=6379
 spring.redis.host=124.70.92.162
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(5oXfdmgE2DDHUFhrGkS/UzUCxr7s8stV)
 spring.redis.port=6379
 
 # cloud nacos config
@@ -20,7 +20,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 #spring.datasource.password=ENC(lAoFOYuc8CAypPtigTNLYg==)
 spring.datasource.url=jdbc:mysql://10.251.160.40:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 logging.level.org.hibernate.SQL=DEBUG
 logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE

servers/boe-server-all/src/main/resources/application-pre.properties

@@ -1,7 +1,7 @@
 ## redis
 spring.redis.database=1
 spring.redis.host=10.251.160.38
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(5oXfdmgE2DDHUFhrGkS/UzUCxr7s8stV)
 spring.redis.port=6379
 #spring.redis.database=3
 #spring.redis.host=10.251.129.122
@@ -17,7 +17,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 # spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 spring.datasource.url=jdbc:mysql://10.251.129.126:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 logging.level.org.hibernate.SQL=ERROR
 #logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE

servers/boe-server-all/src/main/resources/application-pro.properties

@@ -4,7 +4,7 @@ spring.cloud.nacos.discovery.server-addr=10.251.129.51:8848
 ## redis
 spring.redis.database=1
 spring.redis.host=10.251.129.122
-spring.redis.password=qwert!W588
+spring.redis.password=ENC(e1k00MMRGU0DUHvLX8JSOuDkCX0CWNif)
 spring.redis.port=6379
 
 
@@ -18,7 +18,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 #spring.datasource.password=ocYMC>!{8G
 spring.datasource.url=jdbc:mysql://10.251.129.126:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 ## 使用 hikari 连接池
 spring.datasource.type=com.zaxxer.hikari.HikariDataSource

servers/boe-server-all/src/main/resources/application-test.properties

@@ -1,7 +1,7 @@
 ## redis
 spring.redis.database=1
 spring.redis.host=10.251.160.38
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(oXmZ5HIrhizHQ/DWPNv/S/1hUNJbbRjv)
 spring.redis.port=6379
 
 # cloud nacos config
@@ -13,7 +13,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 # spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 spring.datasource.url=jdbc:mysql://10.251.160.40:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 ## 使用 hikari 连接池
 spring.datasource.type=com.zaxxer.hikari.HikariDataSource
@@ -72,7 +72,7 @@ jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator
 xboe.elasticsearch.server.ip=10.251.129.25
 xboe.elasticsearch.server.port=9200
 xboe.elasticsearch.server.user=elastic
-xboe.elasticsearch.server.password=Boe@es123
+xboe.elasticsearch.server.password=ENC(903xqMcg31J+OhmZ0AoinYqvzLoAt8UZ)
 
 ## 邮件的配置
 xboe.email.url=https://u-pre.boe.com/api/b1/email/send

servers/boe-server-all/src/main/resources/application-test135.properties

@@ -1,7 +1,7 @@
 ## redis
 spring.redis.database=2
 spring.redis.host=10.251.160.38
-spring.redis.password=qwert!W577
+spring.redis.password=ENC(5oXfdmgE2DDHUFhrGkS/UzUCxr7s8stV)
 spring.redis.port=6379
 
 ## datasource config
@@ -10,7 +10,7 @@ spring.datasource.driverClassName=com.mysql.jdbc.Driver
 # spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
 spring.datasource.url=jdbc:mysql://10.251.160.40:3306/boe_base?useSSL=false&useUnicode=true&characterEncoding=UTF8&zeroDateTimeBehavior=convertToNull
 spring.datasource.username=admin
-spring.datasource.password=boeRds01
+spring.datasource.password=ENC(GrOwKqgCAlYEZYjiDYWEjVcKho+5TLgc)
 
 logging.level.org.hibernate.SQL=DEBUG
 logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE
@@ -60,7 +60,7 @@ jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator
 xboe.elasticsearch.server.ip=10.251.129.25
 xboe.elasticsearch.server.port=9200
 xboe.elasticsearch.server.user=elastic
-xboe.elasticsearch.server.password=Boe@es123
+xboe.elasticsearch.server.password=ENC(903xqMcg31J+OhmZ0AoinYqvzLoAt8UZ)
 
 ## 邮件的配置
 xboe.email.url=https://10.251.160.135/api/b1/email/send