From bc11ec0e6b09d1da34abd970a2acf7b461127eca Mon Sep 17 00:00:00 2001
From: Pu Zhibing <393733352@qq.com>
Date: 星期二, 16 九月 2025 15:19:12 +0800
Subject: [PATCH] 修改安全漏洞

---
 management/guns-admin/src/main/java/com/stylefeng/guns/config/web/ShiroConfig.java                               |    5 
 management/guns-admin/src/main/webapp/WEB-INF/view/login.html                                                    |   10 +-
 management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TCarController.java     |   23 ++++-
 management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/util/AESUtil.java                          |   90 ++++++++++++++++++++++
 management/guns-admin/src/main/webapp/static/modular/system/tDriver/tDriver.js                                   |   18 +++
 management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TAppUserController.java |   10 ++
 management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/system/LoginController.java     |    2 
 management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TDriverController.java  |   38 +++++++++
 management/guns-admin/src/main/webapp/WEB-INF/view/common/_container.html                                        |   29 +++++++
 9 files changed, 210 insertions(+), 15 deletions(-)

diff --git a/management/guns-admin/src/main/java/com/stylefeng/guns/config/web/ShiroConfig.java b/management/guns-admin/src/main/java/com/stylefeng/guns/config/web/ShiroConfig.java
index 2047dae..eb64df0 100644
--- a/management/guns-admin/src/main/java/com/stylefeng/guns/config/web/ShiroConfig.java
+++ b/management/guns-admin/src/main/java/com/stylefeng/guns/config/web/ShiroConfig.java
@@ -102,7 +102,7 @@
     @Bean
     public CookieRememberMeManager rememberMeManager(SimpleCookie rememberMeCookie) {
         CookieRememberMeManager manager = new CookieRememberMeManager();
-        manager.setCipherKey(Base64.decode("Z3VucwAAAAAAAAAAAAAAAA=="));
+//        manager.setCipherKey(Base64.decode("Z3VucwAAAAAAAAAAAAAAAA=="));
         manager.setCookie(rememberMeCookie);
         return manager;
     }
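Review bot: Commenting out `manager.setCipherKey(...)` leaves it implicit which remember-me key is now in use, and the old hard-coded key stays in the source as a comment. Which default applies depends on the Shiro version (not visible here): recent releases generate a random key per process, which silently invalidates remember-me cookies on every restart and across instances, while older releases fall back to a well-known built-in key that offers no protection at all. Delete the commented line and instead call `manager.setCipherKey(...)` with a key read from configuration or a secret store, generated once with `SecureRandom`, so the value is neither committed nor implicit. The `rememberMeManager` bean is complete within the hunk.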
@@ -112,7 +112,8 @@
      */
     @Bean
     public SimpleCookie rememberMeCookie() {
-        SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
+//        SimpleCookie simpleCookie = new SimpleCookie("rememberMe");
+        SimpleCookie simpleCookie = new SimpleCookie("");
         simpleCookie.setHttpOnly(true);
         simpleCookie.setMaxAge(7 * 24 * 60 * 60);//7天
         return simpleCookie;
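Review bot: `new SimpleCookie("")` gives the remember-me cookie an empty name, which is neither a valid cookie nor a way to disable the feature; if the intent is to switch remember-me off, stop wiring `rememberMeManager` into the security manager (and drop the `remember` login parameter), and if it is to keep it, restore a real name, e.g. `new SimpleCookie("rememberMe");`. Since this cookie carries the remember-me identity token, also set `simpleCookie.setSecure(true);` next to `setHttpOnly(true)` so it is only sent over TLS. Whether the security manager still references this bean is outside the hunk.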
diff --git a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TAppUserController.java b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TAppUserController.java
index 3c22173..adab694 100644
--- a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TAppUserController.java
+++ b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TAppUserController.java
@@ -2,7 +2,9 @@
 
 import com.baomidou.mybatisplus.mapper.EntityWrapper;
 import com.stylefeng.guns.core.base.controller.BaseController;
+import com.stylefeng.guns.core.base.tips.SuccessTip;
 import com.stylefeng.guns.core.log.LogObjectHolder;
+import com.stylefeng.guns.core.util.ToolUtil;
 import com.stylefeng.guns.modular.system.controller.resp.TAppUserResp;
 import com.stylefeng.guns.modular.system.controller.util.ExcelUtil;
 import com.stylefeng.guns.modular.system.enums.CouponStatusEnum;
@@ -214,6 +216,10 @@
     @RequestMapping(value = "/add")
     @ResponseBody
     public Object add(TAppUser tAppUser) {
+        String avatar = tAppUser.getAvatar();
+        if(ToolUtil.isNotEmpty(avatar) && !avatar.contains("png") && !avatar.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的头像照片!");
+        }
         tAppUserService.insert(tAppUser);
         return SUCCESS_TIP;
     }
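Review bot: `avatar.contains("png")` / `contains("jpg")` is a substring test, not a file-type check: any value that merely contains those letters anywhere (a directory named `png`, a name with `png` before a different extension) passes, `.PNG`/`.jpeg` are rejected, and the string is only a client-supplied name, so nothing about the stored file is verified. The same copy-pasted check appears in `update` below, in `TCarController.add`/`update` (car and driving-licence photos) and in `TDriverController.add`/`update` (avatar, licence, both ID-card sides); replace all of them with one shared helper that inspects the extension of the path component case-insensitively, and keep the real control — content-type/magic-byte validation and a server-chosen file name — at the upload endpoint, which is outside this diff. A rejected request should also answer with an error tip rather than `new SuccessTip(500, ...)`. The helper below needs a `java.util.Locale` import, and `ErrorTip` one for `com.stylefeng.guns.core.base.tips.ErrorTip` (already imported by `TCarController`).
```java
/** True when {@code path} (a stored file name or URL; any query string is ignored) ends in an allowed image extension. */
private static boolean isAllowedImageName(String path) {
    if (path == null) {
        return false;
    }
    int cut = path.indexOf('?');
    String lower = (cut < 0 ? path : path.substring(0, cut)).toLowerCase(Locale.ROOT);
    return lower.endsWith(".png") || lower.endsWith(".jpg") || lower.endsWith(".jpeg");
}

// … in add(): …
if (ToolUtil.isNotEmpty(avatar) && !isAllowedImageName(avatar)) {
    return new ErrorTip(500, "请上传png/jpg格式的头像照片!");
}
// … unchanged: tAppUserService.insert(tAppUser); return SUCCESS_TIP; …
```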
@@ -257,6 +263,10 @@
     @RequestMapping(value = "/update")
     @ResponseBody
     public Object update(TAppUser tAppUser) {
+        String avatar = tAppUser.getAvatar();
+        if(ToolUtil.isNotEmpty(avatar) && !avatar.contains("png") && !avatar.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的头像照片!");
+        }
         tAppUserService.updateById(tAppUser);
         return SUCCESS_TIP;
     }
diff --git a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TCarController.java b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TCarController.java
index 2f13bf5..014330d 100644
--- a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TCarController.java
+++ b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TCarController.java
@@ -4,12 +4,10 @@
 import com.baomidou.mybatisplus.plugins.Page;
 import com.stylefeng.guns.core.base.controller.BaseController;
 import com.stylefeng.guns.core.base.tips.ErrorTip;
+import com.stylefeng.guns.core.base.tips.SuccessTip;
 import com.stylefeng.guns.core.common.constant.factory.PageFactory;
 import com.stylefeng.guns.core.shiro.ShiroKit;
-import com.stylefeng.guns.core.util.DateUtil;
-import com.stylefeng.guns.core.util.ExcelExportUtil;
-import com.stylefeng.guns.core.util.SinataUtil;
-import com.stylefeng.guns.core.util.WoUtil;
+import com.stylefeng.guns.core.util.*;
 import com.stylefeng.guns.modular.system.dao.CarInsuranceMapper;
 import com.stylefeng.guns.modular.system.model.*;
 import com.stylefeng.guns.modular.system.service.*;
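Review bot: The four explicit `com.stylefeng.guns.core.util` imports were collapsed into `import com.stylefeng.guns.core.util.*;` only to bring in `ToolUtil`, while the rest of the file's single-class imports stay explicit. The project has a `DateUtil` in both `core.util` and `modular.system.util` (the latter is imported by `TDriverController` in this same commit), so wildcards here invite shadowing mistakes later. Keep the four original lines and add `import com.stylefeng.guns.core.util.ToolUtil;`.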
@@ -361,6 +359,14 @@
     @RequestMapping(value = "/add")
     @ResponseBody
     public Object add(TCar tCar,@RequestParam String serverBox,Integer roleType,Integer companyType,Integer oneId,Integer twoId,Integer franchiseeId,String zcModel,String kcModel) {
+        String carPhoto = tCar.getCarPhoto();
+        if(ToolUtil.isNotEmpty(carPhoto) && !carPhoto.contains("png") && !carPhoto.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的车辆照片!");
+        }
+        String drivingLicensePhoto = tCar.getDrivingLicensePhoto();
+        if(ToolUtil.isNotEmpty(drivingLicensePhoto) && !drivingLicensePhoto.contains("png") && !drivingLicensePhoto.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的行驶证照片!");
+        }
         if (1 == roleType){  //平台
             if (2 == companyType.intValue()){
                 if (SinataUtil.isNotEmpty(oneId)){
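Review bot: A rejected request is answered with `new SuccessTip(500, ...)`, a "success" tip carrying an error code, while `ErrorTip` is already imported in this file; use `return new ErrorTip(500, "请上传png/jpg格式的车辆照片!");` (and likewise for the driving-licence branch and in `update` below) so clients that key on the tip type do not treat the rejection as success. The checks themselves use `contains("png")`, a substring test rather than an extension check, with the same weakness as the other controllers in this commit. `add` continues beyond the hunk.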
@@ -400,6 +406,7 @@
         }
         tCar.setInsertTime(new Date());
         tCar.setState(1);
+
         tCarService.insert(tCar);
 
         //添加经营业务
@@ -443,6 +450,14 @@
     @RequestMapping(value = "/update")
     @ResponseBody
     public Object update(TCar tCar,@RequestParam String serverBox,Integer roleType,Integer companyType,Integer oneId,Integer twoId,Integer franchiseeId,String zcModel,String kcModel) {
+        String carPhoto = tCar.getCarPhoto();
+        if(ToolUtil.isNotEmpty(carPhoto) && !carPhoto.contains("png") && !carPhoto.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的车辆照片!");
+        }
+        String drivingLicensePhoto = tCar.getDrivingLicensePhoto();
+        if(ToolUtil.isNotEmpty(drivingLicensePhoto) && !drivingLicensePhoto.contains("png") && !drivingLicensePhoto.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的行驶证照片!");
+        }
         if (1 == roleType){  //平台
             if (2 == companyType.intValue()){
                 if (SinataUtil.isNotEmpty(oneId)){
diff --git a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TDriverController.java b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TDriverController.java
index 2eac5a1..37cb1d2 100644
--- a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TDriverController.java
+++ b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/general/TDriverController.java
@@ -9,6 +9,7 @@
 import com.stylefeng.guns.core.log.LogObjectHolder;
 import com.stylefeng.guns.core.shiro.ShiroKit;
 import com.stylefeng.guns.core.shiro.ShiroUser;
+import com.stylefeng.guns.core.util.ToolUtil;
 import com.stylefeng.guns.modular.system.controller.resp.TDriverCommissionResp;
 import com.stylefeng.guns.modular.system.controller.resp.TDriverResp;
 import com.stylefeng.guns.modular.system.controller.util.ExcelUtil;
@@ -19,6 +20,7 @@
 import com.stylefeng.guns.modular.system.enums.UserTypeEnum;
 import com.stylefeng.guns.modular.system.model.*;
 import com.stylefeng.guns.modular.system.service.*;
+import com.stylefeng.guns.modular.system.util.AESUtil;
 import com.stylefeng.guns.modular.system.util.DateUtil;
 import com.stylefeng.guns.modular.system.util.RedisUtil;
 //import com.stylefeng.guns.modular.system.util.bank.BankUtil;
@@ -360,6 +362,9 @@
         List<TDriver> tDrivers = tDriverService.selectList(wrapper);
         List<TDriverResp> tDriverResp = tDriverService.getTDriverResp(tDrivers);
         for (TDriverResp driverResp : tDriverResp) {
+            driverResp.setIdcard(AESUtil.encrypt(driverResp.getIdcard()));
+            driverResp.setName(AESUtil.encrypt(driverResp.getName()));
+            driverResp.setPhone(AESUtil.encrypt(driverResp.getPhone()));
             TDriverWork tDriverWork = tDriverWorkService.selectOne(new EntityWrapper<TDriverWork>()
                     .eq("driverId", driverResp.getId())
                     .orderBy("workTime", false)
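Review bot: Encrypting `idcard`, `name` and `phone` in the list response with `AESUtil.encrypt` does not protect the data: the key and IV are fixed literals, the identical values are delivered to every browser in `_container.html`, and the table decrypts them client-side, so anyone who can load the page reads the fields exactly as before while the database rows are unchanged. `AESUtil.encrypt` also returns its input unchanged on any exception, so a failure silently sends the plaintext. If the goal is to limit exposure of driver PII in the admin list, do it server-side with masking (e.g. show only the last digits of `phone`/`idcard` and serve the full value only from an authorised detail endpoint) rather than reversible obfuscation; if the goal is transport confidentiality, that is TLS's job. The loop continues past the hunk.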
@@ -575,7 +580,22 @@
     @RequestMapping(value = "/add")
     @ResponseBody
     public Object add(TDriver tDriver) {
-
+        String avatar = tDriver.getAvatar();
+        if(ToolUtil.isNotEmpty(avatar) && !avatar.contains("png") && !avatar.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的头像图片!");
+        }
+        String driverLicense = tDriver.getDriverLicense();
+        if(ToolUtil.isNotEmpty(driverLicense) && !driverLicense.contains("png") && !driverLicense.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的驾驶证照片!");
+        }
+        String idcardFront = tDriver.getIdcardFront();
+        if(ToolUtil.isNotEmpty(idcardFront) && !idcardFront.contains("png") && !idcardFront.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的身份证正面照!");
+        }
+        String idcardBack = tDriver.getIdcardBack();
+        if(ToolUtil.isNotEmpty(idcardBack) && !idcardBack.contains("png") && !idcardBack.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的身份证背面照!");
+        }
         int count = tDriverService.selectCount(new EntityWrapper<TDriver>().eq("phone", tDriver.getPhone()));
         if(count>0){
             return new SuccessTip(500,"该司机已存在!");
@@ -677,6 +697,22 @@
     @RequestMapping(value = "/update")
     @ResponseBody
     public Object update(TDriver tDriver) {
+        String avatar = tDriver.getAvatar();
+        if(ToolUtil.isNotEmpty(avatar) && !avatar.contains("png") && !avatar.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的头像图片!");
+        }
+        String driverLicense = tDriver.getDriverLicense();
+        if(ToolUtil.isNotEmpty(driverLicense) && !driverLicense.contains("png") && !driverLicense.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的驾驶证照片!");
+        }
+        String idcardFront = tDriver.getIdcardFront();
+        if(ToolUtil.isNotEmpty(idcardFront) && !idcardFront.contains("png") && !idcardFront.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的身份证正面照!");
+        }
+        String idcardBack = tDriver.getIdcardBack();
+        if(ToolUtil.isNotEmpty(idcardBack) && !idcardBack.contains("png") && !idcardBack.contains("jpg")){
+            return new SuccessTip(500,"请上传png/jpg格式的身份证背面照!");
+        }
         TDriver driver = tDriverService.selectOne(new EntityWrapper<TDriver>().eq("phone", tDriver.getPhone())
                 .last("LIMIT 1"));
         if(Objects.nonNull(driver) && !tDriver.getId().equals(driver.getId())){
diff --git a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/system/LoginController.java b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/system/LoginController.java
index 1c19d87..33d3b0e 100644
--- a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/system/LoginController.java
+++ b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/system/LoginController.java
@@ -18,6 +18,7 @@
 import com.stylefeng.guns.modular.system.model.User;
 import com.stylefeng.guns.modular.system.service.IMenuService;
 import com.stylefeng.guns.modular.system.service.IUserService;
+import com.stylefeng.guns.modular.system.util.AESUtil;
 import com.stylefeng.guns.modular.system.util.AESUtils;
 import com.stylefeng.guns.modular.system.util.RedisUtil;
 import org.apache.shiro.authc.SimpleAuthenticationInfo;
@@ -121,6 +122,7 @@
      */
     @RequestMapping(value = "/login", method = RequestMethod.POST)
     public String loginVali(String username, String password,String sms_code, String remember, Model model, HttpServletRequest request) {
+        password = AESUtil.decrypt(password);
         Integer f = loginFailures.get(username);
         f = f == null ? 0 : f;
         // 校验账号,密码是否正确,如果错误,对次数进行加1
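Review bot: `password = AESUtil.decrypt(password);` accepts whatever the client sends: because `decrypt` returns its input unchanged when decryption fails, a raw plaintext password submitted without the page's JavaScript is still authenticated, so the scheme can be bypassed and a malformed ciphertext is never reported. With the key and a fixed IV embedded in `login.html`, the same password always yields the same ciphertext and anyone able to read the page source can decrypt the submitted value, so this adds no confidentiality beyond TLS; if it is kept as defence-in-depth, have `decrypt` throw on failure and reject the login here. The file now imports both `AESUtil` and `AESUtils` — confirm which is meant to survive, since two near-identical helpers with different keys will be confused. `loginVali` continues beyond the hunk.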
diff --git a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/util/AESUtil.java b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/util/AESUtil.java
new file mode 100644
index 0000000..cc8bc3d
--- /dev/null
+++ b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/util/AESUtil.java
@@ -0,0 +1,90 @@
+package com.stylefeng.guns.modular.system.util;
+
+
+import com.stylefeng.guns.core.util.ToolUtil;
+import org.springframework.util.Base64Utils;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+ * 定义AES加密解密工具类
+ */
+public class AESUtil {
+
+    private static final String KEY_ALGORITHM = "AES";//加密方式
+
+    private static final String DEFAULT_CIPHER_ALGORITHM = "AES/CBC/PKCS5Padding";//默认的加密算法
+
+    private static final String KEY = "xqT86jictTPpHMem";//密码
+
+    private static final String IV_PARAMETER = "xqT86jicxqT86jic";//偏移量
+
+    private static final String CHARSET = "UTF-8";//编码
+
+
+
+
+    /**
+     * 加密操作
+     * @param content  待加密内容
+     * @return
+     * @throws Exception
+     */
+    public static String encrypt(String content) {
+        try {
+            if(ToolUtil.isEmpty(content)){
+                return content;
+            }
+            Cipher cipher = Cipher.getInstance(DEFAULT_CIPHER_ALGORITHM);
+            byte[] raw = KEY.getBytes(CHARSET);
+            SecretKeySpec skeySpec = new SecretKeySpec(raw, KEY_ALGORITHM);
+            IvParameterSpec iv = new IvParameterSpec(IV_PARAMETER.getBytes());
+            cipher.init(Cipher.ENCRYPT_MODE, skeySpec, iv);
+            byte[] encrypted = cipher.doFinal(content.getBytes(CHARSET));
+            return Base64Utils.encodeToString(encrypted);
+        }catch (Exception e){
+            e.printStackTrace();
+        }
+        return content;
+    }
+
+    /**
+     *解密操作
+     * @param content 待解密内容
+     * @return
+     * @throws Exception
+     */
+    public static String decrypt(String content) {
+        try {
+            if(ToolUtil.isEmpty(content)){
+                return content;
+            }
+            byte[] raw = KEY.getBytes(CHARSET);
+            SecretKeySpec skeySpec = new SecretKeySpec(raw, KEY_ALGORITHM);
+            Cipher cipher = Cipher.getInstance(DEFAULT_CIPHER_ALGORITHM);
+            IvParameterSpec iv = new IvParameterSpec(IV_PARAMETER.getBytes());
+            cipher.init(Cipher.DECRYPT_MODE, skeySpec, iv);
+
+            byte[] encrypted1 = Base64Utils.decodeFromString(content);
+            byte[] original = cipher.doFinal(encrypted1);
+            String originalString = new String(original, CHARSET);
+            return originalString;
+        } catch (Exception ex) {
+            ex.printStackTrace();
+        }
+        return content;
+    }
+
+
+    public static void main(String[] ages){
+//        String encrypt = AESUtil.encrypt("19167181339");
+//        System.err.println(encrypt);
+        String travel = AESUtil.decrypt("tw1pslwtyVl58hz4A9HauCmgWtML1DKJKGIOxVhv9KE=");
+        System.err.println(travel);
+
+//        String decrypt = DESUtil.decrypt("xqT86jictTPpHMem", "uFT7jx9P7+t8n1IVQsxn7A==");
+//        System.err.println(decrypt);
+    }
+}
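Review bot: `decrypt` and `encrypt` swallow every exception with `printStackTrace` and return the input unchanged, so a caller such as `loginVali` cannot tell a decrypted value from a raw one that failed to decrypt; the helpers should fail closed by throwing, and `IV_PARAMETER.getBytes()` should use the same explicit charset as the key rather than the platform default. The key and IV are literals in source (and the same values are shipped to every browser in `_container.html` and `login.html`), so this gives no confidentiality against anyone who can read the page; move the key to configuration, and since AES/CBC with a fixed IV makes equal plaintexts produce equal ciphertexts, derive a fresh IV per message if the scheme is kept. The `main` method with an embedded ciphertext sample and the commented-out DESUtil calls should be deleted, and the `@throws Exception` tags are wrong since nothing is thrown. Rewritten `decrypt` below; `encrypt` mirrors it (both need `java.nio.charset.StandardCharsets` and `java.security.GeneralSecurityException` imports).
```java
public static String decrypt(String content) {
    if (ToolUtil.isEmpty(content)) {
        return content;
    }
    try {
        Cipher cipher = Cipher.getInstance(DEFAULT_CIPHER_ALGORITHM);
        // Same explicit charset for key and IV; the IV previously used the platform default.
        SecretKeySpec keySpec = new SecretKeySpec(KEY.getBytes(StandardCharsets.UTF_8), KEY_ALGORITHM);
        IvParameterSpec iv = new IvParameterSpec(IV_PARAMETER.getBytes(StandardCharsets.UTF_8));
        cipher.init(Cipher.DECRYPT_MODE, keySpec, iv);
        byte[] plain = cipher.doFinal(Base64Utils.decodeFromString(content));
        return new String(plain, StandardCharsets.UTF_8);
    } catch (GeneralSecurityException | IllegalArgumentException e) {
        // Fail closed: callers must not mistake the untouched input for a decrypted value.
        throw new IllegalArgumentException("AES decrypt failed", e);
    }
}
// … encrypt mirrors this, throwing IllegalStateException on GeneralSecurityException …
```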
diff --git a/management/guns-admin/src/main/webapp/WEB-INF/view/common/_container.html b/management/guns-admin/src/main/webapp/WEB-INF/view/common/_container.html
index 1c500bf..00b43a7 100644
--- a/management/guns-admin/src/main/webapp/WEB-INF/view/common/_container.html
+++ b/management/guns-admin/src/main/webapp/WEB-INF/view/common/_container.html
@@ -66,6 +66,7 @@
     <script type="text/javascript" charset="utf-8" src="${ctxPath}/djadmin/static/js/ueditor/jsp/ueditor.config.js"></script>
     <script type="text/javascript" charset="utf-8" src="${ctxPath}/djadmin/static/js/ueditor/jsp/ueditor.all.js"></script>
     <script type="text/javascript" charset="utf-8" src="${ctxPath}/djadmin/static/js/ueditor/jsp/lang/zh-cn/zh-cn.js"></script>
+    <script src="${ctxPath}/djadmin/static/crypto-js/crypto-js.js"></script>
     <!--<style type="text/css">
         table{  
             width:100px;  
@@ -288,7 +289,35 @@
                 }
             });
         }
+        var key = CryptoJS.enc.Utf8.parse("xqT86jictTPpHMem");
+        var iv = CryptoJS.enc.Utf8.parse("xqT86jicxqT86jic");
 
+        //aes加密
+        function encrypt(context) {
+            var encrypted = '';
+            if (typeof(context) == 'string') {
+
+            }else if(typeof(context) == 'object'){
+                context = JSON.stringify(context);
+            }
+            var srcs = CryptoJS.enc.Utf8.parse(context);
+            encrypted = CryptoJS.AES.encrypt(srcs, key, {
+                iv: iv,
+                mode: CryptoJS.mode.CBC,
+                padding: CryptoJS.pad.Pkcs7
+            });
+            return encrypted.toString();
+        }
+        // aes解密
+        function decrypt(context) {
+            var decrypt = CryptoJS.AES.decrypt(context, key, {
+                iv: iv,
+                mode: CryptoJS.mode.CBC,
+                padding: CryptoJS.pad.Pkcs7
+            });
+            var decryptedStr = decrypt.toString(CryptoJS.enc.Utf8);
+            return decryptedStr.toString();
+        }
         // 页面加载完成后启动轮询
         $(document).ready(function() {
             // 延迟5秒后开始轮询,避免页面加载时的性能影响
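Review bot: The shared layout now defines the globals `key`, `iv`, `encrypt` and `decrypt`, so any page script that reuses those plain names will silently clobber them or be clobbered; wrap them in one namespace, e.g. `window.AesCrypto = { encrypt: encrypt, decrypt: decrypt };`, and keep `key`/`iv` local to it. The `if (typeof(context) == 'string') { }` branch is empty and can be dropped. Being embedded in every admin page, these key and IV values are readable by any user of the site, so nothing encrypted with them is confidential from page users.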
diff --git a/management/guns-admin/src/main/webapp/WEB-INF/view/login.html b/management/guns-admin/src/main/webapp/WEB-INF/view/login.html
index ef17a18..b216912 100644
--- a/management/guns-admin/src/main/webapp/WEB-INF/view/login.html
+++ b/management/guns-admin/src/main/webapp/WEB-INF/view/login.html
@@ -115,8 +115,8 @@
             $("#kaptcha").attr('src', '${ctxPath}/djadmin/kaptcha?' + Math.floor(Math.random() * 100)).fadeIn();
         });
     });
-    var key = CryptoJS.enc.Utf8.parse("c53fd327353a09a1");
-    var iv = CryptoJS.enc.Utf8.parse("3a0565e3b1d8ae3d");
+    var key = CryptoJS.enc.Utf8.parse("xqT86jictTPpHMem");
+    var iv = CryptoJS.enc.Utf8.parse("xqT86jicxqT86jic");
 
     //aes加密
     function encrypt(context) {
@@ -145,9 +145,9 @@
         return decryptedStr.toString();
     }
     function login(){
-        // let password = $('#password').val();
-        // password = encrypt(password);
-        // $('#password').val(password);
+        let password = $('#password').val();
+        password = encrypt(password);
+        $('#password').val(password);
         $('#submit').submit();
     }
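Review bot: `login()` overwrites `#password` with its ciphertext before submitting; if the submit is cancelled or the form is re-submitted without a reload (the form handling is outside the hunk, so this is inferred), the next click encrypts the ciphertext again and, since the server's `decrypt` falls back to the raw input on failure, the user gets a misleading wrong-password error. Put the encrypted value in a hidden field or a local variable instead of mutating the visible input, e.g. `$('#encPassword').val(encrypt($('#password').val()));`. Note also that `key`/`iv` were changed to the values now used server-side, so that secret is published in page source; treat it as non-secret and rely on TLS for the password's confidentiality.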
 
diff --git a/management/guns-admin/src/main/webapp/static/modular/system/tDriver/tDriver.js b/management/guns-admin/src/main/webapp/static/modular/system/tDriver/tDriver.js
index e431fdc..9eead40 100644
--- a/management/guns-admin/src/main/webapp/static/modular/system/tDriver/tDriver.js
+++ b/management/guns-admin/src/main/webapp/static/modular/system/tDriver/tDriver.js
@@ -16,8 +16,16 @@
         {field: 'selectItem', radio: true},
             {title: '主键', field: 'id', visible: true, align: 'center', valign: 'middle'},
             {title: '编号', field: 'code', visible: true, align: 'center', valign: 'middle'},
-            {title: '姓名', field: 'name', visible: true, align: 'center', valign: 'middle'},
-            {title: '手机号', field: 'phone', visible: true, align: 'center', valign: 'middle'},
+            {title: '姓名', field: 'name', visible: true, align: 'center', valign: 'middle',
+                formatter: function (value, row) {
+                    return decrypt(value);
+                }
+            },
+            {title: '手机号', field: 'phone', visible: true, align: 'center', valign: 'middle',
+                formatter: function (value, row) {
+                    return decrypt(value);
+                }
+            },
             {title: '性别', field: 'sex', visible: true, align: 'center', valign: 'middle',
                 formatter: function (value, row) {
                     if (row.sex === 1){
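Review bot: The new `name`/`phone` formatters (and the `idcard` one in the next hunk) call `decrypt(value)` unguarded; the server returns empty values untouched and a missing field arrives as `null`, so add a guard such as `if (!value) { return ''; }` before decrypting. If this is bootstrap-table, a formatter's return value is inserted as HTML unless the table's `escape` option is set (not visible here), so a driver name containing markup would render as markup once decrypted — return an escaped string or confirm `escape: true`. `decrypt` itself is defined in the shared layout, outside this file.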
@@ -29,7 +37,11 @@
                     }
                 }},
         {title: '驾驶证号码', field: 'driverLicenseNumber', visible: true, align: 'center', valign: 'middle'},
-        {title: '身份证号码', field: 'idcard', visible: true, align: 'center', valign: 'middle'},
+        {title: '身份证号码', field: 'idcard', visible: true, align: 'center', valign: 'middle',
+            formatter: function (value, row) {
+                return decrypt(value);
+            }
+        },
         {title: '身份证', field: 'source', visible: true, align: 'center', valign: 'middle',
             formatter: function (value, row) {
                 if (null != row.idcardFront){

--
Gitblit v1.7.1