From 0dc26533584ea2269917d00aebc5b12a1017d121 Mon Sep 17 00:00:00 2001 From: RuoYi <yzz_ivy@163.com> Date: 星期四, 06 一月 2022 14:51:09 +0800 Subject: [PATCH] 定时任务目标字符串验证包名白名单 --- src/main/java/com/ruoyi/common/constant/Constants.java | 12 +++++++++++- src/main/java/com/ruoyi/common/utils/job/ScheduleUtils.java | 24 +++++++++++++++++++++++- src/main/java/com/ruoyi/project/monitor/controller/SysJobController.java | 17 +++++++++++++---- 3 files changed, 47 insertions(+), 6 deletions(-) diff --git a/src/main/java/com/ruoyi/common/constant/Constants.java b/src/main/java/com/ruoyi/common/constant/Constants.java index 20429f8..dc3e59c 100644 --- a/src/main/java/com/ruoyi/common/constant/Constants.java +++ b/src/main/java/com/ruoyi/common/constant/Constants.java @@ -150,8 +150,18 @@ public static final String LOOKUP_LDAP = "ldap:"; /** + * LDAPS 杩滅▼鏂规硶璋冪敤 + */ + public static final String LOOKUP_LDAPS = "ldaps:"; + + /** + * 瀹氭椂浠诲姟鐧藉悕鍗曢厤缃紙浠呭厑璁歌闂殑鍖呭悕锛屽鍏朵粬闇�瑕佸彲浠ヨ嚜琛屾坊鍔狅級 + */ + public static final String[] JOB_WHITELIST_STR = { "com.ruoyi" }; + + /** * 瀹氭椂浠诲姟杩濊鐨勫瓧绗� */ public static final String[] JOB_ERROR_STR = { "java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml", - "org.springframework" }; + "org.springframework", "org.apache" }; } diff --git a/src/main/java/com/ruoyi/common/utils/job/ScheduleUtils.java b/src/main/java/com/ruoyi/common/utils/job/ScheduleUtils.java index bfadce2..66b1ac9 100644 --- a/src/main/java/com/ruoyi/common/utils/job/ScheduleUtils.java +++ b/src/main/java/com/ruoyi/common/utils/job/ScheduleUtils.java @@ -10,9 +10,11 @@ import org.quartz.SchedulerException; import org.quartz.TriggerBuilder; import org.quartz.TriggerKey; +import com.ruoyi.common.constant.Constants; import com.ruoyi.common.constant.ScheduleConstants; import com.ruoyi.common.exception.job.TaskException; import com.ruoyi.common.exception.job.TaskException.Code; +import com.ruoyi.common.utils.StringUtils; import com.ruoyi.project.monitor.domain.SysJob; /** 
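Review bot: `JOB_WHITELIST_STR`, like `JOB_ERROR_STR` next to it, is a public `String[]`; `final` pins only the reference, so any code in the JVM can overwrite `JOB_WHITELIST_STR[0]` at runtime and silently widen what scheduled jobs are allowed to invoke. Since `StringUtils.containsAnyIgnoreCase` takes an array, the smallest change is to keep the arrays private and hand out a copy through an accessor, or switch the helper to accept a `List` and declare the constants with `List.of(...)`. The Javadoc should also state how the entries are applied, because `"com.ruoyi"` has no trailing dot and is used as a case-insensitive substring pattern rather than a package prefix, e.g. `Case-insensitive substrings that a job's invoke target must contain (see ScheduleUtils.whiteList)`.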
@@ -110,4 +112,24 @@ + "' cannot be used in cron schedule tasks", Code.CONFIG_ERROR); } } -} \ No newline at end of file + + /** + * 妫�鏌ュ寘鍚嶆槸鍚︿负鐧藉悕鍗曢厤缃� + * + * @param invokeTarget 鐩爣瀛楃涓� + * @return 缁撴灉 + */ + public static boolean whiteList(String invokeTarget) + { + String packageName = StringUtils.substringBefore(invokeTarget, ")"); + int count = StringUtils.countMatches(packageName, "."); + if (count > 1) + { + if (!StringUtils.containsAnyIgnoreCase(invokeTarget, Constants.JOB_WHITELIST_STR)) + { + return false; + } + } + return true; + } +} diff --git a/src/main/java/com/ruoyi/project/monitor/controller/SysJobController.java b/src/main/java/com/ruoyi/project/monitor/controller/SysJobController.java index f4744f6..3cb2ab4 100644 --- a/src/main/java/com/ruoyi/project/monitor/controller/SysJobController.java +++ b/src/main/java/com/ruoyi/project/monitor/controller/SysJobController.java @@ -17,6 +17,7 @@ import com.ruoyi.common.exception.job.TaskException; import com.ruoyi.common.utils.StringUtils; import com.ruoyi.common.utils.job.CronUtils; +import com.ruoyi.common.utils.job.ScheduleUtils; import com.ruoyi.common.utils.poi.ExcelUtil; import com.ruoyi.framework.aspectj.lang.annotation.Log; import com.ruoyi.framework.aspectj.lang.enums.BusinessType; 
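Review bot: The whitelist test on the `containsAnyIgnoreCase` line is run against the whole `invokeTarget`, argument list included, so a target whose class is outside `com.ruoyi` is still accepted whenever the whitelisted text appears in one of its parameters; the `substringBefore(invokeTarget, ")")` line has the same flaw, because cutting at the closing parenthesis keeps the arguments in `packageName` and any dots inside them inflate `count`. Both are fixed by cutting at the opening parenthesis and matching only that prefix: `String packageName = StringUtils.substringBefore(invokeTarget, "(");` and `return StringUtils.containsAnyIgnoreCase(packageName, Constants.JOB_WHITELIST_STR);` in place of the nested `if`. Targets with at most one dot — presumably bean-name invocations — fall through to `return true` with no check on the bean's package; if that is intended it needs a comment saying so, otherwise the bean's class should be resolved and held to the same whitelist. The `@return` line of the Javadoc says nothing about the contract; `@return true if the class prefix of the target is whitelisted (or the target is a bean-name call), false otherwise` would.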
@@ -89,17 +90,21 @@ { return error("鏂板浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆涓嶅厑璁�'rmi:'璋冪敤"); } - else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_LDAP)) + else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.LOOKUP_LDAP, Constants.LOOKUP_LDAPS })) { return error("鏂板浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆涓嶅厑璁�'ldap:'璋冪敤"); } else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS })) { - return error("鏂板浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆涓嶅厑璁�'http(s)//'璋冪敤"); + return error("鏂板浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆涓嶅厑璁�'http(s)'璋冪敤"); } else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR)) { return error("鏂板浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆瀛樺湪杩濊"); + } + else if (!ScheduleUtils.whiteList(job.getInvokeTarget())) + { + return error("鏂板浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆涓嶅湪鐧藉悕鍗曞唴"); } job.setCreateBy(getUsername()); return toAjax(jobService.insertJob(job)); 
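Review bot: The new `!ScheduleUtils.whiteList(...)` branch is the fifth rule in a validation chain that is duplicated verbatim between this `add` method and the `edit` method in the next hunk, and the two copies have already drifted in their message text; extracting one `private String checkInvokeTarget(SysJob job, String action)` that returns the error message or `null`, and calling it from both methods, would keep the allow/deny rules in a single place. Because the checks live in the controller, any other caller of `jobService.insertJob` or `updateJob` — or a later endpoint added to this controller — would bypass them; if such paths exist, the check belongs in the service or in `ScheduleUtils` where the job is created. The enclosing method begins before the hunk.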
@@ -121,18 +126,22 @@ { return error("淇敼浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆涓嶅厑璁�'rmi'璋冪敤"); } - else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_LDAP)) + else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.LOOKUP_LDAP, Constants.LOOKUP_LDAPS })) { return error("淇敼浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆涓嶅厑璁�'ldap'璋冪敤"); } else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS })) { - return error("淇敼浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆涓嶅厑璁�'http(s)//'璋冪敤"); + return error("淇敼浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆涓嶅厑璁�'http(s)'璋冪敤"); } else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR)) { return error("淇敼浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆瀛樺湪杩濊"); } + else if (!ScheduleUtils.whiteList(job.getInvokeTarget())) + { + return error("鏂板浠诲姟'" + job.getJobName() + "'澶辫触锛岀洰鏍囧瓧绗︿覆涓嶅湪鐧藉悕鍗曞唴"); + } job.setUpdateBy(getUsername()); return toAjax(jobService.updateJob(job)); } -- Gitblit v1.9.3
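Review bot: The error on the new `!ScheduleUtils.whiteList(...)` branch is built with the prefix literal `鏂板浠诲姟`, the prefix every message in the `add` method uses, while every other `return error(...)` in this method starts with `淇敼浠诲姟`; the line was evidently copied from the add hunk and its prefix should be changed to match its siblings here. The `http(s)` message edit in the same hunk shows the two methods are otherwise meant to be kept in step, which is one more reason to share a single validation helper between them. The enclosing method begins before the hunk.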