From ce3298b9b01d83aea11bd144ccdc2e890a75cd97 Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: 星期三, 26 六月 2024 19:52:25 +0800
Subject: [PATCH] 升级spring-security到安全版本,防止漏洞风险
---
src/main/java/com/ruoyi/framework/aspectj/LogAspect.java | 64 +++++++++++++++++++++++++------
1 files changed, 51 insertions(+), 13 deletions(-)
diff --git a/src/main/java/com/ruoyi/framework/aspectj/LogAspect.java b/src/main/java/com/ruoyi/framework/aspectj/LogAspect.java
index eb3f9a0..19a857f 100644
--- a/src/main/java/com/ruoyi/framework/aspectj/LogAspect.java
+++ b/src/main/java/com/ruoyi/framework/aspectj/LogAspect.java
@@ -4,18 +4,21 @@
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.lang3.ArrayUtils;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.AfterThrowing;
import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.springframework.core.NamedThreadLocal;
import org.springframework.stereotype.Component;
import org.springframework.validation.BindingResult;
import org.springframework.web.multipart.MultipartFile;
-import org.springframework.web.servlet.HandlerMapping;
-import com.alibaba.fastjson.JSON;
+import com.alibaba.fastjson2.JSON;
import com.ruoyi.common.enums.HttpMethod;
+import com.ruoyi.common.filter.PropertyPreExcludeFilter;
import com.ruoyi.common.utils.SecurityUtils;
import com.ruoyi.common.utils.ServletUtils;
import com.ruoyi.common.utils.StringUtils;
@@ -26,6 +29,7 @@
import com.ruoyi.framework.manager.factory.AsyncFactory;
import com.ruoyi.framework.security.LoginUser;
import com.ruoyi.project.monitor.domain.SysOperLog;
+import com.ruoyi.project.system.domain.SysUser;
/**
* 鎿嶄綔鏃ュ織璁板綍澶勭悊
@@ -37,6 +41,21 @@
public class LogAspect
{
private static final Logger log = LoggerFactory.getLogger(LogAspect.class);
+
+ /** 鎺掗櫎鏁忔劅灞炴�у瓧娈� */
+ public static final String[] EXCLUDE_PROPERTIES = { "password", "oldPassword", "newPassword", "confirmPassword" };
+
+ /** 璁$畻鎿嶄綔娑堣�楁椂闂� */
+ private static final ThreadLocal<Long> TIME_THREADLOCAL = new NamedThreadLocal<Long>("Cost Time");
+
+ /**
+ * 澶勭悊璇锋眰鍓嶆墽琛�
+ */
+ @Before(value = "@annotation(controllerLog)")
+ public void boBefore(JoinPoint joinPoint, Log controllerLog)
+ {
+ TIME_THREADLOCAL.set(System.currentTimeMillis());
+ }
/**
* 澶勭悊瀹岃姹傚悗鎵ц
@@ -72,12 +91,17 @@
SysOperLog operLog = new SysOperLog();
operLog.setStatus(BusinessStatus.SUCCESS.ordinal());
// 璇锋眰鐨勫湴鍧�
- String ip = IpUtils.getIpAddr(ServletUtils.getRequest());
+ String ip = IpUtils.getIpAddr();
operLog.setOperIp(ip);
- operLog.setOperUrl(ServletUtils.getRequest().getRequestURI());
+ operLog.setOperUrl(StringUtils.substring(ServletUtils.getRequest().getRequestURI(), 0, 255));
if (loginUser != null)
{
operLog.setOperName(loginUser.getUsername());
+ SysUser currentUser = loginUser.getUser();
+ if (StringUtils.isNotNull(currentUser) && StringUtils.isNotNull(currentUser.getDept()))
+ {
+ operLog.setDeptName(currentUser.getDept().getDeptName());
+ }
}
if (e != null)
@@ -93,15 +117,20 @@
operLog.setRequestMethod(ServletUtils.getRequest().getMethod());
// 澶勭悊璁剧疆娉ㄨВ涓婄殑鍙傛暟
getControllerMethodDescription(joinPoint, controllerLog, operLog, jsonResult);
+ // 璁剧疆娑堣�楁椂闂�
+ operLog.setCostTime(System.currentTimeMillis() - TIME_THREADLOCAL.get());
// 淇濆瓨鏁版嵁搴�
AsyncManager.me().execute(AsyncFactory.recordOper(operLog));
}
catch (Exception exp)
{
// 璁板綍鏈湴寮傚父鏃ュ織
- log.error("==鍓嶇疆閫氱煡寮傚父==");
log.error("寮傚父淇℃伅:{}", exp.getMessage());
exp.printStackTrace();
+ }
+ finally
+ {
+ TIME_THREADLOCAL.remove();
}
}
@@ -124,7 +153,7 @@
if (log.isSaveRequestData())
{
// 鑾峰彇鍙傛暟鐨勪俊鎭紝浼犲叆鍒版暟鎹簱涓��
- setRequestValue(joinPoint, operLog);
+ setRequestValue(joinPoint, operLog, log.excludeParamNames());
}
// 鏄惁闇�瑕佷繚瀛榬esponse锛屽弬鏁板拰鍊�
if (log.isSaveResponseData() && StringUtils.isNotNull(jsonResult))
@@ -139,25 +168,26 @@
* @param operLog 鎿嶄綔鏃ュ織
* @throws Exception 寮傚父
*/
- private void setRequestValue(JoinPoint joinPoint, SysOperLog operLog) throws Exception
+ private void setRequestValue(JoinPoint joinPoint, SysOperLog operLog, String[] excludeParamNames) throws Exception
{
String requestMethod = operLog.getRequestMethod();
- if (HttpMethod.PUT.name().equals(requestMethod) || HttpMethod.POST.name().equals(requestMethod))
+ Map<?, ?> paramsMap = ServletUtils.getParamMap(ServletUtils.getRequest());
+ if (StringUtils.isEmpty(paramsMap)
+ && (HttpMethod.PUT.name().equals(requestMethod) || HttpMethod.POST.name().equals(requestMethod)))
{
- String params = argsArrayToString(joinPoint.getArgs());
+ String params = argsArrayToString(joinPoint.getArgs(), excludeParamNames);
operLog.setOperParam(StringUtils.substring(params, 0, 2000));
}
else
{
- Map<?, ?> paramsMap = (Map<?, ?>) ServletUtils.getRequest().getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);
- operLog.setOperParam(StringUtils.substring(paramsMap.toString(), 0, 2000));
+ operLog.setOperParam(StringUtils.substring(JSON.toJSONString(paramsMap, excludePropertyPreFilter(excludeParamNames)), 0, 2000));
}
}
/**
* 鍙傛暟鎷艰
*/
- private String argsArrayToString(Object[] paramsArray)
+ private String argsArrayToString(Object[] paramsArray, String[] excludeParamNames)
{
String params = "";
if (paramsArray != null && paramsArray.length > 0)
@@ -168,7 +198,7 @@
{
try
{
- Object jsonObj = JSON.toJSON(o);
+ String jsonObj = JSON.toJSONString(o, excludePropertyPreFilter(excludeParamNames));
params += jsonObj.toString() + " ";
}
catch (Exception e)
@@ -181,6 +211,14 @@
}
/**
+ * 蹇界暐鏁忔劅灞炴��
+ */
+ public PropertyPreExcludeFilter excludePropertyPreFilter(String[] excludeParamNames)
+ {
+ return new PropertyPreExcludeFilter().addExcludes(ArrayUtils.addAll(EXCLUDE_PROPERTIES, excludeParamNames));
+ }
+
+ /**
* 鍒ゆ柇鏄惁闇�瑕佽繃婊ょ殑瀵硅薄銆�
*
* @param o 瀵硅薄淇℃伅銆�
--
Gitblit v1.9.3