
修复国家信息安全漏洞共享平台披露的漏洞 CNVD-2024-34975，避免通过 /dataSetParam/verification;swagger-ui 的方式绕过 TokenFilter。当初在开发期，为方便前后联调，引入了 swagger-ui；目前前后端接口基本稳定，同时考虑到目前大部分 aj-report 使用者没有二开能力，我们再三斟酌，决定删除 swagger-ui，二开的同学如有需要，请自行添加。

Devli 11 months ago
parent
commit
af73727e40

+ 4 - 0
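--- a/report-core/pom.xml
+++ b/report-core/pom.xml
@@ -88,6 +88,10 @@
                     <groupId>org.springframework.boot</groupId>
                     <artifactId>spring-boot-starter-data-redis</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>com.spring4all</groupId>
+                    <artifactId>swagger-spring-boot-starter</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
 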
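Review bot: This exclusion removes swagger-spring-boot-starter only from the transitive tree of the one `<dependency>` it sits in, whose artifactId is above the hunk and not visible here; if any other dependency in the module still brings in springfox (the `springfox.documentation` import removed elsewhere in this commit shows it was on the classpath), the `/swagger-ui` and `/swagger-resources` endpoints would still be served even though the TokenFilter allowlist for them is gone. Verify in report-core with `mvn dependency:tree -Dincludes=io.springfox,com.spring4all` that no springfox or spring4all artifact remains. Consider a comment on the new exclusion such as `<!-- swagger-ui removed: CNVD-2024-34975 -->` so the reason survives future dependency cleanups.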

+ 0 - 2
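--- a/report-core/src/main/java/com/anjiplus/template/gaea/business/ReportApplication.java
+++ b/report-core/src/main/java/com/anjiplus/template/gaea/business/ReportApplication.java
@@ -4,7 +4,6 @@ import com.anji.plus.gaea.annotation.enabled.EnabledGaeaConfiguration;
 import org.mybatis.spring.annotation.MapperScan;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import springfox.documentation.swagger2.annotations.EnableSwagger2;
 
 /**
  * 业务模板
@@ -21,7 +20,6 @@ import springfox.documentation.swagger2.annotations.EnableSwagger2;
         "com.anjiplus.template.gaea.business.modules.*.**.dao",
         "com.anji.plus.gaea.*.module.*.dao"
 })
-@EnableSwagger2
 public class ReportApplication {
     public static void main( String[] args ) {
         SpringApplication.run(ReportApplication.class);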

+ 7 - 7
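--- a/report-core/src/main/java/com/anjiplus/template/gaea/business/filter/TokenFilter.java
+++ b/report-core/src/main/java/com/anjiplus/template/gaea/business/filter/TokenFilter.java
@@ -67,24 +67,24 @@ public class TokenFilter implements Filter {
         HttpServletResponse response = (HttpServletResponse) servletResponse;
         String uri = request.getRequestURI();
 
-        // TODO 暂时先不校验 直接放行
-        /*if (true) {
-            filterChain.doFilter(request, response);
-            return;
-        }*/
-
         //OPTIONS直接放行
         if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
             filterChain.doFilter(request, response);
             return;
         }
 
+        /** 修复 国家信息安全漏洞共享平台披露的漏洞 CNVD-2024-34975
+         * 避免,通过/dataSetParam/verification;swagger-ui,方式,绕过TokenFilter
+         * 当初在开发期,为方便前后联调,引入了swagger-ui,目前前后端接口基本稳定,同时考虑目前大部分aj-report没有二开能力,
+         * 我们再三斟酌,删除swagger-ui,二开的同学如有需要,自己添加。
+         */
         // swagger相关的直接放行
+        /*
         if (uri.contains("swagger-ui") || uri.contains("swagger-resources")) {
             filterChain.doFilter(request, response);
             return;
         }
-
+        */
 
         if (SLASH.equals(uri) || SLASH.concat(BusinessConstant.SLASH).equals(uri)) {
             if (BusinessConstant.SLASH.equals(uri)) {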
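Review bot: The swagger allowlist is commented out with the new `/*` … `*/` pair rather than deleted, and the `// swagger相关的直接放行` line above it still describes a branch that no longer runs; since the commit message says swagger-ui is being removed for good, drop the whole block and keep a single line such as `// swagger-ui removed (CNVD-2024-34975): no unauthenticated allowlist for swagger paths`. The underlying weakness was `uri.contains(...)` on the raw request URI, which is satisfied by any request whose path merely contains the substring, so if an allowlist is ever reintroduced it should compare a normalized path by prefix (for example `request.getServletPath().startsWith("/swagger-ui")`) rather than by substring. The new explanatory comment opens with `/**`, which is Javadoc syntax and meaningless inside a method body; a plain `/* … */` or `//` comment is the conventional form there. The enclosing method (presumably `doFilter`) starts before and continues after this hunk.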