修复漏洞（对报错信息进行自定义，避免泄露系统敏感信息）

2026-04-29 17:12:04 +08:00
parent 6b7d16c400
commit 106c1a0b6f
7 changed files with 58 additions and 8 deletions
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysLoginController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysLoginController.java
@@ -3,6 +3,7 @@ package com.ruoyi.web.controller.system;
 import java.util.List;
 import java.util.Set;

+import com.ruoyi.cms.util.StringUtil;
 import com.ruoyi.common.core.domain.entity.tymh.wwToken.WwTokenResult;
 import com.ruoyi.common.core.domain.entity.tymh.wwToken.WwUserLogin;
 import com.ruoyi.common.core.domain.model.RegisterBody;
@@ -22,6 +23,8 @@ import com.ruoyi.framework.web.service.SysLoginService;
 import com.ruoyi.framework.web.service.SysPermissionService;
 import com.ruoyi.system.service.ISysMenuService;

+import javax.servlet.http.HttpServletRequest;
+

 /**
 * 登录验证
@@ -63,9 +66,24 @@ public class SysLoginController
    @PostMapping("/app/login")
    public AjaxResult loginApp(@RequestBody LoginBody loginBody)
    {
+        return AjaxResult.error(403, "接口已禁用");
+//        AjaxResult ajax = AjaxResult.success();
+//        // 生成令牌
+//        String token = loginService.loginApp("admin", "admin123");
+//        ajax.put(Constants.TOKEN, token);
+//        return ajax;
+    }
+
+    @PostMapping("/loginWeb")
+    public AjaxResult loginWeb(@RequestBody LoginBody loginBody, HttpServletRequest request)
+    {
+        String proxyServer = StringUtil.getProxyServer(request);
+        if (!"proxy-146".equals(proxyServer)) {
+            return AjaxResult.error(403, "当前环境不允许登录");
+        }
        AjaxResult ajax = AjaxResult.success();
        // 生成令牌
-        String token = loginService.loginApp("admin", "admin123");
+        String token = loginService.loginWeb("admin", "admin123");
        ajax.put(Constants.TOKEN, token);
        return ajax;
    }
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/app/AppSkillController.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/app/AppSkillController.java
@@ -38,6 +38,9 @@ public class AppSkillController extends BaseController {
    @ApiOperation("获取技能列表")
    @GetMapping("/list")
    public TableDataInfo list(AppSkill appSkill){
+        if(appSkill.getUserId()==null){
+            return error(400,"无效的用户id!");
+        }
        startPage();
        List<AppSkill> list=appSkillService.getList(appSkill);
        return getDataTable(list);
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/CmsSkillController.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/CmsSkillController.java
@@ -43,6 +43,9 @@ public class CmsSkillController extends BaseController {
    @ApiOperation("获取技能列表")
    @GetMapping("/list")
    public TableDataInfo list(AppSkill appSkill){
+        if(appSkill.getUserId()==null){
+            return error(400,"无效的用户id!");
+        }
        startPage();
        List<AppSkill> list=appSkillService.getList(appSkill);
        return getDataTable(list);
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/EmployeeConfirmController.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/controller/cms/EmployeeConfirmController.java
@@ -37,6 +37,9 @@ public class EmployeeConfirmController extends BaseController {
 //    @PreAuthorize("@ss.hasPermi('cms:employeeConfirm:list')")
    @RequestMapping("/list")
    public TableDataInfo list(EmployeeConfirm employeeConfirm){
+        if(employeeConfirm.getCompanyId()==null){
+            return error(400,"无效的企业id!");
+        }
        List<EmployeeConfirm> list=employeeConfirmService.getEmployeeConfirmList(employeeConfirm);
        return getDataTable(list);
    }
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/StringUtil.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/StringUtil.java
@@ -229,7 +229,7 @@ public class StringUtil {
     * @param request
     * @return
     */
-    private static String getProxyServer(HttpServletRequest request) {
+    public static String getProxyServer(HttpServletRequest request) {
        if (request == null) {
            return null;
        }
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/SecurityConfig.java
@@ -66,6 +66,20 @@ public class SecurityConfig
    @Autowired
    private PermitAllUrlProperties permitAllUrl;

+    //全部禁用的高危接口
+    private static final String[] DENY_URLS = {
+            "/swagger-ui.html",
+            "/swagger-resources/**",
+            "/webjars/**",
+            "/*/api-docs/**",
+            "/druid/**",
+            "/app/user/list",
+            "/cms/appskill/list",
+            "/app/appskill/list",
+            "/cms/employeeConfirm/list",
+            "/app/fair/**"
+    };
+
    /**
     * 身份验证实现
     */
@@ -111,10 +125,9 @@ public class SecurityConfig
            .authorizeHttpRequests((requests) -> {
                permitAllUrl.getUrls().forEach(url -> requests.antMatchers(url).permitAll());
                // 对于登录login 注册register 验证码captchaImage 允许匿名访问
-                requests.antMatchers("/login", "/register", "/captchaImage","/app/login","/websocket/**","/ws/**","/app/appLogin",
+                requests.antMatchers("/login", "/register", "/captchaImage","/loginWeb","/websocket/**","/ws/**","/app/appLogin",
                                "/app/appWxphoneSmsCode","/app/appLoginPhone","/app/sendSmsAgain","/app/idCardLogin","/app/phoneLogin",
-                                "/cms/company/listPage","/cms/appUser/noTmlist","/getTjmhToken","/getWwTjmhToken","/getWwTjmHlwToken",
-                                "/cms/jobApply/zphApply","/cms/jobApply/zphApplyAgree","/actuator/health").permitAll()
+                                "/getTjmhToken","/getWwTjmhToken","/getWwTjmHlwToken","/actuator/health").permitAll()
                    // 静态资源，可匿名访问
                    .antMatchers(HttpMethod.GET, "/", "/*.html", "/**/*.html", "/**/*.css", "/**/*.js", "/profile/**").permitAll()
                    // 移动端公用查询，可匿名访问
@@ -127,12 +140,10 @@ public class SecurityConfig
                    .antMatchers("/app/job/**").permitAll()
                    //企业信息
                    .antMatchers("/app/company/**").permitAll()
-                    //招聘会信息
-                    .antMatchers("/app/fair/**").permitAll()
                    //.antMatchers("/app/**").permitAll()
                    //.antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**").permitAll()
                    //正式环境禁用接口
-                    .antMatchers("/swagger-ui.html", "/swagger-resources/**", "/webjars/**", "/*/api-docs", "/druid/**","/app/user/list").denyAll()
+                    .antMatchers(DENY_URLS).denyAll()
                    //放行前端界面
                    .antMatchers("/kashi/job-portal/detail/**").permitAll()
                    // 除上面外的所有请求全部需要鉴权认证
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/SysLoginService.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/SysLoginService.java
@@ -145,6 +145,18 @@ public class SysLoginService
        return tokenSiteService.createToken(loginSiteUser);
    }

+    //给浪潮——web模拟登录
+    public String loginWeb(String username, String password){
+        SysUser sysUser = userService.selectUserById(1L);
+        LoginUser loginUser = new LoginUser();
+        loginUser.setUserId(sysUser.getUserId());
+        loginUser.setUser(sysUser);
+        AsyncManager.me().execute(AsyncFactory.recordLogininfor(username, Constants.LOGIN_SUCCESS, MessageUtils.message("user.login.success")));
+        recordLoginInfo(sysUser.getUserId());
+        // 生成token
+        return tokenService.createToken(loginUser);
+    }
+
    /**
     * 根据微信生成的
     * @param appUser