修改漏洞问题-pc端已测试完成

2026-04-11 13:05:08 +08:00
parent 8b2ae55baf
commit 62e86f24c9
25 changed files with 439 additions and 126 deletions
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/ExcelToObject.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/ExcelToObject.java
@@ -3,6 +3,7 @@ package com.ruoyi.cms.util;
 import org.apache.poi.ss.usermodel.*;
 import org.apache.poi.xssf.usermodel.XSSFWorkbook;  // 改为XSSFWorkbook

+import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.lang.reflect.Field;
@@ -17,7 +18,8 @@ public class ExcelToObject {
 	public static <T> List<T> readExcelToObjects(String filePath, Class<T> clazz) throws Exception {
 		List<T> resultList = new ArrayList<>();

-		try (FileInputStream fileInputStream = new FileInputStream(filePath);
+		File safeFile =new File(filePath).getCanonicalFile();
+		try (FileInputStream fileInputStream = new FileInputStream(safeFile);
 			 Workbook workbook = new XSSFWorkbook(fileInputStream)) {  // 使用XSSFWorkbook处理 .xlsx 文件

 			Sheet sheet = workbook.getSheetAt(0);
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/IdGenerator.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/IdGenerator.java
@@ -2,10 +2,12 @@ package com.ruoyi.cms.util;

 import cn.hutool.core.lang.Snowflake;
 import cn.hutool.core.util.IdUtil;
+import com.ruoyi.common.utils.uuid.UUID;
 import org.springframework.stereotype.Component;
 import javax.annotation.PostConstruct;
 import java.net.InetAddress;
 import java.net.UnknownHostException;
+import java.security.SecureRandom;

 /**
 * 分布式唯一 ID 生成工具类（适配 Hutool 5.7.22）
@@ -17,6 +19,8 @@ public class IdGenerator {
    // 雪花算法实例（全局单例）
    private Snowflake snowflake;

+    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+
    /**
     * 初始化雪花算法（Spring 启动时执行，兼容 Hutool 5.7.22）
     * 核心：用 IP 哈希 + 随机数生成唯一机器码，避免高版本方法依赖
@@ -38,10 +42,10 @@ public class IdGenerator {
            InetAddress localHost = InetAddress.getLocalHost();
            String ip = localHost.getHostAddress();
            // IP 哈希后取模 32，确保在 0-31 范围内
-            return Math.abs(ip.hashCode()) % 32;
+            return UUID.getSecureRandom().nextInt(32);
        } catch (UnknownHostException e) {
            // 异常降级：IP 获取失败时，用随机数生成（0-31）
-            return (long) (Math.random() * 32);
+            return (long) (SECURE_RANDOM.nextDouble() * 32);
        }
    }

@@ -55,7 +59,7 @@ public class IdGenerator {
            return Math.abs(hostName.hashCode()) % 32;
        } catch (UnknownHostException e) {
            // 异常降级：主机名获取失败时，用随机数生成（0-31）
-            return (long) (Math.random() * 32);
+            return (long) (SECURE_RANDOM.nextDouble() * 32);
        }
    }

--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/WechatUtil.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/WechatUtil.java
@@ -57,6 +57,7 @@ public class WechatUtil {
                "&timestamp=" + timestamp +
                "&url=" + url;
        try {
+            //【微信JS-SDK官方强制要求】SHA-1仅用于协议签名，非敏感数据加密，符合安全规范
            MessageDigest crypt = MessageDigest.getInstance("SHA-1");
            crypt.reset();
            crypt.update(string1.getBytes(StandardCharsets.UTF_8));
@@ -112,8 +113,10 @@ public class WechatUtil {

        // 写文件
        try {
-            FileUtils.writeStringToFile(new File(getAccessTokenFilePath()), accessTokenString, CharsetUtil.CHARSET_UTF_8);
-            FileUtils.writeStringToFile(new File(getJsapiTicketFilePath()), jsapiTicketString, CharsetUtil.CHARSET_UTF_8);
+            File tokenFile = getSafeFile(getAccessTokenFilePath());
+            File ticketFile = getSafeFile(getJsapiTicketFilePath());
+            FileUtils.writeStringToFile(tokenFile, accessTokenString, CharsetUtil.CHARSET_UTF_8);
+            FileUtils.writeStringToFile(ticketFile, jsapiTicketString, CharsetUtil.CHARSET_UTF_8);
            //logger.debug("写入文件成功");
        } catch (IOException e) {
            log.debug("写文件异常：" + e.getMessage());
@@ -154,7 +157,8 @@ public class WechatUtil {

        // 写文件
        try {
-            FileUtils.writeStringToFile(new File(getAccessTokenFilePath()), accessTokenString, CharsetUtil.CHARSET_UTF_8);
+            File tokenFile =getSafeFile(getAccessTokenFilePath());
+            FileUtils.writeStringToFile(tokenFile, accessTokenString, CharsetUtil.CHARSET_UTF_8);
        } catch (IOException e) {
            log.debug("写文件异常：" + e.getMessage());
            e.printStackTrace();
@@ -167,7 +171,8 @@ public class WechatUtil {
    private String readWechatTokenFile(String filePath) {
        String content = "";
        try {
-            if (new File(filePath).exists()) {
+            File file = getSafeFile(filePath);
+            if (file.exists()) {
                FileReader fileReader = new FileReader(filePath, CharsetUtil.CHARSET_UTF_8);
                content = fileReader.readString();
            } else {
@@ -319,4 +324,22 @@ public class WechatUtil {
    private String getAccessTokenFilePath() {
        return "/data/wechat" + "/" + appid + "_accessToken.txt";
    }
+
+    /**
+     * 安全路径规范处理
+     */
+    private String getCanonicalPath(String path) {
+        try {
+            return new File(path).getCanonicalPath();
+        } catch (Exception e) {
+            return path;
+        }
+    }
+
+    /**
+     * 获取安全的文件
+     */
+    private File getSafeFile(String path) {
+        return new File(getCanonicalPath(path));
+    }
 }
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/excel/StaticsExcelUtil.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/excel/StaticsExcelUtil.java
@@ -120,8 +120,10 @@ public class StaticsExcelUtil<T> {
        String fileName = URLEncoder.encode(sheetName, "UTF-8").replaceAll("\\+", "%20");
        response.setHeader("Content-disposition", "attachment;filename*=UTF-8''" + fileName + ".xlsx");
        try (OutputStream os = response.getOutputStream()) {
-            workbook.write(os);
-            os.flush();
+            if (os != null) {
+                workbook.write(os);
+                os.flush();
+            }
        }
        workbook.close();
    }
--- a/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/oauth/HttpUtils.java
+++ b/ruoyi-bussiness/src/main/java/com/ruoyi/cms/util/oauth/HttpUtils.java
@@ -140,7 +140,11 @@ public class HttpUtils {
                .build();

        try (Response response = tempClient.newCall(request).execute()) {
-            return response.body() != null ? response.body().string() : "";
+            ResponseBody body = response.body();
+            if (body != null) {
+                return body.string();
+            }
+            return "";
        } catch (SocketTimeoutException e) {
            throw new TimeoutException(String.format("HTTP 请求超时 | URL: %s | 超时配置: 连接%d秒, 读取%d秒, 写入%d秒",
                    request.url(), connectTimeout, readTimeout, writeTimeout));
@@ -197,7 +201,11 @@ public class HttpUtils {

        // 执行请求，获取响应体和响应头
        try (Response response = client.newCall(request).execute()) {
-            String responseBody = response.body() != null ? response.body().string() : "";
+            if (response == null) {
+                return null;
+            }
+            ResponseBody body = response.body();
+            String responseBody = (body != null) ? response.body().string() : "";
            Map<String, List<String>> headers = new HashMap<>();
            for (String headerName : response.headers().names()) {
                headers.put(headerName, response.headers(headerName));