From 8057dcc4fcb29974afc708b759fdf75679b46420 Mon Sep 17 00:00:00 2001 From: RuoYi Date: Fri, 30 Jul 2021 11:06:11 +0800 Subject: [PATCH] =?UTF-8?q?=E5=AE=9A=E6=97=B6=E4=BB=BB=E5=8A=A1=E5=B1=8F?= =?UTF-8?q?=E8=94=BDhttp(s)=E8=BF=9C=E7=A8=8B=E8=B0=83=E7=94=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../com/ruoyi/common/core/constant/Constants.java | 5 +++ .../com/ruoyi/job/controller/SysJobController.java | 38 ++++++++++++++++------ 2 files changed, 33 insertions(+), 10 deletions(-) diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java index 4225eaa..4a07f40 100644 --- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java +++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java @@ -18,6 +18,11 @@ public class Constants public static final String GBK = "GBK"; /** + * RMI 远程方法调用 + */ + public static final String LOOKUP_RMI = "rmi://"; + + /** * http请求 */ public static final String HTTP = "http://"; diff --git a/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java b/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java index 3c224aa..9ce0067 100644 --- a/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java +++ b/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java @@ -13,8 +13,10 @@ import org.springframework.web.bind.annotation.PutMapping; import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RestController; +import com.ruoyi.common.core.constant.Constants; import com.ruoyi.common.core.exception.job.TaskException; import com.ruoyi.common.core.utils.SecurityUtils; +import com.ruoyi.common.core.utils.StringUtils; import com.ruoyi.common.core.utils.poi.ExcelUtil; import com.ruoyi.common.core.web.controller.BaseController; import com.ruoyi.common.core.web.domain.AjaxResult; @@ -79,14 +81,22 @@ public class SysJobController extends BaseController @PreAuthorize(hasPermi = "monitor:job:add") @Log(title = "定时任务", businessType = BusinessType.INSERT) @PostMapping - public AjaxResult add(@RequestBody SysJob sysJob) throws SchedulerException, TaskException + public AjaxResult add(@RequestBody SysJob job) throws SchedulerException, TaskException { - if (!CronUtils.isValid(sysJob.getCronExpression())) + if (!CronUtils.isValid(job.getCronExpression())) { - return AjaxResult.error("cron表达式不正确"); + return error("新增任务'" + job.getJobName() + "'失败,Cron表达式不正确"); } - sysJob.setCreateBy(SecurityUtils.getUsername()); - return toAjax(jobService.insertJob(sysJob)); + else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_RMI)) + { + return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi://'调用"); + } + else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS })) + { + return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用"); + } + job.setCreateBy(SecurityUtils.getUsername()); + return toAjax(jobService.insertJob(job)); } /** @@ -95,14 +105,22 @@ public class SysJobController extends BaseController @PreAuthorize(hasPermi = "monitor:job:edit") @Log(title = "定时任务", businessType = BusinessType.UPDATE) @PutMapping - public AjaxResult edit(@RequestBody SysJob sysJob) throws SchedulerException, TaskException + public AjaxResult edit(@RequestBody SysJob job) throws SchedulerException, TaskException { - if (!CronUtils.isValid(sysJob.getCronExpression())) + if (!CronUtils.isValid(job.getCronExpression())) + { + return error("修改任务'" + job.getJobName() + "'失败,Cron表达式不正确"); + } + else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_RMI)) + { + return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi://'调用"); + } + else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS })) { - return AjaxResult.error("cron表达式不正确"); + return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用"); } - sysJob.setUpdateBy(SecurityUtils.getUsername()); - return toAjax(jobService.updateJob(sysJob)); + job.setUpdateBy(SecurityUtils.getUsername()); + return toAjax(jobService.updateJob(job)); } /**