From c44cf9b9f6ead2feb9492bf9065e600bc4f6cd52 Mon Sep 17 00:00:00 2001 From: RuoYi Date: Thu, 6 Jan 2022 14:58:56 +0800 Subject: [PATCH] =?UTF-8?q?=E5=AE=9A=E6=97=B6=E4=BB=BB=E5=8A=A1=E7=9B=AE?= =?UTF-8?q?=E6=A0=87=E5=AD=97=E7=AC=A6=E4=B8=B2=E9=AA=8C=E8=AF=81=E5=8C=85?= =?UTF-8?q?=E5=90=8D=E7=99=BD=E5=90=8D=E5=8D=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../com/ruoyi/common/core/constant/Constants.java | 12 ++++++++++- .../com/ruoyi/job/controller/SysJobController.java | 25 +++++++++++++++------- .../java/com/ruoyi/job/util/ScheduleUtils.java | 24 ++++++++++++++++++++- 3 files changed, 51 insertions(+), 10 deletions(-) diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java index e19a3ce..82e48a6 100644 --- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java +++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java @@ -28,6 +28,11 @@ public class Constants public static final String LOOKUP_LDAP = "ldap:"; /** + * LDAPS 远程方法调用 + */ + public static final String LOOKUP_LDAPS = "ldaps:"; + + /** * http请求 */ public static final String HTTP = "http://"; @@ -114,8 +119,13 @@ public class Constants public static final String RESOURCE_PREFIX = "/profile"; /** + * 定时任务白名单配置(仅允许访问的包名,如其他需要可以自行添加) + */ + public static final String[] JOB_WHITELIST_STR = { "com.ruoyi" }; + + /** * 定时任务违规的字符 */ public static final String[] JOB_ERROR_STR = { "java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml", - "org.springframework" }; + "org.springframework", "org.apache" }; } diff --git a/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java b/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java index fd4e3df..07cb368 100644 
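Review bot: `JOB_WHITELIST_STR` is declared `public static final String[]`, which freezes the reference but not the contents — any code holding the array can overwrite the `"com.ruoyi"` entry at runtime, and since this array now decides which targets a scheduled job may invoke, it is the one constant in this file worth hardening. Expose it as an unmodifiable list (`public static final List<String> JOB_WHITELIST = List.of("com.ruoyi");`) and adapt the call site in `ScheduleUtils.whiteList`, or keep the array private behind an accessor that returns `clone()`. The same observation applies to the pre-existing `JOB_ERROR_STR`, which is only extended here. The Javadoc could also say how the entries are applied (prefix of the class portion vs. anywhere in the target), since that is what "仅允许访问的包名" leads a reader to expect.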
--- a/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java +++ b/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java @@ -26,6 +26,7 @@ import com.ruoyi.common.security.utils.SecurityUtils; import com.ruoyi.job.domain.SysJob; import com.ruoyi.job.service.ISysJobService; import com.ruoyi.job.util.CronUtils; +import com.ruoyi.job.util.ScheduleUtils; /** * 调度任务信息操作处理 @@ -88,20 +89,24 @@ public class SysJobController extends BaseController } else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_RMI)) { - return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi:'调用"); + return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi'调用"); } - else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_LDAP)) + else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.LOOKUP_LDAP, Constants.LOOKUP_LDAPS })) { - return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'ldap:'调用"); + return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'ldap'调用"); } else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS })) { - return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用"); + return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)'调用"); } else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR)) { return error("新增任务'" + job.getJobName() + "'失败,目标字符串存在违规"); } + else if (!ScheduleUtils.whiteList(job.getInvokeTarget())) + { + return error("新增任务'" + job.getJobName() + "'失败,目标字符串不在白名单内"); + } job.setCreateBy(SecurityUtils.getUsername()); return toAjax(jobService.insertJob(job)); } 
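Review bot: The new allow-list branch extends a validation chain that is now duplicated verbatim between `add` here and `edit` in the next hunk, differing only in the '新增'/'修改' prefix of each message; a private helper that returns the failure reason (or null) would keep both entry points in step the next time a rule is added and makes the rule set reviewable in one place. The check also exists only in these two controller methods, so any other path that creates or updates a `SysJob` (service calls, imports) would not be subject to it — if such paths exist, placing the check in the service or in `ScheduleUtils` where the job is actually scheduled is the safer location. Both `add` and `edit` begin before their hunks, so the preceding cron-expression branch that this chain hangs off is not visible here.
```java
    /** Returns the reason an invoke target must be rejected, or null when it passes every rule. */
    private String invokeTargetError(SysJob job)
    {
        String target = job.getInvokeTarget();
        if (StringUtils.containsIgnoreCase(target, Constants.LOOKUP_RMI))
        {
            return "目标字符串不允许'rmi'调用";
        }
        // … unchanged: ldap/ldaps, http(s) and JOB_ERROR_STR branches, same form as above …
        if (!ScheduleUtils.whiteList(target))
        {
            return "目标字符串不在白名单内";
        }
        return null;
    }

    // in add(): replaces the else-if chain after the cron check
        String reason = invokeTargetError(job);
        if (reason != null)
        {
            return error("新增任务'" + job.getJobName() + "'失败," + reason);
        }
```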
@@ -120,20 +125,24 @@ public class SysJobController extends BaseController } else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_RMI)) { - return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi:'调用"); + return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi'调用"); } - else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_LDAP)) + else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.LOOKUP_LDAP, Constants.LOOKUP_LDAPS })) { - return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'ldap:'调用"); + return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'ldap'调用"); } else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS })) { - return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用"); + return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)'调用"); } else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR)) { return error("修改任务'" + job.getJobName() + "'失败,目标字符串存在违规"); } + else if (!ScheduleUtils.whiteList(job.getInvokeTarget())) + { + return error("修改任务'" + job.getJobName() + "'失败,目标字符串不在白名单内"); + } job.setUpdateBy(SecurityUtils.getUsername()); return toAjax(jobService.updateJob(job)); } diff --git a/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/util/ScheduleUtils.java b/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/util/ScheduleUtils.java index 7e7657f..1ffd12d 100644 --- a/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/util/ScheduleUtils.java +++ b/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/util/ScheduleUtils.java 
@@ -10,9 +10,11 @@ import org.quartz.Scheduler; import org.quartz.SchedulerException; import org.quartz.TriggerBuilder; import org.quartz.TriggerKey; +import com.ruoyi.common.core.constant.Constants; import com.ruoyi.common.core.constant.ScheduleConstants; import com.ruoyi.common.core.exception.job.TaskException; import com.ruoyi.common.core.exception.job.TaskException.Code; +import com.ruoyi.common.core.utils.StringUtils; import com.ruoyi.job.domain.SysJob; /** @@ -110,4 +112,24 @@ public class ScheduleUtils + "' cannot be used in cron schedule tasks", Code.CONFIG_ERROR); } } -} \ No newline at end of file + + /** + * 检查包名是否为白名单配置 + * + * @param invokeTarget 目标字符串 + * @return 结果 + */ + public static boolean whiteList(String invokeTarget) + { + String packageName = StringUtils.substringBefore(invokeTarget, ")"); + int count = StringUtils.countMatches(packageName, "."); + if (count > 1) + { + if (!StringUtils.containsAnyIgnoreCase(invokeTarget, Constants.JOB_WHITELIST_STR)) + { + return false; + } + } + return true; + } +}
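Review bot: `whiteList` applies the allow-list as a substring match over the whole `invokeTarget` (`containsAnyIgnoreCase(invokeTarget, …)`) instead of as a prefix of the class portion it has just computed in `packageName`, so an entry such as `com.ruoyi` merely has to occur somewhere in the target string — a quoted method argument included — for a target in an unrelated package to pass. The cut point `")"` on the line above also keeps the entire argument list inside `packageName`, so `countMatches` counts dots that appear in string arguments, which can push a one-dot bean-name target into the package branch and then reject it. Cutting at `"("` and testing `packageName.startsWith(entry)` for each allow-list entry makes the method do what its Javadoc (检查包名是否为白名单配置) says; whether the comparison should remain case-insensitive is worth deciding explicitly, since Java package names are case-sensitive. If this `StringUtils` inherits commons-lang3's null-safe behaviour a null target yields count 0 and returns true, so callers are presumably relied on to reject empty targets first. The method is wholly inside the hunk.
```java
    public static boolean whiteList(String invokeTarget)
    {
        // Only the class/method portion decides; text after '(' is argument data.
        String packageName = StringUtils.substringBefore(invokeTarget, "(");
        int count = StringUtils.countMatches(packageName, ".");
        if (count > 1)
        {
            for (String allowed : Constants.JOB_WHITELIST_STR)
            {
                if (packageName.startsWith(allowed))
                {
                    return true;
                }
            }
            return false;
        }
        return true;
    }
```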