| Source/UBCS/pom.xml | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| Source/UBCS/ubcs-common/src/main/java/com/vci/ubcs/common/constant/LauncherConstant.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| Source/UBCS/ubcs-gateway/src/main/java/com/vci/ubcs/gateway/filter/EssentialSecurityFilter.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| Source/UBCS/ubcs-gateway/src/main/java/com/vci/ubcs/gateway/filter/GlobalUrlSecurityFilter.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 | |
| Source/UBCS/ubcs-ops/ubcs-flow/src/main/java/com/vci/ubcs/flow/engine/controller/FlowManagerController.java | ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史 |
Source/UBCS/pom.xml
@@ -108,11 +108,11 @@ <resource> <directory>src/main/resources</directory> <excludes> <!--<exclude>bootstrap.yml</exclude> <exclude>bootstrap.yml</exclude> <exclude>application.yml</exclude> <exclude>application-dev.yml</exclude> <exclude>application-test.yml</exclude> <exclude>application-prop.yml</exclude>--> <exclude>application-prop.yml</exclude> </excludes> </resource> <resource> @@ -205,6 +205,7 @@ <excludes> <exclude>application-dev.yml</exclude> <exclude>application-prod.yml</exclude> <exclude>application-test.yml</exclude> <exclude>application.yml</exclude> <exclude>lib/*</exclude> </excludes> Source/UBCS/ubcs-common/src/main/java/com/vci/ubcs/common/constant/LauncherConstant.java
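Review bot: The first `<resource>` block excludes `application-prop.yml` while the second block (hunk at line 205) excludes `application-prod.yml`; if the profile file under `src/main/resources` is actually named `application-prod.yml`, the first resource set would still package it into the artifact, which matters if that file carries environment credentials or endpoints. Worth confirming which filename exists and aligning both blocks, e.g. `<exclude>application-prod.yml</exclude>` in the first block too. The rest of the excludes in the first block are commented out inside `<!-- -->`, so the build now relies on that single live exclude. Since `+`/`-` markers are lost in this rendering, which of these lines is the new side is inferred here.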
@@ -40,20 +40,20 @@ /** * nacos dev å°å */ //String NACOS_DEV_ADDR = "dev.vci-tech.com:38848"; String NACOS_DEV_ADDR = "127.0.0.1:8848"; String NACOS_DEV_ADDR = "dev.vci-tech.com:38848"; //String NACOS_DEV_ADDR = "127.0.0.1:8848"; /** * nacos prod å°å */ //String NACOS_PROD_ADDR = "dev.vci-tech.com:38848"; String NACOS_PROD_ADDR = "127.0.0.1:8848"; String NACOS_PROD_ADDR = "dev.vci-tech.com:38848"; //String NACOS_PROD_ADDR = "127.0.0.1:8848"; /** * nacos test å°å */ //String NACOS_TEST_ADDR = "dev.vci-tech.com:38848"; String NACOS_TEST_ADDR = "127.0.0.1:8848"; String NACOS_TEST_ADDR = "dev.vci-tech.com:38848"; //String NACOS_TEST_ADDR = "127.0.0.1:8848"; /** * sentinel dev å°å Source/UBCS/ubcs-gateway/src/main/java/com/vci/ubcs/gateway/filter/EssentialSecurityFilter.java
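Review bot: After this change `NACOS_DEV_ADDR`, `NACOS_PROD_ADDR` and `NACOS_TEST_ADDR` all resolve to the same hard-coded host `dev.vci-tech.com:38848`, so the prod profile registers with a registry named for dev; if that is not intended, the prod constant should at least differ, and in any case a registry address belongs in externalized configuration (e.g. a `${nacos.addr}` property or environment variable with a documented default) rather than in a shared constant interface that every module compiles in. Switching environments by swapping which line is commented out, as the `//String NACOS_*_ADDR = "127.0.0.1:8848";` leftovers show, leaves no record of which environment a build targeted; delete the commented alternates and add a Javadoc note on each constant stating that it is a fallback overridden by configuration. The declaring interface is outside this hunk.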
文件已删除 Source/UBCS/ubcs-gateway/src/main/java/com/vci/ubcs/gateway/filter/GlobalUrlSecurityFilter.java
对比新文件
@@ -0,0 +1,142 @@ package com.vci.ubcs.gateway.filter; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; import org.springframework.cloud.gateway.filter.GatewayFilterChain; import org.springframework.cloud.gateway.filter.GlobalFilter; import org.springframework.core.Ordered; import org.springframework.http.HttpStatus; import org.springframework.http.server.reactive.ServerHttpRequest; import org.springframework.stereotype.Component; import org.springframework.web.server.ServerWebExchange; import reactor.core.publisher.Mono; import javax.annotation.PostConstruct; import java.util.Arrays; import java.util.HashSet; import java.util.Set; import java.util.regex.Pattern; /** * å ¨å±URLå®å ¨è¿æ»¤å¨ - 对ææè¯·æ±çæ * ç´æ¥ä½¿ç¨@Value注解读åé ç½® */ @Component public class GlobalUrlSecurityFilter implements GlobalFilter, Ordered { private static final Logger log = LoggerFactory.getLogger(GlobalUrlSecurityFilter.class); // æ¯å¦å¯ç¨URLå®å ¨è¿æ»¤å¨ @Value("${gateway.security.url.enabled:true}") private boolean enabled; // å±é©å符æ£åè¡¨è¾¾å¼ @Value("${gateway.security.url.dangerous-pattern:<script|</script|javascript:|onload|onerror|onclick|union.*select|select.*from|[\"';<>\\x00-\\x1F\\x7F]|%3C|%3E|%27|%22|%00|\\.\\./|\\.\\.\\\\}") private String dangerousPattern; // ç½ååè·¯å¾ @Value("${gateway.security.url.whitelist-paths:/health,/actuator/health,/actuator/info,/favicon.ico}") private String[] whitelistPaths; private Pattern compiledPattern; private Set<String> whitelistSet; /** * åå§åæ¹æ³ */ @PostConstruct public void init() { try { // ç¼è¯å±é©å符æ£åè¡¨è¾¾å¼ this.compiledPattern = Pattern.compile(dangerousPattern, Pattern.CASE_INSENSITIVE); // åå§åç½ååéå this.whitelistSet = new HashSet<>(Arrays.asList(whitelistPaths)); log.info("å ¨å±URLå®å ¨è¿æ»¤å¨åå§å宿"); log.info("è¿æ»¤å¨ç¶æ: {}", enabled ? 
"å·²å¯ç¨" : "å·²ç¦ç¨"); log.info("ç½ååè·¯å¾: {}", whitelistSet); } catch (Exception e) { log.error("åå§åè¿æ»¤å¨å¤±è´¥", e); // 使ç¨é»è®¤é ç½®ä½ä¸ºåå¤ this.compiledPattern = Pattern.compile( "<script|</script|javascript:|onload|onerror|onclick|union.*select|select.*from|[\"';<>\\x00-\\x1F\\x7F]|%3C|%3E|%27|%22|%00|\\.\\./|\\.\\.\\\\", Pattern.CASE_INSENSITIVE ); this.whitelistSet = new HashSet<>(Arrays.asList( "/health", "/actuator/health", "/actuator/info", "/favicon.ico" )); } } @Override public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) { // æ£æ¥æ¯å¦å¯ç¨è¿æ»¤å¨ if (!enabled) { return chain.filter(exchange); } ServerHttpRequest request = exchange.getRequest(); String path = request.getURI().getPath(); String method = request.getMethod().name(); // æ£æ¥ç½ååè·¯å¾ if (isWhitelistedPath(path)) { return chain.filter(exchange); } // éªè¯è·¯å¾å®å ¨æ§ if (!isPathSafe(path)) { log.warn("æ¦æªå±é©è¯·æ±: {} {}", method, request.getURI()); exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN); return exchange.getResponse().setComplete(); } return chain.filter(exchange); } @Override public int getOrder() { return Ordered.HIGHEST_PRECEDENCE; } /** * éªè¯è·¯å¾å®å ¨æ§ */ private boolean isPathSafe(String path) { if (path == null || path.isEmpty()) { return true; } // æ£æ¥è·¯å¾éå if (path.contains("../") || path.contains("..\\")) { return false; } // æ£æ¥å±é©å符 if (compiledPattern.matcher(path).find()) { return false; } return true; } /** * æ£æ¥è·¯å¾æ¯å¦å¨ç½ååä¸ */ private boolean isWhitelistedPath(String path) { if (path == null) { return false; } for (String whitelistPath : whitelistSet) { if (path.startsWith(whitelistPath) || path.equals(whitelistPath)) { return true; } } return false; } } Source/UBCS/ubcs-ops/ubcs-flow/src/main/java/com/vci/ubcs/flow/engine/controller/FlowManagerController.java
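Review bot: `isPathSafe` runs the pattern against `request.getURI().getPath()`, which is the percent-decoded path, so the `%3C|%3E|%27|%22|%00` alternations in the default `gateway.security.url.dangerous-pattern` are dead against that string and the `\.\./` alternation only sees the fully decoded form; apply the check to both `request.getURI().getRawPath()` and `getPath()` (and use `getURI().normalize().getPath()` for the traversal test) so the raw and decoded views are both covered, and drop the now-duplicated `path.contains("../")` check. `isWhitelistedPath` is a pure prefix match, so the `equals` branch is redundant and any path that merely begins with `/health` skips the pattern check entirely — match on a segment boundary instead, `path.equals(whitelistPath) || path.startsWith(whitelistPath + "/")`. `request.getMethod().name()` at the top of `filter` will throw if `getMethod()` returns null, which it can for non-standard methods on Spring 5's `ServerHttpRequest` (presumably the version in use here — confirm); `request.getMethodValue()` avoids that, and the value is only needed in the `log.warn` branch. The fallback in `init()` repeats the regex and whitelist literals already present as `@Value` defaults — hoist both into `private static final` constants referenced from the annotation and the catch block so the two cannot drift, and log the matched text in the warn message so the inevitable false positives from `union.*select` and `select.*from` (any path containing those words, case-insensitively) can be diagnosed.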
@@ -46,7 +46,7 @@ */ @NonDS @RestController @RequestMapping("manager") @RequestMapping("/manager") @AllArgsConstructor @Api(value = "æµç¨ç®¡çæ¥å£", tags = "æµç¨ç®¡çæ¥å£") public class FlowManagerController { @@ -62,7 +62,7 @@ /** * å页 */ @GetMapping("list") @GetMapping("/list") @ApiOperationSupport(order = 1) @ApiOperation(value = "å页", notes = "ä¼ å ¥æµç¨ç±»å") public R<IPage<FlowProcess>> list(@ApiParam("æµç¨ç±»å") String category, Query query, @RequestParam(required = false, defaultValue = "1") Integer mode) { @@ -76,7 +76,7 @@ * @param state ç¶æ * @param processId æµç¨id */ @PostMapping("change-state") @PostMapping("/change-state") @ApiOperationSupport(order = 2) @ApiOperation(value = "åæ´æµç¨ç¶æ", notes = "ä¼ å ¥state,processId") public R changeState(@RequestParam String state, @RequestParam String processId) { @@ -89,7 +89,7 @@ * * @param deploymentIds é¨ç½²æµç¨idéå */ @PostMapping("delete-deployment") @PostMapping("/delete-deployment") @ApiOperationSupport(order = 3) @ApiOperation(value = "å é¤é¨ç½²æµç¨", notes = "é¨ç½²æµç¨idéå") public R deleteDeployment(String deploymentIds) { @@ -101,7 +101,7 @@ * * @param file æµç¨æä»¶ */ @PostMapping("check-upload") @PostMapping("/check-upload") @ApiOperationSupport(order = 4) @ApiOperation(value = "ä¸ä¼ é¨ç½²æµç¨æä»¶", notes = "ä¼ å ¥æä»¶") public R checkUpload(@RequestParam MultipartFile file) { @@ -120,7 +120,7 @@ * @param files æµç¨æä»¶ * @param category ç±»å */ @PostMapping("deploy-upload") @PostMapping("/deploy-upload") @ApiOperationSupport(order = 5) @ApiOperation(value = "ä¸ä¼ é¨ç½²æµç¨æä»¶", notes = "ä¼ å ¥æä»¶") public R deployUpload(@RequestParam List<MultipartFile> files,