Song/xkrs_ms
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

定时任务目标字符串验证包名白名单

Browse Source
This commit is contained in:
RuoYi 2022-01-06 14:50:56 +08:00
parent 578d65dfb4
commit 1a5b024df6
3 changed files with 47 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java
View File

@ -149,9 +149,19 @@ public class Constants
*/ */
public static final String LOOKUP_LDAP = "ldap:"; public static final String LOOKUP_LDAP = "ldap:";
/**
* LDAPS 远程方法调用
*/
public static final String LOOKUP_LDAPS = "ldaps:";
/**
* 定时任务白名单配置仅允许访问的包名如其他需要可以自行添加
*/
public static final String[] JOB_WHITELIST_STR = { "com.ruoyi" };
/** /**
* 定时任务违规的字符 * 定时任务违规的字符
*/ */
public static final String[] JOB_ERROR_STR = { "java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml", public static final String[] JOB_ERROR_STR = { "java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml",
"org.springframework" }; "org.springframework", "org.apache" };
} }

17
ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/SysJobController.java
View File

@ -25,6 +25,7 @@ import com.ruoyi.common.utils.poi.ExcelUtil;
import com.ruoyi.quartz.domain.SysJob; import com.ruoyi.quartz.domain.SysJob;
import com.ruoyi.quartz.service.ISysJobService; import com.ruoyi.quartz.service.ISysJobService;
import com.ruoyi.quartz.util.CronUtils; import com.ruoyi.quartz.util.CronUtils;
import com.ruoyi.quartz.util.ScheduleUtils;
/** /**
* 调度任务信息操作处理 * 调度任务信息操作处理
@ -89,18 +90,22 @@ public class SysJobController extends BaseController
{ {
return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi'调用"); return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi'调用");
} }
else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_LDAP)) else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.LOOKUP_LDAP, Constants.LOOKUP_LDAPS }))
{ {
return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'ldap'调用"); return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'ldap'调用");
} }
else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS })) else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS }))
{ {
return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用"); return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)'调用");
} }
else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR)) else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
{ {
return error("新增任务'" + job.getJobName() + "'失败,目标字符串存在违规"); return error("新增任务'" + job.getJobName() + "'失败,目标字符串存在违规");
} }
else if (!ScheduleUtils.whiteList(job.getInvokeTarget()))
{
return error("新增任务'" + job.getJobName() + "'失败,目标字符串不在白名单内");
}
job.setCreateBy(getUsername()); job.setCreateBy(getUsername());
return toAjax(jobService.insertJob(job)); return toAjax(jobService.insertJob(job));
} }
@ -121,18 +126,22 @@ public class SysJobController extends BaseController
{ {
return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi'调用"); return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi'调用");
} }
else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_LDAP)) else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.LOOKUP_LDAP, Constants.LOOKUP_LDAPS }))
{ {
return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'ldap'调用"); return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'ldap'调用");
} }
else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS })) else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS }))
{ {
return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用"); return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)'调用");
} }
else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR)) else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
{ {
return error("修改任务'" + job.getJobName() + "'失败,目标字符串存在违规"); return error("修改任务'" + job.getJobName() + "'失败,目标字符串存在违规");
} }
else if (!ScheduleUtils.whiteList(job.getInvokeTarget()))
{
return error("新增任务'" + job.getJobName() + "'失败,目标字符串不在白名单内");
}
job.setUpdateBy(getUsername()); job.setUpdateBy(getUsername());
return toAjax(jobService.updateJob(job)); return toAjax(jobService.updateJob(job));
} }

22
ruoyi-quartz/src/main/java/com/ruoyi/quartz/util/ScheduleUtils.java
View File

@ -10,9 +10,11 @@ import org.quartz.Scheduler;
import org.quartz.SchedulerException; import org.quartz.SchedulerException;
import org.quartz.TriggerBuilder; import org.quartz.TriggerBuilder;
import org.quartz.TriggerKey; import org.quartz.TriggerKey;
import com.ruoyi.common.constant.Constants;
import com.ruoyi.common.constant.ScheduleConstants; import com.ruoyi.common.constant.ScheduleConstants;
import com.ruoyi.common.exception.job.TaskException; import com.ruoyi.common.exception.job.TaskException;
import com.ruoyi.common.exception.job.TaskException.Code; import com.ruoyi.common.exception.job.TaskException.Code;
import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.quartz.domain.SysJob; import com.ruoyi.quartz.domain.SysJob;
/** /**
@ -110,4 +112,24 @@ public class ScheduleUtils
+ "' cannot be used in cron schedule tasks", Code.CONFIG_ERROR); + "' cannot be used in cron schedule tasks", Code.CONFIG_ERROR);
} }
} }
/**
* 检查包名是否为白名单配置
*
* @param invokeTarget 目标字符串
* @return 结果
*/
public static boolean whiteList(String invokeTarget)
{
String packageName = StringUtils.substringBefore(invokeTarget, ")");
int count = StringUtils.countMatches(packageName, ".");
if (count > 1)
{
if (!StringUtils.containsAnyIgnoreCase(invokeTarget, Constants.JOB_WHITELIST_STR))
{
return false;
}
}
return true;
}
} }