修复安全漏洞。优化代码

admin/pom.xml

@@ -27,6 +27,11 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
         </dependency>
+        <dependency>
+            <groupId>net.logstash.logback</groupId>
+            <artifactId>logstash-logback-encoder</artifactId>
+            <version>${logstash-logback-encoder}</version>
+        </dependency>
 <!--        <dependency>-->
 <!--            <groupId>org.springframework.boot</groupId>-->
 <!--            <artifactId>spring-boot-starter-mail</artifactId>-->

buyer-api/src/main/java/cn/lili/controller/member/CouponBuyerController.java

@@ -1,15 +1,16 @@
 package cn.lili.controller.member;
 
-import cn.lili.common.enums.ResultCode;
-import cn.lili.common.security.context.UserContext;
 import cn.lili.common.enums.ResultUtil;
+import cn.lili.common.security.AuthUser;
+import cn.lili.common.security.context.UserContext;
 import cn.lili.common.vo.PageVO;
 import cn.lili.common.vo.ResultMessage;
 import cn.lili.modules.promotion.entity.dos.MemberCoupon;
 import cn.lili.modules.promotion.entity.vos.CouponSearchParams;
 import cn.lili.modules.promotion.entity.vos.CouponVO;
 import cn.lili.modules.promotion.service.CouponService;
 import cn.lili.modules.promotion.service.MemberCouponService;
+import cn.lili.modules.system.utils.OperationalJudgment;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
@@ -22,6 +23,7 @@
 import org.springframework.web.bind.annotation.RestController;
 
 import javax.validation.constraints.NotNull;
+import java.util.Objects;
 
 /**
  * 买家端,买家优惠券接口
@@ -56,14 +58,16 @@ public ResultMessage<IPage<CouponVO>> getCouponList(CouponSearchParams queryPara
     @ApiOperation(value = "获取当前会员的优惠券列表")
     @GetMapping("/getCoupons")
     public ResultMessage<IPage<MemberCoupon>> getCoupons(CouponSearchParams param, PageVO pageVo) {
-        param.setMemberId(UserContext.getCurrentUser().getId());
+        AuthUser currentUser = Objects.requireNonNull(UserContext.getCurrentUser());
+        param.setMemberId(currentUser.getId());
         return ResultUtil.data(memberCouponService.getMemberCoupons(param, pageVo));
     }
 
     @ApiOperation(value = "获取当前会员的对于当前商品可使用的优惠券列表")
     @GetMapping("/canUse")
     public ResultMessage<IPage<MemberCoupon>> getCouponsByCanUse(CouponSearchParams param, Double totalPrice, PageVO pageVo) {
-        param.setMemberId(UserContext.getCurrentUser().getId());
+        AuthUser currentUser = Objects.requireNonNull(UserContext.getCurrentUser());
+        param.setMemberId(currentUser.getId());
         return ResultUtil.data(memberCouponService.getMemberCouponsByCanUse(param, totalPrice, pageVo));
     }
 
@@ -79,8 +83,9 @@ public ResultMessage<Object> getMemberCouponsNum() {
     })
     @GetMapping("/receive/{couponId}")
     public ResultMessage<Object> receiveCoupon(@NotNull(message = "优惠券ID不能为空") @PathVariable("couponId") String couponId) {
-        memberCouponService.checkCouponLimit(couponId, UserContext.getCurrentUser().getId());
-        memberCouponService.receiveCoupon(couponId, UserContext.getCurrentUser().getId(), UserContext.getCurrentUser().getNickName());
+        AuthUser currentUser = Objects.requireNonNull(UserContext.getCurrentUser());
+        memberCouponService.checkCouponLimit(couponId, currentUser.getId());
+        memberCouponService.receiveCoupon(couponId, currentUser.getId(), currentUser.getNickName());
         return ResultUtil.success();
     }
 
@@ -90,7 +95,7 @@ public ResultMessage<Object> receiveCoupon(@NotNull(message = "优惠券ID不能
     })
     @GetMapping(value = "/get/{id}")
     public ResultMessage<MemberCoupon> get(@NotNull(message = "优惠券ID不能为空") @PathVariable("id") String id) {
-        MemberCoupon memberCoupon = memberCouponService.getById(id);
+        MemberCoupon memberCoupon = OperationalJudgment.judgment(memberCouponService.getById(id));
         return ResultUtil.data(memberCoupon);
     }
 

buyer-api/src/main/java/cn/lili/controller/member/MemberAddressBuyerController.java

@@ -6,6 +6,7 @@
 import cn.lili.common.vo.ResultMessage;
 import cn.lili.modules.member.entity.dos.MemberAddress;
 import cn.lili.modules.promotion.service.MemberAddressService;
+import cn.lili.modules.system.utils.OperationalJudgment;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
@@ -14,6 +15,7 @@
 import org.springframework.web.bind.annotation.*;
 
 import javax.validation.Valid;
+import java.util.Objects;
 
 
 /**
@@ -56,7 +58,7 @@ public ResultMessage<MemberAddress> getDefaultShippingAddress() {
     @PostMapping
     public ResultMessage<MemberAddress> addShippingAddress(@Valid MemberAddress shippingAddress) {
         //添加会员地址
-        shippingAddress.setMemberId(UserContext.getCurrentUser().getId());
+        shippingAddress.setMemberId(Objects.requireNonNull(UserContext.getCurrentUser()).getId());
         if(shippingAddress.getIsDefault()==null){
             shippingAddress.setIsDefault(false);
         }
@@ -73,6 +75,7 @@ public ResultMessage<MemberAddress> editShippingAddress(@Valid MemberAddress shi
     @ApiImplicitParam(name = "id", value = "会员地址ID", dataType = "String", paramType = "path")
     @DeleteMapping(value = "/delById/{id}")
     public ResultMessage<Object> delShippingAddressById(@PathVariable String id) {
+        OperationalJudgment.judgment(memberAddressService.getById(id));
         memberAddressService.removeMemberAddress(id);
         return ResultUtil.success();
     }

buyer-api/src/main/java/cn/lili/controller/passport/MemberBuyerController.java

@@ -1,6 +1,7 @@
 package cn.lili.controller.passport;
 
 import cn.lili.common.enums.ResultUtil;
+import cn.lili.common.security.enums.UserEnums;
 import cn.lili.common.vo.ResultMessage;
 import cn.lili.modules.member.entity.dos.Member;
 import cn.lili.modules.member.entity.dto.MemberEditDTO;
@@ -49,6 +50,13 @@ public ResultMessage<Object> userLogin(@NotNull(message = "用户名不能为空
         return ResultUtil.data(this.memberService.usernameLogin(username, password));
     }
 
+    @ApiOperation(value = "注销接口")
+    @PostMapping("/logout")
+    public ResultMessage<Object> logout() {
+        this.memberService.logout(UserEnums.MEMBER);
+        return ResultUtil.success();
+    }
+
     @ApiOperation(value = "短信登录接口")
     @ApiImplicitParams({
             @ApiImplicitParam(name = "mobile", value = "手机号", required = true, paramType = "query"),

buyer-api/src/main/java/cn/lili/controller/trade/AfterSaleBuyerController.java

@@ -13,6 +13,7 @@
 import cn.lili.modules.order.order.service.AfterSaleService;
 import cn.lili.modules.order.trade.entity.dos.AfterSaleLog;
 import cn.lili.modules.store.entity.dto.StoreAfterSaleAddressDTO;
+import cn.lili.modules.system.utils.OperationalJudgment;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
@@ -57,7 +58,8 @@ public class AfterSaleBuyerController {
     @ApiImplicitParam(name = "sn", value = "售后单号", required = true, paramType = "path")
     @GetMapping(value = "/get/{sn}")
     public ResultMessage<AfterSaleVO> get(@NotNull(message = "售后单号") @PathVariable("sn") String sn) {
-        return ResultUtil.data(afterSaleService.getAfterSale(sn));
+        AfterSaleVO afterSale = OperationalJudgment.judgment(afterSaleService.getAfterSale(sn));
+        return ResultUtil.data(afterSale);
     }
 
     @ApiOperation(value = "分页获取售后服务")
@@ -72,7 +74,8 @@ public ResultMessage<IPage<AfterSaleVO>> getByPage(AfterSaleSearchParams searchP
     })
     @GetMapping(value = "/applyAfterSaleInfo/{sn}")
     public ResultMessage<AfterSaleApplyVO> applyAfterSaleInfo(@PathVariable String sn) {
-        return ResultUtil.data(afterSaleService.getAfterSaleVO(sn));
+        AfterSaleApplyVO afterSaleApplyVO = OperationalJudgment.judgment(afterSaleService.getAfterSaleVO(sn));
+        return ResultUtil.data(afterSaleApplyVO);
     }
 
     @PostMapping(value = "/save/{orderItemSn}")
@@ -95,7 +98,7 @@ public ResultMessage<AfterSale> save(AfterSaleDTO afterSaleDTO) {
     public ResultMessage<AfterSale> delivery(@NotNull(message = "售后编号不能为空") @PathVariable("afterSaleSn") String afterSaleSn,
                                              @NotNull(message = "发货单号不能为空") @RequestParam String logisticsNo,
                                              @NotNull(message = "请选择物流公司") @RequestParam String logisticsId,
-                                             @NotNull(message = "请选择发货时间") @RequestParam  @DateTimeFormat(pattern = "yyyy-MM-dd") Date mDeliverTime) {
+                                             @NotNull(message = "请选择发货时间") @RequestParam @DateTimeFormat(pattern = "yyyy-MM-dd") Date mDeliverTime) {
         return ResultUtil.data(afterSaleService.buyerDelivery(afterSaleSn, logisticsNo, logisticsId, mDeliverTime));
     }
 

buyer-api/src/main/java/cn/lili/controller/trade/OrderBuyerController.java

@@ -1,17 +1,18 @@
 package cn.lili.controller.trade;
 
 import cn.lili.common.enums.ResultCode;
+import cn.lili.common.enums.ResultUtil;
 import cn.lili.common.exception.ServiceException;
 import cn.lili.common.security.AuthUser;
 import cn.lili.common.security.context.UserContext;
-import cn.lili.common.enums.ResultUtil;
 import cn.lili.common.vo.ResultMessage;
 import cn.lili.modules.order.order.entity.dos.Order;
 import cn.lili.modules.order.order.entity.dto.OrderSearchParams;
 import cn.lili.modules.order.order.entity.enums.OrderStatusEnum;
 import cn.lili.modules.order.order.entity.vo.OrderDetailVO;
 import cn.lili.modules.order.order.entity.vo.OrderSimpleVO;
 import cn.lili.modules.order.order.service.OrderService;
+import cn.lili.modules.system.utils.OperationalJudgment;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
@@ -23,6 +24,7 @@
 
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;
+import java.util.Objects;
 
 /**
  * 买家端,订单接口
@@ -44,7 +46,7 @@ public class OrderBuyerController {
     @ApiOperation(value = "查询会员订单列表")
     @GetMapping
     public ResultMessage<IPage<OrderSimpleVO>> queryMineOrder(OrderSearchParams orderSearchParams) {
-        AuthUser currentUser = UserContext.getCurrentUser();
+        AuthUser currentUser = Objects.requireNonNull(UserContext.getCurrentUser());
         orderSearchParams.setMemberId(currentUser.getId());
         return ResultUtil.data(orderService.queryByParams(orderSearchParams));
     }
@@ -55,7 +57,9 @@ public ResultMessage<IPage<OrderSimpleVO>> queryMineOrder(OrderSearchParams orde
     })
     @GetMapping(value = "/{orderSn}")
     public ResultMessage<OrderDetailVO> detail(@NotNull(message = "订单编号不能为空") @PathVariable("orderSn") String orderSn) {
-        return ResultUtil.data(orderService.queryDetail(orderSn));
+        OrderDetailVO orderDetailVO = orderService.queryDetail(orderSn);
+        OperationalJudgment.judgment(orderDetailVO.getOrder());
+        return ResultUtil.data(orderDetailVO);
     }
 
     @ApiOperation(value = "确认收货")
@@ -93,6 +97,7 @@ public ResultMessage<Object> cancel(@ApiIgnore @PathVariable String orderSn, @Re
     })
     @DeleteMapping(value = "/{orderSn}")
     public ResultMessage<Object> deleteOrder(@PathVariable String orderSn) {
+        OperationalJudgment.judgment(orderService.getBySn(orderSn));
         orderService.deleteOrder(orderSn);
         return ResultUtil.success();
     }
@@ -103,6 +108,7 @@ public ResultMessage<Object> deleteOrder(@PathVariable String orderSn) {
     })
     @PostMapping(value = "/getTraces/{orderSn}")
     public ResultMessage<Object> getTraces(@NotBlank(message = "订单编号不能为空") @PathVariable String orderSn) {
+        OperationalJudgment.judgment(orderService.getBySn(orderSn));
         return ResultUtil.data(orderService.getTraces(orderSn));
     }
 
@@ -113,6 +119,7 @@ public ResultMessage<Object> getTraces(@NotBlank(message = "订单编号不能
     })
     @PostMapping(value = "/receipt/{orderSn}")
     public ResultMessage<Object> invoice(@NotBlank(message = "订单编号不能为空") @PathVariable String orderSn) {
+        OperationalJudgment.judgment(orderService.getBySn(orderSn));
         return ResultUtil.data(orderService.invoice(orderSn));
     }
 

buyer-api/src/main/java/cn/lili/controller/trade/OrderComplaintBuyerController.java

@@ -13,6 +13,7 @@
 import cn.lili.modules.order.order.entity.vo.OrderComplaintVO;
 import cn.lili.modules.order.order.service.OrderComplaintCommunicationService;
 import cn.lili.modules.order.order.service.OrderComplaintService;
+import cn.lili.modules.system.utils.OperationalJudgment;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
@@ -22,6 +23,7 @@
 import org.springframework.web.bind.annotation.*;
 
 import javax.validation.Valid;
+import java.util.Objects;
 
 /**
  * 买家端,交易投诉接口
@@ -51,13 +53,15 @@ public class OrderComplaintBuyerController {
     @ApiImplicitParam(name = "id", value = "投诉单ID", required = true, paramType = "path")
     @GetMapping(value = "/{id}")
     public ResultMessage<OrderComplaintVO> get(@PathVariable String id) {
-        return ResultUtil.data(orderComplaintService.getOrderComplainById(id));
+        OrderComplaintVO orderComplaintVO = OperationalJudgment.judgment(orderComplaintService.getOrderComplainById(id));
+        return ResultUtil.data(orderComplaintVO);
     }
 
     @ApiOperation(value = "分页获取")
     @GetMapping
     public ResultMessage<IPage<OrderComplaint>> get(OrderComplaintSearchParams searchParams, PageVO pageVO) {
-        searchParams.setMemberId(UserContext.getCurrentUser().getId());
+        AuthUser currentUser = Objects.requireNonNull(UserContext.getCurrentUser());
+        searchParams.setMemberId(currentUser.getId());
         return ResultUtil.data(orderComplaintService.getOrderComplainByPage(searchParams, pageVO));
 
     }
@@ -75,7 +79,7 @@ public ResultMessage<OrderComplaint> add(@Valid OrderComplaintDTO orderComplaint
     })
     @PostMapping("/communication")
     public ResultMessage<OrderComplaintCommunicationVO> addCommunication(@RequestParam String complainId, @RequestParam String content) {
-        AuthUser currentUser = UserContext.getCurrentUser();
+        AuthUser currentUser = Objects.requireNonNull(UserContext.getCurrentUser());
         OrderComplaintCommunicationVO communicationVO = new OrderComplaintCommunicationVO(complainId, content, CommunicationOwnerEnum.BUYER.name(), currentUser.getId(), currentUser.getNickName());
         orderComplaintCommunicationService.addCommunication(communicationVO);
         return ResultUtil.data(communicationVO);

common-api/src/main/java/cn/lili/controller/common/UploadController.java

@@ -1,18 +1,17 @@
 package cn.lili.controller.common;
 
-import cn.hutool.core.util.StrUtil;
+import cn.hutool.core.text.CharSequenceUtil;
 import cn.lili.cache.Cache;
 import cn.lili.common.enums.ResultCode;
+import cn.lili.common.enums.ResultUtil;
 import cn.lili.common.exception.ServiceException;
+import cn.lili.common.properties.SystemSettingProperties;
 import cn.lili.common.security.AuthUser;
 import cn.lili.common.security.context.UserContext;
 import cn.lili.common.security.enums.UserEnums;
 import cn.lili.common.utils.Base64DecodeMultipartFile;
 import cn.lili.common.utils.CommonUtil;
-import cn.lili.common.enums.ResultUtil;
-import cn.lili.common.utils.StringUtils;
 import cn.lili.common.vo.ResultMessage;
-import cn.lili.common.properties.SystemSettingProperties;
 import cn.lili.modules.file.entity.File;
 import cn.lili.modules.file.plugin.FileManagerPlugin;
 import cn.lili.modules.file.service.FileService;
@@ -30,6 +29,7 @@
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.InputStream;
+import java.util.Objects;
 
 /**
  * 文件上传接口
@@ -68,16 +68,24 @@ public ResultMessage<Object> upload(MultipartFile file,
             throw new ServiceException(ResultCode.USER_AUTHORITY_ERROR);
         }
         Setting setting = settingService.get(SettingEnum.OSS_SETTING.name());
-        if (setting == null || StrUtil.isBlank(setting.getSettingValue())) {
+        if (setting == null || CharSequenceUtil.isBlank(setting.getSettingValue())) {
             throw new ServiceException(ResultCode.OSS_NOT_EXIST);
         }
+        if (file == null || CharSequenceUtil.isEmpty(file.getContentType())) {
+            throw new ServiceException(ResultCode.IMAGE_FILE_EXT_ERROR);
+        }
+
+
+        if (!CharSequenceUtil.containsAny(file.getContentType().toLowerCase(), "image")) {
+            throw new ServiceException(ResultCode.FILE_TYPE_NOT_SUPPORT);
+        }
 
-        if (StringUtils.isNotBlank(base64)) {
+        if (CharSequenceUtil.isNotBlank(base64)) {
             //base64上传
             file = Base64DecodeMultipartFile.base64Convert(base64);
         }
-        String result = "";
-        String fileKey = CommonUtil.rename(file.getOriginalFilename());
+        String result;
+        String fileKey = CommonUtil.rename(Objects.requireNonNull(file.getOriginalFilename()));
         File newFile = new File();
         try {
             InputStream inputStream = file.getInputStream();

consumer/src/main/java/cn/lili/listener/NoticeSendMessageListener.java

@@ -2,11 +2,9 @@
 
 import cn.hutool.json.JSONUtil;
 import cn.lili.common.enums.SwitchEnum;
-import cn.lili.rocketmq.tags.OtherTagsEnum;
-import cn.lili.modules.system.sms.SmsUtil;
 import cn.lili.common.vo.PageVO;
-import cn.lili.modules.member.entity.dos.Member;
 import cn.lili.modules.member.entity.vo.MemberSearchVO;
+import cn.lili.modules.member.entity.vo.MemberVO;
 import cn.lili.modules.member.mapper.MemberMapper;
 import cn.lili.modules.member.service.MemberService;
 import cn.lili.modules.message.entity.dos.MemberMessage;
@@ -20,6 +18,8 @@
 import cn.lili.modules.message.service.StoreMessageService;
 import cn.lili.modules.store.entity.dos.Store;
 import cn.lili.modules.store.service.StoreService;
+import cn.lili.modules.system.sms.SmsUtil;
+import cn.lili.rocketmq.tags.OtherTagsEnum;
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import org.apache.rocketmq.common.message.MessageExt;
@@ -169,7 +169,7 @@ private void saveMemberMessage(Message message) {
                 PageVO pageVO = new PageVO();
                 pageVO.setPageSize(pageSize);
                 pageVO.setPageNumber(i);
-                IPage<Member> page = memberService.getMemberPage(memberSearchVO, pageVO);
+                IPage<MemberVO> page = memberService.getMemberPage(memberSearchVO, pageVO);
                 //循环要保存的信息
                 page.getRecords().forEach(item -> {
                     MemberMessage memberMessage = new MemberMessage();

framework/pom.xml

@@ -302,6 +302,13 @@
             <artifactId>commons-text</artifactId>
             <version>${commons-text}</version>
         </dependency>
+        <!-- https://mvnrepository.com/artifact/com.googlecode.owasp-java-html-sanitizer/owasp-java-html-sanitizer -->
+        <dependency>
+            <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
+            <artifactId>owasp-java-html-sanitizer</artifactId>
+            <version>${owasp-java-html-sanitizer}</version>
+        </dependency>
+
     </dependencies>