diff --git a/pom.xml b/pom.xml
index d4ecdd6c..3336a503 100644
--- a/pom.xml
+++ b/pom.xml
@@ -21,7 +21,7 @@
2020.0.4
2021.1
2.0.3
- 2.5.2
+ 2.5.3
2.2.0
3.0.0
1.6.2
diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java
index edb90246..d97ba692 100644
--- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java
@@ -112,4 +112,10 @@ public class Constants
* 资源映射路径 前缀
*/
public static final String RESOURCE_PREFIX = "/profile";
+
+ /**
+ * 定时任务违规的字符
+ */
+ public static final String[] JOB_ERROR_STR = { "java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml",
+ "org.springframework.jndi" };
}
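Review bot: `JOB_ERROR_STR` is declared `public static final String[]`, and a final reference to an array does not make its contents immutable — any code with access to `Constants` can overwrite an entry at runtime and silently weaken the denylist that `SysJobController` checks against. Keep the array private and expose a defensive copy, or switch to `List.of(...)` where the call sites can accept a collection instead of varargs. The Javadoc is the only description of its purpose; in English it would read `/** Substrings that must not appear in a scheduled job's invoke target; matched case-insensitively by the job controller. */`.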
diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/utils/html/EscapeUtil.java b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/utils/html/EscapeUtil.java
index 9ddae356..2f5a8721 100644
--- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/utils/html/EscapeUtil.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/utils/html/EscapeUtil.java
@@ -69,26 +69,37 @@ public class EscapeUtil
*/
private static String encode(String text)
{
- int len;
- if ((text == null) || ((len = text.length()) == 0))
+ if (StringUtils.isEmpty(text))
{
return StringUtils.EMPTY;
}
- StringBuilder buffer = new StringBuilder(len + (len >> 2));
+
+ final StringBuilder tmp = new StringBuilder(text.length() * 6);
char c;
- for (int i = 0; i < len; i++)
+ for (int i = 0; i < text.length(); i++)
{
c = text.charAt(i);
- if (c < 64)
+ if (c < 256)
{
- buffer.append(TEXT[c]);
+ tmp.append("%");
+ if (c < 16)
+ {
+ tmp.append("0");
+ }
+ tmp.append(Integer.toString(c, 16));
}
else
{
- buffer.append(c);
+ tmp.append("%u");
+ if (c <= 0xfff)
+ {
+ // issue#I49JU8@Gitee
+ tmp.append("0");
+ }
+ tmp.append(Integer.toString(c, 16));
}
}
- return buffer.toString();
+ return tmp.toString();
}
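Review bot: The method's Javadoc ends at the first context line (`*/`) and lies outside the hunk, so it is not clear that it describes the new output format; it should state that every character below 256 is emitted as `%xx` and every other character as `%uxxxx` (lowercase, zero-padded), and that only this class's own `unescape` is expected to reverse it. The `%xx` form for 0x80–0xff is not UTF-8 percent-encoding, so the result would decode differently under a standard URL decoder — worth saying in that Javadoc. The `TEXT` table the removed lines indexed is no longer referenced here; if nothing else reads it, it is now dead. `char c;` declared before the loop would read more clearly as `char c = text.charAt(i);` inside it.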
/**
@@ -145,11 +156,12 @@ public class EscapeUtil
public static void main(String[] args)
{
String html = "";
+ String escape = EscapeUtil.escape(html);
// String html = "ipt>alert(\"XSS\")ipt>";
// String html = "<123";
// String html = "123>";
- System.out.println(EscapeUtil.clean(html));
- System.out.println(EscapeUtil.escape(html));
- System.out.println(EscapeUtil.unescape(html));
+ System.out.println("clean: " + EscapeUtil.clean(html));
+ System.out.println("escape: " + escape);
+ System.out.println("unescape: " + EscapeUtil.unescape(escape));
}
}
diff --git a/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java b/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java
index 4fbd5eae..5cf87af7 100644
--- a/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java
+++ b/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java
@@ -99,6 +99,10 @@ public class SysJobController extends BaseController
{
return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用");
}
+ else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
+ {
+ return error("新增任务'" + job.getJobName() + "'失败,目标字符串存在违规");
+ }
job.setCreateBy(SecurityUtils.getUsername());
return toAjax(jobService.insertJob(job));
}
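Review bot: The new denylist check is duplicated verbatim in `add` (this hunk) and in the `edit` hunk below, differing only in the message prefix, so the two will drift the next time a rule is added; extract one private helper such as `private boolean hasForbiddenInvokeTarget(String invokeTarget)` that both methods call before building their error message. A substring denylist on `invokeTarget` is a mitigation rather than a boundary — the stronger control is to accept only invoke targets whose bean or class is on an explicit allowlist, keeping the denylist as defence in depth. Whether `getInvokeTarget()` may be null here depends on the null handling of `StringUtils.containsAnyIgnoreCase`, which is not visible; confirm it returns false rather than throwing. Both enclosing methods start outside their hunks.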
@@ -127,6 +131,10 @@ public class SysJobController extends BaseController
{
return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用");
}
+ else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
+ {
+ return error("修改任务'" + job.getJobName() + "'失败,目标字符串存在违规");
+ }
job.setUpdateBy(SecurityUtils.getUsername());
return toAjax(jobService.updateJob(job));
}
diff --git a/ruoyi-ui/package.json b/ruoyi-ui/package.json
index fbcebb9a..4176a049 100644
--- a/ruoyi-ui/package.json
+++ b/ruoyi-ui/package.json
@@ -37,7 +37,7 @@
},
"dependencies": {
"@riophae/vue-treeselect": "0.4.0",
- "axios": "0.21.0",
+ "axios": "0.24.0",
"clipboard": "2.0.6",
"core-js": "3.8.1",
"echarts": "4.9.0",
diff --git a/ruoyi-ui/src/api/login.js b/ruoyi-ui/src/api/login.js
index 74ed95ed..6b0cda03 100644
--- a/ruoyi-ui/src/api/login.js
+++ b/ruoyi-ui/src/api/login.js
@@ -4,6 +4,9 @@ import request from '@/utils/request'
export function login(username, password, code, uuid) {
return request({
url: '/auth/login',
+ headers: {
+ isToken: false
+ },
method: 'post',
data: { username, password, code, uuid }
})
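Review bot: `isToken: false` is placed inside `headers`, so unless the request interceptor deletes the key after reading it, the flag is sent to the server as a literal `isToken` HTTP header on both `login` (this hunk) and `getCodeImg` (the hunk below); the interceptor in `@/utils/request` is not visible here, so confirm it strips the key. A one-line comment would spare the next reader the lookup: `// isToken: false — tell the request interceptor not to attach the stored token`. The same comment belongs in `getCodeImg`.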
@@ -49,6 +52,9 @@ export function logout() {
export function getCodeImg() {
return request({
url: '/code',
+ headers: {
+ isToken: false
+ },
method: 'get',
timeout: 20000
})
diff --git a/ruoyi-ui/src/utils/ruoyi.js b/ruoyi-ui/src/utils/ruoyi.js
index 8d5bfc6d..0bdaa618 100644
--- a/ruoyi-ui/src/utils/ruoyi.js
+++ b/ruoyi-ui/src/utils/ruoyi.js
@@ -87,8 +87,8 @@ export function selectDictLabels(datas, value, separator) {
var temp = value.split(currentSeparator);
Object.keys(value.split(currentSeparator)).some((val) => {
Object.keys(datas).some((key) => {
- if (datas[key].dictValue == ('' + temp[val])) {
- actions.push(datas[key].dictLabel + currentSeparator);
+ if (datas[key].value == ('' + temp[val])) {
+ actions.push(datas[key].label + currentSeparator);
}
})
})
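Review bot: The rewritten comparison on the `if` line uses loose equality even though the right-hand side is already coerced to a string with `'' + temp[val]`; strict equality makes that intent explicit: `if (datas[key].value === ('' + temp[val])) {`. The surrounding `.some()` callbacks never return a value, so they behave as `forEach` and never short-circuit — presumably unintended, but those lines are context rather than part of this change. The rename to `value`/`label` assumes every dict entry passed in now uses those keys; the callers are outside this hunk. `selectDictLabels` starts before the hunk and continues past it.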