refactor: 通过excel注入数据时 清除掉html标签 防止注入

This commit is contained in:
valarchie
2022-10-16 23:26:32 +08:00
parent 31beb1288c
commit 28c859ef66
3 changed files with 38 additions and 16 deletions


@@ -67,8 +67,8 @@ public class SysUserController extends BaseController {
@AccessLog(title = "用户管理", businessType = BusinessType.IMPORT)
@PreAuthorize("@ss.hasPerm('system:user:import')")
@PostMapping("/importData")
public ResponseDTO importData(MultipartFile file) {
List<?> commands = CustomExcelUtil.readFromResponse(AddUserCommand.class, file);
public ResponseDTO<?> importData(MultipartFile file) {
List<?> commands = CustomExcelUtil.readFromRequest(AddUserCommand.class, file);
LoginUser loginUser = AuthenticationUtils.getLoginUser();
for (Object command : commands) {
@@ -99,7 +99,7 @@ public class SysUserController extends BaseController {
@PreAuthorize("@ss.hasPerm('system:user:add') AND @ss.checkDataScopeWithDeptId(#command.deptId)")
@AccessLog(title = "用户管理", businessType = BusinessType.INSERT)
@PostMapping
public ResponseDTO add(@Validated @RequestBody AddUserCommand command) {
public ResponseDTO<?> add(@Validated @RequestBody AddUserCommand command) {
LoginUser loginUser = AuthenticationUtils.getLoginUser();
userApplicationService.addUser(loginUser, command);
return ResponseDTO.ok();
@@ -111,7 +111,7 @@ public class SysUserController extends BaseController {
@PreAuthorize("@ss.hasPerm('system:user:edit') AND @ss.checkDataScopeWithUserId(#command.userId)")
@AccessLog(title = "用户管理", businessType = BusinessType.UPDATE)
@PutMapping
public ResponseDTO edit(@Validated @RequestBody UpdateUserCommand command) {
public ResponseDTO<?> edit(@Validated @RequestBody UpdateUserCommand command) {
LoginUser loginUser = AuthenticationUtils.getLoginUser();
userApplicationService.updateUser(loginUser, command);
return ResponseDTO.ok();
@@ -123,7 +123,7 @@ public class SysUserController extends BaseController {
@PreAuthorize("@ss.hasPerm('system:user:remove') AND @ss.checkDataScopeWithUserIds(#userIds)")
@AccessLog(title = "用户管理", businessType = BusinessType.DELETE)
@DeleteMapping("/{userIds}")
public ResponseDTO remove(@PathVariable List<Long> userIds) {
public ResponseDTO<?> remove(@PathVariable List<Long> userIds) {
BulkOperationCommand<Long> bulkDeleteCommand = new BulkOperationCommand(userIds);
LoginUser loginUser = AuthenticationUtils.getLoginUser();
userApplicationService.deleteUsers(loginUser, bulkDeleteCommand);
@@ -136,7 +136,7 @@ public class SysUserController extends BaseController {
@PreAuthorize("@ss.hasPerm('system:user:resetPwd') AND @ss.checkDataScopeWithUserId(#userId)")
@AccessLog(title = "用户管理", businessType = BusinessType.UPDATE)
@PutMapping("/{userId}/password/reset")
public ResponseDTO resetPassword(@PathVariable Long userId, @RequestBody ResetPasswordCommand command) {
public ResponseDTO<?> resetPassword(@PathVariable Long userId, @RequestBody ResetPasswordCommand command) {
command.setUserId(userId);
LoginUser loginUser = AuthenticationUtils.getLoginUser();
userApplicationService.resetUserPassword(loginUser, command);
@@ -149,7 +149,7 @@ public class SysUserController extends BaseController {
@PreAuthorize("@ss.hasPerm('system:user:edit') AND @ss.checkDataScopeWithUserId(#command.userId)")
@AccessLog(title = "用户管理", businessType = BusinessType.UPDATE)
@PutMapping("/{userId}/status")
public ResponseDTO changeStatus(@PathVariable Long userId, @RequestBody ChangeStatusCommand command) {
public ResponseDTO<?> changeStatus(@PathVariable Long userId, @RequestBody ChangeStatusCommand command) {
command.setUserId(userId);
LoginUser loginUser = AuthenticationUtils.getLoginUser();
userApplicationService.changeUserStatus(loginUser, command);
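Review bot: The rows parsed from the spreadsheet in importData never go through `@Validated`, unlike the JSON bodies of `add` and `edit` in the later hunks, so unless the loop beginning at `for (Object command : commands)` validates each row itself, the bean constraints on AddUserCommand are not enforced for bulk import; the loop body continues outside the hunk, so this is a point to confirm rather than a certain defect. The helper also returns `List<?>`, which forces the loop to iterate `Object` and cast each element. If `readFromRequest` were declared generically (`<T> List<T> readFromRequest(Class<T> clazz, MultipartFile file)`), this line could become `List<AddUserCommand> commands = CustomExcelUtil.readFromRequest(AddUserCommand.class, file);` and the cast disappears.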


@@ -5,6 +5,8 @@ import cn.hutool.poi.excel.ExcelUtil;
import cn.hutool.poi.excel.ExcelWriter;
import com.agileboot.common.annotation.ExcelColumn;
import com.agileboot.common.annotation.ExcelSheet;
import com.agileboot.common.exception.ApiException;
import com.agileboot.common.exception.error.ErrorCode.Internal;
import java.io.IOException;
import java.lang.reflect.Field;
import java.util.List;
@@ -56,25 +58,25 @@ public class CustomExcelUtil {
}
public static List<?> readFromResponse(Class clazz, MultipartFile file) {
public static List<?> readFromRequest(Class clazz, MultipartFile file) {
ExcelReader reader;
ExcelReader reader = null;
try {
reader = ExcelUtil.getReader(file.getInputStream());
// 去除掉excel中的html标签语言 避免xss攻击
reader.setCellEditor(new TrimXssEditor());
} catch (IOException e) {
e.printStackTrace();
throw new ApiException(Internal.UNKNOWN_ERROR);
}
Field[] fields = clazz.getDeclaredFields();
//自定义标题别名
if (fields != null) {
for (Field field : fields) {
ExcelColumn annotation = field.getAnnotation(ExcelColumn.class);
if (annotation != null) {
reader.addHeaderAlias(annotation.name(), field.getName());
}
for (Field field : fields) {
ExcelColumn annotation = field.getAnnotation(ExcelColumn.class);
if (annotation != null) {
reader.addHeaderAlias(annotation.name(), field.getName());
}
}
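Review bot: The catch block in readFromRequest still calls `e.printStackTrace()` before throwing, so the failure goes to stderr rather than the application log, and the original `IOException` is not attached to the `ApiException` that replaces it; log it through the class's logger and pass `e` as the cause if `ApiException` offers a constructor that accepts one. Because the catch now always throws, `ExcelReader reader = null;` is redundant — the previous `ExcelReader reader;` already satisfies definite assignment. `Class clazz` is a raw type; `Class<T>` with a `<T> List<T>` return type would give callers a typed list instead of `List<?>`. Nothing in this hunk closes the reader; hutool's `ExcelReader` is `Closeable`, so unless the remainder of the method (outside the hunk) releases it, the workbook stays open after the rows are read.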


@@ -0,0 +1,20 @@
package com.agileboot.common.utils.poi;
import cn.hutool.http.HtmlUtil;
import cn.hutool.poi.excel.cell.CellEditor;
import org.apache.poi.ss.usermodel.Cell;
/**
* @author valarchie
* 读取excel的时候去除掉html相关的标签 避免xss注入
*/
public class TrimXssEditor implements CellEditor {
@Override
public Object edit(Cell cell, Object value) {
if (value instanceof String) {
return HtmlUtil.cleanHtmlTag(value.toString());
}
return value;
}
}
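Review bot: `HtmlUtil.cleanHtmlTag` in TrimXssEditor.edit removes tags rather than encoding them, so legitimate cell text containing angle-bracket sequences is silently altered before it reaches the domain object and the stored value no longer matches the upload; this is a reasonable defence-in-depth step for the import path, but it does not replace output encoding where these fields are rendered, and the same fields arriving through the JSON `add`/`edit` endpoints in the first file do not pass through it. The class comment should state that behaviour, e.g. `Strips HTML tags from string cells during Excel import (defence in depth against stored XSS); non-string values pass through unchanged.` Minor: since the branch already checks `value instanceof String`, a cast `(String) value` (or `instanceof String s` if the project's Java level allows pattern matching) reads more directly than `value.toString()`.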