feat: 攻防漏洞修复

10 months ago · 4ed28e54df
parent c11e0b6418
commit 4ed28e54df
7 changed files with 73 additions and 8 deletions
--- a/src/main/java/com/glxp/api/constant/Constant.java
+++ b/src/main/java/com/glxp/api/constant/Constant.java
@ -241,6 +241,9 @@ public class Constant {

    public static final String ORDER_STATUS_RETURN = "supReturned";

+    //密码错误次数
+    public static final String PASSWORD_ERROR_COUNT = "PasswordErrorCount";
+
    /**前端页面查询相关单据类型标识*/


@ -271,5 +274,5 @@ public class Constant {

    public static final String SERIAL_CACHE_PREFIX_PLACE = "serialplace_";
    //密码复杂度校验
-    public static final String passwordReg = "^(?![a-zA-Z]+$)(?![A-Z0-9]+$)(?![A-Z\\W_.*%@!]+$)(?![a-z0-9]+$)(?![a-z\\W_.;*%@!]+$)(?![0-9\\W_.;*%@!]+$)[a-zA-Z0-9\\W_.;*%@!]{8,20}$";
+    public static final String passwordReg = "^(?![a-zA-Z]+$)(?![A-Z0-9]+$)(?![A-Z\\W_.*%@!]+$)(?![a-z0-9]+$)(?![a-z\\W_.;*%@!]+$)(?![0-9\\W_.;*%@!]+$)[a-zA-Z0-9\\W_.;*%@!]{12,20}$";
 }
--- a/src/main/java/com/glxp/api/controller/auth/AuthUserController.java
+++ b/src/main/java/com/glxp/api/controller/auth/AuthUserController.java
@ -145,13 +145,35 @@ public class AuthUserController extends BaseController {
            return ResultVOUtils.error(500, "请输入确认密码！");
        }

-        if (!updateUserRequset.getPassWord().equals(authAdmin.getPassWord())) {
+        if (!updateUserRequset.getPassWord().equals(authAdmin.getPassWord()) && !PasswordUtils.authAdminPwd(updateUserRequset.getPassWord()).equals(authAdmin.getPassWord()) ) {
            return ResultVOUtils.error(500, "当前密码输入错误！请重新输入！");
        }
-        if (updateUserRequset.getNewPassword().equals(authAdmin.getPassWord())) {
+        if (updateUserRequset.getNewPassword().equals(authAdmin.getPassWord()) || PasswordUtils.authAdminPwd(updateUserRequset.getNewPassword()).equals(authAdmin.getPassWord())) {
            return ResultVOUtils.error(500, "新密码与旧密码重复！请重新修改！");
        }
-        if (updateUserRequset.getNewPassword().equals(updateUserRequset.getConfirmPassword()) && updateUserRequset.getPassWord().equals(authAdmin.getPassWord())) {
+        List<String> oldPassWords = this.splitPassword(authAdmin.getOldPassWord());
+        if (oldPassWords.contains(PasswordUtils.authAdminPwd(updateUserRequset.getNewPassword()))){
+            return ResultVOUtils.error(500, "新密码与最近五次密码重复！");
+        }
+
+        if (
+                (updateUserRequset.getNewPassword().equals(updateUserRequset.getConfirmPassword()) && updateUserRequset.getPassWord().equals(authAdmin.getPassWord()))
+         ||
+                (updateUserRequset.getNewPassword().equals(updateUserRequset.getConfirmPassword()) && PasswordUtils.authAdminPwd(updateUserRequset.getPassWord()).equals(authAdmin.getPassWord()))
+         ||
+                (updateUserRequset.getNewPassword().equals(updateUserRequset.getConfirmPassword()) && PasswordUtils.authAdminPwd(updateUserRequset.getPassWord()).equals(PasswordUtils.authAdminPwd(authAdmin.getPassWord())))
+                ){
+
+            if (oldPassWords.size() >= 5){//删除第一个
+                oldPassWords.remove(0);
+            }
+            String pwd = PasswordUtils.authAdminPwd(updateUserRequset.getNewPassword());
+            // 追加到列表末尾
+            oldPassWords.add(pwd);
+            // 使用String.join()方法将List转换为逗号分隔的字符串
+            String commaSeparatedPasswords = String.join(",", oldPassWords);
+            updateUserRequset.setOldPassword(commaSeparatedPasswords);
+            updateUserRequset.setNewPassword(pwd);
            authAdminService.updateUser(updateUserRequset);
            return ResultVOUtils.success("修改成功");
        } else {
@ -190,4 +212,22 @@ public class AuthUserController extends BaseController {

    }

+
+    public List<String> splitPassword(String oldPassWord) {
+        List<String> strings = new ArrayList<>(5);
+        if (oldPassWord == null || oldPassWord.isEmpty()) {
+            // 如果字符串为空或null，返回一个空的列表
+            return strings;
+        } else if (!oldPassWord.contains(",")) {
+            // 如果没有逗号，将整个字符串作为一个元素放入列表
+            strings.add(oldPassWord);
+            return strings;
+        } else {
+            // 如果有逗号，使用split方法按逗号切割字符串
+            List<String> strings1 = Arrays.asList(oldPassWord.split(","));
+            strings.addAll(strings1);
+            return strings;
+        }
+    }
+
 }
--- a/src/main/java/com/glxp/api/controller/auth/LoginController.java
+++ b/src/main/java/com/glxp/api/controller/auth/LoginController.java
@ -74,8 +74,8 @@ public class LoginController extends BaseController {
    WarehouseBussinessTypeService warehouseBussinessTypeService;
    @Resource
    IoOrderUtilsService ioOrderUtilsService;
-
-
+    @Resource
+    RedisUtil redisUtil;
    /**
     * 用户登录
     *
@ -99,12 +99,23 @@ public class LoginController extends BaseController {
            }
        }

+        //验证错误了几次
+        Integer errorCount = (Integer) redisUtil.get(Constant.PASSWORD_ERROR_COUNT + authAdmin.getId());
+        if (errorCount == null ){
+            errorCount = 0;
+        }else {
+            if (errorCount == 5){
+                throw new JsonException(ResultEnum.DATA_NOT, "已连续5次输入错误密码，账号被锁定30分钟！");
+            }
+        }
+
        if (PasswordUtils.authAdminPwd(loginRequest.getPassword()).equals(PasswordUtils.authAdminPwd(authAdmin.getPassWord()))
                || loginRequest.getPassword().equals(authAdmin.getPassWord()) || (loginRequest.getPassword().equals(PasswordUtils.authAdminPwd(authAdmin.getPassWord())))
        ) {
-
+            redisUtil.del(Constant.PASSWORD_ERROR_COUNT+authAdmin.getId());
        } else {
            if (!PasswordUtils.authAdminPwd(loginRequest.getPassword()).equals(SecureUtil.sha256(authAdmin.getPassWord()))) {
+                redisUtil.set(Constant.PASSWORD_ERROR_COUNT+authAdmin.getId(), errorCount + 1,30*60);
                throw new JsonException(ResultEnum.DATA_NOT, "用户名或密码错误");
            }
        }
--- a/src/main/java/com/glxp/api/entity/auth/AuthAdmin.java
+++ b/src/main/java/com/glxp/api/entity/auth/AuthAdmin.java
@ -51,6 +51,8 @@ public class AuthAdmin {
    private String locDeptCode;
    @TableField("locInvCode")
    private String locInvCode;
+    @TableField("oldPassWord")
+    private String oldPassWord;

    @TableField(exist = false)
    private String deptName;
--- a/src/main/java/com/glxp/api/req/auth/UpdateUserRequset.java
+++ b/src/main/java/com/glxp/api/req/auth/UpdateUserRequset.java
@ -18,7 +18,7 @@ public class UpdateUserRequset {
    private String passWord;
    @NotEmpty(message = "请输入新密码")
    @Pattern(regexp = Constant.passwordReg
-            , message = "密码需要包含大写字母、小写字符、数字、特殊字符(含_.*%@!)其中任意三种,长度8-20位")
+            , message = "密码需要包含大写字母、小写字符、数字、特殊字符(含_.*%@!)其中任意三种,长度12-20位")
    private String newPassword;
    private String confirmPassword;
    private String oldPassword;
--- a/src/main/resources/mybatis/mapper/auth/AuthAdminDao.xml
+++ b/src/main/resources/mybatis/mapper/auth/AuthAdminDao.xml
@ -256,6 +256,9 @@
            <if test="passWord != null">
                passWord=#{newPassword},
            </if>
+            <if test="oldPassword != null">
+                oldPassword=#{oldPassword},
+            </if>
        </set>
        WHERE id = #{id}
    </update>
--- a/src/main/resources/schemas/schema_v2.4.sql
+++ b/src/main/resources/schemas/schema_v2.4.sql
@ -848,3 +848,9 @@ VALUES (2021, 8, '2', 1, 'mainIdLike', '内部物资编码', 'input', NULL, NULL
 CALL Pro_Temp_ColumnWork('basic_bussiness_type', 'codeCheck',
                         'tinyint    NULL DEFAULT NULL COMMENT '' 是否开启校验扫码 ：0:不校验；1:只允许录入扫码产品；2:只允许录入不扫码产品''', 1);
 CALL Pro_Temp_ColumnWork('basic_udirel', 'isStack', 'tinyint', 1);
+
+
+
+CALL Pro_Temp_ColumnWork('auth_user', 'oldPassWord',
+                         'longtext DEFAULT NULL COMMENT ''最近5次旧密码''',
+                         1);