feat: 攻防漏洞修复

7 months ago · f1511634d1
parent 4ed28e54df
commit f1511634d1
7 changed files with 61 additions and 9 deletions
--- a/src/main/java/com/glxp/api/constant/Constant.java
+++ b/src/main/java/com/glxp/api/constant/Constant.java
@ -274,5 +274,6 @@ public class Constant {

    public static final String SERIAL_CACHE_PREFIX_PLACE = "serialplace_";
    //密码复杂度校验
-    public static final String passwordReg = "^(?![a-zA-Z]+$)(?![A-Z0-9]+$)(?![A-Z\\W_.*%@!]+$)(?![a-z0-9]+$)(?![a-z\\W_.;*%@!]+$)(?![0-9\\W_.;*%@!]+$)[a-zA-Z0-9\\W_.;*%@!]{12,20}$";
+    public static final String passwordReg = "^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9]|.*[_.*%@!]).{12,20}$";
+
 }
--- a/src/main/java/com/glxp/api/controller/auth/AuthUserController.java
+++ b/src/main/java/com/glxp/api/controller/auth/AuthUserController.java
@ -18,6 +18,7 @@ import com.glxp.api.util.PasswordUtils;
 import com.glxp.api.util.StringUtils;
 import org.springframework.beans.BeanUtils;
 import org.springframework.validation.BindingResult;
+import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;

 import javax.annotation.Resource;
@ -132,7 +133,10 @@ public class AuthUserController extends BaseController {
    //修改用户信息
    @AuthRuleAnnotation("")
    @PostMapping("/admin/auth/admin/updateUser")
-    public BaseResponse updateUser(@RequestBody UpdateUserRequset updateUserRequset) {
+    public BaseResponse updateUser(@RequestBody @Valid UpdateUserRequset updateUserRequset, BindingResult bindingResult) {
+        if (bindingResult.hasErrors()) {
+            return ResultVOUtils.error(ResultEnum.PARAM_VERIFY_FALL, bindingResult.getFieldError().getDefaultMessage());
+        }
        AuthAdmin authAdmin = customerService.getUserBean();
        System.out.println(updateUserRequset.toString());
        if (StrUtil.isEmpty(updateUserRequset.getPassWord())) {
@ -172,7 +176,7 @@ public class AuthUserController extends BaseController {
            oldPassWords.add(pwd);
            // 使用String.join()方法将List转换为逗号分隔的字符串
            String commaSeparatedPasswords = String.join(",", oldPassWords);
-            updateUserRequset.setOldPassword(commaSeparatedPasswords);
+            updateUserRequset.setOldPassWord(commaSeparatedPasswords);
            updateUserRequset.setNewPassword(pwd);
            authAdminService.updateUser(updateUserRequset);
            return ResultVOUtils.success("修改成功");
@ -197,10 +201,10 @@ public class AuthUserController extends BaseController {
            return ResultVOUtils.error(500, "请输入确认密码！");
        }

-        if (updateUserRequset.getNewPassword().equals(updateUserRequset.getOldPassword())) {
+        if (updateUserRequset.getNewPassword().equals(updateUserRequset.getOldPassWord())) {
            return ResultVOUtils.error(500, "新密码与旧密码重复！请重新修改！");
        }
-        if (updateUserRequset.getNewPassword().equals(updateUserRequset.getConfirmPassword()) && updateUserRequset.getOldPassword().equals(authAdmin.getPassWord())) {
+        if (updateUserRequset.getNewPassword().equals(updateUserRequset.getConfirmPassword()) && updateUserRequset.getOldPassWord().equals(authAdmin.getPassWord())) {
            String newPwd = PasswordUtils.authAdminPwd(updateUserRequset.getNewPassword());
            authAdmin.setPassWord(newPwd);
            authAdmin.setLastUpdatePwdTime(new Date());
--- a/src/main/java/com/glxp/api/controller/auth/RegisterController.java
+++ b/src/main/java/com/glxp/api/controller/auth/RegisterController.java
@ -316,7 +316,21 @@ public class RegisterController {
        }
        CustomerContactEntity customerContactEntity = customerContactService.selectById(Long.valueOf(String.valueOf(authAdmin.getCustomerId())));
        if (customerContactEntity != null && customerContactEntity.getMobile().equals(phoneNum)) {
+
+            List<String> oldPassWords = this.splitPassword(authAdmin.getOldPassWord());
+            if (oldPassWords.contains(PasswordUtils.authAdminPwd(resetPasswdRequest.getPassword()))){
+                return ResultVOUtils.error(500, "新密码与最近五次密码重复！");
+            }
+
+            if (oldPassWords.size() >= 5){//删除第一个
+                oldPassWords.remove(0);
+            }
            String newPwd = PasswordUtils.authAdminPwd(resetPasswdRequest.getPassword());
+            // 追加到列表末尾
+            oldPassWords.add(newPwd);
+            // 使用String.join()方法将List转换为逗号分隔的字符串
+            String commaSeparatedPasswords = String.join(",", oldPassWords);
+            authAdmin.setOldPassWord(commaSeparatedPasswords);
            authAdmin.setPassWord(newPwd);
            authAdmin.setLastModifyTime(new Date());
            authAdminService.updateAuthAdmin(authAdmin);
@ -500,5 +514,20 @@ public class RegisterController {
        return Long.parseLong(userId);
    }

-
+    public List<String> splitPassword(String oldPassWord) {
+        List<String> strings = new ArrayList<>(5);
+        if (oldPassWord == null || oldPassWord.isEmpty()) {
+            // 如果字符串为空或null，返回一个空的列表
+            return strings;
+        } else if (!oldPassWord.contains(",")) {
+            // 如果没有逗号，将整个字符串作为一个元素放入列表
+            strings.add(oldPassWord);
+            return strings;
+        } else {
+            // 如果有逗号，使用split方法按逗号切割字符串
+            List<String> strings1 = Arrays.asList(oldPassWord.split(","));
+            strings.addAll(strings1);
+            return strings;
+        }
+    }
 }
--- a/src/main/java/com/glxp/api/entity/auth/UserRegisterEntity.java
+++ b/src/main/java/com/glxp/api/entity/auth/UserRegisterEntity.java
@ -1,12 +1,20 @@
 package com.glxp.api.entity.auth;

+import com.glxp.api.constant.Constant;
 import lombok.Data;

+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Pattern;
+
@Data
 public class UserRegisterEntity {

    private Integer id;
    private String nickName;
+
+    @NotEmpty(message = "请输入密码")
+    @Pattern(regexp = Constant.passwordReg
+            , message = "密码需要包含大写字母、小写字符、数字、特殊字符(含_.*%@!)其中任意三种,长度12-20位")
    private String password;
    private String realName;
    private String tel;
--- a/src/main/java/com/glxp/api/req/auth/ResetPasswdRequest.java
+++ b/src/main/java/com/glxp/api/req/auth/ResetPasswdRequest.java
@ -1,10 +1,17 @@
 package com.glxp.api.req.auth;

+import com.glxp.api.constant.Constant;
 import lombok.Data;

+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.Pattern;
+
@Data
 public class ResetPasswdRequest {

+    @NotEmpty(message = "请输入密码")
+    @Pattern(regexp = Constant.passwordReg
+            , message = "密码需要包含大写字母、小写字符、数字、特殊字符(含_.*%@!)其中任意三种,长度12-20位")
    private String password;
    private String mobile;
    private String confirmPassword;
--- a/src/main/java/com/glxp/api/req/auth/UpdateUserRequset.java
+++ b/src/main/java/com/glxp/api/req/auth/UpdateUserRequset.java
@ -21,7 +21,7 @@ public class UpdateUserRequset {
            , message = "密码需要包含大写字母、小写字符、数字、特殊字符(含_.*%@!)其中任意三种,长度12-20位")
    private String newPassword;
    private String confirmPassword;
-    private String oldPassword;
+    private String oldPassWord;
    // 最后登录ip
    private String lastLoginIp;
    // 最后登录时间
--- a/src/main/resources/mybatis/mapper/auth/AuthAdminDao.xml
+++ b/src/main/resources/mybatis/mapper/auth/AuthAdminDao.xml
@ -177,6 +177,9 @@
            <if test="lastUpdatePwdTime != null">
                lastUpdatePwdTime=#{lastUpdatePwdTime},
            </if>
+            <if test="lastUpdatePwdTime != null">
+                lastUpdatePwdTime=#{lastUpdatePwdTime},
+            </if>
        </set>
        WHERE id = #{id}
    </update>
@ -256,8 +259,8 @@
            <if test="passWord != null">
                passWord=#{newPassword},
            </if>
-            <if test="oldPassword != null">
-                oldPassword=#{oldPassword},
+            <if test="oldPassWord != null">
+                oldPassWord=#{oldPassWord},
            </if>
        </set>
        WHERE id = #{id}