XML External Entity Injection(XML外部实体注入) 问题处理

amos-boot-biz-common/src/main/java/com/yeejoin/amos/boot/biz/common/controller/DataDictionaryController.java

@@ -370,30 +370,30 @@ public class DataDictionaryController extends BaseController {
 	@RequestMapping(value = "/cleanRedis", method = RequestMethod.GET)
 	@ApiOperation(httpMethod = "GET", value = "清楚redis缓存", notes = "清楚redis缓存")
 	public ResponseModel<Object> cleanRedis(@RequestParam String type) throws Exception {
-		type = type.toLowerCase();
+		type = type.toLowerCase(Locale.ENGLISH);
 		if ("all".equalsIgnoreCase(type)) {
 			RedisConnection redisConnection = redisTemplate.getConnectionFactory().getConnection();
 			redisConnection.flushAll();
 			redisConnection.close();
-		} else if (RedisKey.FORM_CODE.startsWith(type)) {
+		} else if (RedisKey.FORM_CODE.toLowerCase(Locale.ENGLISH).startsWith(type)) {
 			redisUtils.del(RedisKey.FORM_CODE);
-		} else if (RedisKey.DATA_DICTIONARY_CODE.startsWith(type)) {
+		} else if (RedisKey.DATA_DICTIONARY_CODE.toLowerCase(Locale.ENGLISH).startsWith(type)) {
 			redisUtils.del(RedisKey.DATA_DICTIONARY_CODE);
-		} else if (RedisKey.DATA_DICTIONARY_CODE_XIN.startsWith(type)) {
+		} else if (RedisKey.DATA_DICTIONARY_CODE_XIN.toLowerCase(Locale.ENGLISH).startsWith(type)) {
 			redisUtils.del(RedisKey.DATA_DICTIONARY_CODE_XIN);
-		} else if (RedisKey.FIREFIGHTERS_ID.startsWith(type)) {
+		} else if (RedisKey.FIREFIGHTERS_ID.toLowerCase(Locale.ENGLISH).startsWith(type)) {
 			redisUtils.del(RedisKey.FIREFIGHTERS_ID);
-		} else if (RedisKey.FIREFIGHTERS_LIST_ID.startsWith(type)) {
+		} else if (RedisKey.FIREFIGHTERS_LIST_ID.toLowerCase(Locale.ENGLISH).startsWith(type)) {
 			redisUtils.del(RedisKey.FIREFIGHTERS_LIST_ID);
-		} else if (RedisKey.EDUCATION_POST_EXPERIENCE_FIREFIGHTERS_ID.startsWith(type)) {
+		} else if (RedisKey.EDUCATION_POST_EXPERIENCE_FIREFIGHTERS_ID.toLowerCase(Locale.ENGLISH).startsWith(type)) {
 			redisUtils.del(RedisKey.EDUCATION_POST_EXPERIENCE_FIREFIGHTERS_ID);
-		} else if (RedisKey.CONTRACT_ID.startsWith(type)) {
+		} else if (RedisKey.CONTRACT_ID.toLowerCase(Locale.ENGLISH).startsWith(type)) {
 			redisUtils.del(RedisKey.CONTRACT_ID);
-		} else if (RedisKey.THOUGHT_ID.startsWith(type)) {
+		} else if (RedisKey.THOUGHT_ID.toLowerCase(Locale.ENGLISH).startsWith(type)) {
 			redisUtils.del(RedisKey.THOUGHT_ID);
-		} else if (RedisKey.ALERTCALLED_ID.startsWith(type)) {
+		} else if (RedisKey.ALERTCALLED_ID.toLowerCase(Locale.ENGLISH).startsWith(type)) {
 			redisUtils.del(RedisKey.ALERTCALLED_ID);
-		} else if (RedisKey.TZS_ALERTCALLED_ID.startsWith(type)) {
+		} else if (RedisKey.TZS_ALERTCALLED_ID.toLowerCase(Locale.ENGLISH).startsWith(type)) {
 			redisUtils.del(RedisKey.TZS_ALERTCALLED_ID);
 		}
 		return ResponseHelper.buildResponse(type);

amos-boot-biz-common/src/main/java/com/yeejoin/amos/boot/biz/common/utils/WordConverterUtils.java

@@ -119,6 +119,7 @@ public class WordConverterUtils {
 				StreamResult streamResult = new StreamResult(targetFile);
 				TransformerFactory tf = TransformerFactory.newInstance();
 				tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+				tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 				Transformer serializer = tf.newTransformer();
 				serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 				serializer.setOutputProperty(OutputKeys.INDENT, "yes");

amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/WordConverterUtils.java

@@ -108,6 +108,7 @@ public class WordConverterUtils {
 			StreamResult streamResult = new StreamResult(targetFile);
 			TransformerFactory tf = TransformerFactory.newInstance();
 			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");
@@ -157,6 +158,7 @@ public class WordConverterUtils {
 			StreamResult streamResult = new StreamResult(stringWriter);
 			TransformerFactory tf = TransformerFactory.newInstance();
 			tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 			Transformer serializer = tf.newTransformer();
 			serializer.setOutputProperty(OutputKeys.ENCODING, "utf-8");
 			serializer.setOutputProperty(OutputKeys.INDENT, "yes");

amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/WordHtml.java

@@ -121,6 +121,7 @@ public class WordHtml implements AbstractHtml {
 
             TransformerFactory tf = TransformerFactory.newInstance();
             tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
             // 创建执行从 Source 到 Result 的复制的新 Transformer。
             Transformer serializer = tf.newTransformer();
             serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -208,6 +209,7 @@ public class WordHtml implements AbstractHtml {
             //根据XSL文件创建准个转换对象
             TransformerFactory transformerFactory = TransformerFactory.newInstance();
             transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
             Transformer transformer = transformerFactory.newTransformer(template);
             //处理xml进行交换
             transformer.transform(source, result);

amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/XmlBuilder.java

@@ -19,9 +19,10 @@ public class XmlBuilder {
 
     public static Object xmlStrToObject(Class<?> clazz, String xmlStr) throws Exception {
         Object obj = null;
-        Reader reader = null;
+        StringReader reader = null;
         JAXBContext context = JAXBContext.newInstance(clazz);
         Unmarshaller un = context.createUnmarshaller();
+        un.setProperty("com.sun.xml.bind.v2.runtime.property.DisableExternalEntities", true); // 禁用外部实体解析
         reader = new StringReader(FilenameUtils.normalize(xmlStr));
         obj = un.unmarshal(reader);
         if (null != reader) {

amos-boot-module/amos-boot-module-biz/amos-boot-module-common-biz/src/main/java/com/yeejoin/amos/boot/module/common/biz/service/impl/MaintenanceCompanyServiceImpl.java

@@ -292,7 +292,7 @@ public class MaintenanceCompanyServiceImpl
     public List<Map<String, Object>> getAllMaintenanceEexcleList(String maintenanceType, Map<String, Object> parms) {
         List<Map<String, Object>> da=null;
         String type = null;
-        switch (maintenanceType.toUpperCase()) {
+        switch (maintenanceType.toUpperCase(Locale.ENGLISH)) {
             case PERSON:
                 type = MAINTENANCE_PERSON;
                 break;

amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/controller/CheckController.java

@@ -882,6 +882,7 @@ public class CheckController extends AbstractBaseController {
             Result result = new StreamResult(html);
             TransformerFactory transformerFactory = TransformerFactory.newInstance();
             transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
             Transformer transformer = transformerFactory.newTransformer(template);
             transformer.transform(source, result);
             String data = IOUtils.toString(fis, StandardCharsets.UTF_8);

amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/controller/TaskController.java

@@ -198,6 +198,7 @@ public class TaskController extends AbstractBaseController{
 	        Result result=new StreamResult(html);
 			 TransformerFactory transformerFactory = TransformerFactory.newInstance();
 			 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+			 transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 	        Transformer transformer  = transformerFactory.newTransformer(template);
 			transformer.transform(source, result);
 

amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/util/WordHtml.java

@@ -119,6 +119,7 @@ public class WordHtml implements AbstractHtml {
       streamResult = new StreamResult(out);
       TransformerFactory tf = TransformerFactory.newInstance();
       tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
       // 创建执行从 Source 到 Result 的复制的新 Transformer。
       Transformer serializer = tf.newTransformer();
       serializer.setOutputProperty(OutputKeys.ENCODING, "UTF-8"); // 文件编码方式
@@ -206,6 +207,7 @@ public class WordHtml implements AbstractHtml {
       //根据XSL文件创建准个转换对象
       TransformerFactory transformerFactory = TransformerFactory.newInstance();
       transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+      transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
       Transformer transformer = transformerFactory.newTransformer(template);
       //处理xml进行交换
       transformer.transform(source, result);