修改SCA测试报告日志漏洞

f021d979 · KeYong · c2a90a0a · f021d979 · f021d979 · f021d979
Commit f021d979 authored Mar 26, 2024 by KeYong
5 changed files
--- a/amos-boot-biz-common/src/main/java/com/yeejoin/amos/boot/biz/config/LogFilter.java
+++ b/amos-boot-biz-common/src/main/java/com/yeejoin/amos/boot/biz/config/LogFilter.java
+package com.yeejoin.amos.boot.biz.config;
+import ch.qos.logback.classic.pattern.ClassicConverter;
+import ch.qos.logback.classic.spi.ILoggingEvent;
+import java.text.Normalizer;
+import java.util.Arrays;
+import java.util.List;
+/**
+ * @author keyong
+ * @title: LogFilter
+ * <pre>
+ * @description: 修复扫描漏洞，日志防止伪造日志输出结果
+ * </pre>
+ * @date 2024/3/25 14:02
+ */
+public class LogFilter extends ClassicConverter {
+    private static final List<String> LOG_VALID_LIST = Arrays.asList("%0d", "%0a", "%0A", "%0D", "\r", "\n");
+    @Override
+    public String convert(ILoggingEvent event) {
+        if (event.getLoggerName().startsWith("com.yeejoin")) { //根据package启用规则
+            return validLog(event.getFormattedMessage());
+        } else {
+            return event.getFormattedMessage();
+        }
+    }
+    public static String validLog(String logs) {
+        String normalize = Normalizer.normalize(logs, Normalizer.Form.NFKC);
+        for (String str : LOG_VALID_LIST) {
+            normalize = normalize.replace(str, "");
+        }
+        return normalize;
+    }
+}
--- a/amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/WordHtml.java
+++ b/amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/WordHtml.java
 package com.yeejoin.equipmanage.common.utils;
+import org.apache.cxf.helpers.FileUtils;
 import org.apache.poi.hwpf.HWPFDocument;
 import org.apache.poi.hwpf.converter.PicturesManager;
 import org.apache.poi.hwpf.converter.WordToHtmlConverter;
@@ -11,6 +12,7 @@ import org.apache.poi.xwpf.converter.core.IXWPFConverter;
 import org.apache.poi.xwpf.converter.xhtml.XHTMLConverter;
 import org.apache.poi.xwpf.converter.xhtml.XHTMLOptions;
 import org.apache.poi.xwpf.usermodel.XWPFDocument;
+import org.apache.tika.io.FilenameUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
@@ -200,11 +202,11 @@ public class WordHtml implements AbstractHtml {
      FileInputStream fis1= null;
      try {
          //创建XML的文件输入流
-          fis = new FileInputStream(docPath);
+          fis = new FileInputStream(FilenameUtils.normalize(docPath));
          Source source=new StreamSource(fis);
          //创建XSL文件的输入流
-          fis1 = new FileInputStream(xsltPath);
+          fis1 = new FileInputStream(FilenameUtils.normalize(xsltPath));
          Source template=new StreamSource(fis1);
          PrintStream stm=new PrintStream(new File(hrmlPath));

--- a/amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/XmlBuilder.java
+++ b/amos-boot-module/amos-boot-module-api/amos-boot-module-equip-api/src/main/java/com/yeejoin/equipmanage/common/utils/XmlBuilder.java
 package com.yeejoin.equipmanage.common.utils;
+import org.apache.tika.io.FilenameUtils;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Unmarshaller;
 import java.io.Reader;
@@ -20,7 +22,7 @@ public class XmlBuilder {
        Reader reader = null;
        JAXBContext context = JAXBContext.newInstance(clazz);
        Unmarshaller un = context.createUnmarshaller();
-        reader = new StringReader(xmlStr);
+        reader = new StringReader(FilenameUtils.normalize(xmlStr));
        obj = un.unmarshal(reader);
        if (null != reader) {
            reader.close();

--- a/amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/util/WordHtml.java
+++ b/amos-boot-module/amos-boot-module-biz/amos-boot-module-patrol-biz/src/main/java/com/yeejoin/amos/patrol/business/util/WordHtml.java
 package com.yeejoin.amos.patrol.business.util;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.poi.hwpf.HWPFDocument;
 import org.apache.poi.hwpf.converter.PicturesManager;
 import org.apache.poi.hwpf.converter.WordToHtmlConverter;
@@ -199,11 +200,11 @@ public class WordHtml implements AbstractHtml {
      FileInputStream fis1= null;
      try {
          //创建XML的文件输入流
-          fis = new FileInputStream(docPath);
+          fis = new FileInputStream(FilenameUtils.normalize(docPath));
          Source source=new StreamSource(fis);
          //创建XSL文件的输入流
-          fis1 = new FileInputStream(xsltPath);
+          fis1 = new FileInputStream(FilenameUtils.normalize(xsltPath));
          Source template=new StreamSource(fis1);
          PrintStream stm=new PrintStream(hrmlPath);

--- a/amos-boot-system-equip/src/main/resources/logback-spring.xml
+++ b/amos-boot-system-equip/src/main/resources/logback-spring.xml
@@ -2,6 +2,7 @@
 <configuration>
    <property name="LOG_HOME" value="/opt/log"/>
    <timestamp key="startTime" datePattern="yyyyMMdd'T'HHmmss"/>
+    <conversionRule conversionWord="msg" converterClass="com.yeejoin.amos.boot.biz.config.LogFilter" />
    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
        <encoder>
@@ -60,5 +61,4 @@
    <logger name="org.apache.http" level="INFO"/>
    <logger name="com.zaxxer.hikari" level="INFO"/>
 </configuration>