From 8ed7916b617ed7a602817d976d4779a6c9af1d99 Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: 星期五, 30 七月 2021 11:28:46 +0800
Subject: [PATCH] 定时任务屏蔽http(s)远程调用
---
ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java | 23 +++++++++++++++++++++++
ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/SysJobController.java | 36 ++++++++++++++++++++++--------------
2 files changed, 45 insertions(+), 14 deletions(-)
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java
index ca12798..8df5617 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java
@@ -325,6 +325,29 @@
}
/**
+ * 查找指定字符串是否包含指定字符串列表中的任意一个字符串同时串忽略大小写
+ *
+ * @param cs 指定字符串
+ * @param searchCharSequences 需要检查的字符串数组
+ * @return 是否包含任意一个字符串
+ */
+ public static boolean containsAnyIgnoreCase(CharSequence cs, CharSequence... searchCharSequences)
+ {
+ if (isEmpty(cs) || isEmpty(searchCharSequences))
+ {
+ return false;
+ }
+ for (CharSequence testStr : searchCharSequences)
+ {
+ if (containsIgnoreCase(cs, testStr))
+ {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
* 驼峰转下划线命名
*/
public static String toUnderScoreCase(String str)
diff --git a/ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/SysJobController.java b/ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/SysJobController.java
index e779b64..4d37ee9 100644
--- a/ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/SysJobController.java
+++ b/ruoyi-quartz/src/main/java/com/ruoyi/quartz/controller/SysJobController.java
@@ -79,18 +79,22 @@
@PreAuthorize("@ss.hasPermi('monitor:job:add')")
@Log(title = "定时任务", businessType = BusinessType.INSERT)
@PostMapping
- public AjaxResult add(@RequestBody SysJob sysJob) throws SchedulerException, TaskException
+ public AjaxResult add(@RequestBody SysJob job) throws SchedulerException, TaskException
{
- if (!CronUtils.isValid(sysJob.getCronExpression()))
+ if (!CronUtils.isValid(job.getCronExpression()))
{
- return AjaxResult.error("新增任务'" + sysJob.getJobName() + "'失败,Cron表达式不正确");
+ return error("新增任务'" + job.getJobName() + "'失败,Cron表达式不正确");
}
- else if (StringUtils.containsIgnoreCase(sysJob.getInvokeTarget(), Constants.LOOKUP_RMI))
+ else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_RMI))
{
- return AjaxResult.error("新增任务'" + sysJob.getJobName() + "'失败,目标字符串不允许'rmi://'调用");
+ return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi://'调用");
}
- sysJob.setCreateBy(SecurityUtils.getUsername());
- return toAjax(jobService.insertJob(sysJob));
+ else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS }))
+ {
+ return error("新增任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用");
+ }
+ job.setCreateBy(SecurityUtils.getUsername());
+ return toAjax(jobService.insertJob(job));
}
/**
@@ -99,18 +103,22 @@
@PreAuthorize("@ss.hasPermi('monitor:job:edit')")
@Log(title = "定时任务", businessType = BusinessType.UPDATE)
@PutMapping
- public AjaxResult edit(@RequestBody SysJob sysJob) throws SchedulerException, TaskException
+ public AjaxResult edit(@RequestBody SysJob job) throws SchedulerException, TaskException
{
- if (!CronUtils.isValid(sysJob.getCronExpression()))
+ if (!CronUtils.isValid(job.getCronExpression()))
{
- return AjaxResult.error("修改任务'" + sysJob.getJobName() + "'失败,Cron表达式不正确");
+ return error("修改任务'" + job.getJobName() + "'失败,Cron表达式不正确");
}
- else if (StringUtils.containsIgnoreCase(sysJob.getInvokeTarget(), Constants.LOOKUP_RMI))
+ else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_RMI))
{
- return AjaxResult.error("修改任务'" + sysJob.getJobName() + "'失败,目标字符串不允许'rmi://'调用");
+ return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'rmi://'调用");
}
- sysJob.setUpdateBy(SecurityUtils.getUsername());
- return toAjax(jobService.updateJob(sysJob));
+ else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS }))
+ {
+ return error("修改任务'" + job.getJobName() + "'失败,目标字符串不允许'http(s)//'调用");
+ }
+ job.setUpdateBy(SecurityUtils.getUsername());
+ return toAjax(jobService.updateJob(job));
}
/**
--
Gitblit v1.9.2