| author | tanghao <admin@LAPTOP-QCSKVLI9> | 2021-03-25 14:42:13 +0800 |
|---|---|---|
| committer | tanghao <admin@LAPTOP-QCSKVLI9> | 2021-03-25 14:42:13 +0800 |
| commit | e9d106155eb2c9a5f6a220cbb833dc72297b49ca (patch) | |
| tree | ac251c4b29937e9423e2d7ff98dfb72fe9140d94 | |
| parent | 5266ddf3a69b204e6e125cb55e99fe7a7d2fe318 (diff) | |
fix: 修复 eal4 bug
1.Null dereference on some path
2.Incorrect string comparison
3.Internal information leak
10 files changed, 29 insertions, 24 deletions
diff --git a/nz-admin/src/main/java/com/nis/common/config/FlywayConfig.java b/nz-admin/src/main/java/com/nis/common/config/FlywayConfig.java
index f5c72c55..a20b6a29 100644
--- a/nz-admin/src/main/java/com/nis/common/config/FlywayConfig.java
+++ b/nz-admin/src/main/java/com/nis/common/config/FlywayConfig.java
@@ -59,7 +59,7 @@ public class FlywayConfig {
 flyway.migrate();
 } catch (FlywayException e) {
 flyway.repair();
- log.error("flyway执行脚本失败,错误信息是:" + e.getMessage(), e);
+ log.error("flyway执行脚本失败,错误信息是:"+ e);
 }
 }
 }
diff --git a/nz-admin/src/main/java/com/nis/modules/alert/service/impl/AlertRuleServiceImpl.java b/nz-admin/src/main/java/com/nis/modules/alert/service/impl/AlertRuleServiceImpl.java
index 14bd46ae..6ce3b5a0 100644
--- a/nz-admin/src/main/java/com/nis/modules/alert/service/impl/AlertRuleServiceImpl.java
+++ b/nz-admin/src/main/java/com/nis/modules/alert/service/impl/AlertRuleServiceImpl.java
@@ -365,7 +365,7 @@ public class AlertRuleServiceImpl extends ServiceImpl<AlertRuleDao, AlertRuleEnt
 try {
 work = ExcelUtils.getWork(excelFile.getOriginalFilename(), excelFile.getInputStream());
 } catch (IOException e) {
- log.error("解析导入告警规则文件格式有误",e);
+ log.error("解析导入告警规则文件格式有误"+e);
 throw new NZException(RCode.ASSET_IMPORTFILE_FAILED);
 } finally {
 if (work != null) {
diff --git a/nz-admin/src/main/java/com/nis/modules/endpoint/job/EndpointStateJob.java b/nz-admin/src/main/java/com/nis/modules/endpoint/job/EndpointStateJob.java
index 9f5e152f..33859280 100644
--- a/nz-admin/src/main/java/com/nis/modules/endpoint/job/EndpointStateJob.java
+++ b/nz-admin/src/main/java/com/nis/modules/endpoint/job/EndpointStateJob.java
@@ -75,6 +75,7 @@ public class EndpointStateJob extends QuartzJobBean {
 Promserver promserver = promserverService.getOneAvaPromServer(null, null, 1);
 if (promserver == null) {
 log.debug("Endpoint 状态定时任务不执行,当前暂无可用 prometheus");
+ return;
 }
 try {
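Review bot: The new `log.error("flyway执行脚本失败,错误信息是:"+ e)` in FlywayConfig no longer passes the exception as a Throwable, so the stack trace is lost, while `e.toString()` still writes the exception class and message into the log line. If the aim was to keep internal detail out of the log, the concatenation does not achieve it and only makes the failure harder to diagnose. The same pattern is introduced in the `catch (IOException e)` blocks of AlertRuleServiceImpl and ChartServiceImpl, where the caller already receives only a generic `RCode`. I would keep a fixed message and hand the exception to the logger as the removed line did, for example `log.error("flyway执行脚本失败", e);`, assuming the logger in use treats a trailing Throwable as the cause. The enclosing methods start outside these hunks.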
diff --git a/nz-admin/src/main/java/com/nis/modules/panel/service/impl/ChartServiceImpl.java b/nz-admin/src/main/java/com/nis/modules/panel/service/impl/ChartServiceImpl.java
index 4479703d..2040de99 100644
--- a/nz-admin/src/main/java/com/nis/modules/panel/service/impl/ChartServiceImpl.java
+++ b/nz-admin/src/main/java/com/nis/modules/panel/service/impl/ChartServiceImpl.java
@@ -887,7 +887,7 @@ public class ChartServiceImpl extends ServiceImpl<ChartDao, Chart> implements Ch
 try {
 work = ExcelUtils.getWork(excelFile.getOriginalFilename(), excelFile.getInputStream());
 } catch (IOException e) {
- log.error("解析导入图表文件格式有误",e);
+ log.error("解析导入图表文件格式有误"+e);
 throw new NZException(RCode.PANEL_IMPORTFILE_FAILED);
 } finally {
 if (work != null) {
diff --git a/nz-admin/src/main/java/com/nis/modules/promserver/controller/PromProxyController.java b/nz-admin/src/main/java/com/nis/modules/promserver/controller/PromProxyController.java
index 5ce530e0..4d81ab81 100644
--- a/nz-admin/src/main/java/com/nis/modules/promserver/controller/PromProxyController.java
+++ b/nz-admin/src/main/java/com/nis/modules/promserver/controller/PromProxyController.java
@@ -1,6 +1,7 @@
 package com.nis.modules.promserver.controller;
 import cn.hutool.core.net.url.UrlBuilder;
+import cn.hutool.core.util.ObjectUtil;
 import cn.hutool.core.util.ReflectUtil;
 import cn.hutool.http.HttpConnection;
 import cn.hutool.log.Log;
@@ -158,8 +159,9 @@ public class PromProxyController {
 // response.addHeader(XssUtil.stripXSS(key), XssUtil.stripXSS(StringUtils.join(value, "; ")));
 ReflectUtil.invoke(response,"addHeader",key,StringUtils.join(value, "; "));
 }
- response.setStatus(responseCode, responseMessage);
-
+// response.setStatus(responseCode, responseMessage);
+ response.setStatus(responseCode);
+
 String promPath = request.getServletPath().substring(5);
 String nullType = request.getParameter("nullType");
 if ("/api/v1/query_range".equals(promPath) && responseCode < 400) {
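Review bot: In PromProxyController the replaced call is left behind as `// response.setStatus(responseCode, responseMessage);` directly above the new `response.setStatus(responseCode);`. Delete the commented-out line, since the history already records it. If the reason needs stating, a short why-comment is more useful, for example `// the upstream reason phrase is not forwarded; only the status code is proxied`. The hunk also adds a whitespace-only line after the new call, and the enclosing method starts and ends outside the hunk.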
@@ -189,7 +191,9 @@ public class PromProxyController {
 logger.error("request error : ",e);
 }finally {
 IOUtils.closeQuietly(reqInputStream,resOutputStream,connOutputStream,connInputStream);
- conn.disconnect();
+ if(ObjectUtil.isNotEmpty(conn)) {
+ conn.disconnect();
+ }
 }
 }
diff --git a/nz-admin/src/main/java/com/nis/modules/sys/controller/SysLoginController.java b/nz-admin/src/main/java/com/nis/modules/sys/controller/SysLoginController.java
index f4f14cb8..bf97d935 100644
--- a/nz-admin/src/main/java/com/nis/modules/sys/controller/SysLoginController.java
+++ b/nz-admin/src/main/java/com/nis/modules/sys/controller/SysLoginController.java
@@ -74,7 +74,7 @@ public class SysLoginController extends AbstractController {
 @SysLog(operation = OperationEnum.LOGIN,type = TypeEnum.SYSTEM)
 public R login(@RequestBody SysUserEntity sysUser) {
 String username = sysUser.getUsername();
- String mima = StrUtil.str(sysUser.getPin());
+ String pin = StrUtil.str(sysUser.getPin());
 //public R login( String username, String password, String captcha) {
 /*String kaptcha = ShiroUtils.getKaptcha(Constants.KAPTCHA_SESSION_KEY);
 if(!captcha.equalsIgnoreCase(kaptcha)){
@@ -82,7 +82,7 @@ public class SysLoginController extends AbstractController {
 }*/
 try{
 Subject subject = ShiroUtils.getSubject();
- UsernamePasswordToken token = new UsernamePasswordToken(username, mima);
+ UsernamePasswordToken token = new UsernamePasswordToken(username, pin);
 subject.login(token); //登录
 String loginToken=CommonUtils.uuid();
 subject.getSession().setAttribute("token",loginToken);
diff --git a/nz-admin/src/main/java/com/nis/modules/sys/controller/SysUserController.java b/nz-admin/src/main/java/com/nis/modules/sys/controller/SysUserController.java
index 53072371..ca92b9e4 100644
--- a/nz-admin/src/main/java/com/nis/modules/sys/controller/SysUserController.java
+++ b/nz-admin/src/main/java/com/nis/modules/sys/controller/SysUserController.java
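Review bot: `ObjectUtil.isNotEmpty(conn)` in the `finally` block of PromProxyController is being used as a null check on a connection object. For a value that is not a string, collection, map or array it should reduce to a null test, so the plain form says the same thing more directly and needs no new import: `if (conn != null) { conn.disconnect(); }`. The try block that assigns `conn` starts outside the hunk, so which paths leave it null cannot be confirmed from here.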
@@ -47,16 +47,16 @@ public class SysUserController extends AbstractController {
 * 修改登录用户密码
 */
 @RequestMapping("/password")
- public R password(String mima, String newPassword){
- Assert.isBlank(newPassword, "新密码不为能空");
+ public R password(String pin, String newPin){
+ Assert.isBlank(newPin, "新密码不为能空");
 //原密码
- mima = ShiroUtils.sha256(mima, getUser().getSalt());
+ pin = ShiroUtils.sha256(pin, getUser().getSalt());
 //新密码
- newPassword = ShiroUtils.sha256(newPassword, getUser().getSalt());
+ newPin = ShiroUtils.sha256(newPin, getUser().getSalt());
 //更新密码
- boolean flag = sysUserService.updatePassword(getUserId(), mima, newPassword);
+ boolean flag = sysUserService.updatePassword(getUserId(), pin, newPin);
 if(!flag){
 throw new NZException(RCode.SYS_USER_OLDPWD);
 }
diff --git a/nz-admin/src/main/java/com/nis/modules/sys/service/impl/SysConfigServiceImpl.java b/nz-admin/src/main/java/com/nis/modules/sys/service/impl/SysConfigServiceImpl.java
index 8f185a1d..154062c4 100644
--- a/nz-admin/src/main/java/com/nis/modules/sys/service/impl/SysConfigServiceImpl.java
+++ b/nz-admin/src/main/java/com/nis/modules/sys/service/impl/SysConfigServiceImpl.java
@@ -327,10 +327,10 @@ public class SysConfigServiceImpl extends ServiceImpl<SysConfigDao, SysConfigEnt
 @Override
 @Transactional(rollbackFor = Exception.class)
 public void resetConfig(Map<String, Object> param) throws IOException,RuntimeException{
- String mima = StrUtil.str(param.get(Constant.PIN).toString());
+ String pin = StrUtil.str(param.get(Constant.PIN).toString());
 List<String> types = (List<String>)param.get("type");
 try {
- if(ToolUtil.isEmpty(mima)||ToolUtil.isEmpty(types)){
+ if(ToolUtil.isEmpty(pin)||ToolUtil.isEmpty(types)){
 throw new NZException(RCode.SYS_CONFIG_PASSWORDORTYPE_INVALID);
 }
 // 当前登录用户
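Review bot: Renaming the handler parameters in `password(String pin, String newPin)` in SysUserController is not a purely local rename. The parameters carry no `@RequestParam` annotation, so Spring presumably binds them by name and the endpoint now expects `pin` and `newPin` instead of `mima` and `newPassword`. A client that still sends the old names would get null for both, and `Assert.isBlank(newPin, ...)` would then reject the request. If the request contract is meant to stay as it was, pin the names explicitly, for example `@RequestParam("newPassword") String newPin`. The method body continues past the end of the hunk.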
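Review bot: `param.get(Constant.PIN).toString()` in `resetConfig` of SysConfigServiceImpl still dereferences the map value before the `ToolUtil.isEmpty(pin)` check runs. A request without that key therefore fails with a NullPointerException outside the try block instead of `SYS_CONFIG_PASSWORDORTYPE_INVALID`, even though the commit message lists null dereferences among its fixes. Wrapping an existing String in `StrUtil.str` adds nothing here. I would read the value null-safely so the existing emptiness check can reject it, for example `String pin = Objects.toString(param.get(Constant.PIN), null);`. The method body continues outside the hunk.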
@@ -340,7 +340,7 @@ public class SysConfigServiceImpl extends ServiceImpl<SysConfigDao, SysConfigEnt
 // 加密盐值
 String salt = userEntity.getSalt();
 // 现加密密码
- String currentPassword = ShiroUtils.sha256(mima,salt);
+ String currentPassword = ShiroUtils.sha256(pin,salt);
 if(!StrUtil.equals(oriPassword,currentPassword)){
 // 密码不对,禁止重置
 throw new NZException(RCode.SYS_CONFIG_PASSWORD_ERROR);
@@ -689,9 +689,9 @@ public class SysConfigServiceImpl extends ServiceImpl<SysConfigDao, SysConfigEnt
 try {
 String receicer = map.get("email_test_reciver");
- String mima = StrUtil.str(map.get("email_smtp_password"));
+ String pin = StrUtil.str(map.get("email_smtp_password"));
- mailUtil.sendHTML(smtpHost, prop, smtpAccount, sendAccount, mima, receicer, Constant.TESTEMAIL_SEND_TITLE, this.getSendMailContent(sendAccount));
+ mailUtil.sendHTML(smtpHost, prop, smtpAccount, sendAccount, pin, receicer, Constant.TESTEMAIL_SEND_TITLE, this.getSendMailContent(sendAccount));
 } catch (IOException e) {
 logger.error("获取测试发送邮件模板失败",e);
 throw new NZException(RCode.SYS_CONFIG_TESTEMAIL_TEMPLATE_NOTFOUND);
@@ -707,13 +707,13 @@ public class SysConfigServiceImpl extends ServiceImpl<SysConfigDao, SysConfigEnt
 * @param password
 * @param address
 */
- public R testConnectionLdapConfig(String dn, String mima, String address, String ou) {
+ public R testConnectionLdapConfig(String dn, String pin, String address, String ou) {
 InitialDirContext initialDirContext = null;
 try {
 Hashtable<String, String> environment = new Hashtable<>();
 environment.put(Context.SECURITY_AUTHENTICATION, "simple");
 environment.put(Context.SECURITY_PRINCIPAL, dn);
- environment.put(Context.SECURITY_CREDENTIALS, pin);
+ environment.put(Context.SECURITY_CREDENTIALS, pin);
 environment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
 // 当连接ldaps时候 会发生异常 无法进行连接
 // environment.put("com.sun.jndi.ldap.connect.timeout", "3000");
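Review bot: In `testConnectionLdapConfig` the Javadoc directly above the signature still says `@param password` although the parameter is now `pin`; the tag should be renamed with it. Separately, `environment.put(Context.SECURITY_CREDENTIALS, pin)` stores into a `Hashtable`, which throws NullPointerException for a null value. With `"simple"` authentication an empty credential is commonly handled as an unauthenticated bind, so a connection test with a blank password may report success without checking anything. Rejecting blank input before the environment is built covers both cases, for example a guard on `StrUtil.isBlank(dn) || StrUtil.isBlank(pin)` that returns the project's error result. The rest of the method and its exception handling are outside the hunk.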
diff --git a/nz-admin/src/main/java/com/nis/modules/sys/service/impl/SysUserServiceImpl.java b/nz-admin/src/main/java/com/nis/modules/sys/service/impl/SysUserServiceImpl.java
index 3e12e48f..fd355d70 100644
--- a/nz-admin/src/main/java/com/nis/modules/sys/service/impl/SysUserServiceImpl.java
+++ b/nz-admin/src/main/java/com/nis/modules/sys/service/impl/SysUserServiceImpl.java
@@ -275,13 +275,13 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserDao, SysUserEntity> i
 @Override
- public boolean updatePassword(Long userId, String mima, String newPassword) {
+ public boolean updatePassword(Long userId, String pin, String newPin) {
 SysUserEntity userEntity = new SysUserEntity();
- userEntity.setPin(newPassword);
+ userEntity.setPin(newPin);
 return this.update(userEntity, new LambdaUpdateWrapper<SysUserEntity>() .eq(ToolUtil.isNotEmpty(userId),SysUserEntity::getUserId, userId)
- .eq(ToolUtil.isNotEmpty(mima),SysUserEntity::getPin, mima));
+ .eq(ToolUtil.isNotEmpty(pin),SysUserEntity::getPin, pin));
 }
 @Override
diff --git a/nz-admin/src/main/java/com/nis/modules/terminal/config/TerminalSession.java b/nz-admin/src/main/java/com/nis/modules/terminal/config/TerminalSession.java
index 753e4168..8ee2fea5 100644
--- a/nz-admin/src/main/java/com/nis/modules/terminal/config/TerminalSession.java
+++ b/nz-admin/src/main/java/com/nis/modules/terminal/config/TerminalSession.java
@@ -182,7 +182,7 @@ public class TerminalSession implements Serializable {
 public static void setTerminalMessage(String uuid,String message,Integer cursorIndex) {
 String string = terminalMessageInfo.get(uuid);
- if (string != null && string != "") {
+ if (StrUtil.isNotBlank(string)) {
 // 根据光标位置来追加字符出现的位置
 if(cursorIndex==null||cursorIndex==string.length()) {
 string=string+message; |
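Review bot: Both `.eq(...)` calls in `updatePassword` of SysUserServiceImpl are conditional, so the old-credential match is left out of the update condition when `pin` is empty and the user match is left out when `userId` is empty. In those cases the update would run without verifying the old value, or without being limited to one user unless a full-table-update guard is configured. The caller shown in SysUserController hashes `pin` first, which probably keeps it non-empty, but the service method should not rely on that. I would reject a null `userId` or blank `pin` up front and make the conditions unconditional: `.eq(SysUserEntity::getUserId, userId)` and `.eq(SysUserEntity::getPin, pin)`.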
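Review bot: `StrUtil.isNotBlank(string)` in `TerminalSession.setTerminalMessage` changes more than the reference comparison it replaces, because a stored message made up only of spaces or tabs is now treated as absent. The branch that appends at the cursor position is then skipped for such a message. Whitespace-only content is plausible in a terminal input buffer, so `StrUtil.isNotEmpty(string)` looks like the closer match for the intended `string != null && !string.isEmpty()`. The hunk adds no import, so this relies on `StrUtil` already being imported in the file; the else branch is outside the hunk.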
