mirror of
https://github.com/dataease/dataease.git
synced 2025-02-24 11:32:57 +08:00
Merge pull request #13370 from dataease/pr@dev-v2@fix_unsafe_requests
fix: 禁用不安全的请求类型
This commit is contained in:
fit2cloud-chenyw
GitHub
commit
b8330a84f3
@ -208,7 +208,7 @@ export const addApi = (data: ITaskInfoInsertReq) => {
|
||||
}
|
||||
|
||||
export const removeApi = (taskId: string) => {
|
||||
return request.delete({ url: `/sync/task/remove/${taskId}` })
|
||||
return request.post({ url: `/sync/task/remove/${taskId}` })
|
||||
}
|
||||
|
||||
export const batchRemoveApi = (taskIds: string[]) => {
|
||||
|
||||
@ -8,7 +8,7 @@ export const getTaskLogListApi = (current: number, size: number, data: any) => {
|
||||
}
|
||||
|
||||
export const removeApi = (logId: string) => {
|
||||
return request.delete({ url: `/sync/task/log/delete/${logId}` })
|
||||
return request.post({ url: `/sync/task/log/delete/${logId}` })
|
||||
}
|
||||
|
||||
export const getTaskLogDetailApi = (logId: string, fromLineNum: number) => {
|
||||
|
||||
@ -68,7 +68,7 @@ export const moveResource = data => request.post({ url: '/dataVisualization/move
|
||||
export const copyResource = data => request.post({ url: '/dataVisualization/copy', data })
|
||||
|
||||
export const deleteLogic = (dvId, busiFlag) =>
|
||||
request.delete({ url: '/dataVisualization/deleteLogic/' + dvId + '/' + busiFlag })
|
||||
request.post({ url: '/dataVisualization/deleteLogic/' + dvId + '/' + busiFlag })
|
||||
|
||||
export const querySubjectWithGroupApi = data =>
|
||||
request.post({ url: '/visualizationSubject/querySubjectWithGroup', data })
|
||||
@ -76,7 +76,7 @@ export const querySubjectWithGroupApi = data =>
|
||||
export const saveOrUpdateSubject = data =>
|
||||
request.post({ url: '/visualizationSubject/update', data })
|
||||
|
||||
export const deleteSubject = id => request.delete({ url: '/visualizationSubject/delete/' + id })
|
||||
export const deleteSubject = id => request.post({ url: '/visualizationSubject/delete/' + id })
|
||||
|
||||
export const dvNameCheck = async data => request.post({ url: '/dataVisualization/nameCheck', data })
|
||||
|
||||
|
||||
@ -33,13 +33,13 @@ public interface DatasourceDriverApi {
|
||||
@PostMapping("/update")
|
||||
DriveDTO update(@RequestBody DriveDTO datasourceDrive);
|
||||
|
||||
@DeleteMapping("/delete/{driverId}")
|
||||
@PostMapping("/delete/{driverId}")
|
||||
void delete(@PathVariable("driverId") String driverId);
|
||||
|
||||
@GetMapping("/listDriverJar/{driverId}")
|
||||
List<DriveJarDTO> listDriverJar(@PathVariable("driverId") String driverId);
|
||||
|
||||
@DeleteMapping("/deleteDriverJar/{jarId}")
|
||||
@PostMapping("/deleteDriverJar/{jarId}")
|
||||
void deleteDriverJar(@PathVariable("jarId") String jarId);
|
||||
|
||||
@PostMapping("/uploadJar")
|
||||
|
||||
@ -41,7 +41,7 @@ public interface DataVisualizationApi {
|
||||
|
||||
@GetMapping("/findCopyResource/{dvId}/{busiFlag}")
|
||||
@Operation(summary = "查询临时复制资源")
|
||||
DataVisualizationVO findCopyResource(@PathVariable("dvId") Long dvId,@PathVariable("busiFlag") String busiFlag);
|
||||
DataVisualizationVO findCopyResource(@PathVariable("dvId") Long dvId, @PathVariable("busiFlag") String busiFlag);
|
||||
|
||||
|
||||
@PostMapping("/saveCanvas")
|
||||
@ -64,10 +64,10 @@ public interface DataVisualizationApi {
|
||||
@Operation(summary = "可视化资源基础信息更新")
|
||||
void updateBase(@RequestBody DataVisualizationBaseRequest request);
|
||||
|
||||
@DeleteMapping("/deleteLogic/{dvId}/{busiFlag}")
|
||||
@PostMapping("/deleteLogic/{dvId}/{busiFlag}")
|
||||
@DePermit(value = {"#p0+':manage'"}, busiFlag = "#p1")
|
||||
@Operation(summary = "可视化资源删除")
|
||||
void deleteLogic(@PathVariable("dvId") Long dvId,@PathVariable("busiFlag") String busiFlag);
|
||||
void deleteLogic(@PathVariable("dvId") Long dvId, @PathVariable("busiFlag") String busiFlag);
|
||||
|
||||
@PostMapping("/tree")
|
||||
@Operation(summary = "查询可视化资源树")
|
||||
@ -98,7 +98,7 @@ public interface DataVisualizationApi {
|
||||
|
||||
@GetMapping("/findDvType/{dvId}")
|
||||
@Operation(summary = "查询可视化资源类型")
|
||||
String findDvType(@PathVariable("dvId")Long dvId);
|
||||
String findDvType(@PathVariable("dvId") Long dvId);
|
||||
|
||||
/**
|
||||
* 从模板解压可视化资源 模板来源包括 模板市场、内部模板管理
|
||||
|
||||
@ -5,7 +5,9 @@ import io.dataease.api.visualization.request.VisualizationSubjectRequest;
|
||||
import io.dataease.api.visualization.vo.VisualizationSubjectVO;
|
||||
import io.swagger.v3.oas.annotations.Operation;
|
||||
import io.swagger.v3.oas.annotations.tags.Tag;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import org.springframework.web.bind.annotation.PathVariable;
|
||||
import org.springframework.web.bind.annotation.PostMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
@ -25,8 +27,8 @@ public interface VisualizationSubjectApi {
|
||||
@Operation(summary = "更新")
|
||||
void update(@RequestBody VisualizationSubjectRequest request);
|
||||
|
||||
@DeleteMapping("/delete/{id}")
|
||||
@PostMapping("/delete/{id}")
|
||||
@Operation(summary = "删除")
|
||||
void delete(@PathVariable String id);
|
||||
void delete(@PathVariable("id") String id);
|
||||
|
||||
}
|
||||
|
||||
@ -28,7 +28,7 @@ public interface TaskApi {
|
||||
@PostMapping("/update")
|
||||
void update(@RequestBody TaskInfoDTO jobInfo) throws DEException;
|
||||
|
||||
@DeleteMapping("/remove/{id}")
|
||||
@PostMapping("/remove/{id}")
|
||||
void remove(@PathVariable(value = "id") String id) throws DEException;
|
||||
|
||||
@GetMapping("start/{id}")
|
||||
|
||||
@ -27,10 +27,10 @@ public interface TaskLogApi {
|
||||
@PostMapping("/update")
|
||||
void updateLog(@RequestBody TaskLogVO logDetail);
|
||||
|
||||
@DeleteMapping("/deleteByJobId/{jobId}")
|
||||
@PostMapping("/deleteByJobId/{jobId}")
|
||||
void deleteByJobId(@PathVariable("jobId") String jobId);
|
||||
|
||||
@DeleteMapping("/delete/{logId}")
|
||||
@PostMapping("/delete/{logId}")
|
||||
void deleteById(@PathVariable("logId") String logId);
|
||||
|
||||
@PostMapping("/clear")
|
||||
|
||||
@ -5,6 +5,7 @@ import io.dataease.constant.AuthConstant;
|
||||
import io.dataease.utils.*;
|
||||
import jakarta.servlet.*;
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
|
||||
import java.io.IOException;
|
||||
@ -16,6 +17,22 @@ public class TokenFilter implements Filter {
|
||||
@Override
|
||||
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
|
||||
HttpServletRequest request = (HttpServletRequest) servletRequest;
|
||||
String method = request.getMethod();
|
||||
if (!StringUtils.equalsAny(method, "GET", "POST", "OPTIONS")) {
|
||||
HttpServletResponse res = (HttpServletResponse) servletResponse;
|
||||
res.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
|
||||
return;
|
||||
}
|
||||
if (StringUtils.equalsIgnoreCase("OPTIONS", method)) {
|
||||
String origin = request.getHeader("Origin");
|
||||
if (StringUtils.isBlank(origin)) {
|
||||
HttpServletResponse res = (HttpServletResponse) servletResponse;
|
||||
res.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
|
||||
return;
|
||||
}
|
||||
filterChain.doFilter(servletRequest, servletResponse);
|
||||
return;
|
||||
}
|
||||
String requestURI = request.getRequestURI();
|
||||
|
||||
if (ModelUtils.isDesktop()) {
|
||||
@ -28,10 +45,7 @@ public class TokenFilter implements Filter {
|
||||
filterChain.doFilter(servletRequest, servletResponse);
|
||||
return;
|
||||
}
|
||||
if (StringUtils.equalsIgnoreCase("OPTIONS", ServletUtils.request().getMethod())) {
|
||||
filterChain.doFilter(servletRequest, servletResponse);
|
||||
return;
|
||||
}
|
||||
|
||||
String executeVersion = null;
|
||||
if (StringUtils.isNotBlank(executeVersion = VersionUtil.getRandomVersion())) {
|
||||
Objects.requireNonNull(ServletUtils.response()).addHeader(AuthConstant.DE_EXECUTE_VERSION, executeVersion);
|
||||
|
||||
@ -1,12 +1,12 @@
|
||||
package io.dataease.auth.interceptor;
|
||||
|
||||
import io.dataease.constant.AuthConstant;
|
||||
import jakarta.annotation.Resource;
|
||||
import org.apache.commons.collections4.CollectionUtils;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.servlet.config.annotation.CorsRegistration;
|
||||
import org.springframework.web.servlet.config.annotation.CorsRegistry;
|
||||
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
|
||||
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
|
||||
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
|
||||
|
||||
@ -15,17 +15,11 @@ import java.util.List;
|
||||
@Configuration
|
||||
public class CorsConfig implements WebMvcConfigurer {
|
||||
|
||||
@Resource(name = "deCorsInterceptor")
|
||||
private CorsInterceptor corsInterceptor;
|
||||
|
||||
@Value("#{'${dataease.origin-list:http://127.0.0.1:8100}'.split(',')}")
|
||||
private List<String> originList;
|
||||
|
||||
@Override
|
||||
public void addInterceptors(InterceptorRegistry registry) {
|
||||
corsInterceptor.addOriginList(originList);
|
||||
registry.addInterceptor(corsInterceptor).addPathPatterns("/**");
|
||||
}
|
||||
private CorsRegistration operateCorsRegistration;
|
||||
|
||||
@Override
|
||||
public void configurePathMatch(PathMatchConfigurer configurer) {
|
||||
@ -34,11 +28,21 @@ public class CorsConfig implements WebMvcConfigurer {
|
||||
|
||||
@Override
|
||||
public void addCorsMappings(CorsRegistry registry) {
|
||||
registry.addMapping("/**")
|
||||
operateCorsRegistration = registry.addMapping("/**")
|
||||
.allowCredentials(true)
|
||||
.allowedOriginPatterns("*")
|
||||
.allowedOrigins(originList.toArray(new String[0]))
|
||||
.allowedHeaders("*")
|
||||
.maxAge(3600)
|
||||
.allowedMethods("*");
|
||||
.allowedMethods("GET", "POST");
|
||||
}
|
||||
|
||||
public void addAllowedOrigins(List<String> origins) {
|
||||
if (CollectionUtils.isEmpty(origins)) {
|
||||
return;
|
||||
}
|
||||
origins.addAll(originList);
|
||||
List<String> newOrigins = origins.stream().distinct().toList();
|
||||
String[] originArray = newOrigins.toArray(new String[0]);
|
||||
operateCorsRegistration.allowedOrigins(originArray);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,86 +0,0 @@
|
||||
package io.dataease.auth.interceptor;
|
||||
|
||||
import io.dataease.utils.CommonBeanFactory;
|
||||
import io.dataease.utils.DeReflectUtil;
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
import org.apache.commons.collections4.CollectionUtils;
|
||||
import org.apache.commons.lang3.ObjectUtils;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.springframework.stereotype.Component;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
import org.springframework.web.servlet.HandlerInterceptor;
|
||||
|
||||
import java.lang.reflect.Method;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
@Component("deCorsInterceptor")
|
||||
public class CorsInterceptor implements HandlerInterceptor {
|
||||
|
||||
|
||||
private final List<String> originList;
|
||||
|
||||
private final List<String> busiOriginList = new ArrayList<>();
|
||||
|
||||
private Class<?> aClass;
|
||||
|
||||
private Object bean;
|
||||
|
||||
|
||||
public CorsInterceptor(List<String> originList) {
|
||||
this.originList = originList;
|
||||
}
|
||||
|
||||
public void addOriginList(List<String> list) {
|
||||
List<String> strings = list.stream().filter(item -> !originList.contains(item)).toList();
|
||||
originList.addAll(strings);
|
||||
}
|
||||
|
||||
|
||||
public void addOriginList() {
|
||||
busiOriginList.clear();
|
||||
String className = "io.dataease.api.permissions.embedded.api.EmbeddedApi";
|
||||
String methodName = "domainList";
|
||||
if (ObjectUtils.isEmpty(aClass)) {
|
||||
try {
|
||||
aClass = Class.forName(className);
|
||||
} catch (ClassNotFoundException e) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
if (ObjectUtils.isEmpty(bean)) {
|
||||
bean = CommonBeanFactory.getBean(aClass);
|
||||
}
|
||||
if (ObjectUtils.isNotEmpty(bean)) {
|
||||
Method method = DeReflectUtil.findMethod(aClass, methodName);
|
||||
Object result = ReflectionUtils.invokeMethod(method, bean);
|
||||
if (ObjectUtils.isNotEmpty(result)) {
|
||||
List<String> list = (List<String>) result;
|
||||
if (CollectionUtils.isNotEmpty(list)) {
|
||||
busiOriginList.addAll(list.stream().distinct().toList());
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
|
||||
addOriginList();
|
||||
String origin = request.getHeader("Origin");
|
||||
boolean embedded = StringUtils.startsWithAny(request.getRequestURI(), "/assets/", "/js/");
|
||||
if ((StringUtils.isNotBlank(origin) && originList.contains(origin)) || busiOriginList.contains(origin) || embedded) {
|
||||
response.setHeader("Access-Control-Allow-Origin", embedded ? "*" : origin);
|
||||
response.setHeader("Access-Control-Allow-Credentials", "true");
|
||||
response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS");
|
||||
response.setHeader("Access-Control-Allow-Headers", "*");
|
||||
response.setHeader("Access-Control-Max-Age", "3600");
|
||||
}
|
||||
|
||||
if (StringUtils.equalsIgnoreCase(request.getMethod(), "options")) {
|
||||
response.setStatus(200);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user