zlt2000 / microservices-platform Goto Github PK


An enterprise-grade multi-tenant microservice system architecture based on Spring Boot 2.x, Spring Cloud and Spring Cloud Alibaba, with a separated front end and back end. It uses a component-based design to achieve high cohesion and low coupling; the code is concise, richly commented and easy to pick up, suitable both for learning and for enterprise use. It delivers a genuinely stateless unified authentication and authorization solution based on RBAC, JWT and OAuth2, designed for the internet and suited to both B-side and C-side users, supports CI/CD multi-environment deployment, and provides application management so that third-party systems can integrate easily; it also bundles a range of microservice governance and monitoring features. Modules include: an enterprise-grade authentication system, a development platform, application monitoring, slow SQL monitoring, unified logging, single sign-on, a Redis distributed cache, a configuration center, distributed job scheduling, API documentation, code generation and more.

Home Page: http://zlt2000.cn

License: Apache License 2.0

Java 50.74% JavaScript 16.02% HTML 10.36% Lua 0.03% CSS 7.47% Batchfile 0.45% Smarty 0.19% Shell 0.44% Dockerfile 0.07% TypeScript 13.31% Less 0.44% EJS 0.47%
microservices platform java oauth2 jwt spring-boot spring-cloud spring-cloud-alibaba rbac nacos

microservices-platform's Issues

The tableToJava function is not general enough

public static String tableToJava(String tableName, String tablePrefix) {

Database table names are usually of the form t_xxx or t_xxx_yyy. The replace call replaces tablePrefix with "", but if there is a table named t_event_message, the generated Java file will be named EvenMessage, which is clearly not what we want. Consider improving it like this: tableName = tableName.substring(tablePrefix.length(), tableName.length());
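The difference between replace-all and strip-leading-prefix that the issue describes, as an added example (this is demo code, not the project's own tableToJava; the camel-case helper and the sample table names are constructed for the demo):

```java
// Added example, not the project's tableToJava: removes the prefix only when it leads the
// name, then converts the remainder to UpperCamelCase, so an inner "t_" survives intact.
public final class TableNameDemo {
    // Variant from the issue: String.replace removes every occurrence of the prefix,
    // so "t_event_message" loses the "t_" inside "event_" as well.
    static String stripPrefixReplaceAll(String tableName, String tablePrefix) {
        return tableName.replace(tablePrefix, "");
    }

    // Fixed variant: only a leading prefix is removed; names without the prefix are left alone.
    static String tableToJava(String tableName, String tablePrefix) {
        String name = tableName;
        if (tablePrefix != null && !tablePrefix.isEmpty() && name.startsWith(tablePrefix)) {
            name = name.substring(tablePrefix.length());
        }
        return toCamel(name);
    }

    // snake_case -> UpperCamelCase: capitalise the first letter and every letter after an underscore.
    private static String toCamel(String snake) {
        StringBuilder sb = new StringBuilder(snake.length());
        boolean upperNext = true;
        for (char c : snake.toCharArray()) {
            if (c == '_') {
                upperNext = true;
            } else {
                sb.append(upperNext ? Character.toUpperCase(c) : Character.toLowerCase(c));
                upperNext = false;
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(stripPrefixReplaceAll("t_event_message", "t_")); // evenmessage (inner t_ gone too)
        System.out.println(tableToJava("t_event_message", "t_"));           // EventMessage
        System.out.println(tableToJava("sys_user", "t_"));                  // SysUser (prefix absent, unchanged)
    }
}
```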

Documentation

Why does the online documentation have to be paid for before it can be read...

Redis expiry time setting issue

/**
 * Adds an array of keys to the cache with an expiry time in one go, without connecting repeatedly, to save overhead
 *
 * @param keys   array of Redis keys
 * @param values array of values
 * @param time   expiry time (in seconds)
 */
public void setExpire(final String[] keys, final Object[] values, final long time) {
    for (int i = 0; i < keys.length; i++) {
        redisTemplate.opsForValue().set(keys[i], values[i], time, TimeUnit.SECONDS);
    }
}
The code above: how does it avoid connecting multiple times and save overhead?
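Each iteration of the loop above is a separate round-trip (and, with a pooled connection factory, a separate connection checkout). As an added example, not the project's RedisUtils, here is how the same operation can be batched through Spring Data Redis pipelining; it assumes a StringRedisTemplate (UTF-8 string keys and values) injected by Spring:

```java
import java.nio.charset.StandardCharsets;
import java.util.List;

import org.springframework.data.redis.core.RedisCallback;
import org.springframework.data.redis.core.StringRedisTemplate;

// Added example, not the project's RedisUtils: every SETEX is queued on one connection and
// the replies are read together instead of one round-trip per key.
public class PipelinedExpireDemo {
    private final StringRedisTemplate redisTemplate;

    public PipelinedExpireDemo(StringRedisTemplate redisTemplate) {
        this.redisTemplate = redisTemplate;
    }

    /** Sets all keys with the same TTL in a single pipelined round-trip; returns one reply per key. */
    public List<Object> setExpire(String[] keys, String[] values, long seconds) {
        if (keys.length != values.length) {
            throw new IllegalArgumentException("keys and values must have the same length");
        }
        if (seconds <= 0) {
            throw new IllegalArgumentException("expiry must be positive; Redis rejects a non-positive SETEX TTL");
        }
        // The cast selects the RedisCallback overload. Inside executePipelined the callback must
        // return null; the template collects the command replies and returns them as the list.
        return redisTemplate.executePipelined((RedisCallback<Object>) connection -> {
            for (int i = 0; i < keys.length; i++) {
                byte[] k = keys[i].getBytes(StandardCharsets.UTF_8);
                byte[] v = values[i].getBytes(StandardCharsets.UTF_8);
                connection.setEx(k, seconds, v);   // queued as SETEX key seconds value, reply read later
            }
            return null;
        });
    }
}
```

The returned list has one entry per key in the order the commands were queued, which is what the closePipeline() results in the token-deletion issue further down rely on as well.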

[security vulnerability] upload arbitrary files

Recently, our team has identified a security vulnerability in the latest version of the project. This vulnerability allows attackers to potentially upload arbitrary files to the server through malicious requests, thereby gaining control over server permissions.
The logic of the vulnerability is present in the following files: com/central/file/controller/FileController.java#upload.
Developers did not check the filename of the uploaded file when using com/central/file/service/impl/FastdfsService.java#uploadFile() to upload the file.
As a result, attackers could exploit this by submitting a malicious filename, such as ../../../pwned.txt, to achieve arbitrary file upload, which poses a threat to server security.
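The missing check described in this report, written as an added example (not the project's FileController or FastdfsService code): the client-supplied name is validated before it is used to build a storage path. The base directory, the extension allowlist and the sample names are assumptions for the demo.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

// Added example, not the project's upload code: fail-closed validation of an uploaded file name.
public final class UploadNameCheck {
    private static final Path BASE_DIR = Paths.get("/data/upload").toAbsolutePath().normalize(); // assumed
    private static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png", "pdf");           // assumed

    /** Returns the target path for a valid name; throws for anything that could escape BASE_DIR. */
    static Path resolveUploadTarget(String originalFilename) {
        if (originalFilename == null || originalFilename.isEmpty() || originalFilename.length() > 128) {
            throw new IllegalArgumentException("missing or overlong file name");
        }
        // Any directory component (either separator) or NUL byte is rejected rather than stripped.
        if (originalFilename.indexOf('/') >= 0 || originalFilename.indexOf('\\') >= 0
                || originalFilename.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("file name must not contain path separators");
        }
        // Conservative allowlist; also rules out ".", ".." and names starting with a dot.
        if (!originalFilename.matches("[A-Za-z0-9_-]+(\\.[A-Za-z0-9_-]+)*")) {
            throw new IllegalArgumentException("file name contains unsupported characters");
        }
        int dot = originalFilename.lastIndexOf('.');
        String ext = dot < 0 ? "" : originalFilename.substring(dot + 1).toLowerCase();
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed: " + ext);
        }
        // Defence in depth: even after the checks above, the resolved path must stay inside BASE_DIR.
        Path target = BASE_DIR.resolve(originalFilename).normalize();
        if (!target.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes the upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        System.out.println(resolveUploadTarget("report.pdf"));           // /data/upload/report.pdf
        for (String bad : new String[] {"../../../pwned.txt", "page.html", "..", "a\\b.png"}) {
            try {
                resolveUploadTarget(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Keeping the server-side name independent of the client's (a generated UUID plus the validated extension) removes the remaining reliance on this check.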

Security issue: `state` parameter missing in redirect URL

Hi,

I am a bit concerned while using the project's code for my own microservice because I noticed that the state parameter in the redirect URL is missing.
RFC 6749 strongly recommends the presence of the state param because its absence can essentially enable an attacker to perform a Cross Site Request Forgery (CSRF) attack [1].

The following code snippet is what I am talking about; it is from the getAccessToken method in the ApiController REST controller class, where parameters of the redirect URL such as code, grant_type, redirect_uri and scope are constructed.

// zlt-demo/sso-demo/web-sso/src/main/java/com/sso/demo/controller/ApiController.java

    param.add("code", code);
    param.add("grant_type", "authorization_code");
    param.add("redirect_uri", redirectUri);
    param.add("scope", "app"); 

I want to know your view on this security concern and how it can affect the security of my application against CSRF attacks as mentioned in the RFC 6749 document.
Thanks in advance.

References:
[1] RFC 6749 The OAuth 2.0 Authorization Framework Cross Site Request Forgery
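As an added example (not the project's ApiController), the state handling that RFC 6749 recommends: the value is generated when the user is redirected to the authorization endpoint, bound to their session, and verified when the code comes back, before the code/grant_type/redirect_uri request quoted above is sent. It assumes servlet HttpSession storage, an attribute name chosen for the demo, and Java 10+.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpSession;

// Added example, not the project's code: single-use, session-bound OAuth2 state parameter.
public final class OAuthStateGuard {
    private static final String SESSION_KEY = "oauth2_state";   // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** Creates an unguessable state, binds it to the user's session and returns it for the redirect. */
    static String newState(HttpSession session) {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        session.setAttribute(SESSION_KEY, state);
        return state;
    }

    /** Authorization request URL carrying the state parameter alongside the usual ones. */
    static String authorizeUrl(String authorizeEndpoint, String clientId, String redirectUri, String state) {
        return authorizeEndpoint + "?response_type=code&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri) + "&scope=app&state=" + enc(state);
    }

    /**
     * Called on the redirect back: the stored state is consumed (single use) and compared in
     * constant time. Only when this returns true should the code be exchanged for a token.
     */
    static boolean consumeState(HttpSession session, String returnedState) {
        Object expected = session.getAttribute(SESSION_KEY);
        session.removeAttribute(SESSION_KEY);             // never accept the same state twice
        if (!(expected instanceof String) || returnedState == null) {
            return false;
        }
        return MessageDigest.isEqual(((String) expected).getBytes(StandardCharsets.UTF_8),
                returnedState.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }
}
```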

Bugs in negated `in` expressions

in and instanceof expressions in JS

a in obj;
a instanceof C;

can be negated by grouping them and applying the ! operator, i.e.

!(a in obj);
!(a instanceof C);

Applying the ! operator incorrectly (on the LHS operand) leads to bugs:

!a in obj; // will evaluate to false, unless obj has a "true" or "false" key
!a instanceof C; // will evaluate to false, unless C overrides instanceof with a @@hasInstance method

For more information, please see these MDN docs and the no-unsafe-negation recommended ESLint rule.

I have found a potentially problematic instance of the above bugs in your codebase:

Running the RocketMQ transactional message demo fails

RocketMQ environment:
ver 4.7all
broker conf:
#brokerIP1=localhost
namesrvAddr=localhost:9876

autoCreateTopicEnable= true
autoCreateSubscriptionGroup=true

Run
http://localhost:11002/success

Exception reported: No route info of this topic TransactionTopic
Tried all sorts of things without success; finally checked the dependencies.
After changing the RocketMQ dependency in the pom to org.springframework.cloud, it runs normally.

<!--<dependency>-->
    <!--<groupId>com.alibaba.cloud</groupId>-->
    <!--<artifactId>spring-cloud-starter-stream-rocketmq</artifactId>-->
<!--</dependency>-->

<!-- <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-stream-rocketmq</artifactId>
    <version>0.9.0.RELEASE</version>
</dependency>
-->

Thanks, zlt2000

The Base64Encode/Decode utilities from the misc package could be switched to the util package ones to support JDK 11 and above

JDK 9+ removed the Base64 encoder and decoder under the misc package.
Affected:
com.central.common.utils.RsaUtils
com.sso.demo.controller.ApiController
The following approach could be considered for compatibility:
Base64.Encoder encoder = Base64.getEncoder();
String encode = encoder.encodeToString(text2.getBytes());

Base64.Decoder decoder = Base64.getDecoder();
byte[] decode = decoder.decode(encodeValue2);

On the security of storing the token in LocalStorage

After logging in to mp.zlt2000.cn as the admin user and inspecting LocalStorage, two entries can be seen
1. login_user
It contains the admin user's encrypted password along with a lot of information about the logged-in user
{
"id": 1,
"createTime": 1510909019000,
"updateTime": 1548229920000,
"username": "admin",
"password": "$2a$10$TJkwVdlpbHKnV45.nBxbgeFHmQRmyWlshg94lFu2rKxVtT2OMniDO",
"nickname": "管理员",
"headImgUrl": "http://file.zlt2000.cn/group1/M00/00/00/rBJttFztYwyABaTaAAaskHJyvCo696.jpg",
"mobile": "18888888888",
"sex": 1,
"enabled": true,
"type": "APP",
"openId": "123",
"roles": [
{
"id": 1,
"createTime": 1510909019000,
"updateTime": 1537321150000,
"code": "ADMIN",
"name": "管理员",
"userId": null
}
],
"roleId": null,
"oldPassword": null,
"newPassword": null,
"permissions": [
"user-btn-add",
"user-list",
"user-roles",
"user-btn-export",
"user-btn-import"
],
"userId": "123",
"accountNonExpired": true,
"accountNonLocked": true,
"credentialsNonExpired": true,
"del": false
}


2. token
It contains the OAuth2 access token and refresh token
{
"access_token": "f80ecd30-fd5f-4597-8416-66092672e78d",
"token_type": "bearer",
"refresh_token": "bab98952-0359-4ec7-9930-2ca3613e3bb8",
"expires_in": 3334,
"scope": "app"
}


Questions:
1. If such important information, especially the encrypted password and the token, is stored in LocalStorage, how is it protected in the event of an XSS attack? How is the site's security guaranteed?

2. Also, mp.zlt2000.cn uses cookies as well; is session management still done by associating the cookie with the session on the gateway? If so, what is the OAuth2 access token handed to the front end used for? Is it necessary to give the access token to the browser at all?

Dependency error when running the package command

Package command: mvn clean package -Dmaven.test.skip=true
The error is as follows:

[ERROR] Failed to execute goal on project zlt-db-spring-boot-starter: Could not resolve dependencies for project com.zlt:zlt-db-spring-boot-starter:jar:5.0.0: The following artifacts could not be resolved: com.sun:tools:jar:1.8, com.sun:jconsole:jar:1.8: Could not find artifact com.sun:tools:jar:1.8 at specified path /Users/cmlanche/.m2/repository/com/alibaba/druid/1.2.6/lib/openjdk-1.8-tools.jar -> [Help 1]

Token deletion fails in versions 3.6, 3.6.1 and 3.7 (anything above 3.5)

Problem description: under Applications there are "app" and pc; select app in the token list, pick the corresponding token and click Delete; the list on the page loses one row and reports success.

But after refreshing the page, the data turns out not to have been deleted at all. Looking in Redis,
the list under client_id_to_access:* still contains the corresponding token.

Tracing the code, in removeAccessToken of CustomRedisTokenStore:

conn.get(accessKey);
conn.get(authKey);
List<Object> results = conn.closePipeline();
byte[] access = (byte[]) results.get(0);
byte[] auth = (byte[]) results.get(1);

In fact both accessKey and authKey can be found in Redis, but results.get(0) almost always returns null (only occasionally does it return a value).

If it returns null, then these lines:
conn.lRem(unameKey, 1, access);
conn.lRem(clientId, 1, access);
conn.del(serialize(ACCESS + key));
do not execute, so the entry is never removed from the lists by lRem.


Refreshing again shows the situation in the screenshot above: there are duplicates, and rows where the username and other information are missing. The root cause is that results.get(0) and results.get(1) have no value, so lRem is not executed.

Evidence:

  1. Downloaded 3.7, 3.6, 3.6.1 and 3.5 from GitHub and ran them locally (same Redis 5.0.3):
    3.5 has no problem, it succeeds every time.
    Above 3.5, byte[] access = (byte[]) results.get(0); returns null with over 90% probability, and byte[] auth = (byte[]) results.get(1); is null with about 80% probability too.

2. When openPipeline, closePipeline etc. are commented out and the synchronous form is used instead, as follows:
byte[] access = conn.get(accessKey);
byte[] auth = conn.get(authKey);

then 3.5, 3.6 and 3.7 all work without problems

3. We tried Redis clusters 4.0.11 and 5.0.3 with the same result, so a dependence on the Redis version can probably be ruled out

The tests above may not be comprehensive, but I hope someone can take a look and help clear this up

The log service cannot get the traceId during microservice calls

In zlt-log, the @Component annotation on the WebTraceFilter class does not take effect, so the OncePerRequestFilter logic is not executed during microservice calls. After commenting out @Component and registering the class in spring.factories instead, logging in the called microservice shows the traceId.
-- The above is my personal understanding; if I have got something wrong, please correct me, thank you
