优化西宁浦发银行 渗透测试漏洞解决

java110-core/src/main/java/com/java110/core/factory/AuthenticationFactory.java

@@ -13,6 +13,7 @@ import com.java110.core.context.ApiDataFlow;
 import com.java110.core.context.DataFlow;
 import com.java110.dto.reportData.ReportDataDto;
 import com.java110.dto.reportData.ReportDataHeaderDto;
+import com.java110.utils.cache.CommonCache;
 import com.java110.utils.cache.JWTCache;
 import com.java110.utils.cache.MappingCache;
 import com.java110.utils.constant.CommonConstant;
@@ -65,6 +66,8 @@ public class AuthenticationFactory {
      */
     private static final String CHARSET = "utf-8";
 
+    private static final String USER_ERROR_COUNT = "USER_ERROR_COUNT_";// 用户登录错误次数，防止暴力破解
+
 
     // 加密
     public static String AesEncrypt(String sSrc, String sKey) {
@@ -604,6 +607,42 @@ public class AuthenticationFactory {
     }
 
 
+    /**
+     * 登陆密码错误时 记录，连续输入错误7次后账号锁定 2小时
+     *
+     * @param userName
+     */
+    public static void userLoginError(String userName) {
+        String count = CommonCache.getValue(USER_ERROR_COUNT + userName);
+        int countNum = 0;
+        if (!StringUtil.isEmpty(count)) {
+            countNum = Integer.parseInt(count);
+        }
+
+        countNum += 1;
+
+        CommonCache.setValue(USER_ERROR_COUNT + userName, countNum + "", CommonCache.TOKEN_EXPIRE_TIME);
+
+    }
+
+    /**
+     * 校验 登录次数
+     *
+     * @param userName 登录账号
+     */
+    public static void checkLoginErrorCount(String userName) {
+        String count = CommonCache.getValue(USER_ERROR_COUNT + userName);
+        int countNum = 0;
+        if (!StringUtil.isEmpty(count)) {
+            countNum = Integer.parseInt(count);
+        }
+
+        if (countNum >= 7) {
+            throw new IllegalArgumentException("登陆错误次数过多，请休息一会再试");
+        }
+
+    }
+
     /***********************************JWT start***************************************/
 
 

java110-core/src/main/java/com/java110/core/smo/IOwnerGetDataCheck.java

@@ -0,0 +1,27 @@
+package com.java110.core.smo;
+
+import com.alibaba.fastjson.JSONObject;
+
+/***
+ * 业主 查询数据合法性校验
+ */
+public interface IOwnerGetDataCheck {
+
+    /**
+     * 校验业主 账户查询
+     *
+     * @param appId       应用ID
+     * @param loginUserId 登陆用户ID
+     * @param reqJson     传递参数内容
+     */
+    void checkOwnerAccount(String appId, String loginUserId, JSONObject reqJson);
+
+    /**
+     * 查询费用校验
+     *
+     * @param appId
+     * @param loginUserId
+     * @param reqJson
+     */
+    void checkOwnerFee(String appId, String loginUserId, JSONObject reqJson);
+}

java110-core/src/main/java/com/java110/core/smo/impl/OwnerGetDataCheckImpl.java

@@ -0,0 +1,248 @@
+package com.java110.core.smo.impl;
+
+import com.alibaba.fastjson.JSONObject;
+import com.java110.core.smo.IOwnerGetDataCheck;
+import com.java110.dto.account.AccountDetailDto;
+import com.java110.dto.account.AccountDto;
+import com.java110.dto.app.AppDto;
+import com.java110.dto.fee.FeeAttrDto;
+import com.java110.dto.fee.FeeDto;
+import com.java110.dto.owner.OwnerDto;
+import com.java110.dto.user.UserDto;
+import com.java110.intf.acct.IAccountInnerServiceSMO;
+import com.java110.intf.fee.IFeeInnerServiceSMO;
+import com.java110.intf.fee.IPayFeeV1InnerServiceSMO;
+import com.java110.intf.user.IOwnerV1InnerServiceSMO;
+import com.java110.intf.user.IUserV1InnerServiceSMO;
+import com.java110.utils.util.StringUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import java.util.List;
+
+
+/**
+ * 业主 查询安全性校验
+ */
+@Service
+public class OwnerGetDataCheckImpl implements IOwnerGetDataCheck {
+
+    @Autowired(required = false)
+    private IUserV1InnerServiceSMO userV1InnerServiceSMOImpl;
+
+    @Autowired(required = false)
+    private IAccountInnerServiceSMO accountInnerServiceSMOImpl;
+
+
+    @Autowired(required = false)
+    private IOwnerV1InnerServiceSMO ownerV1InnerServiceSMOImpl;
+
+    @Autowired(required = false)
+    private IFeeInnerServiceSMO feeInnerServiceSMOImpl;
+
+
+    private boolean isOwner(String appId) {
+        if (!AppDto.WECHAT_OWNER_APP_ID.equals(appId) && !AppDto.WECHAT_MINA_OWNER_APP_ID.equals(appId)) {
+            return false;
+        }
+
+        return true;
+    }
+
+
+    @Override
+    public void checkOwnerAccount(String appId, String loginUserId, JSONObject reqJson) {
+
+        if (!isOwner(appId)) {
+            return;
+        }
+
+        UserDto userDto = new UserDto();
+        userDto.setUserId(loginUserId);
+
+        List<UserDto> userDtos = userV1InnerServiceSMOImpl.queryUsers(userDto);
+
+        //todo 没有登录，说明不需要校验
+        if (userDtos == null || userDtos.isEmpty()) {
+            return;
+        }
+
+        //todo 如果 包含acctId 校验
+        ifAcctIdCheck(reqJson, userDtos.get(0));
+
+        // todo 如果包含link 校验
+        ifAccountLinkCheck(reqJson, userDtos.get(0));
+
+        String acctId = reqJson.getString("acctId");
+        String link = reqJson.getString("link");
+        if (StringUtil.isEmpty(acctId) && StringUtil.isEmpty(link)) {
+            throw new IllegalArgumentException("业主查询条件错误");
+        }
+
+    }
+
+    @Override
+    public void checkOwnerFee(String appId, String loginUserId, JSONObject reqJson) {
+        if (!isOwner(appId)) {
+            return;
+        }
+
+        UserDto userDto = new UserDto();
+        userDto.setUserId(loginUserId);
+
+        List<UserDto> userDtos = userV1InnerServiceSMOImpl.queryUsers(userDto);
+
+        //todo 没有登录，说明不需要校验
+        if (userDtos == null || userDtos.isEmpty()) {
+            return;
+        }
+
+        //todo 查询业主信息
+        OwnerDto ownerDto = new OwnerDto();
+        ownerDto.setLink(userDtos.get(0).getTel());
+        ownerDto.setCommunityId(reqJson.getString("communityId"));
+        ownerDto.setOwnerTypeCd(OwnerDto.OWNER_TYPE_CD_OWNER);
+        List<OwnerDto> ownerDtos = ownerV1InnerServiceSMOImpl.queryOwners(ownerDto);
+        //todo 游客不校验
+        if (ownerDtos == null || ownerDtos.isEmpty()) {
+            return;
+        }
+
+        //todo 根据ownerId 查询
+        ifFeeOwnerId(reqJson, ownerDtos.get(0));
+
+        //todo 根据payerObjId 查询
+        ifFeePayerObjId(reqJson, ownerDtos.get(0));
+
+        //todo 根据feeId 查询
+        ifFeeFeeId(reqJson, ownerDtos.get(0));
+
+        String ownerId = reqJson.getString("ownerId");
+        String payerObjId = reqJson.getString("payerObjId");
+        String feeId = reqJson.getString("feeId");
+
+        if (StringUtil.isEmpty(ownerId) && StringUtil.isEmpty(payerObjId) && StringUtil.isEmpty(feeId)) {
+            throw new IllegalArgumentException("业主查询费用条件错误");
+        }
+
+    }
+
+    private void ifFeeFeeId(JSONObject reqJson, OwnerDto ownerDto) {
+        if (!reqJson.containsKey("feeId")) {
+            return;
+        }
+
+        String feeId = reqJson.getString("feeId");
+        if (StringUtil.isEmpty(feeId)) {
+            return;
+        }
+
+        FeeDto feeDto = new FeeDto();
+        feeDto.setFeeId(reqJson.getString("feeId"));
+        feeDto.setCommunityId(reqJson.getString("communityId"));
+        List<FeeDto> feeDtos = feeInnerServiceSMOImpl.queryFees(feeDto);
+
+        if (feeDtos == null || feeDtos.isEmpty()) {
+            return;
+        }
+
+        String ownerId = FeeAttrDto.getFeeAttrValue(feeDtos.get(0), FeeAttrDto.SPEC_CD_OWNER_ID);
+
+        if (StringUtil.isEmpty(ownerId)) {
+            return;
+        }
+
+        if (!ownerDto.getOwnerId().equals(ownerId)) {
+            throw new IllegalArgumentException("业主查询不属于自己的数据");
+        }
+    }
+
+    private void ifFeePayerObjId(JSONObject reqJson, OwnerDto ownerDto) {
+
+        if (!reqJson.containsKey("payerObjId")) {
+            return;
+        }
+
+        String payerObjId = reqJson.getString("payerObjId");
+        if (StringUtil.isEmpty(payerObjId)) {
+            return;
+        }
+
+        FeeDto feeDto = new FeeDto();
+        feeDto.setPayerObjId(reqJson.getString("payerObjId"));
+        feeDto.setCommunityId(reqJson.getString("communityId"));
+        List<FeeDto> feeDtos = feeInnerServiceSMOImpl.queryFees(feeDto);
+
+        if (feeDtos == null || feeDtos.isEmpty()) {
+            return;
+        }
+
+        String ownerId = FeeAttrDto.getFeeAttrValue(feeDtos.get(0), FeeAttrDto.SPEC_CD_OWNER_ID);
+
+        if (StringUtil.isEmpty(ownerId)) {
+            return;
+        }
+
+        if (!ownerDto.getOwnerId().equals(ownerId)) {
+            throw new IllegalArgumentException("业主查询不属于自己的数据");
+        }
+
+
+    }
+
+    private void ifFeeOwnerId(JSONObject reqJson, OwnerDto ownerDto) {
+
+        if (!reqJson.containsKey("ownerId")) {
+            return;
+        }
+
+        String ownerId = reqJson.getString("ownerId");
+        if (StringUtil.isEmpty(ownerId)) {
+            return;
+        }
+
+        if (!ownerId.equals(ownerDto.getOwnerId())) {
+            throw new IllegalArgumentException("业主查询不属于自己的数据");
+        }
+    }
+
+    private void ifAccountLinkCheck(JSONObject reqJson, UserDto userDto) {
+
+        if (!reqJson.containsKey("link")) {
+            return;
+        }
+
+        String link = reqJson.getString("link");
+        if (StringUtil.isEmpty(link)) {
+            return;
+        }
+
+        if (!userDto.getTel().equals(link)) {
+            throw new IllegalArgumentException("业主查询不属于自己的数据");
+        }
+    }
+
+    private void ifAcctIdCheck(JSONObject reqJson, UserDto userDto) {
+
+        if (!reqJson.containsKey("accId")) {
+            return;
+        }
+
+        String acctId = reqJson.getString("acctId");
+        if (StringUtil.isEmpty(acctId)) {
+            return;
+        }
+
+        AccountDto accountDto = new AccountDto();
+        accountDto.setAcctId(acctId);
+        List<AccountDto> accountDtos = accountInnerServiceSMOImpl.queryAccounts(accountDto);
+
+        if (accountDtos == null || accountDtos.isEmpty()) {
+            return;
+        }
+
+        if (!userDto.getTel().equals(accountDtos.get(0).getLink())) {
+            throw new IllegalArgumentException("业主查询不属于自己的数据");
+        }
+    }
+}

service-acct/src/main/java/com/java110/acct/api/AccountApi.java

@@ -3,6 +3,7 @@ package com.java110.acct.api;
 import com.alibaba.fastjson.JSONObject;
 import com.java110.acct.bmo.account.IGetAccountBMO;
 import com.java110.acct.bmo.account.IOwnerPrestoreAccountBMO;
+import com.java110.core.smo.IOwnerGetDataCheck;
 import com.java110.dto.account.AccountDto;
 import com.java110.dto.account.AccountDetailDto;
 import com.java110.dto.contract.ContractDto;
@@ -16,6 +17,7 @@ import com.java110.intf.user.IOwnerCarInnerServiceSMO;
 import com.java110.intf.user.IOwnerRoomRelInnerServiceSMO;
 import com.java110.po.account.AccountDetailPo;
 import com.java110.utils.util.Assert;
+import com.java110.utils.util.BeanConvertUtil;
 import com.java110.utils.util.StringUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
@@ -54,6 +56,9 @@ public class AccountApi {
     @Autowired
     private IContractInnerServiceSMO contractInnerServiceSMOImpl;
 
+    @Autowired
+    private IOwnerGetDataCheck ownerGetDataCheckImpl;
+
     /**
      * 微信删除消息模板
      *
@@ -70,9 +75,9 @@ public class AccountApi {
         AccountDto accountDto = new AccountDto();
         accountDto.setPage(page);
         accountDto.setRow(row);
-        if(!StringUtil.isEmpty(shopId)){
+        if (!StringUtil.isEmpty(shopId)) {
             accountDto.setObjId(shopId);
-        }else {
+        } else {
             accountDto.setObjId(storeId);
         }
         return getAccountBMOImpl.get(accountDto);
@@ -97,7 +102,10 @@ public class AccountApi {
             @RequestParam(value = "acctType", required = false) String acctType,
             @RequestParam(value = "acctId", required = false) String acctId,
             @RequestParam(value = "page") int page,
-            @RequestParam(value = "row") int row) {
+            @RequestParam(value = "row") int row,
+            @RequestHeader(value = "user-id") String userId,
+            @RequestHeader(value = "app-id") String appId
+    ) {
         AccountDto accountDto = new AccountDto();
         accountDto.setPage(page);
         accountDto.setRow(row);
@@ -141,6 +149,10 @@ public class AccountApi {
         accountDto.setAcctType(acctType);
         accountDto.setLink(link);
         accountDto.setAcctId(acctId);
+
+        //todo 业主账户安全性校验
+        ownerGetDataCheckImpl.checkOwnerAccount(appId, userId, BeanConvertUtil.beanCovertJson(accountDto));
+
         OwnerDto ownerDto = new OwnerDto();
         ownerDto.setOwnerId(ownerId);
         ownerDto.setCommunityId(communityId);
@@ -161,12 +173,16 @@ public class AccountApi {
     public ResponseEntity<String> queryOwnerAccountDetail(@RequestParam(value = "objId", required = false) String objId,
                                                           @RequestParam(value = "acctId", required = false) String acctId,
                                                           @RequestParam(value = "page") int page,
-                                                          @RequestParam(value = "row") int row) {
+                                                          @RequestParam(value = "row") int row,
+                                                          @RequestHeader(value = "user-id") String userId,
+                                                          @RequestHeader(value = "app-id") String appId) {
         AccountDetailDto accountDto = new AccountDetailDto();
         accountDto.setPage(page);
         accountDto.setRow(row);
         accountDto.setObjId(objId);
         accountDto.setAcctId(acctId);
+        //todo 业主账户安全性校验
+        ownerGetDataCheckImpl.checkOwnerAccount(appId, userId, BeanConvertUtil.beanCovertJson(accountDto));
         return getAccountBMOImpl.getDetail(accountDto);
     }
 

service-fee/src/main/java/com/java110/fee/cmd/fee/ListFeeCmd.java

@@ -2,12 +2,14 @@ package com.java110.fee.cmd.fee;
 
 import com.alibaba.fastjson.JSONObject;
 import com.java110.core.annotation.Java110Cmd;
+import com.java110.core.context.CmdContextUtils;
 import com.java110.core.context.ICmdDataFlowContext;
 import com.java110.core.event.cmd.Cmd;
 import com.java110.core.event.cmd.CmdEvent;
 import com.java110.core.factory.CommunitySettingFactory;
 import com.java110.core.log.LoggerFactory;
 import com.java110.core.smo.IComputeFeeSMO;
+import com.java110.core.smo.IOwnerGetDataCheck;
 import com.java110.dto.floor.FloorDto;
 import com.java110.dto.room.RoomDto;
 import com.java110.dto.unit.UnitDto;
@@ -82,6 +84,9 @@ public class ListFeeCmd extends Cmd {
     @Autowired
     private IOwnerInnerServiceSMO ownerInnerServiceSMOImpl;
 
+    @Autowired
+    private IOwnerGetDataCheck ownerGetDataCheckImpl;
+
     //域
     public static final String DOMAIN_COMMON = "DOMAIN.COMMON";
 
@@ -98,6 +103,9 @@ public class ListFeeCmd extends Cmd {
     public void validate(CmdEvent event, ICmdDataFlowContext cmdDataFlowContext, JSONObject reqJson) {
         super.validatePageInfo(reqJson);
         Assert.hasKeyAndValue(reqJson, "communityId", "未包含小区ID");
+
+        // todo 业主查询合法性校验
+        ownerGetDataCheckImpl.checkOwnerFee(CmdContextUtils.getAppId(cmdDataFlowContext), CmdContextUtils.getLoginUserId(cmdDataFlowContext), reqJson);
     }
 
     @Override

service-user/src/main/java/com/java110/user/cmd/login/PcUserLoginCmd.java

@@ -97,6 +97,7 @@ public class PcUserLoginCmd extends Cmd {
         Assert.jsonObjectHaveKey(paramIn, "passwd", "用户登录，未包含passwd节点，请检查" + paramIn);
 
 
+        AuthenticationFactory.checkLoginErrorCount(reqJson.getString("username"));
     }
 
     @Override
@@ -117,6 +118,7 @@ public class PcUserLoginCmd extends Cmd {
         }
         if (userDtos == null || userDtos.size() < 1) {
             responseEntity = new ResponseEntity<String>("用户或密码错误", HttpStatus.UNAUTHORIZED);
+            AuthenticationFactory.userLoginError(paramInJson.getString("username"));
             cmdDataFlowContext.setResponseEntity(responseEntity);
             return;
         }

service-user/src/main/java/com/java110/user/cmd/owner/EditOwnerCmd.java

@@ -348,7 +348,7 @@ public class EditOwnerCmd extends Cmd {
             if (ownerAppUser.getUserId().startsWith("-")) {
                 continue;
             }
-            // todo 删除用户信息
+            // todo 修改用户信息
             UserPo userPo = new UserPo();
             userPo.setUserId(ownerAppUserDtos.get(0).getUserId());
             userPo.setTel(reqJson.getString("link"));

service-user/src/main/java/com/java110/user/cmd/user/UserSendSmsCmd.java

@@ -15,6 +15,7 @@ import com.java110.utils.cache.CommonCache;
 import com.java110.utils.cache.MappingCache;
 import com.java110.utils.constant.MappingConstant;
 import com.java110.utils.exception.CmdException;
+import com.java110.utils.lock.DistributedLock;
 import com.java110.utils.util.Assert;
 import com.java110.utils.util.StringUtil;
 import com.java110.utils.util.ValidatorUtil;
@@ -51,23 +52,32 @@ public class UserSendSmsCmd extends Cmd {
             throw new IllegalArgumentException("手机号格式错误");
         }
 
-        //校验是否有有效的验证码
-        String smsCode = CommonCache.getValue(reqJson.getString("tel") + SendSmsFactory.VALIDATE_CODE);
+        String requestId = DistributedLock.getLockUUID();
+        String key = this.getClass().getSimpleName() + reqJson.getString("tel");
+        try {
+            DistributedLock.waitGetDistributedLock(key, requestId);
+            //校验是否有有效的验证码
+            String smsCode = CommonCache.getValue(reqJson.getString("tel") + SendSmsFactory.VALIDATE_CODE);
 
-        if (!StringUtil.isEmpty(smsCode) && smsCode.contains("-")) {
-            long oldTime = Long.parseLong(smsCode.substring(smsCode.indexOf("-")+1, smsCode.length()));
-            long nowTime = new Date().getTime();
-            if (nowTime - oldTime < 1000 * 60 * 2) {
-                throw new IllegalArgumentException("请不要重复发送验证码");
+            if (!StringUtil.isEmpty(smsCode) && smsCode.contains("-")) {
+                long oldTime = Long.parseLong(smsCode.substring(smsCode.indexOf("-") + 1, smsCode.length()));
+                long nowTime = new Date().getTime();
+                if (nowTime - oldTime < 1000 * 60 * 2) {
+                    throw new IllegalArgumentException("请不要重复发送验证码");
+                }
             }
+        } finally {
+            //清理事务信息
+            DistributedLock.releaseDistributedLock(key, requestId);
         }
+
     }
 
     @Override
     public void doCmd(CmdEvent event, ICmdDataFlowContext context, JSONObject reqJson) throws CmdException {
         String tel = reqJson.getString("tel");
         String captchaType = reqJson.getString("captchaType");
-        if(!StringUtil.isEmpty(captchaType) && "ownerBinding".equals(captchaType)){
+        if (!StringUtil.isEmpty(captchaType) && "ownerBinding".equals(captchaType)) {
             OwnerDto ownerDto = new OwnerDto();
             ownerDto.setCommunityId(reqJson.getString("communityId"));
             ownerDto.setName(reqJson.getString("appUserName"));
@@ -76,21 +86,21 @@ public class UserSendSmsCmd extends Cmd {
             //取出开关映射的值
             String val = MappingCache.getValue(DOMAIN_COMMON, ID_CARD_SWITCH);
             //取出身份证
-            String idCardErrorMsg ="";
+            String idCardErrorMsg = "";
             String idCard = reqJson.getString("idCard");
             if ("1".equals(val) && !StringUtil.isEmpty(idCard)) {
                 ownerDto.setIdCard(idCard);
-                idCardErrorMsg="或者身份证号";
+                idCardErrorMsg = "或者身份证号";
             }
             List<OwnerDto> ownerDtos = ownerInnerServiceSMOImpl.queryOwnerMembers(ownerDto);
-            Assert.listOnlyOne(ownerDtos, "填写业主信息错误，请确认，预留业主姓名、手机号"+idCardErrorMsg+"信息是否正确！");
+            Assert.listOnlyOne(ownerDtos, "填写业主信息错误，请确认，预留业主姓名、手机号" + idCardErrorMsg + "信息是否正确！");
         }
         //校验是否传了 分页信息
         String msgCode = SendSmsFactory.generateMessageCode(6);
         SmsDto smsDto = new SmsDto();
         smsDto.setTel(tel);
         smsDto.setCode(msgCode);
-        if ("ON".equals(MappingCache.getValue(MappingConstant.SMS_DOMAIN,SendSmsFactory.SMS_SEND_SWITCH))) {
+        if ("ON".equals(MappingCache.getValue(MappingConstant.SMS_DOMAIN, SendSmsFactory.SMS_SEND_SWITCH))) {
             smsDto = smsInnerServiceSMOImpl.send(smsDto);
         } else {
             CommonCache.setValue(smsDto.getTel() + SendSmsFactory.VALIDATE_CODE, smsDto.getCode().toLowerCase() + "-" + new Date().getTime(), CommonCache.defaultExpireTime);