admin/MaxKey
1
0
Fork 0
mirror of https://gitee.com/dromara/MaxKey.git synced 2025-12-08 01:48:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

Xss

Browse Source
This commit is contained in:
MaxKey 2022-01-25 14:35:06 +08:00
parent 50dd3ef566
commit 02fcbc870c
2 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java
View File

@ -37,6 +37,7 @@ public class WebXssRequestFilter extends GenericFilterBean {
final static Logger _logger = LoggerFactory.getLogger(GenericFilterBean.class); final static Logger _logger = LoggerFactory.getLogger(GenericFilterBean.class);
final static ConcurrentHashMap <String,String> skipUrlMap = new ConcurrentHashMap <String,String>(); final static ConcurrentHashMap <String,String> skipUrlMap = new ConcurrentHashMap <String,String>();
final static ConcurrentHashMap <String,String> skipParameterName = new ConcurrentHashMap <String,String>();
static { static {
//add or update //add or update
@ -45,8 +46,6 @@ public class WebXssRequestFilter extends GenericFilterBean {
skipUrlMap.put("/institutions/update","/institutions/update"); skipUrlMap.put("/institutions/update","/institutions/update");
skipUrlMap.put("/localization/update","/localization/update"); skipUrlMap.put("/localization/update","/localization/update");
skipUrlMap.put("/apps/updateExtendAttr","/apps/updateExtendAttr"); skipUrlMap.put("/apps/updateExtendAttr","/apps/updateExtendAttr");
skipUrlMap.put("/synchronizers/add","/synchronizers/add");
skipUrlMap.put("/synchronizers/update","/synchronizers/update");
//authz //authz
skipUrlMap.put("/authz/cas", "/authz/cas"); skipUrlMap.put("/authz/cas", "/authz/cas");
@ -56,6 +55,15 @@ public class WebXssRequestFilter extends GenericFilterBean {
//TENCENT_IOA //TENCENT_IOA
skipUrlMap.put("/oauth2/authorize", "/oauth2/authorize"); skipUrlMap.put("/oauth2/authorize", "/oauth2/authorize");
skipParameterName.put("relatedPassword", "relatedPassword");
skipParameterName.put("oldPassword", "oldPassword");
skipParameterName.put("password", "password");
skipParameterName.put("confirmpassword", "confirmpassword");
skipParameterName.put("credentials", "credentials");
skipParameterName.put("clientSecret", "clientSecret");
skipParameterName.put("appSecret", "appSecret");
skipParameterName.put("sharedSecret", "sharedSecret");
skipParameterName.put("secret", "secret");
} }
@Override @Override
@ -76,6 +84,8 @@ public class WebXssRequestFilter extends GenericFilterBean {
Enumeration<String> parameterNames = request.getParameterNames(); Enumeration<String> parameterNames = request.getParameterNames();
while (parameterNames.hasMoreElements()) { while (parameterNames.hasMoreElements()) {
String key = (String) parameterNames.nextElement(); String key = (String) parameterNames.nextElement();
if(skipParameterName.containsKey(key)) {continue;}
String value = request.getParameter(key); String value = request.getParameter(key);
_logger.trace("parameter name "+key +" , value " + value); _logger.trace("parameter name "+key +" , value " + value);
String tempValue = value; String tempValue = value;

1
maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/MaxKeyMgtMvcConfig.java
View File

@ -134,6 +134,7 @@ public class MaxKeyMgtMvcConfig implements WebMvcConfigurer {
.addPathPatterns("/ldapcontext/**") .addPathPatterns("/ldapcontext/**")
.addPathPatterns("/emailsenders/**") .addPathPatterns("/emailsenders/**")
.addPathPatterns("/smsprovider/**") .addPathPatterns("/smsprovider/**")
.addPathPatterns("/synchronizers/**")
; ;