测试存储型xss

fdc91f98 · zengtianlai3 · f92d2851 · fdc91f98 · fdc91f98 · fdc91f98
Commit fdc91f98 authored Jul 16, 2022 by zengtianlai3
3 changed files
--- a/license/src/main/java/iot/sixiang/license/service/impl/AlarmReadServiceImpl.java
+++ b/license/src/main/java/iot/sixiang/license/service/impl/AlarmReadServiceImpl.java
@@ -8,10 +8,12 @@ import iot.sixiang.license.mapper.AlarmMapper;
 import iot.sixiang.license.mapper.AlarmReadMapper;
 import iot.sixiang.license.model.vo.AlarmVo;
 import iot.sixiang.license.service.AlarmReadService;
+import iot.sixiang.license.util.CommonUtil;
 import org.apache.poi.ss.formula.functions.T;
 import org.springframework.stereotype.Service;

 import javax.annotation.Resource;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;

@@ -38,8 +40,8 @@ public class AlarmReadServiceImpl extends ServiceImpl<AlarmReadMapper, AlarmRead
            throw new IotLicenseException(ResultCode.VALIDATE_FAILED.getCode(),ResultCode.VALIDATE_FAILED.getMsg());
        }
        List<AlarmVo> alarmList = alarmMapper.getAlarmList(userId);
-
-        for (AlarmVo alarm: alarmList) {
+        List<AlarmVo> list = CommonUtil.dealWithAccessControl(alarmList, List.class);
+        for (AlarmVo alarm: list) {
            if (alarm.getReadFlag() == 0) {
                int alarmId = alarm.getId();
                int typeId = alarm.getTypeId();

--- a/license/src/main/java/iot/sixiang/license/service/impl/AlarmServiceImpl.java
+++ b/license/src/main/java/iot/sixiang/license/service/impl/AlarmServiceImpl.java
@@ -7,6 +7,7 @@ import iot.sixiang.license.handler.IotLicenseException;
 import iot.sixiang.license.mapper.AlarmMapper;
 import iot.sixiang.license.model.vo.AlarmVo;
 import iot.sixiang.license.service.AlarmService;
+import iot.sixiang.license.util.CommonUtil;
 import org.owasp.esapi.ESAPI;
 import org.springframework.stereotype.Service;

@@ -30,7 +31,8 @@ public class AlarmServiceImpl extends ServiceImpl<AlarmMapper, Alarm> implements
        if (uI == 0) {
            throw new IotLicenseException(ResultCode.VALIDATE_FAILED.getCode(), ResultCode.VALIDATE_FAILED.getMsg());
        }
-        List<AlarmVo> alarmVos = alarmMapper.getAlarmList(uI);
+        List<AlarmVo> list = alarmMapper.getAlarmList(uI);
+        List<AlarmVo> alarmVos = CommonUtil.dealWithAccessControl(list, List.class);
        alarmVos = alarmVos.stream().sorted(Comparator.comparing(AlarmVo::getCreateTime, Comparator.reverseOrder())).collect(Collectors.toList());
        if (alarmVos != null && !alarmVos.isEmpty()) {
            for (AlarmVo alarmVo : alarmVos) {

--- a/license/src/main/java/iot/sixiang/license/util/CommonUtil.java
+++ b/license/src/main/java/iot/sixiang/license/util/CommonUtil.java
 package iot.sixiang.license.util;

 import iot.sixiang.license.consts.Consts;
+import iot.sixiang.license.model.ResResult;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.boot.system.ApplicationHome;
@@ -11,6 +12,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.text.SimpleDateFormat;
 import java.util.Date;
+import java.util.HashMap;
 import java.util.Locale;
 @Slf4j
 public class CommonUtil {
@@ -139,4 +141,19 @@ public class CommonUtil {
 		return res;
 	}

+
+	// 用于测试存储型xss
+	public static Object reverseData(Object obj, Class clazz) {
+		HashMap<String, Object> resMap = new HashMap<String, Object>();
+		resMap.put("data", obj);
+		return  ResResult.success().goRecord(resMap);
+	}
+
+	public static <T> T dealWithAccessControl(Object obj, Class<T> clazz) {
+		 ResResult actionResult = (ResResult) reverseData(obj, clazz);
+		HashMap<String, Object> resMap = (HashMap<String, Object>)actionResult.getRecord();
+		return (T) resMap.get("data");
+	}
+
+
 }