
Merge branch 'master' of https://gitee.com/antai-wuliu/ANTAI-API

yourName 1 рік тому
батько
коміт
0692dd4781

+ 0 - 1
src/main/java/com/steerinfo/dil/config/RequestFilter.java

@@ -26,7 +26,6 @@ public class RequestFilter implements Filter {
     public void doFilter(ServletRequest request, ServletResponse response,FilterChain chain) throws IOException, ServletException {
        try{
            HttpServletRequest httpRequest = (HttpServletRequest) request;
-
            String url = httpRequest.getRequestURL().toString();
            //获取参数,并校验
            Cookie[] cookies = httpRequest.getCookies();

+ 1 - 1
src/main/java/com/steerinfo/dil/config/SessionInterceptor.java

@@ -35,7 +35,7 @@ public class SessionInterceptor extends HandlerInterceptorAdapter {
     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
         HandlerMethod hm = (HandlerMethod) handler;
         String requestUrl = "" + request.getRequestURL();
-        if(!requestUrl.contains("/api/v1/bp/bpLogin") && (request.getAttribute("userId")==null || request.getAttribute("userName")==null)){
+        if(!requestUrl.contains("/api/v1/bp/bpLogin") && !requestUrl.contains("/api/v1/uc/getAppVersion") && (request.getAttribute("userId")==null || request.getAttribute("userName")==null)){
             //无权访问
             response.setCharacterEncoding("UTF-8");
             response.setContentType("application/json; charset=utf-8");
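Review bot: The new allowlist entry at line 30 is a substring test on the full request URL, so any request whose URL merely contains `/api/v1/uc/getAppVersion` (or `/api/v1/bp/bpLogin`) anywhere in its path skips the `userId`/`userName` check — the same weakness the existing `bpLogin` clause already has, now doubled. Match the path exactly instead, e.g. `String path = request.getServletPath(); if (!"/api/v1/bp/bpLogin".equals(path) && !"/api/v1/uc/getAppVersion".equals(path) && (request.getAttribute("userId")==null || request.getAttribute("userName")==null))` — how the context path and matrix parameters show up here depends on the servlet container, so confirm against a real request; alternatively register the interceptor with `excludePathPatterns(...)` and drop the in-code list. The `preHandle` body continues outside the hunk.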

+ 112 - 0
src/main/java/com/steerinfo/dil/config/SqlInjectFilter.java

@@ -0,0 +1,112 @@
+package com.steerinfo.filter;
+
+import java.io.IOException;
+import java.util.Enumeration;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.annotation.WebFilter;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.stereotype.Component;
+import com.alibaba.fastjson.JSONArray;
+import com.steerinfo.framework.constant.RESTCodes;
+import com.steerinfo.framework.controller.RESTfulResult;
+
+/**
+ * SQL注入过滤器
+ *
+ * @author CL
+ *
+ */
+/*@Component
+@ConfigurationProperties(prefix = "security.sql")
+@WebFilter(filterName = "SqlInjectFilter", urlPatterns = "/*")*/
+public class SqlInjectFilter implements Filter {
+    private static final Logger log = LoggerFactory.getLogger(SqlInjectFilter.class);
+    /**
+     * 过滤器配置对象
+     */
+    FilterConfig filterConfig = null;
+
+    /**
+     * 初始化
+     */
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        this.filterConfig = filterConfig;
+    }
+
+    /**
+     * 拦截
+     */
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        HttpServletRequest req = (HttpServletRequest) servletRequest;
+        HttpServletResponse res = (HttpServletResponse) servletResponse;
+        // 获得所有请求参数名
+        Enumeration params = req.getParameterNames();
+//        String requestUriMb= req.getRequestURI();
+        String sql = "";
+        String strparams = "";
+        while (params.hasMoreElements()) {
+            // 得到参数名
+            String name = params.nextElement().toString();
+            // 得到参数对应值
+            String[] value = req.getParameterValues(name);
+            for (int i = 0; i < value.length; i++) {
+                sql = sql + value[i];
+                strparams = strparams + " " + value[i];
+            }
+        }
+        if (sqlValidate(sql) ) { //&& !requestUriMb.contains("executeSqlDataWf")
+            // res.sendRedirect("error.jsp");
+            log.info("发现sql注入:" + strparams);
+            String msg = "非法请求参数,请检查后再进行操作";
+            RESTfulResult result = new RESTfulResult(RESTCodes.ERROR, msg);
+            res.setCharacterEncoding("UTF-8");
+            res.setHeader("Content-Type", "application/json");
+            res.setContentType("application/json;charset=UTF-8");
+            res.setStatus(HttpServletResponse.SC_OK);
+            res.getWriter().write(JSONArray.toJSON(result).toString());
+        } else {
+            filterChain.doFilter(req, res);
+        }
+    }
+
+    /**
+     * 销毁
+     */
+    @Override
+    public void destroy() {
+        this.filterConfig = null;
+    }
+
+    // 校验
+    protected static boolean sqlValidate(String str) {
+        str = str.toLowerCase();// 统一转为小写
+        // String badStr = "and|exec";
+        String badStr =
+                "'| and | exec | execute | insert | select | delete | update | count | drop | chr | mid | master | truncate | char | declare | sitename | net user | xp_cmdshell | or | like | - | -- | + | , | like | // | / | % | #|insert |select |delete |update";
+        /*
+         * String badStr =
+         * "'|and|exec|execute|insert|create|drop|table|from|grant|use|group_concat|column_name|" +
+         * "information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|*|" +
+         * "chr|mid|master|truncate|char|declare|or|;|-|--|+|,|like|//|/|%|#";
+         */ // 过滤掉的sql关键字,可以手动添加
+        String[] badStrs = badStr.split("\\|");
+        for (int i = 0; i < badStrs.length; i++) {
+            if (str.indexOf(badStrs[i]) != -1) {
+                log.info("匹配到:" + badStrs[i]);
+                return true;
+            }
+        }
+        return false;
+    }
+}
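Review bot: The new class is not actually active: its `@Component`/`@WebFilter` annotations are commented out at lines 66-68 and its `package com.steerinfo.filter` does not match the `dil/config` directory it is added to, so no request reaches `sqlValidate` and the file is dead code as committed. If it is meant to be enabled, the blocklist cannot be the SQL-injection defence anyway — it rejects ordinary values containing `-`, `,`, `/`, `%` or ` or ` while missing e.g. `union` and `;`, so the real protection has to be `#{}` parameter binding in every mapper statement (the new `getConfigByName` query in this commit already does that). Two smaller points in `doFilter`: a blocked request is answered with `SC_OK` rather than `HttpServletResponse.SC_BAD_REQUEST`, and `log.info("发现sql注入:" + strparams)` writes every submitted parameter value to the log, which on a login form includes the password — log the parameter names only. Either delete the file or fix the package and annotations and document the class as a defence-in-depth heuristic, not a replacement for parameterized queries.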

+ 7 - 0
src/main/java/com/steerinfo/dil/controller/UniversalController.java

@@ -282,4 +282,11 @@ public class UniversalController extends BaseRESTfulController {
         requireMap.put("requirementNo",requirementNo);
         return success(requireMap);
     }
+
+    @ApiOperation("查询APP版本更新")
+    @PostMapping("/getAppVersion")
+    public RESTfulResult getAppVersion() {
+        Map<String,Object> config = universalMapper.getConfigByName("APP最新版本");
+        return success(config.get("valueString"));
+    }
 }
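Review bot: `config.get("valueString")` at line 164 dereferences the mapper result without a null check; `getConfigByName` is a single-row select (`FETCH NEXT 1 ROWS ONLY`) and MyBatis returns `null` for a `Map`-typed select that matches no row, so a missing or soft-deleted `APP最新版本` config row turns this endpoint into an NPE instead of an empty result. Guard it: `Map<String,Object> config = universalMapper.getConfigByName("APP最新版本"); return success(config == null ? null : config.get("valueString"));`. Since the SessionInterceptor change in this commit makes the endpoint reachable without a session, a one-line Javadoc stating that it is intentionally unauthenticated and returns only the version string would help the next reader, and `@GetMapping` fits a read-only lookup better than `@PostMapping`. The enclosing `UniversalController` class starts outside the hunk.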

+ 1 - 0
src/main/java/com/steerinfo/dil/mapper/UniversalMapper.java

@@ -95,4 +95,5 @@ public interface UniversalMapper {
 
     List<Map<String, Object>> getDriverByLike(Map<String, Object> map);
 
+    Map<String,Object> getConfigByName(String configName);
 }

+ 21 - 3
src/main/resources/com/steerinfo/dil/mapper/UniversalMapper.xml

@@ -451,6 +451,11 @@
         RCA .CAPACITY_ID "capacityId",
         RCA .CAPACITY_ID "id",
         RCA .CAPACITY_ID "value",
+        RCA .CAPACITY_LICENCE_NUMBER "capacityLicenceNumber",
+        RCA. CAPACITY_OPERATE_NUMBER "capacityOperateNumber",
+        RCA. CAPACITY_AXIS_NUMBER "capacityAxisNumber",
+        RCA.CAPACITY_WEIGHT_MAIN "capacityWeightMain",
+        RCA.CAPACITY_WEIGHT_TRAILER "capacityWeightTrailer",
         CASE WHEN RC.COMPANY_TYPE = '业务单位'
         THEN RC.COMPANY_ID
         else -1
@@ -547,8 +552,6 @@
             <if test="!((driverId!=null and driverId!='') or (driverId2!=null and driverId2!=''))">
                 order by RCA.CAPACITY_ID desc
             </if>
-
-            FETCH NEXT 10 ROWS ONLY
         )
         <if test="id!=null and id.size>0">
             UNION
@@ -629,6 +632,7 @@
     <if test="(driverId!=null and driverId!='') or (driverId2!=null and driverId2!='')">
         ORDER BY "countNumber" DESC
     </if>
+    FETCH NEXT 10 ROWS ONLY
     </select>
 
     <select id="getCapacityByLikeSc" resultType="java.util.Map">
@@ -698,7 +702,6 @@
             <if test="(driverId!=null and driverId!='') or (driverId2!=null and driverId2!='')">
                 ORDER BY "countNumber" DESC
             </if>
-            FETCH NEXT 10 ROWS ONLY
         )
         <if test="id!=null and id.size>0">
             UNION
@@ -750,6 +753,7 @@
     <if test="(driverId!=null and driverId!='') or (driverId2!=null and driverId2!='')">
         ORDER BY "countNumber" DESC
     </if>
+    FETCH NEXT 10 ROWS ONLY
     </select>
 
     <select id="getrmsrmsjobinfosBylike" resultType="java.util.Map">
@@ -1650,4 +1654,18 @@
             ORDER BY "countNumber" DESC
         </if>
     </select>
+
+    <select id="getConfigByName" resultType="java.util.Map">
+        SELECT CONFIG_ID           "configId",
+               CONFIG_NAME         "configName",
+               CONFIG_VALUE_STRING "valueString",
+               CONFIG_VALUE_NUMBER "valueNumber",
+               CONFIG_VALUE_DATE   "valueDate",
+               CONFIG_DESCRIPTION  "configDescription",
+               DELETED             "deleted"
+        FROM DIL_CONFIG
+        WHERE DELETED!=1
+    AND CONFIG_NAME= #{configName}
+            FETCH NEXT 1 ROWS ONLY
+    </select>
 </mapper>
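Review bot: The new `getConfigByName` select (lines 231-243) applies `FETCH NEXT 1 ROWS ONLY` with no `ORDER BY`, so if more than one non-deleted `DIL_CONFIG` row shares a `CONFIG_NAME` the row returned is whichever the database emits first, and the version served by `getAppVersion` may change between calls. Add a deterministic order, e.g. `AND CONFIG_NAME = #{configName} ORDER BY CONFIG_ID DESC FETCH NEXT 1 ROWS ONLY` (assuming a higher `CONFIG_ID` is the newer row — confirm), or enforce uniqueness on `CONFIG_NAME`. Note also that `WHERE DELETED!=1` silently drops rows whose `DELETED` is NULL; if that column is nullable, `(DELETED IS NULL OR DELETED != 1)` is the intended predicate. Binding the name with `#{configName}` rather than `${...}` is correct and should stay that way.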