RuoYi 4.5.1 released, prevents arbitrary file download vulnerability

RuoYi management system v4.5.1 has been released. Update log:

  • Prevent arbitrary file download vulnerabilities
  • Upgrade shiro to the latest version 1.7.0 to prevent permission bypass vulnerability
  • Upgrade druid to the latest version v1.2.2
  • New table row trigger events (onCheck, onUncheck, onCheckAll, onUncheckAll)
  • Fix the problem of blanking when closing non-current options in multiple tabs
  • Code generation preview supports highlighting
  • MapperLocations configuration supports separators
  • Permission information adjustment
  • Add default picture for profile picture and upload picture
  • The global configuration class remains the same as other applications

Arbitrary file download vulnerability: RuoYi <= v4.5.0

An arbitrary file download vulnerability is normally used to download files from the server, such as script source code, server configuration or system configuration files. By inserting ../ into the requested path, the directory layout can be guessed level by level.

Because of business needs, websites often have to offer file viewing or file download functions. If there is no restriction on which files a user may view or download, a malicious user can view or download any sensitive file; this is an arbitrary file viewing and download vulnerability.

Vulnerability detection: in CommonController.java, check whether the /common/download/resource interface calls checkAllowDownload to verify that the requested file may be downloaded. If it does not, this method must be added so that sensitive information cannot be downloaded.

Solution: upgrade RuoYi to version >= 4.5.1, or re-add the file download check to prevent arbitrary file download.

/**
 * General download of local resources
 */
@GetMapping("/common/download/resource")
public void resourceDownload(String resource, HttpServletRequest request, HttpServletResponse response)
		throws Exception
{
	try
	{
		// Refuse paths containing ".." and files whose extension is not allow-listed
		if (!FileUtils.checkAllowDownload(resource))
		{
			throw new Exception(StringUtils.format("资源文件({})非法,不允许下载。 ", resource));
		}
		// Local resource path (the configured profile directory)
		String localPath = Global.getProfile();
		// Resource address as stored in the database: profile directory + part after the resource prefix
		String downloadPath = localPath + StringUtils.substringAfter(resource, Constants.RESOURCE_PREFIX);
		// Download file name (last path segment)
		String downloadName = StringUtils.substringAfterLast(downloadPath, "/");
		response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE);
		FileUtils.setAttachmentResponseHeader(response, downloadName);
		FileUtils.writeBytes(downloadPath, response.getOutputStream());
	}
	catch (Exception e)
	{
		log.error("下载文件失败", e);
	}
}

/**
 * Check whether a file may be downloaded
 * 
 * @param resource the file to download
 * @return true if allowed, false if illegal
 */
public static boolean checkAllowDownload(String resource)
{
	// Forbid climbing up the directory tree
	if (StringUtils.contains(resource, ".."))
	{
		return false;
	}

	// Check against the rules for file types that may be downloaded
	if (ArrayUtils.contains(MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION, FileTypeUtils.getFileType(resource)))
	{
		return true;
	}

	// Not covered by the rules for downloadable file types
	return false;
}
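The two rules in checkAllowDownload (reject any ".." and require an allow-listed extension) are easy to exercise outside the application. The following Python model is an added illustration, not code from RuoYi: it mirrors the 4.5.1 check and adds a path-containment step that the project itself does not perform, so that a request is still refused if the ".." rule were ever weakened. RESOURCE_PREFIX, the extension set and the profile directory are constructed sample values standing in for Constants.RESOURCE_PREFIX, MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION and Global.getProfile().

```python
"""Added example (not RuoYi's own code): a model of the 4.5.1
checkAllowDownload rule plus a path-containment check.

RESOURCE_PREFIX, ALLOWED_EXTENSIONS and the profile directory used in the
demo are constructed for this example; they stand in for RuoYi's
Constants.RESOURCE_PREFIX, MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION and
Global.getProfile() and are not copied from the project."""
from pathlib import PurePosixPath
from typing import Optional

RESOURCE_PREFIX = "/profile"  # constructed; plays the role of Constants.RESOURCE_PREFIX
# Constructed subset of an allow list; a real deployment uses the project's own list.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "docx", "xlsx", "zip"}


def file_type(resource: str) -> str:
    """Extension after the final dot of the last path segment, lower-cased
    (empty string when there is none); models FileTypeUtils.getFileType."""
    name = resource.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def check_allow_download(resource: str) -> bool:
    """Same two rules as FileUtils.checkAllowDownload in RuoYi 4.5.1:
    reject any '..' anywhere, then require an allow-listed extension."""
    if ".." in resource:
        return False
    return file_type(resource) in ALLOWED_EXTENSIONS


def resolve_within(profile_dir: str, resource: str) -> Optional[str]:
    """Containment check added for this example (RuoYi does not do this):
    map the resource onto the profile directory the way the handler does
    (text after RESOURCE_PREFIX appended to the profile path), normalise
    it lexically, and refuse anything that does not stay inside the
    profile directory or that names the directory itself."""
    if RESOURCE_PREFIX not in resource:
        # substringAfter would yield "" here and the handler would then
        # point at the profile directory itself; treat it as invalid.
        return None
    relative = resource.split(RESOURCE_PREFIX, 1)[1]
    base = PurePosixPath(profile_dir)
    candidate = base / relative.lstrip("/")
    # Pure lexical normalisation: PurePosixPath already drops '.',
    # so only '..' segments need collapsing here.
    parts = []
    for part in candidate.parts:
        if part == "..":
            if parts:
                parts.pop()
        else:
            parts.append(part)
    normalised = PurePosixPath(*parts) if parts else PurePosixPath(".")
    if normalised == base:
        return None
    try:
        normalised.relative_to(base)
    except ValueError:
        return None
    return str(normalised)


def serve_path(profile_dir: str, resource: str) -> Optional[str]:
    """What the hardened handler would pass to the file writer, or None
    when the request must be refused: allow-list rule first, then the
    containment check as a second, independent layer."""
    if not check_allow_download(resource):
        return None
    return resolve_within(profile_dir, resource)


if __name__ == "__main__":
    base = "/srv/ruoyi/profile"  # constructed profile directory
    for req in ["/profile/upload/2020/11/report.pdf",
                "/profile/upload/../../application.yml",
                "/profile/upload/application.yml",
                "/profile/upload/shell.jsp"]:
        print(f"{req!r:48} -> {serve_path(base, req)}")
```

The containment step works on the path text alone, so it runs before any file I/O; on a live server the stronger form resolves symlinks against the real filesystem (Path.toRealPath in Java) before comparing with the profile directory.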

Built-in functions

1. User management: users are the system operators; this function covers system user configuration.
2. Department management: configure the system organization (company, department, group), displayed as a tree with data permission support.
3. Position management: configure the positions held by system users.
4. Menu management: configure the system menu, operation permissions, button permission identifiers, etc.
5. Role management: assign menu permissions to roles and set role data scope permissions by organization.
6. Dictionary management: maintain relatively fixed data that is used frequently in the system.
7. Parameter management: dynamically configure common parameters for the system.
8. Notices and announcements: publish and maintain system notification messages.
9. Operation log: record and query normal system operations; record and query system exception information.
10. Login log: record and query system login logs, including login exceptions.
11. Online users: monitor the status of users active in the current system.
12. Scheduled tasks: online task scheduling (add, modify, delete) including execution result logs.
13. Code generation: front-end and back-end code generation (java, html, xml, sql) with CRUD download support.
14. System interface: automatically generate API interface documentation from the business code.
15. Service monitoring: monitor the current system's CPU, memory, disk, stack and related information.
16. Online builder: drag form elements to generate the corresponding HTML code.
17. Connection pool monitoring: monitor the current database connection pool status and analyze SQL to find system performance bottlenecks.

System demo   http://www.ruoyi.vip

Origin www.oschina.net/news/120883/ruoyi-4-5-1-released