From 9a6102e887d3d8d6834a748a03c127dfb1903242 Mon Sep 17 00:00:00 2001
From: paulGao
Date: Fri, 7 Jan 2022 17:46:42 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96xss=E8=BF=87=E6=BB=A4?=
 =?UTF-8?q?=EF=BC=8C=E4=BD=BF=E7=94=A8owasp=E7=9A=84=E9=A2=84=E8=AE=BE?=
 =?UTF-8?q?=E8=A7=84=E5=88=99=E8=BF=87=E6=BB=A4=E3=80=82=E4=BC=98=E5=8C=96?=
 =?UTF-8?q?=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../lili/listener/GoodsMessageListener.java | 1 +
 .../filter/XssHttpServletRequestWrapper.java | 26 ++++++++++++-------
 .../dto/DistributionGoodsSearchParams.java | 7 ++---
 .../DistributionSelectedGoodsService.java | 10 +++----
 .../DistributionSelectedGoodsServiceImpl.java | 6 -----
 5 files changed, 27 insertions(+), 23 deletions(-)
diff --git a/consumer/src/main/java/cn/lili/listener/GoodsMessageListener.java b/consumer/src/main/java/cn/lili/listener/GoodsMessageListener.java
index 95c07362..1d69b148 100644
--- a/consumer/src/main/java/cn/lili/listener/GoodsMessageListener.java
+++ b/consumer/src/main/java/cn/lili/listener/GoodsMessageListener.java
@@ -133,6 +133,7 @@ public class GoodsMessageListener implements RocketMQListener {
 case GENERATOR_GOODS_INDEX:
 try {
 String goodsId = new String(messageExt.getBody());
+ log.info("生成索引: {}", goodsId);
 Goods goods = this.goodsService.getById(goodsId);
 updateGoodsIndex(goods);
 } catch (Exception e) {
diff --git a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
index 4e6d6f93..2aca42cb 100644
--- a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
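Review bot: The new log statement prints goodsId, which the line above decodes from the raw message body with the platform default charset (`new String(messageExt.getBody())`), so both the logged value and the id handed to getById depend on the JVM's default encoding. Decoding explicitly, `String goodsId = new String(messageExt.getBody(), StandardCharsets.UTF_8);`, makes the value deterministic across environments (add the java.nio.charset import if the file lacks it). The enclosing switch and try block start and end outside the hunk.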
@@ -2,6 +2,7 @@ package cn.lili.common.security.filter;
 import cn.hutool.core.text.CharSequenceUtil;
+import cn.hutool.http.HtmlUtil;
 import cn.hutool.json.JSONUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.html.Sanitizers;
@@ -17,7 +18,6 @@ import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
-import java.util.Locale;
 import java.util.Map;
 /**
@@ -257,9 +257,16 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
 private String cleanXSS(String value) {
 if (value != null) {
- value = Sanitizers.FORMATTING.and(Sanitizers.LINKS).sanitize(value);
+ // basic prepackaged policies for links, tables, integers, images, styles, blocks
+ value = Sanitizers.FORMATTING
+ .and(Sanitizers.STYLES)
+ .and(Sanitizers.IMAGES)
+ .and(Sanitizers.LINKS)
+ .and(Sanitizers.BLOCKS)
+ .and(Sanitizers.TABLES)
+ .sanitize(value);
 }
- return value;
+ return HtmlUtil.unescape(value);
 }
 /**
@@ -270,12 +277,13 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
 * @return 参数值
 */
 private String filterXss(String name, String value) {
- if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), IGNORE_FIELD)) {
- // 忽略的处理,(过滤敏感字符)
- return value;
- } else {
- return cleanXSS(value);
- }
+// if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), IGNORE_FIELD)) {
+// // 忽略的处理,(过滤敏感字符)
+// return value;
+// } else {
+// return cleanXSS(value);
+// }
+ return cleanXSS(value);
 }
 }
diff --git a/framework/src/main/java/cn/lili/modules/distribution/entity/dto/DistributionGoodsSearchParams.java b/framework/src/main/java/cn/lili/modules/distribution/entity/dto/DistributionGoodsSearchParams.java
index 4f895f69..4f9cd438 100644
--- a/framework/src/main/java/cn/lili/modules/distribution/entity/dto/DistributionGoodsSearchParams.java
+++ b/framework/src/main/java/cn/lili/modules/distribution/entity/dto/DistributionGoodsSearchParams.java
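Review bot: `return HtmlUtil.unescape(value);` in cleanXSS reverses the encoding the sanitizer just applied, so the method no longer returns HTML-safe text: the OWASP sanitizer emits text characters such as `<`, `>`, `&` and `"` as entities, and unescaping afterwards restores the raw characters, so an input that spells a tag as entities (e.g. `&lt;b&gt;`) comes back as a literal `<b>` that the policy never approved. The broader policy chain (STYLES, IMAGES, BLOCKS, TABLES) also admits more markup than the previous FORMATTING plus LINKS set, which may be intended but is worth stating in the method Javadoc. If the unescape is meant to keep ordinary parameter values such as `a&b` readable, the request filter is the wrong place to make that trade; keep `return value;` here and apply context-appropriate output encoding where the value is rendered. Also confirm that HtmlUtil.unescape accepts null, since the `value != null` guard no longer covers the return path.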
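Review bot: The six `+//` lines in filterXss are commented-out code and should be deleted rather than committed; the unconditional `return cleanXSS(value);` is the whole new body. With the exemption gone, the `name` parameter is unused in this method, and `IGNORE_FIELD` plus the `CharSequenceUtil` import become dead if nothing else in the file references them (the Locale import is already dropped in the second hunk). If removing the per-field exemption is deliberate, record it in the method Javadoc above, e.g. `* All parameters are sanitized regardless of name; {@code name} is kept for signature compatibility.`, and verify that whatever the former IGNORE_FIELD entries were exempting still round-trips correctly through cleanXSS.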
@@ -2,13 +2,14 @@ package cn.lili.modules.distribution.entity.dto;
 import cn.hutool.core.text.CharSequenceUtil;
 import cn.lili.common.security.context.UserContext;
-import cn.lili.common.utils.StringUtils;
 import cn.lili.common.vo.PageVO;
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
 import lombok.EqualsAndHashCode;
+import java.util.Objects;
+
 /**
 * 分销员商品查询条件
 *
@@ -37,13 +38,13 @@ public class DistributionGoodsSearchParams extends PageVO {
 public QueryWrapper storeQueryWrapper() {
 QueryWrapper queryWrapper = this.distributionQueryWrapper();
- queryWrapper.eq("dg.store_id", UserContext.getCurrentUser().getStoreId());
+ queryWrapper.eq("dg.store_id", Objects.requireNonNull(UserContext.getCurrentUser()).getStoreId());
 return queryWrapper;
 }
 public QueryWrapper distributionQueryWrapper() {
 QueryWrapper queryWrapper = new QueryWrapper<>();
- queryWrapper.like(StringUtils.isNotEmpty(goodsName), "dg.goods_name", goodsName);
+ queryWrapper.like(CharSequenceUtil.isNotEmpty(goodsName), "dg.goods_name", goodsName);
 return queryWrapper;
 }
diff --git a/framework/src/main/java/cn/lili/modules/distribution/service/DistributionSelectedGoodsService.java b/framework/src/main/java/cn/lili/modules/distribution/service/DistributionSelectedGoodsService.java
index 733475f9..5a11b548 100644
--- a/framework/src/main/java/cn/lili/modules/distribution/service/DistributionSelectedGoodsService.java
+++ b/framework/src/main/java/cn/lili/modules/distribution/service/DistributionSelectedGoodsService.java
@@ -13,21 +13,21 @@ public interface DistributionSelectedGoodsService extends IService()
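Review bot: `Objects.requireNonNull(UserContext.getCurrentUser()).getStoreId()` in storeQueryWrapper only relabels the failure: when no user is in context the old code threw a NullPointerException and the new code throws the same exception, now without a message, so an unauthenticated or non-store caller still surfaces as a generic server error rather than a rejected request. Pass a message, `Objects.requireNonNull(UserContext.getCurrentUser(), "no authenticated user in context")`, or better, resolve the store id first and fail with the project's authorization exception before the query is built. The switch from StringUtils.isNotEmpty to CharSequenceUtil.isNotEmpty in distributionQueryWrapper looks behavior-preserving, assuming both treat null and the empty string the same way.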