"CVE-2022-43183" 越权漏洞修复。

7 months ago · 738d7721f0
parent 8da97ebd8e
commit 738d7721f0
4 changed files with 60 additions and 16 deletions
--- a/doc/XXL-JOB官方文档.md
+++ b/doc/XXL-JOB官方文档.md
@ -2363,9 +2363,10 @@ public void execute() {
 - 2、【修复】"CVE-2022-43402" groovy低版本漏洞修复。
 - 3、【修复】"CVE-2024-29025" netty低版本漏洞修复。
 - 4、【修复】"CVE-2024-3366" freemarker模板注入漏洞修复。
- 5、【修复】调度日志页面XSS漏洞修复(ISSUE-3360)。
- 6、【优化】执行器注册节点显示优化，解决注册节点过多时无法展示问题。
- 7、[规划中]登陆态Token声称逻辑优化，混淆登陆时间属性，降低token泄漏风险。
+- 5、【修复】"CVE-2022-43183" 越权漏洞修复。
+- 6、【修复】调度日志页面XSS漏洞修复(ISSUE-3360)。
+- 7、【优化】执行器注册节点显示优化，解决注册节点过多时无法展示问题。
+- 8、[规划中]登陆态Token声称逻辑优化，混淆登陆时间属性，降低token泄漏风险。

 ### TODO LIST
 - 1、调度隔离：调度中心针对不同执行器，各自维护不同的调度和远程触发组件。
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java
@ -1,6 +1,5 @@
 package com.xxl.job.admin.controller;

-import com.xxl.job.admin.core.cron.CronExpression;
 import com.xxl.job.admin.core.exception.XxlJobException;
 import com.xxl.job.admin.core.model.XxlJobGroup;
 import com.xxl.job.admin.core.model.XxlJobInfo;
@ -9,8 +8,6 @@ import com.xxl.job.admin.core.route.ExecutorRouteStrategyEnum;
 import com.xxl.job.admin.core.scheduler.MisfireStrategyEnum;
 import com.xxl.job.admin.core.scheduler.ScheduleTypeEnum;
 import com.xxl.job.admin.core.thread.JobScheduleHelper;
-import com.xxl.job.admin.core.thread.JobTriggerPoolHelper;
-import com.xxl.job.admin.core.trigger.TriggerTypeEnum;
 import com.xxl.job.admin.core.util.I18nUtil;
 import com.xxl.job.admin.dao.XxlJobGroupDao;
 import com.xxl.job.admin.service.LoginService;
@ -29,7 +26,6 @@ import org.springframework.web.bind.annotation.ResponseBody;

 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
-import java.text.ParseException;
 import java.util.*;

 /**
@ -139,15 +135,11 @@ public class JobInfoController {
 	
 	@RequestMapping("/trigger")
 	@ResponseBody
-	//@PermissionLimit(limit = false)
-	public ReturnT<String> triggerJob(int id, String executorParam, String addressList) {
-		// force cover job param
-		if (executorParam == null) {
-			executorParam = "";
-		}
-
-		JobTriggerPoolHelper.trigger(id, TriggerTypeEnum.MANUAL, -1, null, executorParam, addressList);
-		return ReturnT.SUCCESS;
+	public ReturnT<String> triggerJob(HttpServletRequest request, int id, String executorParam, String addressList) {
+		// login user
+		XxlJobUser loginUser = (XxlJobUser) request.getAttribute(LoginService.LOGIN_IDENTITY_KEY);
+		// trigger
+		return xxlJobService.trigger(loginUser, id, executorParam, addressList);
 	}

 	@RequestMapping("/nextTriggerTime")
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java
@ -2,6 +2,7 @@ package com.xxl.job.admin.service;


 import com.xxl.job.admin.core.model.XxlJobInfo;
+import com.xxl.job.admin.core.model.XxlJobUser;
 import com.xxl.job.core.biz.model.ReturnT;

 import java.util.Date;
@ -67,6 +68,17 @@ public interface XxlJobService {
 	 */
 	public ReturnT<String> stop(int id);

+	/**
+	 * trigger
+	 *
+	 * @param loginUser
+	 * @param jobId
+	 * @param executorParam
+	 * @param addressList
+	 * @return
+	 */
+	public ReturnT<String> trigger(XxlJobUser loginUser, int jobId, String executorParam, String addressList);
+
 	/**
 	 * dashboard info
 	 *
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java
@ -4,10 +4,13 @@ import com.xxl.job.admin.core.cron.CronExpression;
 import com.xxl.job.admin.core.model.XxlJobGroup;
 import com.xxl.job.admin.core.model.XxlJobInfo;
 import com.xxl.job.admin.core.model.XxlJobLogReport;
+import com.xxl.job.admin.core.model.XxlJobUser;
 import com.xxl.job.admin.core.route.ExecutorRouteStrategyEnum;
 import com.xxl.job.admin.core.scheduler.MisfireStrategyEnum;
 import com.xxl.job.admin.core.scheduler.ScheduleTypeEnum;
 import com.xxl.job.admin.core.thread.JobScheduleHelper;
+import com.xxl.job.admin.core.thread.JobTriggerPoolHelper;
+import com.xxl.job.admin.core.trigger.TriggerTypeEnum;
 import com.xxl.job.admin.core.util.I18nUtil;
 import com.xxl.job.admin.dao.*;
 import com.xxl.job.admin.service.XxlJobService;
@ -345,6 +348,42 @@ public class XxlJobServiceImpl implements XxlJobService {
 		return ReturnT.SUCCESS;
 	}

+
+
+	@Override
+	public ReturnT<String> trigger(XxlJobUser loginUser, int jobId, String executorParam, String addressList) {
+		// permission
+		if (loginUser == null) {
+			return new ReturnT<String>(ReturnT.FAIL.getCode(), I18nUtil.getString("system_permission_limit"));
+		}
+		XxlJobInfo xxlJobInfo = xxlJobInfoDao.loadById(jobId);
+		if (xxlJobInfo == null) {
+			return new ReturnT<String>(ReturnT.FAIL.getCode(), I18nUtil.getString("jobinfo_glue_jobid_unvalid"));
+		}
+		if (!hasPermission(loginUser, xxlJobInfo.getJobGroup())) {
+			return new ReturnT<String>(ReturnT.FAIL.getCode(), I18nUtil.getString("system_permission_limit"));
+		}
+
+		// force cover job param
+		if (executorParam == null) {
+			executorParam = "";
+		}
+
+		JobTriggerPoolHelper.trigger(jobId, TriggerTypeEnum.MANUAL, -1, null, executorParam, addressList);
+		return ReturnT.SUCCESS;
+	}
+
+	private boolean hasPermission(XxlJobUser loginUser, int jobGroup){
+		if (loginUser.getRole() == 1) {
+			return true;
+		}
+		List<String> groupIdStrs = new ArrayList<>();
+		if (loginUser.getPermission()!=null && loginUser.getPermission().trim().length()>0) {
+			groupIdStrs = Arrays.asList(loginUser.getPermission().trim().split(","));
+		}
+		return groupIdStrs.contains(String.valueOf(jobGroup));
+	}
+
 	@Override
 	public Map<String, Object> dashboardInfo() {