【修复】IDOR越权问题修复，提升任务操作及日志管理安全性；

4 weeks ago · b683e65168
parent 260874b849
commit b683e65168
3 changed files with 41 additions and 23 deletions
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobInfoController.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobInfoController.java
@ -75,7 +75,8 @@ public class JobInfoController {

 	@RequestMapping("/pageList")
 	@ResponseBody
-	public Map<String, Object> pageList(@RequestParam(value = "start", required = false, defaultValue = "0") int start,
+	public Map<String, Object> pageList(HttpServletRequest request,
+										@RequestParam(value = "start", required = false, defaultValue = "0") int start,
 										@RequestParam(value = "length", required = false, defaultValue = "10") int length,
 										@RequestParam("jobGroup") int jobGroup,
 										@RequestParam("triggerStatus") int triggerStatus,
@ -83,6 +84,10 @@ public class JobInfoController {
 										@RequestParam("executorHandler") String executorHandler,
 										@RequestParam("author") String author) {

+		// valid jobGroup permission
+		validJobGroupPermission(request, jobGroup);
+
+		// page
 		return xxlJobService.pageList(start, length, jobGroup, triggerStatus, jobDesc, executorHandler, author);
 	}
 	
@ -108,20 +113,23 @@ public class JobInfoController {
 	
 	@RequestMapping("/remove")
 	@ResponseBody
-	public ReturnT<String> remove(@RequestParam("id") int id) {
-		return xxlJobService.remove(id);
+	public ReturnT<String> remove(HttpServletRequest request, @RequestParam("id") int id) {
+		Response<LoginInfo> loginInfoResponse = XxlSsoHelper.loginCheckWithAttr(request);
+		return xxlJobService.remove(id, loginInfoResponse.getData());
 	}
 	
 	@RequestMapping("/stop")
 	@ResponseBody
-	public ReturnT<String> pause(@RequestParam("id") int id) {
-		return xxlJobService.stop(id);
+	public ReturnT<String> pause(HttpServletRequest request, @RequestParam("id") int id) {
+		Response<LoginInfo> loginInfoResponse = XxlSsoHelper.loginCheckWithAttr(request);
+		return xxlJobService.stop(id, loginInfoResponse.getData());
 	}
 	
 	@RequestMapping("/start")
 	@ResponseBody
-	public ReturnT<String> start(@RequestParam("id") int id) {
-		return xxlJobService.start(id);
+	public ReturnT<String> start(HttpServletRequest request, @RequestParam("id") int id) {
+		Response<LoginInfo> loginInfoResponse = XxlSsoHelper.loginCheckWithAttr(request);
+		return xxlJobService.start(id, loginInfoResponse.getData());
 	}
 	
 	@RequestMapping("/trigger")
@ -130,11 +138,7 @@ public class JobInfoController {
 									  @RequestParam("id") int id,
 									  @RequestParam("executorParam") String executorParam,
 									  @RequestParam("addressList") String addressList) {
-
-		// login user
 		Response<LoginInfo> loginInfoResponse = XxlSsoHelper.loginCheckWithAttr(request);
-
-		// trigger
 		return xxlJobService.trigger(loginInfoResponse.getData(), id, executorParam, addressList);
 	}

--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/service/XxlJobService.java
@ -51,7 +51,7 @@ public interface XxlJobService {
 	 * @param id
 	 * @return
 	 */
-	public ReturnT<String> remove(int id);
+	public ReturnT<String> remove(int id, LoginInfo loginInfo);

 	/**
 	 * start job
@ -59,7 +59,7 @@ public interface XxlJobService {
 	 * @param id
 	 * @return
 	 */
-	public ReturnT<String> start(int id);
+	public ReturnT<String> start(int id, LoginInfo loginInfo);

 	/**
 	 * stop job
@ -67,7 +67,7 @@ public interface XxlJobService {
 	 * @param id
 	 * @return
 	 */
-	public ReturnT<String> stop(int id);
+	public ReturnT<String> stop(int id, LoginInfo loginInfo);

 	/**
 	 * trigger
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java
@ -313,12 +313,18 @@ public class XxlJobServiceImpl implements XxlJobService {
 	}

 	@Override
-	public ReturnT<String> remove(int id) {
+	public ReturnT<String> remove(int id, LoginInfo loginInfo) {
+		// valid job
 		XxlJobInfo xxlJobInfo = xxlJobInfoMapper.loadById(id);
 		if (xxlJobInfo == null) {
 			return ReturnT.ofSuccess();
 		}

+		// valid jobGroup permission
+		if (!JobInfoController.hasJobGroupPermission(loginInfo, xxlJobInfo.getJobGroup())) {
+			return ReturnT.ofFail(I18nUtil.getString("system_permission_limit"));
+		}
+
 		xxlJobInfoMapper.delete(id);
 		xxlJobLogMapper.delete(id);
 		xxlJobLogGlueMapper.deleteByJobId(id);
@ -326,13 +332,18 @@ public class XxlJobServiceImpl implements XxlJobService {
 	}

 	@Override
-	public ReturnT<String> start(int id) {
+	public ReturnT<String> start(int id, LoginInfo loginInfo) {
 		// load and valid
 		XxlJobInfo xxlJobInfo = xxlJobInfoMapper.loadById(id);
 		if (xxlJobInfo == null) {
 			return ReturnT.ofFail(I18nUtil.getString("jobinfo_glue_jobid_unvalid"));
 		}

+		// valid jobGroup permission
+		if (!JobInfoController.hasJobGroupPermission(loginInfo, xxlJobInfo.getJobGroup())) {
+			return ReturnT.ofFail(I18nUtil.getString("system_permission_limit"));
+		}
+
 		// valid
 		ScheduleTypeEnum scheduleTypeEnum = ScheduleTypeEnum.match(xxlJobInfo.getScheduleType(), ScheduleTypeEnum.NONE);
 		if (ScheduleTypeEnum.NONE == scheduleTypeEnum) {
@ -362,13 +373,18 @@ public class XxlJobServiceImpl implements XxlJobService {
 	}

 	@Override
-	public ReturnT<String> stop(int id) {
+	public ReturnT<String> stop(int id, LoginInfo loginInfo) {
 		// load and valid
        XxlJobInfo xxlJobInfo = xxlJobInfoMapper.loadById(id);
 		if (xxlJobInfo == null) {
 			return ReturnT.ofFail(I18nUtil.getString("jobinfo_glue_jobid_unvalid"));
 		}

+		// valid jobGroup permission
+		if (!JobInfoController.hasJobGroupPermission(loginInfo, xxlJobInfo.getJobGroup())) {
+			return ReturnT.ofFail(I18nUtil.getString("system_permission_limit"));
+		}
+
 		// stop
 		xxlJobInfo.setTriggerStatus(0);
 		xxlJobInfo.setTriggerLastTime(0);
@ -383,15 +399,13 @@ public class XxlJobServiceImpl implements XxlJobService {

 	@Override
 	public ReturnT<String> trigger(LoginInfo loginInfo, int jobId, String executorParam, String addressList) {
-		// permission
-		if (loginInfo == null) {
-			return ReturnT.ofFail(I18nUtil.getString("system_permission_limit"));
-		}
+		// valid job
 		XxlJobInfo xxlJobInfo = xxlJobInfoMapper.loadById(jobId);
 		if (xxlJobInfo == null) {
 			return ReturnT.ofFail(I18nUtil.getString("jobinfo_glue_jobid_unvalid"));
 		}

+		// valid jobGroup permission
 		if (!JobInfoController.hasJobGroupPermission(loginInfo, xxlJobInfo.getJobGroup())) {
 			return ReturnT.ofFail(I18nUtil.getString("system_permission_limit"));
 		}