
修复FastJson的AutoType漏洞 https://github.com/alibaba/fastjson/wiki/fastjson_safemode

luGuangChen 2 years ago
parent
commit
a92c7ac412

+ 13 - 1
dgtis-common/dgtis-common-redis/pom.xml

@@ -28,6 +28,18 @@
             <groupId>com.dgtis</groupId>
             <artifactId>dgtis-common-core</artifactId>
         </dependency>
-        
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <version>4.13.2</version>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>com.dgtis</groupId>
+            <artifactId>dgtis-api-system</artifactId>
+        </dependency>
+
     </dependencies>
 </project>
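Review bot: The new `dgtis-api-system` dependency makes the shared redis module depend on the system API module, apparently only so the serializer can reference `LoginUser.class`; if that direction is not intended in the project's module layering (the parent POM is not visible here), the handler could instead resolve the one allowlisted fully-qualified name through the class loader and this dependency could be dropped. The entry carries no `<version>`, so it relies on a `dependencyManagement` entry in a parent POM that this diff does not show — worth confirming one exists, otherwise the build fails. The junit test dependency matches no test file in the visible part of this commit; if none is added, consider leaving it out.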

+ 23 - 0
dgtis-common/dgtis-common-redis/src/main/java/com/dgtis/common/redis/configure/FastJson2JsonRedisSerializer.java

@@ -2,6 +2,7 @@ package com.dgtis.common.redis.configure;
 
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.serializer.SerializerFeature;
+import com.dgtis.system.api.model.LoginUser;
 import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.type.TypeFactory;
@@ -28,6 +29,28 @@ public class FastJson2JsonRedisSerializer<T> implements RedisSerializer<T>
     static
     {
         ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
+        // 2022/5/24 陆光晨 start 2022/5/23FastJson爆出autoType漏洞,需要将jar包升级到1.2.68及以上并设置safeMode为true
+        ParserConfig.getGlobalInstance().setSafeMode(true);
+        ParserConfig.getGlobalInstance().addAutoTypeCheckHandler(autoTypeCheckHandler());
+        // 2022/5/24 陆光晨 end 2022/5/23FastJson爆出autoType漏洞,需要将jar包升级到1.2.68及以上并设置safeMode为true
+    }
+    public static ParserConfig.AutoTypeCheckHandler autoTypeCheckHandler() {
+        return new ParserConfig.AutoTypeCheckHandler() {
+
+            @Override
+            public Class<?> handler(String typeName, Class<?> expectClass, int features) {
+                if ("com.dgtis.system.api.model.LoginUser".equals(typeName)
+                        || "LoginUser".equals(typeName)) {
+                    return LoginUser.class;
+                } else {
+                    try {
+                        return Class.forName(typeName);
+                    } catch (ClassNotFoundException e) {
+                        throw new IllegalArgumentException(e);
+                    }
+                }
+            }
+        };
     }
 
     public FastJson2JsonRedisSerializer(Class<T> clazz)
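Review bot: The handler's else branch (`return Class.forName(typeName);`) resolves whatever type name the JSON supplies and returns it, so every class reachable by the class loader is still accepted for `@type` and the allowlist reduces to a no-op; if I read fastjson's checkAutoType correctly, registered AutoTypeCheckHandlers are consulted before the safeMode check, so a non-null return here also bypasses the `setSafeMode(true)` added two lines above. Returning `null` for anything other than the allowlisted name defers to ParserConfig's own check, which rejects it under safeMode: replace the entire else branch with `return null; // not allowlisted: defer to ParserConfig, which rejects it under safeMode`. The retained `setAutoTypeSupport(true)` and the handler are both installed on `ParserConfig.getGlobalInstance()`, so they apply to every fastjson parse in the JVM, not only this Redis serializer — worth a comment on the static block saying so. The class `FastJson2JsonRedisSerializer` continues outside the hunk.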