漏洞修复

src/main/java/cn/quantgroup/xyqb/aspect/limit/PasswordFreeAccessValidateAdvisor.java

@@ -6,6 +6,7 @@ import cn.quantgroup.xyqb.model.JsonResult;
 import cn.quantgroup.xyqb.model.session.SessionStruct;
 import cn.quantgroup.xyqb.session.XyqbSessionContextHolder;
 import cn.quantgroup.xyqb.util.IpUtil;
+import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
 import org.aspectj.lang.ProceedingJoinPoint;
 import org.aspectj.lang.annotation.Around;
@@ -28,11 +29,11 @@ import java.util.Set;
  * @version 1.0.0
  * @since 2017-11-21
  */
+@Slf4j
 @Aspect
 @Component
 public class PasswordFreeAccessValidateAdvisor {
 
-    private static final Logger LOGGER = LoggerFactory.getLogger(PasswordFreeAccessValidateAdvisor.class);
     private static final String USER_ID = "userId";
 
     /**
@@ -68,39 +69,39 @@ public class PasswordFreeAccessValidateAdvisor {
         String clientIp = IpUtil.getRemoteIP(request);
         Set<String> paramKeys = request.getParameterMap().keySet();
         if (!paramKeys.contains(Constants.PHONE_NO) && !paramKeys.contains(USER_ID)) {
-            LOGGER.info("非法请求 - 缺少参数, paramKeys={}, clientIp={}", paramKeys, clientIp);
+            log.info("非法请求 - 缺少参数, paramKeys={}, clientIp={}", paramKeys, clientIp);
             return false;
         }
         // 当前请求的phoneNo/userId
         String phoneNo = request.getParameter(Constants.PHONE_NO);
         String userId = request.getParameter(USER_ID);
         if (StringUtils.isBlank(phoneNo) && StringUtils.isBlank(userId)) {
-            LOGGER.info("非法请求 - 缺少参数, phoneNo={}, userId={}, clientIp={}", phoneNo, userId, clientIp);
+            log.info("非法请求 - 缺少参数, phoneNo={}, userId={}, clientIp={}", phoneNo, userId, clientIp);
             return false;
         }
         // 当前请求的Token
         String token = request.getHeader(Constants.X_AUTH_TOKEN);
         if (StringUtils.length(token) != Constants.TOKEN_LENGTH) {
-            LOGGER.info("非法请求 - 无效token, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, clientIp);
+            log.info("非法请求 - 无效token, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, clientIp);
             return false;
         }
         // 当前session
         SessionStruct session = XyqbSessionContextHolder.getXSessionFromRedis(token);
         if (Objects.isNull(session) || Objects.isNull(session.getValues()) || Objects.isNull(session.getValues().getUser())) {
-            LOGGER.info("非法请求 - 未登录, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, clientIp);
+            log.info("非法请求 - 未登录, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, clientIp);
             return false;
         }
         // 当前用户
         User user = session.getValues().getUser();
         if (Objects.isNull(user.getId()) && StringUtils.isBlank(user.getPhoneNo())) {
-            LOGGER.info("非法请求 - 未登录, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, clientIp);
+            log.info("非法请求 - 未登录, token={}, phoneNo={}, userId={}, clientIp={}", token, phoneNo, userId, clientIp);
             return false;
         }
         // 校对用户信息是否匹配
         boolean valid = (Objects.nonNull(user.getId()) && Objects.equals(userId, user.getId().toString()));
         valid = valid || (StringUtils.isNotBlank(phoneNo) && Objects.equals(phoneNo, user.getPhoneNo()));
         if (!valid) {
-            LOGGER.info("非法请求 - 身份不匹配, token={}, phoneNo=({},{}), userId=({},{}), clientIp={}", token, phoneNo, user.getPhoneNo(), userId, user.getId(), clientIp);
+            log.info("非法请求 - 身份不匹配, token={}, phoneNo=({},{}), userId=({},{}), clientIp={}", token, phoneNo, user.getPhoneNo(), userId, user.getId(), clientIp);
         }
         return valid;
     }

src/main/java/cn/quantgroup/xyqb/controller/external/WeChatController.java

@@ -296,7 +296,7 @@ public class WeChatController implements IBaseController {
             out.write(html.toString());
             out.close();
         } catch (IOException e) {
-            e.printStackTrace();
+            log.error("测试：重定向失败", e);
         }
     }
 

src/main/java/cn/quantgroup/xyqb/service/mq/impl/IRegisterMqServiceImpl.java

@@ -22,14 +22,14 @@ public class IRegisterMqServiceImpl implements IRegisterMqService {
 
     @Autowired
     @Qualifier("registerRabbitTemplate")
-    RabbitTemplate registerRabTemplate;
+    private RabbitTemplate registerRabTemplate;
     @Autowired
     @Qualifier("registerRabbitTemplate4Gdt")
-    RabbitTemplate registerRabbitTemplate4Gdt;
+    private RabbitTemplate registerRabbitTemplate4Gdt;
 
     @Autowired
     @Qualifier(value = "registerMqQueue")
-    Queue registerMqQueue;
+    private Queue registerMqQueue;
 
     /**
      * 发送用登陆统计信息

src/main/java/cn/quantgroup/xyqb/service/mq/impl/LoanVestMqServiceImpl.java

@@ -3,9 +3,7 @@ package cn.quantgroup.xyqb.service.mq.impl;
 import cn.quantgroup.xyqb.model.UserStatistics;
 import cn.quantgroup.xyqb.service.mq.IVestService;
 import com.alibaba.fastjson.JSONObject;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.amqp.core.Queue;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.amqp.rabbit.core.RabbitTemplate;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.scheduling.annotation.Async;
@@ -17,18 +15,14 @@ import javax.annotation.Resource;
  * Created by xuran on 2017/6/21.
  * 用户统计信息
  */
+@Slf4j
 @Service("loanVestMqService")
 public class LoanVestMqServiceImpl implements IVestService {
-    private static final Logger LOGGER = LoggerFactory.getLogger(LoanVestMqServiceImpl.class);
 
     @Resource
     @Qualifier("rabbitTemplate")
     private RabbitTemplate rabbitTemplate;
 
-    @Resource
-    @Qualifier(value = "loanVestQueue")
-    Queue loanVestQueue;
-
     /**
      * 发送用登陆统计信息
      *
@@ -38,12 +32,13 @@ public class LoanVestMqServiceImpl implements IVestService {
     @Async
     public void send(UserStatistics message) {
         if (null == message) {
-            LOGGER.error("用户登陆统计消息不能为空");
+            log.error("用户登陆统计消息不能为空");
+            return;
         }
-        LOGGER.info("用户登陆统计发送,message={}", message);
+        log.info("用户登陆统计发送,message={}", message);
         String msg = JSONObject.toJSONString(message);
         rabbitTemplate.convertAndSend("statistics-user", msg);
-        LOGGER.info("用户登陆统计成功,message={}", msg);
+        log.info("用户登陆统计成功,message={}", msg);
     }
 
 }

src/main/java/cn/quantgroup/xyqb/service/sms/impl/SmsServiceImpl.java

@@ -21,8 +21,8 @@ import java.util.Collections;
  * @author mengfan.feng
  * @time 2015-07-25 18:47
  */
-@Service
 @Slf4j
+@Service
 public class SmsServiceImpl implements ISmsService {
 
     private static SmsSender smsSender = null;
@@ -57,7 +57,7 @@ public class SmsServiceImpl implements ISmsService {
             //smsSender.sendAndForget(new SendAndForgetMsg(Collections.emptyList(), "24", "1", phoneNo));
             log.info("注册完成，发送短信, phoneNo:{}", phoneNo);
         } catch (Exception e) {
-            e.printStackTrace();
+            log.error("注册完成短信发送异常", e);
         }
     }
 
@@ -108,7 +108,7 @@ public class SmsServiceImpl implements ISmsService {
             //smsSender.confirmSmsResult("1", unqiueId);
             log.info("confirmMsg send success, uniqueId={}", unqiueId);
         } catch (Exception e) {
-            log.info("短信验证向短信中心确认失效");
+            log.info("短信验证向短信中心确认失效", e);
         }
         return StringUtils.equals(code, smsVerificationCode);
     }

src/main/java/cn/quantgroup/xyqb/service/user/impl/UserServiceImpl.java

@@ -37,7 +37,7 @@ import java.util.concurrent.TimeUnit;
 public class UserServiceImpl implements IUserService {
 
     @Autowired
-    RedisTemplate<String, String> stringRedisTemplate;
+    private RedisTemplate<String, String> stringRedisTemplate;
     @Autowired
     private IUserRepository userRepository;
 

src/main/java/cn/quantgroup/xyqb/util/encrypt/Rsa.java

 package cn.quantgroup.xyqb.util.encrypt;
 
+import lombok.extern.slf4j.Slf4j;
+
 import javax.crypto.Cipher;
 import java.io.ByteArrayOutputStream;
 import java.math.BigInteger;
@@ -10,6 +12,7 @@ import java.security.spec.X509EncodedKeySpec;
 import java.util.HashMap;
 import java.util.Map;
 
+@Slf4j
 public class Rsa {
     /**
      * 指定key的大小
@@ -166,19 +169,14 @@ public class Rsa {
                     Base64.decodeBase64(privateKey.getBytes()));
             KeyFactory keyf = KeyFactory.getInstance("Rsa");
             PrivateKey priKey = keyf.generatePrivate(priPKCS8);
-
             Signature signature = Signature.getInstance("SHA1WithRSA");
-
             signature.initSign(priKey);
             signature.update(content.getBytes(charset));
-
             byte[] signed = signature.sign();
-
             return new String(Base64.encodeBase64(signed));
         } catch (Exception e) {
-
+            log.error("出错了", e);
         }
-
         return null;
     }
 
@@ -187,19 +185,13 @@ public class Rsa {
             KeyFactory keyFactory = KeyFactory.getInstance("Rsa");
             byte[] encodedKey = Base64.decode2(publicKey);
             PublicKey pubKey = keyFactory.generatePublic(new X509EncodedKeySpec(encodedKey));
-
-
-            Signature signature = Signature
-                    .getInstance("SHA1WithRSA");
-
+            Signature signature = Signature.getInstance("SHA1WithRSA");
             signature.initVerify(pubKey);
             signature.update(content.getBytes("utf-8"));
-
             boolean bverify = signature.verify(Base64.decode2(sign));
             return bverify;
-
         } catch (Exception e) {
-            e.printStackTrace();
+            log.error("出错了", e);
         }
 
         return false;

src/test/java/common/Jdk8Test.java

@@ -19,7 +19,7 @@ import cn.quantgroup.xyqb.util.ValidationUtil;
 @Slf4j
 @RunWith(JUnit4.class)
 public class Jdk8Test {
-    final static String RANDOM_CHARS = "0123456789";
+    private final static String RANDOM_CHARS = "0123456789";
 
     @Test
     public void testString() {

src/test/java/common/Md5Test.java

 package common;
 
-import cn.quantgroup.xyqb.service.captcha.GeetestLib;
 import cn.quantgroup.xyqb.util.encrypt.Md5Util;
 import lombok.extern.slf4j.Slf4j;
 import org.junit.Test;
@@ -10,11 +9,11 @@ import org.junit.runners.JUnit4;
 @Slf4j
 @RunWith(JUnit4.class)
 public class Md5Test {
-    final static String PWD = "123456";
+    private final static String PWD = "123456";
 
     @Test
     public void test() {
-        log.info("pwd:{},Md5Util:{},Geetest:{}", PWD, Md5Util.build(PWD), GeetestLib.md5Encode(PWD));
+        log.info("pwd:{},Md5Util:{}", PWD, Md5Util.build(PWD));
     }
 
 }

src/test/java/demo/DynamicTest.java

@@ -73,8 +73,8 @@ public class DynamicTest {
         // a number evenly divisible by 7 is encountered.
         Iterator<Integer> inputGenerator = new Iterator<Integer>() {
 
-            SecureRandom random = new SecureRandom();
-            int current;
+            private SecureRandom random = new SecureRandom();
+            private int current;
 
             @Override
             public boolean hasNext() {

src/test/java/demo/MvcTest.java

@@ -29,7 +29,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 public class MvcTest {
   private MockMvc mvc;
   @Resource
-  WebApplicationContext webApplicationConnect;
+  private WebApplicationContext webApplicationConnect;
 
   @Before
   public void setUp() throws JsonProcessingException {

src/test/java/login/StringCodeTest.java

@@ -10,9 +10,9 @@ public class StringCodeTest {
         System.out.println(pc_base64("18222288391", "0000"));
 	}
 
-	final static String AUTHORIZATION = "authorization";
-	final static String PREFIX_AP = "Basic ";
-	final static String PREFIX_PC = "Verification ";
+	private final static String AUTHORIZATION = "authorization";
+	private final static String PREFIX_AP = "Basic ";
+	private final static String PREFIX_PC = "Verification ";
     /*
      * 4.153
      * 13576450525	123456	318e235d3e52648b236faa3f748000d5

src/test/java/login/UserLoginTest.java

@@ -31,9 +31,9 @@ import java.util.List;
 /**
  * Created by 11 on 2017/1/3.
  */
+@Slf4j
 @RunWith(SpringJUnit4ClassRunner.class)
 @SpringBootTest(classes = Bootstrap.class )
-@Slf4j
 public class UserLoginTest {
 
   private MockHttpServletRequest request = new MockHttpServletRequest();;
@@ -93,15 +93,14 @@ public class UserLoginTest {
         try {
             entity = new UrlEncodedFormEntity(pairList, "UTF-8");
         }catch (Exception e){
-            e.printStackTrace();
+            log.error("error", e);
         }
         post.setEntity(entity);
-        String result = "";
         try {
             CloseableHttpResponse response = httpClient.execute(post);
-            result = EntityUtils.toString(response.getEntity());
+            EntityUtils.toString(response.getEntity());
         } catch (IOException e) {
-            e.printStackTrace();
+            log.error("error", e);
         }
   }
 

src/test/java/repsitory/UserAuthorizedRepsitoryTest.java

@@ -37,7 +37,7 @@ public class UserAuthorizedRepsitoryTest extends BaseParametersTest {
     @Resource
     private IUserAuthorizedRepository userAuthorizedRepository;
 
-    UserAuthorized obj = new UserAuthorized();
+    private UserAuthorized obj = new UserAuthorized();
     public UserAuthorizedRepsitoryTest(String userUuid, String idNo, String name, AuthPattern authPattern, Boolean available) {
         obj.setUserUuid(userUuid);
         obj.setIdNo(idNo);

src/test/java/service/UserAuthorizedServiceTest.java

@@ -41,7 +41,7 @@ public class UserAuthorizedServiceTest extends BaseParametersTest {
     @Resource
     private IUserAuthorizedService userAuthorizedService;
 
-    UserAuthorizedParam obj = new UserAuthorizedParam();
+    private UserAuthorizedParam obj = new UserAuthorizedParam();
     public UserAuthorizedServiceTest(String userUuid, String idNo, String name, AuthPattern authPattern, Boolean available) {
         obj.setUserUuid(userUuid);
         obj.setIdNo(idNo);