解决问题：spring-boot-starter-data-rest包有严重的安全漏洞

d086ffb2 · 技术部-任文超 · 3b5e384f · d086ffb2 · d086ffb2 · d086ffb2
Commit d086ffb2 authored Mar 30, 2018 by 技术部-任文超
Showing with 33 additions and 15 deletions

pom.xml pom.xml +0 -4

HttpConfig.java src/main/java/cn/quantgroup/xyqb/config/http/HttpConfig.java +17 -11

MyWebMvcConfigurer.java ...va/cn/quantgroup/xyqb/config/http/MyWebMvcConfigurer.java +16 -0

No files found.
--- a/pom.xml
+++ b/pom.xml
@@ -66,10 +66,6 @@
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-data-rest</artifactId>
-        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-integration</artifactId>

--- a/src/main/java/cn/quantgroup/xyqb/config/http/HttpConfig.java
+++ b/src/main/java/cn/quantgroup/xyqb/config/http/HttpConfig.java
@@ -30,6 +30,8 @@ import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.convert.converter.ConverterRegistry;
+import org.springframework.format.support.DefaultFormattingConversionService;
+import org.springframework.format.support.FormattingConversionService;
 import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
 import org.springframework.web.filter.CharacterEncodingFilter;
@@ -78,20 +80,24 @@ public class HttpConfig {
    return builder;
  }
-  // hack spring mvc.
  @Bean
-  public IntegerToEnumConverterFactory getIntegerToEnumConverterFactory(
+  public ConverterRegistry defaultConversionService() {
-      ConverterRegistry defaultConversionService, ConverterRegistry mvcConversionService, ConverterRegistry integrationConversionService) {
+    FormattingConversionService conversionService = new DefaultFormattingConversionService();
-    IntegerToEnumConverterFactory factory = new IntegerToEnumConverterFactory();
+    addFormatters(conversionService);
+    return conversionService;
+  }
+  @Bean
+  public ConverterRegistry integrationConversionService() {
+    FormattingConversionService conversionService = new DefaultFormattingConversionService();
+    addFormatters(conversionService);
+    return conversionService;
+  }
-    defaultConversionService.removeConvertible(String.class, Enum.class);
-    mvcConversionService.removeConvertible(String.class, Enum.class);
-    integrationConversionService.removeConvertible(String.class, Enum.class);
-    defaultConversionService.addConverterFactory(factory);
+  private void addFormatters(FormattingConversionService conversionService) {
-    mvcConversionService.addConverterFactory(factory);
+    IntegerToEnumConverterFactory factory = new IntegerToEnumConverterFactory();
-    integrationConversionService.addConverterFactory(factory);
+    conversionService.removeConvertible(String.class,Enum.class);
-    return factory;
+    conversionService.addConverterFactory(factory);
  }
  @Bean(name = "httpClient")

--- a/src/main/java/cn/quantgroup/xyqb/config/http/MyWebMvcConfigurer.java
+++ b/src/main/java/cn/quantgroup/xyqb/config/http/MyWebMvcConfigurer.java
+package cn.quantgroup.xyqb.config.http;
+import org.springframework.format.FormatterRegistry;
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
+@Component
+public class MyWebMvcConfigurer extends WebMvcConfigurerAdapter {
+  @Override
+  public void addFormatters(FormatterRegistry registry) {
+    registry.removeConvertible(String.class,Enum.class);
+    registry.addConverterFactory(new IntegerToEnumConverterFactory());
+  }
+}
\ No newline at end of file