严格校验入参，封堵逻辑漏洞，维持原有功能

e956ada5 · 技术部-任文超 · 1ec96cf6 · e956ada5 · e956ada5
Commit e956ada5 authored Jul 30, 2018 by 技术部-任文超
Showing with 42 additions and 25 deletions

InnerController.java ...tgroup/xyqb/controller/external/user/InnerController.java +21 -8

UserDetailServiceImpl.java ...ntgroup/xyqb/service/user/impl/UserDetailServiceImpl.java +21 -17

No files found.
--- a/src/main/java/cn/quantgroup/xyqb/controller/external/user/InnerController.java
+++ b/src/main/java/cn/quantgroup/xyqb/controller/external/user/InnerController.java
@@ -587,9 +587,14 @@ public class InnerController implements IBaseController {
        if (StringUtils.isBlank(name) && StringUtils.isBlank(phoneNo) && StringUtils.isBlank(idNo)) {
            return JsonResult.buildErrorStateResult("至少必须满足一个条件不为空", null);
        }
+        boolean nameValid = StringUtils.isBlank(name) || ValidationUtil.validateChinese(name);
-        List<UserDetailVO> userDetails = userDetailService.searchUserDetailList(name, phoneNo, idNo);
+        boolean phoneNoValid = StringUtils.isBlank(phoneNo) || ValidationUtil.validatePhoneNo(phoneNo);
-        return JsonResult.buildSuccessResult("success", userDetails);
+        boolean idNoValid = StringUtils.isBlank(idNo) || Objects.equals(idNo.length(), 18);
+        if(nameValid && phoneNoValid && idNoValid){
+            List<UserDetailVO> userDetails = userDetailService.searchUserDetailList(name, phoneNo, idNo);
+            return JsonResult.buildSuccessResult("success", userDetails);
+        }
+        return JsonResult.buildErrorStateResult("查询条件不规范！", null);
    }
    /**
@@ -604,11 +609,19 @@ public class InnerController implements IBaseController {
    public JsonResult<List<UserDetail>> fuzzyQueryUserDetailList(@ApiParam(value = "手机号", required = true) @RequestParam(name = "phoneNo") String phoneNo,
                                                                 @ApiParam(value = "身份证号", required = true) @RequestParam(name = "idNo") String idNo) {
        log.info("fuzzyQueryUserDetailList, phone:{},idNo:{},ip:{}", phoneNo, idNo, getIp());
-        if (StringUtils.isBlank(phoneNo) && StringUtils.isBlank(idNo)) {
+        if (StringUtils.isBlank(phoneNo) || StringUtils.isBlank(idNo)) {
-            return JsonResult.buildErrorStateResult("至少必须满足一个条件不为空", null);
+            return JsonResult.buildErrorStateResult("查询条件不能为空", null);
        }
-        List<UserDetail> userDetailList = userDetailService.fuzzyQueryByPhoneNoAndIdNo(phoneNo, idNo);
+        int phoneNoMaskSize = 9;
-        return JsonResult.buildSuccessResult("success", userDetailList);
+        int idNoMaskSize = 16;
+        int idNoFullSize = 18;
+        boolean phoneNoValid = Objects.equals(phoneNo.length(), phoneNoMaskSize) || ValidationUtil.validatePhoneNo(phoneNo);
+        boolean idNoValid =  Objects.equals(idNo.length(), idNoMaskSize) || Objects.equals(idNo.length(), idNoFullSize);
+        if (phoneNoValid && idNoValid) {
+            List<UserDetail> userDetailList = userDetailService.fuzzyQueryByPhoneNoAndIdNo(phoneNo, idNo);
+            return JsonResult.buildSuccessResult("success", userDetailList);
+        }
+        return JsonResult.buildErrorStateResult("查询条件不规范！", null);
    }
    @RequestMapping("/user_ext_info/search/user_id")

--- a/src/main/java/cn/quantgroup/xyqb/service/user/impl/UserDetailServiceImpl.java
+++ b/src/main/java/cn/quantgroup/xyqb/service/user/impl/UserDetailServiceImpl.java
 package cn.quantgroup.xyqb.service.user.impl;
+import java.util.*;
+import java.util.stream.Collectors;
+import javax.annotation.Resource;
+import javax.persistence.criteria.Predicate;
+import org.apache.commons.lang.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.dao.DataIntegrityViolationException;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.data.domain.Sort;
+import org.springframework.data.jpa.domain.Specification;
+import org.springframework.stereotype.Service;
+import org.springframework.util.CollectionUtils;
+import com.google.common.collect.Maps;
+import lombok.extern.slf4j.Slf4j;
 import cn.quantgroup.acolyte.buddhistscriptures.pojo.UserRealInfo;
 import cn.quantgroup.xyqb.Constants;
 import cn.quantgroup.xyqb.entity.User;
@@ -13,23 +34,6 @@ import cn.quantgroup.xyqb.service.auth.IIdCardService;
 import cn.quantgroup.xyqb.service.user.IUserDetailService;
 import cn.quantgroup.xyqb.service.user.vo.UserDetailVO;
 import cn.quantgroup.xyqb.util.ValidationUtil;
-import com.google.common.collect.Maps;
-import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.lang.StringUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.context.ApplicationEventPublisher;
-import org.springframework.dao.DataIntegrityViolationException;
-import org.springframework.data.domain.Page;
-import org.springframework.data.domain.PageRequest;
-import org.springframework.data.domain.Sort;
-import org.springframework.data.jpa.domain.Specification;
-import org.springframework.stereotype.Service;
-import org.springframework.util.CollectionUtils;
-import javax.annotation.Resource;
-import javax.persistence.criteria.Predicate;
-import java.util.*;
-import java.util.stream.Collectors;
 /**
 * Created by 11 on 2016/12/29.