安全报告问题

dongjian-dashboard-back-controller/src/main/java/com/dongjian/dashboard/back/configurator/CrosXssFilter.java

@@ -8,7 +8,7 @@ import jakarta.servlet.FilterConfig;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.ServletRequest;
 import jakarta.servlet.ServletResponse;
-import javax.servlet.annotation.WebFilter;
+import jakarta.servlet.annotation.WebFilter;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 
@@ -17,16 +17,20 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import java.util.UUID;
 
+import org.apache.commons.lang3.StringUtils;
 import org.jboss.logging.MDC;
 
 @WebFilter
 public class CrosXssFilter implements Filter {
-	
+
     private static final Logger logger = LoggerFactory.getLogger(CrosXssFilter.class);
-    
+
     @Value("${crosxss.filter.disable:false}")
     private boolean disable;
 
+    @Value("${response.access.control.allow.origin:*}")
+    private String accessControlAllowOrigin;
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
     }
@@ -37,34 +41,89 @@ public class CrosXssFilter implements Filter {
         try {
             MDC.put("processNo", UUID.randomUUID().toString().replace("-", ""));
             request.setCharacterEncoding("utf-8");
-//            response.setContentType("text/html;charset=utf-8");
+            response.setContentType("application/json;charset=UTF-8");
             if (disable) {
                 chain.doFilter(request, response);
             } else {
-                //跨域设置
                 if (response instanceof HttpServletResponse) {
+
                     HttpServletResponse httpServletResponse = (HttpServletResponse) response;
-                    //禁用浏览器缓存
-                    httpServletResponse.setHeader("Cache-Control", "no-store");
-                    //禁止被IFrame嵌套
-                    httpServletResponse.setHeader("X-Frame-Options", "deny");
-                    //安全性配置
+                    HttpServletRequest httpRequest = (HttpServletRequest) request;
+
+                    String referer = httpRequest.getHeader("Referer");
+                    if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin)) {
+                        // 允许多个域名，逗号分隔
+                        String[] allowedOrigins = accessControlAllowOrigin.split(",");
+                        boolean matched = false;
+                        for (String origin : allowedOrigins) {
+                            origin = origin.trim();
+                            if (StringUtils.isNotBlank(origin) && referer.startsWith(origin)) {
+                                matched = true;
+                                break;
+                            }
+                        }
+                        // 如果一个都不匹配，则返回 403
+                        if (!matched) {
+                            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer");
+                            return;
+                        }
+                    }
+
+
+                    httpServletResponse.setHeader("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0");
+                    httpServletResponse.setHeader("Pragma", "no-cache");
+                    httpServletResponse.setDateHeader("Expires", 0);
+
+                    httpServletResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
+
+                    String nonce = UUID.randomUUID().toString().replace("-", "").substring(0, 16); // 生成随机 nonce
+                    httpServletResponse.setHeader("Content-Security-Policy",
+                            "default-src 'self'; " +
+                                    "img-src 'self' data:; "+
+                                    "font-src 'self' https://i.alicdn.com data:; "+ //阿里系的ui组件
+//                    	    "script-src 'self' 'nonce-" + nonce + "'; " + //nonce针对内联 JavaScript
+//            	    	    "style-src 'self' 'nonce-" + nonce + "'; " + //nonce针对内联 CSS
+                                    "script-src 'self'; " +
+                                    "style-src 'self'; " +
+                                    "object-src 'none'; " +
+                                    "base-uri 'none'; " +
+                                    "form-action 'self'; " +
+                                    "frame-ancestors 'none'"
+                    );
                     httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");
                     httpServletResponse.setHeader("X-Content-Type-Options", "nosniff");
                     httpServletResponse.setHeader("Referrer-Policy", "origin");
+                    httpServletResponse.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload");
+
+                    //add
+                    httpServletResponse.addHeader("Vary", "Origin");
+                    httpServletResponse.addHeader("Vary", "Access-Control-Request-Method");
+                    httpServletResponse.addHeader("Vary", "Access-Control-Request-Headers");
+
+                    httpServletResponse.setHeader("Access-Control-Allow-Headers", "*");
+                    httpServletResponse.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS");
+                    // 设置允许的域名
+                    httpServletResponse.setHeader("Access-Control-Allow-Origin", accessControlAllowOrigin);
+                    httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");
+
+
+
+                    if ("OPTIONS".equals(((HttpServletRequest) request).getMethod())) {
+                        httpServletResponse.setStatus(HttpServletResponse.SC_OK); // 200
+                        return;
+                    }
                 }
                 ServletRequest requestWrapper = null;
                 if(request instanceof HttpServletRequest) {
                     requestWrapper = new RequestWrapper((HttpServletRequest) request);
                 }
                 if(requestWrapper == null) {
-                	chain.doFilter(request, response);
+                    chain.doFilter(request, response);
                 } else {
-                	chain.doFilter(requestWrapper, response);
+                    chain.doFilter(requestWrapper, response);
                 }
             }
         } finally {
-            // 避免线程泄漏
             MDC.clear();
         }
 

dongjian-dashboard-back-controller/src/main/resources/config/application.properties

@@ -101,11 +101,14 @@ mybatis.configuration.map-underscore-to-camel-case=true
 
 server.servlet.session.cookie.http-only=true
 server.servlet.session.cookie.secure=true
+server.servlet.session.cookie.same-site=strict
 
 springdoc.swagger-ui.doc-expansion=none
 springdoc.swagger-ui.operations-sorter=alpha
 springdoc.swagger-ui.tags-sorter=alpha
 
+response.access.control.allow.origin = ${accessControlAllowOrigin:*}
+
 web.login.url=${webLoginUrl}
 web.admin.login.url=${webAdminLoginUrl}
 

dongjian-dashboard-back-dao/pom.xml

@@ -43,7 +43,7 @@
                 <dependency>
 				    <groupId>com.mysql</groupId>
 				    <artifactId>mysql-connector-j</artifactId>
-				    <version>9.3.0</version>
+				    <version>9.5.0</version>
 				</dependency>
               	</dependencies>
               	<executions>

dongjian-dashboard-back-model/pom.xml

@@ -20,11 +20,11 @@
 		<artifactId>hibernate-validator</artifactId>
 		<version>6.1.0.Final</version>
 	</dependency>
-	<dependency>
-		<groupId>org.glassfish</groupId>
-		<artifactId>javax.el</artifactId>
-		<version>3.0.1-b11</version>
-	</dependency>
+      <dependency>
+          <groupId>jakarta.el</groupId>
+          <artifactId>jakarta.el-api</artifactId>
+          <version>6.0.1</version>
+      </dependency>
 	<dependency>
 		<groupId>org.hibernate</groupId>
 		<artifactId>hibernate-validator-cdi</artifactId>

dongjian-dashboard-back-service/pom.xml

@@ -50,11 +50,5 @@
           <artifactId>s3</artifactId>
       </dependency>
 
-    <dependency>
-		  <groupId>com.github.penggle</groupId>
-		  <artifactId>kaptcha</artifactId>
-		  <version>2.3.2</version>
-	</dependency>
-
   </dependencies>
 </project>

dongjian-dashboard-back-service/src/main/java/com/dongjian/dashboard/back/service/captcha/KaptchaConfig.java

@@ -1,36 +0,0 @@
-package com.dongjian.dashboard.back.service.captcha;
-
-import java.util.Properties;
-
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-import com.google.code.kaptcha.impl.DefaultKaptcha;
-import com.google.code.kaptcha.util.Config;
-
-@Configuration
-public class KaptchaConfig {
-    @Bean
-    public DefaultKaptcha producer(){
-
-        DefaultKaptcha defaultKaptcha = new DefaultKaptcha();
-        Properties properties = new Properties();
-        properties.setProperty("kaptcha.border", "no");
-        properties.setProperty("kaptcha.border.color", "105,179,90");
-        properties.setProperty("kaptcha.textproducer.font.color", "black");
-        properties.setProperty("kaptcha.image.width", "110");
-        properties.setProperty("kaptcha.image.height", "40");
-        properties.setProperty("kaptcha.textproducer.char.string","23456789abcdefghkmnpqrstuvwxyzABCDEFGHKMNPRSTUVWXYZ");
-        properties.setProperty("kaptcha.textproducer.font.size", "30");
-        properties.setProperty("kaptcha.textproducer.char.space","3");
-        properties.setProperty("kaptcha.session.key", "code");
-        properties.setProperty("kaptcha.textproducer.char.length", "4");
-        properties.setProperty("kaptcha.textproducer.font.names", "宋体,楷体,微软雅黑");
-//        properties.setProperty("kaptcha.obscurificator.impl","com.xxx");可以重写实现类
-        properties.setProperty("kaptcha.noise.impl","com.google.code.kaptcha.impl.NoNoise");
-        Config config = new Config(properties);
-        defaultKaptcha.setConfig(config);
-
-        return defaultKaptcha;
-    }
-}

dongjian-dashboard-back-util/pom.xml

@@ -31,12 +31,8 @@
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-data-redis</artifactId>
     </dependency>
-    
+
     <dependency>
-      	<groupId>org.apache.commons</groupId>
-      	<artifactId>commons-lang3</artifactId>
-   	</dependency>
-   	<dependency>
 		 <groupId>org.apache.commons</groupId>
 		 <artifactId>commons-pool2</artifactId>
 	</dependency>
@@ -60,7 +56,7 @@
 	<dependency>
 	    <groupId>commons-io</groupId>
 	    <artifactId>commons-io</artifactId>
-	    <version>2.11.0</version>
+		<version>2.18.0</version>
 	</dependency>
 	
 	<dependency>
@@ -78,7 +74,7 @@
 	  <dependency>
 		  <groupId>org.springframework.security</groupId>
 		  <artifactId>spring-security-oauth2-authorization-server</artifactId>
-		  <version>1.5.1</version>
+		  <version>1.5.3</version>
 	  </dependency>
 
 	  <!-- https://mvnrepository.com/artifact/software.amazon.awssdk/sts -->

pom.xml

@@ -6,7 +6,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.2.12</version>
+		<version>3.5.7</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	
@@ -55,7 +55,7 @@
 		<dependency>
 		    <groupId>org.apache.tomcat.embed</groupId>
 		    <artifactId>tomcat-embed-core</artifactId>
-		    <version>10.1.42</version>
+		    <version>10.1.49</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
@@ -80,7 +80,7 @@
 		 <dependency>
 		    <groupId>org.springdoc</groupId>
 		    <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
-		    <version>2.5.0</version>
+		    <version>2.8.14</version>
 		 </dependency>
 <!-- 		<dependency> -->
 <!-- 		    <groupId>io.springfox</groupId> -->
@@ -91,17 +91,17 @@
 		<dependency>
 		    <groupId>com.fasterxml.jackson.core</groupId>
 		    <artifactId>jackson-core</artifactId>
-		    <version>2.19.0</version> <!-- 与 jackson-databind 版本一致 -->
+		    <version>2.19.4</version> <!-- 与 jackson-databind 版本一致 -->
 		</dependency>
 		<dependency>
 		    <groupId>com.fasterxml.jackson.core</groupId>
 		    <artifactId>jackson-databind</artifactId>
-		    <version>2.19.0</version>
+		    <version>2.19.4</version>
 		</dependency>
 		<dependency>
 		    <groupId>com.fasterxml.jackson.core</groupId>
 		    <artifactId>jackson-annotations</artifactId>
-		    <version>2.19.0</version>
+		    <version>2.19.4</version>
 		</dependency>
 		
 		<dependency>
@@ -113,7 +113,7 @@
 		<dependency>
 		    <groupId>com.mysql</groupId>
 		    <artifactId>mysql-connector-j</artifactId>
-		    <version>9.3.0</version>
+		    <version>9.5.0</version>
 		</dependency>
 		
 		<dependency>
@@ -139,20 +139,27 @@
 		<dependency>
 		    <groupId>ch.qos.logback</groupId>
 		    <artifactId>logback-classic</artifactId>
-		    <version>1.5.18</version>
+            <version>1.5.21</version>
 		    <scope>compile</scope>
 		</dependency>
 		<dependency>
 		    <groupId>ch.qos.logback</groupId>
 		    <artifactId>logback-core</artifactId>
-		    <version>1.5.18</version>
+            <version>1.5.21</version>
 		    <scope>compile</scope>
 		</dependency>
+
+        <!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.20.0</version>
+        </dependency>
 		
 		<dependency>
 		    <groupId>org.apache.commons</groupId>
 		    <artifactId>commons-compress</artifactId>
-		    <version>1.27.1</version>
+            <version>1.28.0</version>
 		</dependency>
 		
 		<dependency>
@@ -177,19 +184,19 @@
         <dependency>
             <groupId>io.lettuce</groupId>
             <artifactId>lettuce-core</artifactId>
-            <version>6.7.1.RELEASE</version>
+            <version>6.8.1.RELEASE</version>
         </dependency>
 		
 		<!-- log4j -->
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>
-            <version>2.25.1</version>
+            <version>2.25.2</version>
         </dependency>
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-api</artifactId>
-            <version>2.25.1</version>
+            <version>2.25.2</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/com.alibaba/easyexcel -->
@@ -198,6 +205,12 @@
             <artifactId>easyexcel</artifactId>
             <version>4.0.3</version>
         </dependency>
+
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>10.6</version> <!-- 这是截至 2025 年推荐的稳定版本 -->
+        </dependency>
         
 	</dependencies>
 
@@ -210,6 +223,39 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>4.1.128.Final</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+
+            <dependency>
+                <groupId>org.apache.poi</groupId>
+                <artifactId>poi</artifactId>
+                <version>5.5.0</version>
+            </dependency>
+
+            <dependency>
+                <groupId>org.apache.poi</groupId>
+                <artifactId>poi-ooxml</artifactId>
+                <version>5.5.0</version>
+            </dependency>
+
+            <dependency>
+                <groupId>org.apache.poi</groupId>
+                <artifactId>poi-ooxml-lite</artifactId>
+                <version>5.5.0</version>
+            </dependency>
+
+            <!-- POI 5.5.0 必须搭配 xmlbeans 5.2.0（否则会冲突） -->
+            <dependency>
+                <groupId>org.apache.xmlbeans</groupId>
+                <artifactId>xmlbeans</artifactId>
+                <version>5.2.0</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>