
渗透测试整改问题修改,除了xff攻击,其他都改了

xusl 1 ano atrás
pai
commit
1cd788adf2

+ 20 - 0
backend/src/main/java/com/jiayue/ssi/aspectj/OperateLogAspect.java

@@ -1,5 +1,6 @@
 package com.jiayue.ssi.aspectj;
 
+import cn.hutool.core.util.DesensitizedUtil;
 import cn.hutool.json.JSONUtil;
 import com.jiayue.ssi.annotation.OperateLog;
 import com.jiayue.ssi.backenum.BusinessStatus;
@@ -183,6 +184,25 @@ public class OperateLogAspect {
 //            System.out.print("属性"+name);
             String value=request.getParameter(name);//是通过页面中的name属性得到值。
 //            System.out.println(",值:"+value);
+
+            // 脱敏处理
+            if ("mailbox".equals(name)){
+                value = DesensitizedUtil.email(value);
+            }
+            else if ("nickname".equals(name)){
+                // 姓名
+                value = DesensitizedUtil.chineseName(value);
+            }
+            else if ("phonenumber".equals(name)){
+                // 手机号
+                value = DesensitizedUtil.mobilePhone(value);
+            }
+            else if ("againPwd".equals(name) || "oldPassword".equals(name) || "newPassword".equals(name) || "confirmPassword".equals(name)){
+                // 密码
+                value = DesensitizedUtil.password(value);
+            }
+
+
             map.put(name,value);
         }
         return JSONUtil.parseObj(map).toString();
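Review bot: The masking chain added before `map.put(name,value)` keys on exact parameter names, so a password submitted under any other name (for example a plain `password` field, which is not in the list and whose use by the login form cannot be confirmed from here) is still written unmasked into the operation log. A substring match makes the password branch a catch-all: `String lower = name.toLowerCase(Locale.ROOT);` and `else if (lower.contains("password") || lower.contains("pwd")) { value = DesensitizedUtil.password(value); }` (needs `java.util.Locale`), keeping the explicit mailbox/nickname/phonenumber branches as they are. The two empty lines left after the chain should be dropped. The enclosing loop and method start outside the hunk.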

+ 5 - 0
backend/src/main/java/com/jiayue/ssi/constant/CacheConstants.java

@@ -28,6 +28,11 @@ public class CacheConstants {
     public static final String MAIL_CODE_KEY = "mail_codes:";
 
     /**
+     * 防止邮箱口令频繁访问
+     */
+    public static final String PREVENT_MAIL_CODE = "prevent_mail_codes:";
+
+    /**
      * 参数管理 cache key
      */
     public static final String SYS_CONFIG_KEY = "sys_config:";

+ 1 - 1
backend/src/main/java/com/jiayue/ssi/controller/SysUserController.java

@@ -369,7 +369,7 @@ public class SysUserController {
             String[] mailArray = {AesUtils.decryptStr(sysUser.getMailbox())};
             sendMailUtil.executeSendMail(mailArray, "系统登录密码", "密码:" + randomPwd);
         } catch (Exception e) {
-            log.error("用户名:"+sysUser.getUsername()+",邮箱验证码发送失败!",e);
+//            log.error("用户名:"+sysUser.getUsername()+",邮箱验证码发送失败!",e);
             return ResponseVO.fail("发送邮箱失败");
         }
         return ResponseVO.success();
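Review bot: Commenting out the `log.error` in the catch leaves the mail send failure completely unlogged, so an operator gets only the generic "发送邮箱失败" response and no cause to act on. If the intent is to keep the username out of the log, log the exception without it: `log.error("邮箱验证码发送失败!", e);`. Commented-out code should be deleted rather than kept; the same pattern appears in UserLoginController. The enclosing method starts outside the hunk.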

+ 4 - 2
backend/src/main/java/com/jiayue/ssi/controller/UserLoginController.java

@@ -112,6 +112,8 @@ public class UserLoginController {
     public ResponseVO getMailCode(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws CustomException {
         try {
             String username = httpServletRequest.getParameter("username");
+            // 暂存1分钟,防止频繁访问
+            LocalCache.set(CacheConstants.PREVENT_MAIL_CODE + username, username, 60000);
             // 口令保存到服务器
             String mailKey = CacheConstants.MAIL_CODE_KEY + username;
             SysUser sysUser = sysUserService.queryUserName(username);
@@ -120,12 +122,12 @@ public class UserLoginController {
                 String mailRandom = RandomUtil.mailRandom();
                 // uuid存入缓存,失效时间4分钟
                 LocalCache.set(mailKey, mailRandom, 60000 * 4);
-                log.info("动态口令后台输出======> 用户名:"+username+"  动态口令:"+mailRandom);
+                log.info("动态口令后台输出======> 用户名:"+username+"  动态口令:"+mailRandom+"  ");
                 try {
                     String[] mailArray = {AesUtils.decryptStr(sysUser.getMailbox())};
                     sendMailUtil.executeSendMail(mailArray, "邮箱验证码", "口令:" + mailRandom + ",有效期4分钟。");
                 } catch (Exception e) {
-                    log.error("用户名:"+username+",邮箱验证码发送失败!",e);
+//                    log.error("用户名:"+username+",邮箱验证码发送失败!",e);
                     return ResponseVO.fail("邮箱验证码发送失败!");
                 }
             }
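Review bot: The `log.info` line in the second hunk still writes the freshly generated mail code (`mailRandom`) to the application log at INFO level; the change only appends whitespace, so anyone with log access can read the one-time code the email is meant to deliver out of band. Drop the secret from the message: `log.info("动态口令已生成并发送 ======> 用户名:"+username);`. In the first hunk the 60-second throttle entry is written before `queryUserName` has confirmed the user exists, so unknown usernames are throttled too, which is acceptable if intended. The commented-out `log.error` in the inner catch loses the send failure cause; `log.error("邮箱验证码发送失败!", e);` keeps it without the username. `getMailCode` continues outside the hunk.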

+ 11 - 3
backend/src/main/java/com/jiayue/ssi/filter/InterfaceLimitFilter.java

@@ -3,12 +3,11 @@ package com.jiayue.ssi.filter;
 import com.jiayue.ssi.constant.CacheConstants;
 import com.jiayue.ssi.entity.SysBlacklist;
 import com.jiayue.ssi.service.SysBlacklistService;
-import com.jiayue.ssi.util.IPUtils;
-import com.jiayue.ssi.util.InterfaceLimitUtil;
-import com.jiayue.ssi.util.SpringUtils;
+import com.jiayue.ssi.util.*;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.core.annotation.Order;
+import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Component;
 import org.springframework.web.filter.OncePerRequestFilter;
 
@@ -43,6 +42,15 @@ public class InterfaceLimitFilter extends OncePerRequestFilter {
         response.setHeader("Cache-Control", "no-cache='set-cookie'");
         response.setHeader("Pragma", "no-cache");
 
+        String method = request.getMethod();
+        if (!(method.toUpperCase().equals("GET") || method.toUpperCase().equals("POST"))){
+            response.setHeader("Access-Control-Allow-Origin", "*");
+            response.setStatus(405);
+            response.setContentType("text/html;charset=utf-8");
+            response.getWriter().write("方法不允许访问");
+            return;
+        }
+
         checkIp(request,response,filterChain);
     }
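Review bot: The new 405 branch in `doFilterInternal` hard-codes `405` although `HttpStatus` is imported in the same commit, omits the `Allow` header a 405 response is expected to carry, and adds `Access-Control-Allow-Origin: *` to an error page where it serves no purpose; rejecting `OPTIONS` also blocks CORS preflight if the UI is ever served from another origin (not visible here). Suggested: `if (!("GET".equalsIgnoreCase(method) || "POST".equalsIgnoreCase(method))) {` followed by `response.setHeader("Allow", "GET, POST");` and `response.setStatus(HttpStatus.METHOD_NOT_ALLOWED.value());`. Replacing three explicit imports with `com.jiayue.ssi.util.*` in the first hunk is a style regression; import the one newly needed utility by name. `doFilterInternal` starts outside the hunk.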
 

+ 13 - 3
backend/src/main/java/com/jiayue/ssi/filter/MailCodeFilter.java

@@ -35,18 +35,27 @@ public class MailCodeFilter extends OncePerRequestFilter {
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
         try {
+            if ("GET".equalsIgnoreCase(request.getMethod()) && "/getMailCode".equals(request.getServletPath())) {
+                String username = request.getParameter("username");
+                Object preventMailCode = LocalCache.get(CacheConstants.PREVENT_MAIL_CODE + username);
+                if (preventMailCode != null && !"".equals(preventMailCode)) {
+                    ResponseInfo.doResponse(response, "动态口令已发送过,请耐心等待再获取!", 405);
+                    return;
+                }
+            }
             if ("POST".equalsIgnoreCase(request.getMethod()) && defaultFilterProcessUrl.equals(request.getServletPath())) {
                 // 是否需要邮箱口令验证
                 if (true) {
                     // 验证码验证
                     String username = request.getParameter("username");
+                    LocalCache.remove(CacheConstants.PREVENT_MAIL_CODE + username);
                     Object mailCode = LocalCache.get(CacheConstants.MAIL_CODE_KEY + username);
 
                     // 校验服务端验证码
                     if (mailCode == null || "".equals(mailCode)) {
                         // 记录用户失败日志
                         LoginFactory.recordLogininfor(username, Constants.LOGIN_FAIL, "邮箱口令错误");
-                        ResponseInfo.doResponse(response, "邮箱口令无效,需要重新获取!", 401);
+                        ResponseInfo.doResponse(response, "邮箱口令错误!", 401);
                         return;
                     }
                     // 页面录入的邮箱口令
@@ -56,13 +65,13 @@ public class MailCodeFilter extends OncePerRequestFilter {
                     if (StringUtils.isEmpty(mailbox)) {
                         // 记录用户失败日志
                         LoginFactory.recordLogininfor(username, Constants.LOGIN_FAIL, "邮箱口令错误");
-                        ResponseInfo.doResponse(response, "非法访问,邮箱口令错误!", 401);
+                        ResponseInfo.doResponse(response, "邮箱口令错误!", 401);
                         return;
                     }
                     if (mailbox.length() != 6) {
                         // 记录用户失败日志
                         LoginFactory.recordLogininfor(username, Constants.LOGIN_FAIL, "邮箱口令错误");
-                        ResponseInfo.doResponse(response, "需要6位邮箱口令!", 401);
+                        ResponseInfo.doResponse(response, "邮箱口令错误!", 401);
                         return;
                     }
                     if (!String.valueOf(mailCode).toLowerCase().equals(mailbox.toLowerCase())) {
@@ -70,6 +79,7 @@ public class MailCodeFilter extends OncePerRequestFilter {
                         LoginFactory.recordLogininfor(username, Constants.LOGIN_FAIL, "邮箱口令错误");
                         // 删除缓存邮箱口令
                         LocalCache.remove(CacheConstants.MAIL_CODE_KEY + username);
+                        LocalCache.remove(CacheConstants.PREVENT_MAIL_CODE + username);
                         ResponseInfo.doResponse(response, "邮箱口令错误!", 401);
                         return;
                     }
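Review bot: `LocalCache.remove(CacheConstants.PREVENT_MAIL_CODE + username)` at the top of the POST branch runs before the submitted code is validated, so any POST to the login URL, even with an empty code, clears the 60-second throttle set by `getMailCode`; an automated client can pair every `/getMailCode` request with a throwaway login POST and the cap on mail sending no longer holds. If the throttle is meant to limit mail sending, drop that unconditional removal (and the removal on code mismatch in the third hunk, plus the ones added in CustomAuthenticationFailureHandler and CustomAuthenticationSuccessHandler) and let the entry expire on its own; if it is only meant to be cleared after a successful login, keep the success-handler removal alone. The new GET guard also looks up `username` with no empty check, so a missing parameter becomes the key `prevent_mail_codes:null`; reject the request when `StringUtils.isEmpty(username)` (already used in this filter) instead of consulting the cache. `doFilterInternal` continues outside the hunk.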

+ 4 - 4
backend/src/main/java/com/jiayue/ssi/filter/VerifyCodeFilter.java

@@ -48,20 +48,20 @@ public class VerifyCodeFilter extends OncePerRequestFilter {
                 if (uuidObj == null || "".equals(uuidObj)) {
                     // 记录验证码失败日志
                     LoginFactory.recordLogininfor(username, Constants.LOGIN_FAIL, "验证码错误");
-                    ResponseInfo.doResponse(response, "验证码无效,需要重新获取!", 401);
+                    ResponseInfo.doResponse(response, "验证码错误!", 401);
                     return;
                 }
                 // 校验页面验证码
                 if (StringUtils.isEmpty(requestCaptcha)) {
                     // 记录验证码失败日志
                     LoginFactory.recordLogininfor(username, Constants.LOGIN_FAIL, "验证码错误");
-                    ResponseInfo.doResponse(response, "非法访问,验证码错误!", 401);
+                    ResponseInfo.doResponse(response, "验证码错误!", 401);
                     return;
                 }
                 if (requestCaptcha.length() != 4) {
                     // 记录验证码失败日志
                     LoginFactory.recordLogininfor(username, Constants.LOGIN_FAIL, "验证码错误");
-                    ResponseInfo.doResponse(response, "需要4位验证码!", 401);
+                    ResponseInfo.doResponse(response, "验证码错误!", 401);
                     return;
                 }
                 if (!String.valueOf(uuidObj).toLowerCase().equals(requestCaptcha.toLowerCase())) {
@@ -75,7 +75,7 @@ public class VerifyCodeFilter extends OncePerRequestFilter {
             }
             filterChain.doFilter(request, response);
         } catch (Exception e) {
-            ResponseInfo.doResponse(response, "验证码校验失败!", 401);
+            ResponseInfo.doResponse(response, "验证码错误!", 401);
             return;
         }
     }

+ 1 - 0
backend/src/main/java/com/jiayue/ssi/handler/CustomAuthenticationFailureHandler.java

@@ -128,6 +128,7 @@ public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationF
 
         // 删除缓存邮箱口令
         LocalCache.remove(CacheConstants.MAIL_CODE_KEY + username);
+        LocalCache.remove(CacheConstants.PREVENT_MAIL_CODE + username);
         // 清除
         response.addHeader("Access-Control-Allow-Origin", "*");
         response.setContentType("text/html;charset=UTF-8");

+ 1 - 0
backend/src/main/java/com/jiayue/ssi/handler/CustomAuthenticationSuccessHandler.java

@@ -58,6 +58,7 @@ public class CustomAuthenticationSuccessHandler extends SavedRequestAwareAuthent
         String username = request.getParameter("username");
         // 删除缓存邮箱口令
         LocalCache.remove(CacheConstants.MAIL_CODE_KEY + username);
+        LocalCache.remove(CacheConstants.PREVENT_MAIL_CODE + username);
         SysUser sysUser = (SysUser) authentication.getPrincipal();
         sysUser.setErrNum(0);
         sysUser.setLockTime(0L);

+ 1 - 1
backend/src/main/java/com/jiayue/ssi/job/AutoAuditBak.java

@@ -52,7 +52,7 @@ public class AutoAuditBak {
     /**
      * 每月1号3点执行执行一次
      */
-    @Scheduled(cron = "0 0 3 1 * ?")
+    @Scheduled(cron = "0 30 14 * * ?")
     public void auditBak() throws Exception{
         SysPolicy sysPolicy = sysPolicyService.getOne(new QueryWrapper<>());
         // 保留月份数
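Review bot: The cron expression now fires every day at 14:30 while the Javadoc directly above still says 每月1号3点执行执行一次 (monthly on the 1st at 03:00); a daily mid-afternoon trigger on an audit backup job looks like a test schedule committed by mistake. Either restore `@Scheduled(cron = "0 0 3 1 * ?")` or update the Javadoc to match, and consider externalizing it so test runs do not touch source: `@Scheduled(cron = "${ssi.audit-bak.cron:0 0 3 1 * ?}")` (constructed property name). `auditBak` continues outside the hunk.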

+ 1 - 1
backend/src/main/java/com/jiayue/ssi/util/IPUtils.java

@@ -59,7 +59,7 @@ public class IPUtils {
             ip = request.getRemoteAddr();
         }
 
-        return "0:0:0:0:0:0:0:1".equals(ip) ? "127.0.0.1" : getMultistageReverseProxyIp(ip);
+        return "0:0:0:0:0:0:0:1".equals(ip) ? "127.0.0.1" : ip;
     }
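Review bot: Returning `ip` unprocessed instead of `getMultistageReverseProxyIp(ip)` means whatever the earlier part of this method read is now returned verbatim; the method head is outside the hunk, but the `request.getRemoteAddr()` fallback suggests forwarding headers are consulted first, so a comma-separated proxy chain or a client-controlled header value can now reach the blacklist and rate-limit checks in InterfaceLimitFilter unchanged, which the commit message itself notes is unresolved. The robust fix is to use `request.getRemoteAddr()` and honour a forwarding header only when the remote address is a known reverse proxy; if the header path is kept, at least take the first non-blank entry with `ip = ip.split(",")[0].trim();`. `getMultistageReverseProxyIp` may now be unused and can be removed if so.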
 
     /**

+ 7 - 0
ui/src/utils/request.js

@@ -127,6 +127,13 @@ service.interceptors.response.use(
             duration: 5 * 1000
           })
           break
+        case 405:
+          Message({
+            message: error.response.data,
+            type: 'error',
+            duration: 5 * 1000
+          })
+          break
         case 401:
           console.log('用户验证失败!')
           // 返回 401 清除token信息并跳转到登录页面
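Review bot: The new `case 405` shows `error.response.data` straight in the toast; InterfaceLimitFilter writes plain text for this status, but if any 405 body arrives as JSON the user sees `[object Object]`. Guard the type: `message: typeof error.response.data === 'string' ? error.response.data : '请求被拒绝',` (constructed fallback text). Element's `Message` renders the string as text as long as `dangerouslyUseHTMLString` stays unset, which is the right choice for server-supplied text. The interceptor continues outside the hunk.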

+ 5 - 1
ui/src/views/login/index.vue

@@ -240,7 +240,11 @@ export default {
       this.$axios.get(
         '/getMailCode', {params: searchParams}
       ).then((res) => {
-        this.$message.success('邮件发送成功')
+        if (res!=undefined){
+          if (res.code==0){
+            this.$message.success('邮件发送成功')
+          }
+        }
       })
     }, 1000),
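Review bot: `res!=undefined` and `res.code==0` use loose equality and two nested ifs; `if (res && res.code === 0) {` expresses the same check in one line and also covers `null`. A response with a non-zero code now ends silently, so unless the interceptor already surfaces it (not visible here) add an `else` branch that reports the failure to the user. The method starts outside the hunk.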
     // 获取验证码