定时任务目标字符串验证包名白名单

2026-01-27 12:11:56 +08:00 · 2022-01-06 14:58:56 +08:00
parent cde32b45c0
commit c44cf9b9f6
3 changed files with 51 additions and 10 deletions
--- a/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java
+++ b/ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java
@@ -26,6 +26,7 @@ import com.ruoyi.common.security.utils.SecurityUtils;
 import com.ruoyi.job.domain.SysJob;
 import com.ruoyi.job.service.ISysJobService;
 import com.ruoyi.job.util.CronUtils;
+import com.ruoyi.job.util.ScheduleUtils;

 /**
 * 调度任务信息操作处理
@@ -88,20 +89,24 @@ public class SysJobController extends BaseController
        }
        else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_RMI))
        {
-            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'rmi:'调用");
+            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'rmi'调用");
        }
-        else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_LDAP))
+        else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.LOOKUP_LDAP, Constants.LOOKUP_LDAPS }))
        {
-            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'ldap:'调用");
+            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'ldap'调用");
        }
        else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS }))
        {
-            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'http(s)//'调用");
+            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'http(s)'调用");
        }
        else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
        {
            return error("新增任务'" + job.getJobName() + "'失败，目标字符串存在违规");
        }
+        else if (!ScheduleUtils.whiteList(job.getInvokeTarget()))
+        {
+            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不在白名单内");
+        }
        job.setCreateBy(SecurityUtils.getUsername());
        return toAjax(jobService.insertJob(job));
    }
@@ -120,20 +125,24 @@ public class SysJobController extends BaseController
        }
        else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_RMI))
        {
-            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'rmi:'调用");
+            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'rmi'调用");
        }
-        else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_LDAP))
+        else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.LOOKUP_LDAP, Constants.LOOKUP_LDAPS }))
        {
-            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'ldap:'调用");
+            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'ldap'调用");
        }
        else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS }))
        {
-            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'http(s)//'调用");
+            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'http(s)'调用");
        }
        else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
        {
            return error("修改任务'" + job.getJobName() + "'失败，目标字符串存在违规");
        }
+        else if (!ScheduleUtils.whiteList(job.getInvokeTarget()))
+        {
+            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不在白名单内");
+        }
        job.setUpdateBy(SecurityUtils.getUsername());
        return toAjax(jobService.updateJob(job));
    }