diff --git a/maxkey-core/src/main/java/org/maxkey/util/StringUtils.java b/maxkey-core/src/main/java/org/maxkey/util/StringUtils.java index 24fbbbc9..2ccd17be 100644 --- a/maxkey-core/src/main/java/org/maxkey/util/StringUtils.java +++ b/maxkey-core/src/main/java/org/maxkey/util/StringUtils.java @@ -518,4 +518,33 @@ public final class StringUtils { return flag; } + public static ArrayList sqlInjection = null; + + static{ + sqlInjection = new ArrayList(); + sqlInjection.add("--"); + sqlInjection.add(";"); + sqlInjection.add("/"); + sqlInjection.add("\\"); + sqlInjection.add("#"); + sqlInjection.add("drop"); + sqlInjection.add("create"); + sqlInjection.add("delete"); + sqlInjection.add("alter"); + sqlInjection.add("truncate"); + sqlInjection.add("update"); + sqlInjection.add("insert"); + sqlInjection.add("and"); + sqlInjection.add("or"); + } + + public static boolean filtersSQLInjection(String filters) { + for(String s : sqlInjection) { + if(filters.indexOf(s)>-1) { + return true; + } + } + return false; + } + } diff --git a/maxkey-persistence/src/main/java/org/maxkey/persistence/service/GroupsService.java b/maxkey-persistence/src/main/java/org/maxkey/persistence/service/GroupsService.java index f35ef818..c1d8cc8c 100644 --- a/maxkey-persistence/src/main/java/org/maxkey/persistence/service/GroupsService.java +++ b/maxkey-persistence/src/main/java/org/maxkey/persistence/service/GroupsService.java 
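Review bot: `sqlInjection` is declared as a raw `ArrayList`, so `for(String s : sqlInjection)` iterates `Object` and should not compile as written; it is also a public mutable static, so any caller can empty the list and disable the check. Beyond that, bare `indexOf` on `and`/`or` rejects legitimate values such as `android` or a department called `Brand`, while `union`, `select`, `sleep(`, `'` and `"` pass straight through, and a denylist cannot make the `${filters}` text substitution in the mapper safe, so this can only be defence in depth. A null `filters` also throws from `indexOf`. I would make the list private and immutable, match keywords on word boundaries, and guard null, as below (needs `java.util.regex.Pattern`).
```java
/** Denylist applied to user-supplied dynamic-group filters; ASCII case-insensitive so the caller need not lower-case. */
private static final Pattern SQL_INJECTION = Pattern.compile(
        "--|[;/\\\\#'\"]|\\b(drop|create|delete|alter|truncate|update|insert|and|or|union|select)\\b",
        Pattern.CASE_INSENSITIVE);

/** Returns true when {@code filters} is null or contains a denylisted token; defence in depth only. */
public static boolean filtersSQLInjection(String filters) {
    return filters == null || SQL_INJECTION.matcher(filters).find();
}
```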
@@ -22,13 +22,16 @@ import java.util.List; import org.apache.mybatis.jpa.persistence.JpaBaseService; import org.maxkey.domain.Groups; import org.maxkey.persistence.mapper.GroupsMapper; +import org.maxkey.util.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Service; @Service public class GroupsService extends JpaBaseService{ - + final static Logger _logger = LoggerFactory.getLogger(GroupsService.class); @Autowired @Qualifier("groupMemberService") GroupMemberService groupMemberService; @@ -62,10 +65,22 @@ public class GroupsService extends JpaBaseService{ if(dynamicGroup.getOrgIdsList()!=null && !dynamicGroup.getOrgIdsList().equals("")) { dynamicGroup.setOrgIdsList("'"+dynamicGroup.getOrgIdsList().replace(",", "','")+"'"); } + String filters = dynamicGroup.getFilters(); + if(StringUtils.filtersSQLInjection(filters.toLowerCase())) { + _logger.info("filters include SQL Injection Attack Risk."); + return; + } + + filters = filters.replace("&", " AND "); + filters = filters.replace("|", " OR "); + + dynamicGroup.setFilters(filters); groupMemberService.deleteDynamicGroupMember(dynamicGroup); groupMemberService.addDynamicGroupMember(dynamicGroup); } } + + } diff --git a/maxkey-persistence/src/main/java/org/maxkey/persistence/service/RolesService.java b/maxkey-persistence/src/main/java/org/maxkey/persistence/service/RolesService.java index 631a5cae..0d5db580 100644 --- a/maxkey-persistence/src/main/java/org/maxkey/persistence/service/RolesService.java +++ b/maxkey-persistence/src/main/java/org/maxkey/persistence/service/RolesService.java 
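Review bot: `filters.toLowerCase()` dereferences `getFilters()` without the null guard that `getOrgIdsList()` gets two lines above, so a group saved without a filter throws here, and `toLowerCase()` without a locale turns `INSERT` into `ınsert` under a Turkish default locale, which the denylist then misses. The check also cannot stop what it is meant to stop: `1=1)&sleep(5)` contains no denied token, and the next line rewrites it to `1=1) AND sleep(5)` before it reaches `${filters}` in the mapper. I would write `if (filters == null || StringUtils.filtersSQLInjection(filters.toLowerCase(Locale.ROOT))) { _logger.warn("dynamic group filters rejected: {}", filters); return; }` and log at warn, since a rejected filter is a security event, but the real fix is to whitelist the filter grammar rather than deny tokens. The enclosing method starts outside the hunk.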
@@ -23,13 +23,17 @@ import org.apache.mybatis.jpa.persistence.JpaBaseService; import org.maxkey.domain.RolePermissions; import org.maxkey.domain.Roles; import org.maxkey.persistence.mapper.RolesMapper; +import org.maxkey.util.StringUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Service; @Service public class RolesService extends JpaBaseService{ - + final static Logger _logger = LoggerFactory.getLogger(RolesService.class); + @Autowired @Qualifier("roleMemberService") RoleMemberService roleMemberService; @@ -74,6 +78,17 @@ public class RolesService extends JpaBaseService{ dynamicRole.setOrgIdsList("'"+dynamicRole.getOrgIdsList().replace(",", "','")+"'"); } + String filters = dynamicRole.getFilters(); + if(StringUtils.filtersSQLInjection(filters.toLowerCase())) { + _logger.info("filters include SQL Injection Attack Risk."); + return; + } + + filters = filters.replace("&", " AND "); + filters = filters.replace("|", " OR "); + + dynamicRole.setFilters(filters); + roleMemberService.deleteDynamicRoleMember(dynamicRole); roleMemberService.addDynamicRoleMember(dynamicRole); } diff --git a/maxkey-persistence/src/main/resources/org/maxkey/persistence/mapper/xml/mysql/GroupMemberMapper.xml b/maxkey-persistence/src/main/resources/org/maxkey/persistence/mapper/xml/mysql/GroupMemberMapper.xml index be2727dd..5a264315 100644 --- a/maxkey-persistence/src/main/resources/org/maxkey/persistence/mapper/xml/mysql/GroupMemberMapper.xml +++ b/maxkey-persistence/src/main/resources/org/maxkey/persistence/mapper/xml/mysql/GroupMemberMapper.xml @@ -227,7 +227,7 @@ AND GM.TYPE='USER-DYNAMIC' ) - ${filters} + AND (${filters}) AND U.DEPARTMENTID IN( ${orgIdsList}) 
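Review bot: This validation-and-rewrite block is a verbatim copy of the one added to `GroupsService` in the same commit, so the two will drift the first time the denylist or the `&`/`|` grammar is tightened; move it into one helper such as `StringUtils.normalizeFilters(String)` that returns `null` on rejection and call it from both services. The silent `return` also leaves the role's dynamic members stale without telling the caller; at minimum log at warn with the role's identifier instead of `_logger.info`, or throw so the UI can report the rejected filter. The enclosing method starts and appears to end outside the hunk.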
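Review bot: `AND (${filters})` still uses MyBatis `${}` text substitution, so the added parentheses neutralise nothing: a value such as `1=1) UNION SELECT ...` contains no token from the service-side denylist and is spliced verbatim into the statement; only `#{}` binds parameters. A free-form filter cannot be bound as a whole, so the durable fix is to parse it in the service into (column, operator, literal) triples, check column and operator against fixed whitelists, and render each literal with `#{}` inside a `<foreach>`. Also, unless this fragment sits inside an `<if test="filters != null and filters != ''">` that the hunk does not show, an empty filter now renders `AND ()` and breaks the query. The enclosing `<select>` starts outside the hunk.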
@@ -244,10 +244,10 @@ WHERE 1 = 1 AND U.ID=GM.MEMBERID - ${filters} + AND (${filters}) - AND U.DEPARTMENTID IN( ${orgIdsList}) + AND U.DEPARTMENTID IN ( ${orgIdsList}) ) diff --git a/maxkey-web-manage/src/main/resources/static/css/base.css b/maxkey-web-manage/src/main/resources/static/css/base.css index 6d1a1f46..1e16b2d3 100644 --- a/maxkey-web-manage/src/main/resources/static/css/base.css +++ b/maxkey-web-manage/src/main/resources/static/css/base.css @@ -148,7 +148,7 @@ header .header-container .nav-left>li, .header .header-container .nav-right>li { } .page-container .main-content { - padding: calc(50px + 35px) 15px 15px; + padding: calc(35px + 35px) 15px 15px; min-height: calc(100vh - 65px); background: #e6e8ea; width: 100%; @@ -178,13 +178,17 @@ header .header-container .nav-left>li, .header .header-container .nav-right>li { } .breadcrumb-wrapper { - margin-bottom: 20px; + margin-bottom: 10px; display: flex; -webkit-box-align: center; -ms-flex-align: center; align-items: center; } +.content-wrapper { + padding-top: 15px; +} + .breadcrumb-wrapper .breadcrumb li { display: inline-block; font-size: 14px; diff --git a/maxkey-web-manage/src/main/resources/templates/views/accounts/appAccountsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/accounts/appAccountsList.ftl index 7e543102..cb21de7f 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/accounts/appAccountsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/accounts/appAccountsList.ftl @@ -33,7 +33,7 @@
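Review bot: `${orgIdsList}` on the whitespace-changed line is built in `GroupsService` (earlier hunk) as `"'" + ids.replace(",", "','") + "'"`, so a department id containing `'` escapes the quoted list and is spliced in unparameterised; the `IN (` spacing change here does not alter that. Pass the ids as a real `List<String>` and render them with `<foreach collection="orgIdsList" item="id" open="(" separator="," close=")">#{id}</foreach>` so each id is bound. The enclosing `<select>` starts outside the hunk.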
- +
@@ -113,6 +113,7 @@
+
diff --git a/maxkey-web-manage/src/main/resources/templates/views/apps/appsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/apps/appsList.ftl index 14c1e5e0..bdabac6b 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/apps/appsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/apps/appsList.ftl @@ -111,6 +111,7 @@
+
@@ -209,6 +210,7 @@
+
<#include "../layout/footer.ftl"/>
diff --git a/maxkey-web-manage/src/main/resources/templates/views/config/passwordpolicy/passwordpolicy.ftl b/maxkey-web-manage/src/main/resources/templates/views/config/passwordpolicy/passwordpolicy.ftl index 09efc8ab..6015df84 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/config/passwordpolicy/passwordpolicy.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/config/passwordpolicy/passwordpolicy.ftl @@ -57,6 +57,7 @@
+
@@ -241,6 +242,7 @@
+
<#include "../../layout/footer.ftl"/>
diff --git a/maxkey-web-manage/src/main/resources/templates/views/groupapp/groupAppsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/groupapp/groupAppsList.ftl index 6d56f052..7d25ee8b 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/groupapp/groupAppsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/groupapp/groupAppsList.ftl @@ -58,6 +58,7 @@
+
@@ -140,7 +141,7 @@
<#include "../layout/footer.ftl"/>
- +
diff --git a/maxkey-web-manage/src/main/resources/templates/views/groups/groupsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/groups/groupsList.ftl index d7067b2b..0cb5b96c 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/groups/groupsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/groups/groupsList.ftl @@ -37,6 +37,7 @@
+
@@ -113,6 +114,7 @@
+
<#include "../layout/footer.ftl"/>
diff --git a/maxkey-web-manage/src/main/resources/templates/views/groupuser/groupUsersList.ftl b/maxkey-web-manage/src/main/resources/templates/views/groupuser/groupUsersList.ftl index c5eef799..897967d6 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/groupuser/groupUsersList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/groupuser/groupUsersList.ftl @@ -57,6 +57,7 @@
+
@@ -151,7 +152,7 @@
- +
diff --git a/maxkey-web-manage/src/main/resources/templates/views/layout/top.ftl b/maxkey-web-manage/src/main/resources/templates/views/layout/top.ftl index 1909bcd6..501c2a4a 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/layout/top.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/layout/top.ftl @@ -11,28 +11,22 @@ <@locale code="global.application"/> diff --git a/maxkey-web-manage/src/main/resources/templates/views/logs/loginAppsHistoryList.ftl b/maxkey-web-manage/src/main/resources/templates/views/logs/loginAppsHistoryList.ftl index 685c5ffe..d84ec8c3 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/logs/loginAppsHistoryList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/logs/loginAppsHistoryList.ftl @@ -37,7 +37,7 @@
- +
@@ -121,6 +121,7 @@
+
diff --git a/maxkey-web-manage/src/main/resources/templates/views/logs/loginHistoryList.ftl b/maxkey-web-manage/src/main/resources/templates/views/logs/loginHistoryList.ftl index 5e53807b..574cb6c3 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/logs/loginHistoryList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/logs/loginHistoryList.ftl @@ -37,7 +37,7 @@
- +
@@ -130,6 +130,7 @@
+
diff --git a/maxkey-web-manage/src/main/resources/templates/views/logs/logsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/logs/logsList.ftl index dc580b3e..53cd05f6 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/logs/logsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/logs/logsList.ftl @@ -37,7 +37,7 @@
- +
@@ -124,6 +124,7 @@
+
diff --git a/maxkey-web-manage/src/main/resources/templates/views/main.ftl b/maxkey-web-manage/src/main/resources/templates/views/main.ftl index 049059f7..e66af222 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/main.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/main.ftl @@ -41,10 +41,10 @@
-
+
-
-
+
+
@@ -54,8 +54,8 @@
-
-
+
+
@@ -65,8 +65,8 @@
-
-
+
+
@@ -76,8 +76,8 @@
-
-
+
+
diff --git a/maxkey-web-manage/src/main/resources/templates/views/orgs/orgsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/orgs/orgsList.ftl index ac458090..f76cb8ea 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/orgs/orgsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/orgs/orgsList.ftl @@ -163,7 +163,7 @@ $(function () {
- +
@@ -249,10 +249,11 @@ $(function () {
+
<#include "../layout/footer.ftl"/>
- +
diff --git a/maxkey-web-manage/src/main/resources/templates/views/permissions/permissionsList.ftl b/maxkey-web-manage/src/main/resources/templates/views/permissions/permissionsList.ftl index 0a960948..bf52a153 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/permissions/permissionsList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/permissions/permissionsList.ftl @@ -232,6 +232,7 @@ $('#datagrid').on('click-row.bs.table', function (row, element, field) {
+
@@ -314,6 +315,7 @@ $('#datagrid').on('click-row.bs.table', function (row, element, field) {
+
<#include "../layout/footer.ftl"/>
diff --git a/maxkey-web-manage/src/main/resources/templates/views/resources/resourcesList.ftl b/maxkey-web-manage/src/main/resources/templates/views/resources/resourcesList.ftl index 869a97a7..51184538 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/resources/resourcesList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/resources/resourcesList.ftl @@ -163,6 +163,7 @@ $(function () {
+
@@ -254,12 +255,12 @@ $(function () {
+
<#include "../layout/footer.ftl"/>
-
diff --git a/maxkey-web-manage/src/main/resources/templates/views/roles/rolesList.ftl b/maxkey-web-manage/src/main/resources/templates/views/roles/rolesList.ftl index 3355fa5b..f1d46775 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/roles/rolesList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/roles/rolesList.ftl @@ -36,6 +36,7 @@
+
@@ -112,10 +113,10 @@
+
<#include "../layout/footer.ftl"/>
-
diff --git a/maxkey-web-manage/src/main/resources/templates/views/roleusers/roleUsersList.ftl b/maxkey-web-manage/src/main/resources/templates/views/roleusers/roleUsersList.ftl index 1f21b597..bc7227e0 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/roleusers/roleUsersList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/roleusers/roleUsersList.ftl @@ -57,6 +57,7 @@
+
@@ -146,10 +147,11 @@
+
<#include "../layout/footer.ftl"/>
- +
diff --git a/maxkey-web-manage/src/main/resources/templates/views/userinfo/usersList.ftl b/maxkey-web-manage/src/main/resources/templates/views/userinfo/usersList.ftl index 0fdf514a..8992d01e 100644 --- a/maxkey-web-manage/src/main/resources/templates/views/userinfo/usersList.ftl +++ b/maxkey-web-manage/src/main/resources/templates/views/userinfo/usersList.ftl @@ -177,7 +177,7 @@ $(function () {
- +
@@ -292,6 +292,7 @@ $(function () {
+