优化西宁浦发银行 渗透测试漏洞解决

wuxw

2023-10-23 16d1b061d8462aa5da6792cd65e36819b21f9d3f

 service-user/src/main/java/com/java110/user/cmd/user/UserSendSmsCmd.java

@@ -13,7 +13,9 @@
import com.java110.intf.user.IUserInnerServiceSMO;
import com.java110.utils.cache.CommonCache;
import com.java110.utils.cache.MappingCache;
import com.java110.utils.constant.MappingConstant;
import com.java110.utils.exception.CmdException;
import com.java110.utils.lock.DistributedLock;
import com.java110.utils.util.Assert;
import com.java110.utils.util.StringUtil;
import com.java110.utils.util.ValidatorUtil;
@@ -50,23 +52,32 @@
            throw new IllegalArgumentException("手机号格式错误");
        }

        //校验是否有有效的验证码
        String smsCode = CommonCache.getValue(reqJson.getString("tel") + SendSmsFactory.VALIDATE_CODE);
        String requestId = DistributedLock.getLockUUID();
        String key = this.getClass().getSimpleName() + reqJson.getString("tel");
        try {
            DistributedLock.waitGetDistributedLock(key, requestId);
            //校验是否有有效的验证码
            String smsCode = CommonCache.getValue(reqJson.getString("tel") + SendSmsFactory.VALIDATE_CODE);

        if (!StringUtil.isEmpty(smsCode) && smsCode.contains("-")) {
            long oldTime = Long.parseLong(smsCode.substring(smsCode.indexOf("-"), smsCode.length()));
            long nowTime = new Date().getTime();
            if (nowTime - oldTime < 1000 * 60 * 2) {
                throw new IllegalArgumentException("请不要重复发送验证码");
            if (!StringUtil.isEmpty(smsCode) && smsCode.contains("-")) {
                long oldTime = Long.parseLong(smsCode.substring(smsCode.indexOf("-") + 1, smsCode.length()));
                long nowTime = new Date().getTime();
                if (nowTime - oldTime < 1000 * 60 * 2) {
                    throw new IllegalArgumentException("请不要重复发送验证码");
                }
            }
        } finally {
            //清理事务信息
            DistributedLock.releaseDistributedLock(key, requestId);
        }

    }

    @Override
    public void doCmd(CmdEvent event, ICmdDataFlowContext context, JSONObject reqJson) throws CmdException {
        String tel = reqJson.getString("tel");
        String captchaType = reqJson.getString("captchaType");
        if(!StringUtil.isEmpty(captchaType) && "ownerBinding".equals(captchaType)){
        if (!StringUtil.isEmpty(captchaType) && "ownerBinding".equals(captchaType)) {
            OwnerDto ownerDto = new OwnerDto();
            ownerDto.setCommunityId(reqJson.getString("communityId"));
            ownerDto.setName(reqJson.getString("appUserName"));
@@ -75,21 +86,21 @@
            //取出开关映射的值
            String val = MappingCache.getValue(DOMAIN_COMMON, ID_CARD_SWITCH);
            //取出身份证
            String idCardErrorMsg ="";
            String idCardErrorMsg = "";
            String idCard = reqJson.getString("idCard");
            if ("1".equals(val) && !StringUtil.isEmpty(idCard)) {
                ownerDto.setIdCard(idCard);
                idCardErrorMsg="或者身份证号";
                idCardErrorMsg = "或者身份证号";
            }
            List<OwnerDto> ownerDtos = ownerInnerServiceSMOImpl.queryOwnerMembers(ownerDto);
            Assert.listOnlyOne(ownerDtos, "填写业主信息错误，请确认，预留业主姓名、手机号"+idCardErrorMsg+"信息是否正确！");
            Assert.listOnlyOne(ownerDtos, "填写业主信息错误，请确认，预留业主姓名、手机号" + idCardErrorMsg + "信息是否正确！");
        }
        //校验是否传了 分页信息
        String msgCode = SendSmsFactory.generateMessageCode(6);
        SmsDto smsDto = new SmsDto();
        smsDto.setTel(tel);
        smsDto.setCode(msgCode);
        if ("ON".equals(MappingCache.getValue(SendSmsFactory.SMS_SEND_SWITCH))) {
        if ("ON".equals(MappingCache.getValue(MappingConstant.SMS_DOMAIN, SendSmsFactory.SMS_SEND_SWITCH))) {
            smsDto = smsInnerServiceSMOImpl.send(smsDto);
        } else {
            CommonCache.setValue(smsDto.getTel() + SendSmsFactory.VALIDATE_CODE, smsDto.getCode().toLowerCase() + "-" + new Date().getTime(), CommonCache.defaultExpireTime);