
The WebLogAspect aspect class in the mall-common module may leak sensitive information

Open · BACMiao opened this issue 3 years ago · 1 comment

Hello, we are using your project as a test sample for our static code analysis tool. We found that in the mall-common module, in the method com.macro.mall.common.log.WebLogAspect.doAround(ProceedingJoinPoint joinPoint), the logging statement on the third-to-last line (line 89 in the source), LOGGER.info(Markers.appendEntries(logMap), JSONUtil.parse(webLog).toString());, may leak sensitive information.

```java
    @Around("webLog()")
    public Object doAround(ProceedingJoinPoint joinPoint) throws Throwable {
        long startTime = System.currentTimeMillis();
        // Obtain the current request object
        ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        HttpServletRequest request = attributes.getRequest();
        // Record request information (shipped to Elasticsearch via Logstash)
        WebLog webLog = new WebLog();
        Object result = joinPoint.proceed();
        Signature signature = joinPoint.getSignature();
        MethodSignature methodSignature = (MethodSignature) signature;
        Method method = methodSignature.getMethod();
        if (method.isAnnotationPresent(ApiOperation.class)) {
            ApiOperation log = method.getAnnotation(ApiOperation.class);
            webLog.setDescription(log.value());
        }
        long endTime = System.currentTimeMillis();
        String urlStr = request.getRequestURL().toString();
        webLog.setBasePath(StrUtil.removeSuffix(urlStr, URLUtil.url(urlStr).getPath()));
        webLog.setIp(request.getRemoteUser());
        webLog.setMethod(request.getMethod());
        // All controller arguments, including credentials, are collected here
        webLog.setParameter(getParameter(method, joinPoint.getArgs()));
        webLog.setResult(result);
        webLog.setSpendTime((int) (endTime - startTime));
        webLog.setStartTime(startTime);
        webLog.setUri(request.getRequestURI());
        webLog.setUrl(request.getRequestURL().toString());
        Map<String, Object> logMap = new HashMap<>();
        logMap.put("url", webLog.getUrl());
        logMap.put("method", webLog.getMethod());
        logMap.put("parameter", webLog.getParameter());
        logMap.put("spendTime", webLog.getSpendTime());
        logMap.put("description", webLog.getDescription());
//        LOGGER.info("{}", JSONUtil.parse(webLog));
        // The whole WebLog object, parameters and result included, is serialized into the log line
        LOGGER.info(Markers.appendEntries(logMap), JSONUtil.parse(webLog).toString());
        return result;
    }
```

This AOP method intercepts every controller method and, via joinPoint.getArgs(), obtains all user input (such as username and password). This sensitive data flows through to the logging statement and is printed to the log file and the console, leaking sensitive information. The actual output after deploying and running this example is as follows:

```text
2021-04-07 16:51:23.881 DEBUG 405252 --- [nio-8080-exec-2] c.m.m.m.UmsAdminMapper.selectByExample   : ==>  Preparing: select id, username, password, icon, email, nick_name, note, create_time, login_time, status from ums_admin WHERE ( username = ? )
2021-04-07 16:51:23.881 DEBUG 405252 --- [nio-8080-exec-2] c.m.m.m.UmsAdminMapper.selectByExample   : ==> Parameters: 123(String)
2021-04-07 16:51:23.883 DEBUG 405252 --- [nio-8080-exec-2] c.m.m.m.UmsAdminMapper.selectByExample   : <==      Total: 0
2021-04-07 16:51:23.884  WARN 405252 --- [nio-8080-exec-2] c.m.m.service.impl.UmsAdminServiceImpl   : 登录异常:用户名或密码错误 
2021-04-07 16:51:23.915  INFO 405252 --- [nio-8080-exec-2] com.macro.mall.common.log.WebLogAspect   : {"method":"POST","description":"登录以后返回token","uri":"/admin/login","url":"http://localhost:8080/admin/login","result":{"code":404,"message":"用户名或密码错误"},"basePath":"http://localhost:8080","parameter":{"password":"456","username":"123"},"startTime":1617785483846,"spendTime":39}
```

BACMiao · Apr 13 '21 04:04
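One way to close the leak described in the report above, as an added example that is not part of the mall project: redact a deny-list of parameter names before the map reaches the logger. The deny-list, the class and the helper name are assumptions; in the aspect it would wrap the values passed to webLog.setParameter and webLog.setResult (the login endpoint's description says it returns a token, so the result needs the same treatment).

```java
import java.util.*;

/** Added example (not mall's own code): masks sensitive entries before WebLogAspect logs them. */
public class WebLogRedactor {
    // Assumed deny-list; the issue only demonstrates the leak of username/password.
    private static final Set<String> SENSITIVE_KEYS = new HashSet<>(Arrays.asList(
            "password", "oldpassword", "newpassword", "token", "authorization", "secret"));
    private static final String MASK = "******";

    /**
     * Returns a deep copy of value in which map entries whose key is on the deny-list
     * (case-insensitive) are replaced by MASK. Nested maps and collections are walked,
     * so credentials inside a request DTO rendered as a map are caught as well.
     */
    public static Object redact(Object value) {
        if (value instanceof Map) {
            Map<String, Object> out = new LinkedHashMap<>();
            for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
                String key = String.valueOf(e.getKey());
                boolean sensitive = SENSITIVE_KEYS.contains(key.toLowerCase(Locale.ROOT));
                out.put(key, sensitive ? MASK : redact(e.getValue()));
            }
            return out;
        }
        if (value instanceof Collection) {
            List<Object> out = new ArrayList<>();
            for (Object item : (Collection<?>) value) {
                out.add(redact(item));
            }
            return out;
        }
        return value; // scalars (String, Number, Boolean, null) pass through unchanged
    }

    public static void main(String[] args) {
        // Constructed input mirroring the "parameter" object in the issue's log line
        Map<String, Object> parameter = new LinkedHashMap<>();
        parameter.put("username", "123");
        parameter.put("password", "456");
        Map<String, Object> logMap = new HashMap<>();
        // In the aspect this would replace logMap.put("parameter", webLog.getParameter())
        logMap.put("parameter", redact(parameter));
        System.out.println(logMap);
    }
}
```

Masking by key name is a safety net, not a substitute for keeping credentials out of the log path altogether; a field renamed by a later refactor silently escapes the deny-list.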

The frontend sends the password in plaintext????

ohpder · Jan 04 '22 08:01