mall
The WebLogAspect aspect class in the mall-common module may cause information leakage
Hello,

We are using your project as a test sample for our static code analysis tool, and we found that the logging statement on the third-to-last line (line 89 in the source) of the method
com.macro.mall.common.log.WebLogAspect.doAround(ProceedingJoinPoint joinPoint)
in the mall-common module,
LOGGER.info(Markers.appendEntries(logMap), JSONUtil.parse(webLog).toString());
may leak sensitive information.
```java
@Around("webLog()")
public Object doAround(ProceedingJoinPoint joinPoint) throws Throwable {
    long startTime = System.currentTimeMillis();
    // Get the current request object
    ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
    HttpServletRequest request = attributes.getRequest();
    // Record request information (shipped to Elasticsearch via Logstash)
    WebLog webLog = new WebLog();
    Object result = joinPoint.proceed();
    Signature signature = joinPoint.getSignature();
    MethodSignature methodSignature = (MethodSignature) signature;
    Method method = methodSignature.getMethod();
    if (method.isAnnotationPresent(ApiOperation.class)) {
        ApiOperation log = method.getAnnotation(ApiOperation.class);
        webLog.setDescription(log.value());
    }
    long endTime = System.currentTimeMillis();
    String urlStr = request.getRequestURL().toString();
    webLog.setBasePath(StrUtil.removeSuffix(urlStr, URLUtil.url(urlStr).getPath()));
    // Note: getRemoteUser() returns the authenticated principal name (or null), not the client address
    webLog.setIp(request.getRemoteUser());
    webLog.setMethod(request.getMethod());
    // joinPoint.getArgs() holds the raw controller arguments, credentials included
    webLog.setParameter(getParameter(method, joinPoint.getArgs()));
    // The controller's return value is stored unfiltered as well
    webLog.setResult(result);
    webLog.setSpendTime((int) (endTime - startTime));
    webLog.setStartTime(startTime);
    webLog.setUri(request.getRequestURI());
    webLog.setUrl(request.getRequestURL().toString());
    Map<String, Object> logMap = new HashMap<>();
    logMap.put("url", webLog.getUrl());
    logMap.put("method", webLog.getMethod());
    logMap.put("parameter", webLog.getParameter());
    logMap.put("spendTime", webLog.getSpendTime());
    logMap.put("description", webLog.getDescription());
    // LOGGER.info("{}", JSONUtil.parse(webLog));
    // Serializes the whole WebLog, parameters and result included, into the log message
    LOGGER.info(Markers.appendEntries(logMap), JSONUtil.parse(webLog).toString());
    return result;
}
```
While intercepting every controller method, this AOP method also obtains all user input (such as the username and password) via joinPoint.getArgs(). This sensitive information is carried along the data flow and printed to the log file and the console, leaking sensitive information.

After deploying and actually running this example, the printed output is as follows:
```
2021-04-07 16:51:23.881 DEBUG 405252 --- [nio-8080-exec-2] c.m.m.m.UmsAdminMapper.selectByExample : ==> Preparing: select id, username, password, icon, email, nick_name, note, create_time, login_time, status from ums_admin WHERE ( username = ? )
2021-04-07 16:51:23.881 DEBUG 405252 --- [nio-8080-exec-2] c.m.m.m.UmsAdminMapper.selectByExample : ==> Parameters: 123(String)
2021-04-07 16:51:23.883 DEBUG 405252 --- [nio-8080-exec-2] c.m.m.m.UmsAdminMapper.selectByExample : <== Total: 0
2021-04-07 16:51:23.884 WARN 405252 --- [nio-8080-exec-2] c.m.m.service.impl.UmsAdminServiceImpl : Login exception: wrong username or password
2021-04-07 16:51:23.915 INFO 405252 --- [nio-8080-exec-2] com.macro.mall.common.log.WebLogAspect : {"method":"POST","description":"Returns a token after login","uri":"/admin/login","url":"http://localhost:8080/admin/login","result":{"code":404,"message":"Wrong username or password"},"basePath":"http://localhost:8080","parameter":{"password":"456","username":"123"},"startTime":1617785483846,"spendTime":39}
```
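One way to close the leak described in the report is to redact credential-like fields before the argument object is handed to `webLog.setParameter(...)`. Because `logMap.put("parameter", webLog.getParameter())` reads the value back from `webLog`, masking at that single point covers both the Logstash marker and the JSON message. The same should be applied to `webLog.setResult(result)`, since the endpoint's description says a successful call returns a token. The class below is an added example, not code from the mall project: it walks a parameter object (Map, Collection, array or plain DTO via reflection) and replaces any field whose name matches an assumed list of sensitive names with a fixed mask. `LoginParam` is a constructed stand-in for the project's login DTO so the example runs without mall on the classpath; in the aspect the call would be `webLog.setParameter(SensitiveParamRedactor.redact(getParameter(method, joinPoint.getArgs())))`, and `JSONUtil.parse(webLog)` then serializes the returned Map instead of the raw object.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (not mall's own code): produces a log-safe copy of a request
 * parameter object in which credential-like fields are replaced by a fixed mask.
 */
public class SensitiveParamRedactor {

    // Field/key names that must never reach a log line. This list is an assumption;
    // a project would extend it to the field names used by its own DTOs.
    private static final Pattern SENSITIVE = Pattern.compile(
            "(?i)^(password|passwd|pwd|oldPassword|newPassword|token|secret|authCode|creditCard|cvv)$");
    private static final String MASK = "******";
    private static final int MAX_DEPTH = 8; // guards against cyclic object graphs

    /** Returns a copy of {@code value} with sensitive fields masked; leaves scalars untouched. */
    public static Object redact(Object value) {
        return redact(value, 0);
    }

    private static Object redact(Object value, int depth) {
        if (value == null || isLeaf(value)) {
            return value;
        }
        if (depth > MAX_DEPTH) {
            return "<max depth reached>";
        }
        if (value instanceof Map) {
            Map<String, Object> out = new LinkedHashMap<>();
            for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
                String key = String.valueOf(e.getKey());
                out.put(key, maskOrRecurse(key, e.getValue(), depth));
            }
            return out;
        }
        if (value instanceof Collection) {
            List<Object> out = new ArrayList<>();
            for (Object item : (Collection<?>) value) {
                out.add(redact(item, depth + 1));
            }
            return out;
        }
        if (value instanceof Object[]) {
            // joinPoint.getArgs() is an Object[]; treat it like a list of arguments
            return redact(Arrays.asList((Object[]) value), depth);
        }
        if (value.getClass().isArray()) {
            return value; // primitive arrays carry no field names and are passed through
        }
        // Plain Java object (e.g. a login DTO): walk its instance fields, inherited ones included
        Map<String, Object> out = new LinkedHashMap<>();
        for (Class<?> c = value.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            for (Field f : c.getDeclaredFields()) {
                if (Modifier.isStatic(f.getModifiers()) || f.isSynthetic()) {
                    continue;
                }
                f.setAccessible(true);
                Object fieldValue;
                try {
                    fieldValue = f.get(value);
                } catch (IllegalAccessException ex) {
                    fieldValue = "<inaccessible>";
                }
                out.put(f.getName(), maskOrRecurse(f.getName(), fieldValue, depth));
            }
        }
        return out;
    }

    // A sensitive name is masked outright; anything else is descended into
    private static Object maskOrRecurse(String name, Object value, int depth) {
        return SENSITIVE.matcher(name).matches() ? MASK : redact(value, depth + 1);
    }

    private static boolean isLeaf(Object v) {
        return v instanceof CharSequence || v instanceof Number || v instanceof Boolean
                || v instanceof Character || v instanceof Enum || v instanceof Date
                || v.getClass().getName().startsWith("java.time.");
    }

    // Constructed stand-in for the project's login DTO (assumption, not mall's class)
    static class LoginParam {
        String username;
        String password;
        LoginParam(String username, String password) { this.username = username; this.password = password; }
    }

    public static void main(String[] args) {
        // Constructed input mirroring the request shown in the issue's log line
        Object[] controllerArgs = { new LoginParam("123", "456") };
        System.out.println(redact(controllerArgs));

        // Nested map with a token at the top level, as a response body might carry it
        Map<String, Object> nested = new LinkedHashMap<>();
        nested.put("user", new LoginParam("admin", "hunter2"));
        nested.put("token", "eyJhbGciOi...");
        System.out.println(redact(nested));
    }
}
```

Matching on field names is deliberately conservative: a field the list does not know about is still logged, so the list has to be reviewed whenever a new DTO with credential or token fields is added. An allow-list of loggable fields per endpoint is stricter but needs per-controller maintenance; the name-based deny-list above is the smallest change that keeps the existing aspect and its Logstash output working.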
The front end sends the password in plaintext????