fix: 修复查询系统配置参数漏洞 💥

Closes #96
continew-org · Nov 14, 2024 · 8c3fe35 · 8c3fe35
1 parent 1ddac12
commit 8c3fe35
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 7 deletions.
diff --git a/continew-module-system/src/main/java/top/continew/admin/system/enums/OptionCategoryEnum.java b/continew-module-system/src/main/java/top/continew/admin/system/enums/OptionCategoryEnum.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2022-present Charles7c Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package top.continew.admin.system.enums;
+
+/**
+ * 参数类别枚举
+ *
+ * @author Charles7c
+ * @since 2024/11/14 20:00
+ */
+public enum OptionCategoryEnum {
+
+    /**
+     * 系统配置
+     */
+    SITE,
+
+    /**
+     * 密码配置
+     */
+    PASSWORD,
+
+    /**
+     * 邮箱配置
+     */
+    MAIL,
+}
diff --git a/continew-module-system/src/main/java/top/continew/admin/system/model/query/OptionQuery.java b/continew-module-system/src/main/java/top/continew/admin/system/model/query/OptionQuery.java
@@ -18,6 +18,7 @@
 
 import io.swagger.v3.oas.annotations.media.Schema;
 import lombok.Data;
+import top.continew.admin.system.enums.OptionCategoryEnum;
 import top.continew.starter.data.core.annotation.Query;
 import top.continew.starter.data.core.enums.QueryType;
 
@@ -49,5 +50,5 @@ public class OptionQuery implements Serializable {
      * 类别
      */
     @Schema(description = "类别", example = "SITE")
-    private String category;
+    private OptionCategoryEnum category;
 }
diff --git a/continew-webapi/src/main/java/top/continew/admin/controller/common/CommonController.java b/continew-webapi/src/main/java/top/continew/admin/controller/common/CommonController.java
@@ -24,14 +24,14 @@
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.enums.ParameterIn;
 import io.swagger.v3.oas.annotations.tags.Tag;
-import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotNull;
 import lombok.RequiredArgsConstructor;
 import org.dromara.x.file.storage.core.FileInfo;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 import top.continew.admin.common.constant.CacheConstants;
+import top.continew.admin.system.enums.OptionCategoryEnum;
 import top.continew.admin.system.model.query.*;
 import top.continew.admin.system.model.resp.FileUploadResp;
 import top.continew.admin.system.service.*;
@@ -104,12 +104,12 @@ public List<LabelValueResp> listDict(@PathVariable String code) {
     }
 
     @SaIgnore
-    @Operation(summary = "查询参数字典", description = "查询参数字典")
-    @GetMapping("/dict/option")
-    @Cached(key = "#category", name = CacheConstants.OPTION_KEY_PREFIX)
-    public List<LabelValueResp<String>> listOptionDict(@NotBlank(message = "类别不能为空") String category) {
+    @Operation(summary = "查询系统配置参数", description = "查询系统配置参数")
+    @GetMapping("/dict/option/site")
+    @Cached(key = "'SITE'", name = CacheConstants.OPTION_KEY_PREFIX)
+    public List<LabelValueResp<String>> listSiteOptionDict() {
         OptionQuery optionQuery = new OptionQuery();
-        optionQuery.setCategory(category);
+        optionQuery.setCategory(OptionCategoryEnum.SITE);
         return optionService.list(optionQuery)
             .stream()
             .map(option -> new LabelValueResp<>(option.getCode(), StrUtil.nullToDefault(option.getValue(), option