"CVE-2022-43183" SSRF漏洞修复。

xuxueli · Mar 23, 2023 · 9293c61 · 9293c61
1 parent 730c106
commit 9293c61
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 12 deletions.
diff --git a/doc/XXL-JOB官方文档.md b/doc/XXL-JOB官方文档.md
@@ -2304,7 +2304,8 @@ public void execute() {
 ### 7.33 版本 v2.4.0 Release Notes[规划中]
 - 1、【优化】执行器任务Bean扫描逻辑优化：解决懒加载注解失效问题。
 - 2、【优化】多个项目依赖升级至较新稳定版本，涉及netty、groovy、spring、springboot、mybatis等；
-- 3、【修复】"CVE-2022-36157"授权漏洞修复。 
+- 3、【修复】"CVE-2022-36157" 授权漏洞修复。 
+- 4、【修复】"CVE-2022-43183" SSRF漏洞修复。
 
 
 ### 7.34 新版本规划 [规划中]

diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobLogController.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobLogController.java
@@ -1,7 +1,7 @@
 package com.xxl.job.admin.controller;
 
-import com.xxl.job.admin.core.exception.XxlJobException;
 import com.xxl.job.admin.core.complete.XxlJobCompleter;
+import com.xxl.job.admin.core.exception.XxlJobException;
 import com.xxl.job.admin.core.model.XxlJobGroup;
 import com.xxl.job.admin.core.model.XxlJobInfo;
 import com.xxl.job.admin.core.model.XxlJobLog;
@@ -129,22 +129,26 @@ public String logDetailPage(int id, Model model){
 
  model.addAttribute("triggerCode", jobLog.getTriggerCode());
  model.addAttribute("handleCode", jobLog.getHandleCode());
- model.addAttribute("executorAddress", jobLog.getExecutorAddress());
- model.addAttribute("triggerTime", jobLog.getTriggerTime().getTime());
  model.addAttribute("logId", jobLog.getId());
  return "joblog/joblog.detail";
  }
 
  @RequestMapping("/logDetailCat")
  @ResponseBody
- public ReturnT<LogResult> logDetailCat(String executorAddress, long triggerTime, long logId, int fromLineNum){
+ public ReturnT<LogResult> logDetailCat(long logId, int fromLineNum){
  try {
- ExecutorBiz executorBiz = XxlJobScheduler.getExecutorBiz(executorAddress);
- ReturnT<LogResult> logResult = executorBiz.log(new LogParam(triggerTime, logId, fromLineNum));
+ // valid
+ XxlJobLog jobLog = xxlJobLogDao.load(logId); // todo, need to improve performance
+ if (jobLog == null) {
+ return new ReturnT<LogResult>(ReturnT.FAIL_CODE, I18nUtil.getString("joblog_logid_unvalid"));
+ }
+
+ // log cat
+ ExecutorBiz executorBiz = XxlJobScheduler.getExecutorBiz(jobLog.getExecutorAddress());
+ ReturnT<LogResult> logResult = executorBiz.log(new LogParam(jobLog.getTriggerTime().getTime(), logId, fromLineNum));
 
  // is end
  if (logResult.getContent()!=null && logResult.getContent().getFromLineNum() > logResult.getContent().getToLineNum()) {
- XxlJobLog jobLog = xxlJobLogDao.load(logId);
  if (jobLog.getHandleCode() > 0) {
  logResult.getContent().setEnd(true);
  }

diff --git a/xxl-job-admin/src/main/resources/static/js/joblog.detail.1.js b/xxl-job-admin/src/main/resources/static/js/joblog.detail.1.js
@@ -25,8 +25,6 @@ $(function() {
  async: false, // sync, make log ordered
  url : base_url + '/joblog/logDetailCat',
  data : {
- "executorAddress":executorAddress,
- "triggerTime":triggerTime,
  "logId":logId,
  "fromLineNum":fromLineNum
  },

diff --git a/xxl-job-admin/src/main/resources/templates/joblog/joblog.detail.ftl b/xxl-job-admin/src/main/resources/templates/joblog/joblog.detail.ftl
@@ -62,8 +62,6 @@
  // 参数
  var triggerCode = '${triggerCode}';
  var handleCode = '${handleCode}';
- var executorAddress = '${executorAddress!}';
- var triggerTime = '${triggerTime?c}';
  var logId = '${logId}';
 </script>
 <script src="${request.contextPath}/static/js/joblog.detail.1.js"></script>