定时任务目标字符串验证包名白名单

ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java

@@ -27,6 +27,11 @@ public class Constants
      */
     public static final String LOOKUP_LDAP = "ldap:";
 
+    /**
+     * LDAPS 远程方法调用
+     */
+    public static final String LOOKUP_LDAPS = "ldaps:";
+
     /**
      * http请求
      */
@@ -113,9 +118,14 @@ public class Constants
      */
     public static final String RESOURCE_PREFIX = "/profile";
 
+    /**
+     * 定时任务白名单配置（仅允许访问的包名，如其他需要可以自行添加）
+     */
+    public static final String[] JOB_WHITELIST_STR = { "com.ruoyi" };
+
     /**
      * 定时任务违规的字符
      */
     public static final String[] JOB_ERROR_STR = { "java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml",
-            "org.springframework" };
+            "org.springframework", "org.apache" };
 }

ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/controller/SysJobController.java

@@ -26,6 +26,7 @@ import com.ruoyi.common.security.utils.SecurityUtils;
 import com.ruoyi.job.domain.SysJob;
 import com.ruoyi.job.service.ISysJobService;
 import com.ruoyi.job.util.CronUtils;
+import com.ruoyi.job.util.ScheduleUtils;
 
 /**
  * 调度任务信息操作处理
@@ -88,20 +89,24 @@ public class SysJobController extends BaseController
         }
         else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_RMI))
         {
-            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'rmi:'调用");
+            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'rmi'调用");
         }
-        else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_LDAP))
+        else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.LOOKUP_LDAP, Constants.LOOKUP_LDAPS }))
         {
-            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'ldap:'调用");
+            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'ldap'调用");
         }
         else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS }))
         {
-            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'http(s)//'调用");
+            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'http(s)'调用");
         }
         else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
         {
             return error("新增任务'" + job.getJobName() + "'失败，目标字符串存在违规");
         }
+        else if (!ScheduleUtils.whiteList(job.getInvokeTarget()))
+        {
+            return error("新增任务'" + job.getJobName() + "'失败，目标字符串不在白名单内");
+        }
         job.setCreateBy(SecurityUtils.getUsername());
         return toAjax(jobService.insertJob(job));
     }
@@ -120,20 +125,24 @@ public class SysJobController extends BaseController
         }
         else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_RMI))
         {
-            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'rmi:'调用");
+            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'rmi'调用");
         }
-        else if (StringUtils.containsIgnoreCase(job.getInvokeTarget(), Constants.LOOKUP_LDAP))
+        else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.LOOKUP_LDAP, Constants.LOOKUP_LDAPS }))
         {
-            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'ldap:'调用");
+            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'ldap'调用");
         }
         else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), new String[] { Constants.HTTP, Constants.HTTPS }))
         {
-            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'http(s)//'调用");
+            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'http(s)'调用");
         }
         else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
         {
             return error("修改任务'" + job.getJobName() + "'失败，目标字符串存在违规");
         }
+        else if (!ScheduleUtils.whiteList(job.getInvokeTarget()))
+        {
+            return error("修改任务'" + job.getJobName() + "'失败，目标字符串不在白名单内");
+        }
         job.setUpdateBy(SecurityUtils.getUsername());
         return toAjax(jobService.updateJob(job));
     }

ruoyi-modules/ruoyi-job/src/main/java/com/ruoyi/job/util/ScheduleUtils.java

@@ -10,9 +10,11 @@ import org.quartz.Scheduler;
 import org.quartz.SchedulerException;
 import org.quartz.TriggerBuilder;
 import org.quartz.TriggerKey;
+import com.ruoyi.common.core.constant.Constants;
 import com.ruoyi.common.core.constant.ScheduleConstants;
 import com.ruoyi.common.core.exception.job.TaskException;
 import com.ruoyi.common.core.exception.job.TaskException.Code;
+import com.ruoyi.common.core.utils.StringUtils;
 import com.ruoyi.job.domain.SysJob;
 
 /**
@@ -110,4 +112,24 @@ public class ScheduleUtils
                         + "' cannot be used in cron schedule tasks", Code.CONFIG_ERROR);
         }
     }
-}
+
+    /**
+     * 检查包名是否为白名单配置
+     * 
+     * @param invokeTarget 目标字符串
+     * @return 结果
+     */
+    public static boolean whiteList(String invokeTarget)
+    {
+        String packageName = StringUtils.substringBefore(invokeTarget, ")");
+        int count = StringUtils.countMatches(packageName, ".");
+        if (count > 1)
+        {
+            if (!StringUtils.containsAnyIgnoreCase(invokeTarget, Constants.JOB_WHITELIST_STR))
+            {
+                return false;
+            }
+        }
+        return true;
+    }
+}