Merge pull request #13370 from dataease/pr@dev-v2@fix_unsafe_requests

fix: 禁用不安全的请求类型

core/core-frontend/src/api/sync/syncTask.ts

@@ -208,7 +208,7 @@ export const addApi = (data: ITaskInfoInsertReq) => {
 }
 
 export const removeApi = (taskId: string) => {
-  return request.delete({ url: `/sync/task/remove/${taskId}` })
+  return request.post({ url: `/sync/task/remove/${taskId}` })
 }
 
 export const batchRemoveApi = (taskIds: string[]) => {

core/core-frontend/src/api/sync/syncTaskLog.ts

@@ -8,7 +8,7 @@ export const getTaskLogListApi = (current: number, size: number, data: any) => {
 }
 
 export const removeApi = (logId: string) => {
-  return request.delete({ url: `/sync/task/log/delete/${logId}` })
+  return request.post({ url: `/sync/task/log/delete/${logId}` })
 }
 
 export const getTaskLogDetailApi = (logId: string, fromLineNum: number) => {

core/core-frontend/src/api/visualization/dataVisualization.ts

@@ -68,7 +68,7 @@ export const moveResource = data => request.post({ url: '/dataVisualization/move
 export const copyResource = data => request.post({ url: '/dataVisualization/copy', data })
 
 export const deleteLogic = (dvId, busiFlag) =>
-  request.delete({ url: '/dataVisualization/deleteLogic/' + dvId + '/' + busiFlag })
+  request.post({ url: '/dataVisualization/deleteLogic/' + dvId + '/' + busiFlag })
 
 export const querySubjectWithGroupApi = data =>
   request.post({ url: '/visualizationSubject/querySubjectWithGroup', data })
@@ -76,7 +76,7 @@ export const querySubjectWithGroupApi = data =>
 export const saveOrUpdateSubject = data =>
   request.post({ url: '/visualizationSubject/update', data })
 
-export const deleteSubject = id => request.delete({ url: '/visualizationSubject/delete/' + id })
+export const deleteSubject = id => request.post({ url: '/visualizationSubject/delete/' + id })
 
 export const dvNameCheck = async data => request.post({ url: '/dataVisualization/nameCheck', data })
 

sdk/api/api-base/src/main/java/io/dataease/api/ds/DatasourceDriverApi.java

@@ -33,13 +33,13 @@ public interface DatasourceDriverApi {
     @PostMapping("/update")
     DriveDTO update(@RequestBody DriveDTO datasourceDrive);
 
-    @DeleteMapping("/delete/{driverId}")
+    @PostMapping("/delete/{driverId}")
     void delete(@PathVariable("driverId") String driverId);
 
     @GetMapping("/listDriverJar/{driverId}")
     List<DriveJarDTO> listDriverJar(@PathVariable("driverId") String driverId);
 
-    @DeleteMapping("/deleteDriverJar/{jarId}")
+    @PostMapping("/deleteDriverJar/{jarId}")
     void deleteDriverJar(@PathVariable("jarId") String jarId);
 
     @PostMapping("/uploadJar")

sdk/api/api-base/src/main/java/io/dataease/api/visualization/DataVisualizationApi.java

@@ -41,7 +41,7 @@ public interface DataVisualizationApi {
 
     @GetMapping("/findCopyResource/{dvId}/{busiFlag}")
     @Operation(summary = "查询临时复制资源")
-    DataVisualizationVO findCopyResource(@PathVariable("dvId") Long dvId,@PathVariable("busiFlag") String busiFlag);
+    DataVisualizationVO findCopyResource(@PathVariable("dvId") Long dvId, @PathVariable("busiFlag") String busiFlag);
 
 
     @PostMapping("/saveCanvas")
@@ -64,10 +64,10 @@ public interface DataVisualizationApi {
     @Operation(summary = "可视化资源基础信息更新")
     void updateBase(@RequestBody DataVisualizationBaseRequest request);
 
-    @DeleteMapping("/deleteLogic/{dvId}/{busiFlag}")
+    @PostMapping("/deleteLogic/{dvId}/{busiFlag}")
     @DePermit(value = {"#p0+':manage'"}, busiFlag = "#p1")
     @Operation(summary = "可视化资源删除")
-    void deleteLogic(@PathVariable("dvId") Long dvId,@PathVariable("busiFlag") String busiFlag);
+    void deleteLogic(@PathVariable("dvId") Long dvId, @PathVariable("busiFlag") String busiFlag);
 
     @PostMapping("/tree")
     @Operation(summary = "查询可视化资源树")
@@ -98,7 +98,7 @@ public interface DataVisualizationApi {
 
     @GetMapping("/findDvType/{dvId}")
     @Operation(summary = "查询可视化资源类型")
-    String findDvType(@PathVariable("dvId")Long dvId);
+    String findDvType(@PathVariable("dvId") Long dvId);
 
     /**
      * 从模板解压可视化资源 模板来源包括 模板市场、内部模板管理

sdk/api/api-base/src/main/java/io/dataease/api/visualization/VisualizationSubjectApi.java

@@ -5,7 +5,9 @@ import io.dataease.api.visualization.request.VisualizationSubjectRequest;
 import io.dataease.api.visualization.vo.VisualizationSubjectVO;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
 
 import java.util.List;
 
@@ -25,8 +27,8 @@ public interface VisualizationSubjectApi {
     @Operation(summary = "更新")
     void update(@RequestBody VisualizationSubjectRequest request);
 
-    @DeleteMapping("/delete/{id}")
+    @PostMapping("/delete/{id}")
     @Operation(summary = "删除")
-    void delete(@PathVariable String id);
+    void delete(@PathVariable("id") String id);
 
 }

sdk/api/api-sync/src/main/java/io/dataease/api/sync/task/api/TaskApi.java

@@ -28,7 +28,7 @@ public interface TaskApi {
     @PostMapping("/update")
     void update(@RequestBody TaskInfoDTO jobInfo) throws DEException;
 
-    @DeleteMapping("/remove/{id}")
+    @PostMapping("/remove/{id}")
     void remove(@PathVariable(value = "id") String id) throws DEException;
 
     @GetMapping("start/{id}")

sdk/api/api-sync/src/main/java/io/dataease/api/sync/task/api/TaskLogApi.java

@@ -27,10 +27,10 @@ public interface TaskLogApi {
     @PostMapping("/update")
     void updateLog(@RequestBody TaskLogVO logDetail);
 
-    @DeleteMapping("/deleteByJobId/{jobId}")
+    @PostMapping("/deleteByJobId/{jobId}")
     void deleteByJobId(@PathVariable("jobId") String jobId);
 
-    @DeleteMapping("/delete/{logId}")
+    @PostMapping("/delete/{logId}")
     void deleteById(@PathVariable("logId") String logId);
 
     @PostMapping("/clear")

sdk/common/src/main/java/io/dataease/auth/filter/TokenFilter.java

@@ -5,6 +5,7 @@ import io.dataease.constant.AuthConstant;
 import io.dataease.utils.*;
 import jakarta.servlet.*;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 
 import java.io.IOException;
@@ -16,6 +17,22 @@ public class TokenFilter implements Filter {
     @Override
     public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
         HttpServletRequest request = (HttpServletRequest) servletRequest;
+        String method = request.getMethod();
+        if (!StringUtils.equalsAny(method, "GET", "POST", "OPTIONS")) {
+            HttpServletResponse res = (HttpServletResponse) servletResponse;
+            res.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+            return;
+        }
+        if (StringUtils.equalsIgnoreCase("OPTIONS", method)) {
+            String origin = request.getHeader("Origin");
+            if (StringUtils.isBlank(origin)) {
+                HttpServletResponse res = (HttpServletResponse) servletResponse;
+                res.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+                return;
+            }
+            filterChain.doFilter(servletRequest, servletResponse);
+            return;
+        }
         String requestURI = request.getRequestURI();
 
         if (ModelUtils.isDesktop()) {
@@ -28,10 +45,7 @@ public class TokenFilter implements Filter {
             filterChain.doFilter(servletRequest, servletResponse);
             return;
         }
-        if (StringUtils.equalsIgnoreCase("OPTIONS", ServletUtils.request().getMethod())) {
+
-            filterChain.doFilter(servletRequest, servletResponse);
-            return;
-        }
         String executeVersion = null;
         if (StringUtils.isNotBlank(executeVersion = VersionUtil.getRandomVersion())) {
             Objects.requireNonNull(ServletUtils.response()).addHeader(AuthConstant.DE_EXECUTE_VERSION, executeVersion);

sdk/common/src/main/java/io/dataease/auth/interceptor/CorsConfig.java

@@ -1,12 +1,12 @@
 package io.dataease.auth.interceptor;
 
 import io.dataease.constant.AuthConstant;
-import jakarta.annotation.Resource;
+import org.apache.commons.collections4.CollectionUtils;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.config.annotation.CorsRegistration;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
-import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
@@ -15,17 +15,11 @@ import java.util.List;
 @Configuration
 public class CorsConfig implements WebMvcConfigurer {
 
-    @Resource(name = "deCorsInterceptor")
-    private CorsInterceptor corsInterceptor;
 
     @Value("#{'${dataease.origin-list:http://127.0.0.1:8100}'.split(',')}")
     private List<String> originList;
 
-    @Override
+    private CorsRegistration operateCorsRegistration;
-    public void addInterceptors(InterceptorRegistry registry) {
-        corsInterceptor.addOriginList(originList);
-        registry.addInterceptor(corsInterceptor).addPathPatterns("/**");
-    }
 
     @Override
     public void configurePathMatch(PathMatchConfigurer configurer) {
@@ -34,11 +28,21 @@ public class CorsConfig implements WebMvcConfigurer {
 
     @Override
     public void addCorsMappings(CorsRegistry registry) {
-        registry.addMapping("/**")
+        operateCorsRegistration = registry.addMapping("/**")
                 .allowCredentials(true)
-                .allowedOriginPatterns("*")
+                .allowedOrigins(originList.toArray(new String[0]))
                 .allowedHeaders("*")
                 .maxAge(3600)
-                .allowedMethods("*");
+                .allowedMethods("GET", "POST");
+    }
+
+    public void addAllowedOrigins(List<String> origins) {
+        if (CollectionUtils.isEmpty(origins)) {
+            return;
+        }
+        origins.addAll(originList);
+        List<String> newOrigins = origins.stream().distinct().toList();
+        String[] originArray = newOrigins.toArray(new String[0]);
+        operateCorsRegistration.allowedOrigins(originArray);
     }
 }

sdk/common/src/main/java/io/dataease/auth/interceptor/CorsInterceptor.java

@@ -1,86 +0,0 @@
-package io.dataease.auth.interceptor;
-
-import io.dataease.utils.CommonBeanFactory;
-import io.dataease.utils.DeReflectUtil;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
-import org.apache.commons.collections4.CollectionUtils;
-import org.apache.commons.lang3.ObjectUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.springframework.stereotype.Component;
-import org.springframework.util.ReflectionUtils;
-import org.springframework.web.servlet.HandlerInterceptor;
-
-import java.lang.reflect.Method;
-import java.util.ArrayList;
-import java.util.List;
-
-@Component("deCorsInterceptor")
-public class CorsInterceptor implements HandlerInterceptor {
-
-
-    private final List<String> originList;
-
-    private final List<String> busiOriginList = new ArrayList<>();
-
-    private Class<?> aClass;
-
-    private Object bean;
-
-
-    public CorsInterceptor(List<String> originList) {
-        this.originList = originList;
-    }
-
-    public void addOriginList(List<String> list) {
-        List<String> strings = list.stream().filter(item -> !originList.contains(item)).toList();
-        originList.addAll(strings);
-    }
-
-
-    public void addOriginList() {
-        busiOriginList.clear();
-        String className = "io.dataease.api.permissions.embedded.api.EmbeddedApi";
-        String methodName = "domainList";
-        if (ObjectUtils.isEmpty(aClass)) {
-            try {
-                aClass = Class.forName(className);
-            } catch (ClassNotFoundException e) {
-                return;
-            }
-        }
-        if (ObjectUtils.isEmpty(bean)) {
-            bean = CommonBeanFactory.getBean(aClass);
-        }
-        if (ObjectUtils.isNotEmpty(bean)) {
-            Method method = DeReflectUtil.findMethod(aClass, methodName);
-            Object result = ReflectionUtils.invokeMethod(method, bean);
-            if (ObjectUtils.isNotEmpty(result)) {
-                List<String> list = (List<String>) result;
-                if (CollectionUtils.isNotEmpty(list)) {
-                    busiOriginList.addAll(list.stream().distinct().toList());
-                }
-            }
-        }
-    }
-
-    @Override
-    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
-        addOriginList();
-        String origin = request.getHeader("Origin");
-        boolean embedded = StringUtils.startsWithAny(request.getRequestURI(), "/assets/", "/js/");
-        if ((StringUtils.isNotBlank(origin) && originList.contains(origin)) || busiOriginList.contains(origin) || embedded) {
-            response.setHeader("Access-Control-Allow-Origin", embedded ? "*" : origin);
-            response.setHeader("Access-Control-Allow-Credentials", "true");
-            response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS");
-            response.setHeader("Access-Control-Allow-Headers", "*");
-            response.setHeader("Access-Control-Max-Age", "3600");
-        }
-
-        if (StringUtils.equalsIgnoreCase(request.getMethod(), "options")) {
-            response.setStatus(200);
-            return false;
-        }
-        return true;
-    }
-}