提交 7e8ed31b 编写于 作者: Cano1997's avatar Cano1997

update: 页面重定向添加白名单校验

上级 9e57e46c
......@@ -15,3 +15,4 @@ enableGridRowBreak:ENABLEGRIDROWBREAK
publicKey:PUBLICKEY
enableRSA:ENABLERSA
customParams:CUSTOMPARAMS
redirectWhiteList: REDIRECTWHITELIST
\ No newline at end of file
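Review bot: `redirectWhiteList` gets no description of the value it expects, while the helper that consumes it in this commit treats it as a comma-separated list of `https://host` origins or `*.host` host patterns and does not trim entries, so a value written with spaces silently matches nothing. If this file's format permits comments, add one beside the key, e.g. `# comma-separated, no spaces: https://sso.example.com,*.example.com`; otherwise put it in the deployment docs. Note also that an unsubstituted `REDIRECTWHITELIST` placeholder becomes a literal rule that can never match, so every cross-origin redirect is refused (fail closed, but worth documenting), and the file still lacks a trailing newline.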
......@@ -53,6 +53,26 @@ function setCookie(name, value, day, isDomain, path) {
function clearCookie(cookieName, isDomain) {
this.setCookie(cookieName, '', -1, isDomain);
}
function isAllowed(url) {
if (!url) return false;
const { protocol, hostname, origin } = new URL(url, window.location.origin);
if (!['blob:', 'https:', 'http:'].includes(protocol)) return false;
if (window.location.origin === origin) {
return true;
}
const allowList = ibiz.env.redirectWhiteList.split(',');
return allowList.some(rule => {
if (typeof rule === 'string') {
if (rule.includes('*')) {
const reg = new RegExp(`^${rule.replace(/\*/g, '[^/]+')}$`);
return reg.test(hostname);
}
return rule === `${protocol}//${hostname}`;
}
return rule.test(url);
});
};
window.onload = function () {
var infoEl = document.getElementById('redirect-info');
var errInfoEl = document.getElementById('redirect-error');
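Review bot: The wildcard branch (`rule.replace(/\*/g, '[^/]+')` fed straight into `new RegExp`) never escapes the literal part of the rule, so `*.example.com` becomes `^[^/]+.example.com$` and also matches `attacker-example.com`; every segment around `*` must be regex-escaped before being joined. The exact-match branch compares `${protocol}//${hostname}` and so ignores the port, while the wildcard branch ignores the protocol altogether, so an `https://` rule admits `http://` targets — comparing `new URL(rule).origin` with `origin` closes both gaps. `split(',')` is not trimmed (a list written with spaces never matches), a missing `ibiz.env.redirectWhiteList` throws from `.split` instead of returning false, and the `rule.test(url)` fallback is dead because `split` only yields strings. I'd also ask whether `blob:` genuinely needs to be an accepted scheme for a post-login redirect. The rewritten helper follows; the cookie helpers and the `onload` body are unchanged.
```javascript
function isAllowed(url) {
  if (!url) return false;
  let target;
  try {
    target = new URL(url, window.location.origin);
  } catch (e) {
    return false; // unparseable input is refused rather than thrown
  }
  const { protocol, origin, hostname } = target;
  if (!['blob:', 'https:', 'http:'].includes(protocol)) return false;
  if (window.location.origin === origin) return true;
  // escape regex metacharacters so the literal parts of a '*' rule match literally
  const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const rules = String(ibiz.env.redirectWhiteList || '')
    .split(',')
    .map(r => r.trim())
    .filter(Boolean);
  return rules.some(rule => {
    if (rule.includes('*')) {
      const reg = new RegExp(`^${rule.split('*').map(escapeRe).join('[^/]+')}$`, 'i');
      return reg.test(hostname);
    }
    try {
      // origin comparison covers scheme, host and port; the existing 'https://host' rule form still works
      return new URL(rule).origin === origin;
    } catch (e) {
      return false; // a malformed rule never matches
    }
  });
}
// … unchanged: setCookie / clearCookie above, window.onload below …
```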
......@@ -78,7 +98,11 @@ window.onload = function () {
const expiredDate =
new Date().getTime() + (expirein || 7199) * 1000;
setCookie('access_token_expires', `${expiredDate}`, 0, true);
if (ru && isAllowed(ru)) {
window.location.href = ru;
} else {
console.error(`重定向路径${ru}不在白名单中,请确认是否正确!`);
}
};
var redirectInfoActionEl = document.getElementById('redirect-info-action');
redirectInfoActionEl.onclick = function () {
......
......@@ -20,6 +20,27 @@
</div>
</body>
<script>
function isAllowed(url) {
if (!url) return false;
const { protocol, hostname, origin } = new URL(url, window.location.origin);
if (!['blob:', 'https:', 'http:'].includes(protocol)) return false;
if (window.location.origin === origin) {
return true;
}
const allowList = ibiz.env.redirectWhiteList.split(',');
return allowList.some(rule => {
if (typeof rule === 'string') {
if (rule.includes('*')) {
const reg = new RegExp(`^${rule.replace(/\*/g, '[^/]+')}$`);
return reg.test(hostname);
}
return rule === `${protocol}//${hostname}`;
}
return rule.test(url);
});
};
function created()
{
try
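Review bot: This `isAllowed` is a verbatim copy of the helper added to the redirect script in the same commit, and it carries the same gap: the wildcard branch does not escape the literal part of the rule, so `*.example.com` compiles to `^[^/]+.example.com$` and also accepts `attacker-example.com`. Replacing the `rule.replace(/\*/g, '[^/]+')` call with `rule.split('*').map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('[^/]+')` fixes it. The list entries are also not trimmed and a missing `ibiz.env.redirectWhiteList` throws from `.split`, so `String(ibiz.env.redirectWhiteList || '').split(',').map(r => r.trim()).filter(Boolean)` would make the parse tolerant and fail closed; the `rule.test(url)` branch is unreachable because `split` only yields strings. Since two copies will drift, I'd move the helper into one shared script that both pages load.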
......@@ -45,12 +66,14 @@
}
if(response.appdata.user) {
setCookie('ibzuaa-user', JSON.stringify(response.appdata.user), 7, true);
// 设置cookie,保存账号密码7天
setCookie('loginname', response.appdata.user.loginname, 7, true);
}
if (bapru && isAllowed(bapru)) {
window.location.href = bapru;
} else {
console.error(`重定向路径${bapru}不在白名单中,请确认是否正确!`);
}
}
else
{
......@@ -69,17 +92,8 @@
}
}
/**
* 获取指定的URL参数值
* URL:http://www.xxx.com/index?name=123
* 参数:param URL参数
* 调用方法:getParam("name")
* 返回值:123
* alert(getParam('date'));
*/
function getParam(name) {
let reg = new RegExp("(^|&)" + name + "=([^&]*)(&|$)", "i");
//search,查询?后面的参数,并匹配正则
let r = location.search.substr(1).match(reg);
if (r != null) return decodeURI(decodeURI(r[2]));
}
......@@ -87,7 +101,7 @@
function showinfo(arg)
{
var ele=document.getElementById("info");
ele.innerHTML=ele.innerHTML+"<br>"+arg;
ele.innerText=`${ele.innerText}\n${arg}`;
}
......
import qs from 'qs';
import { safeRedirect } from '@ibiz-template/runtime';
import { LoginMode, RuntimeError, UrlHelper } from '@ibiz-template/core';
import router from '@/router';
......@@ -49,7 +50,7 @@ export class UnauthorizedHandler {
);
// 跳转cas登录地址
window.location.href = targetUrl;
safeRedirect(targetUrl, { type: 'href' });
}
/**
......@@ -63,7 +64,7 @@ export class UnauthorizedHandler {
*/
protected static async normalLogin(): Promise<void> {
if (ibiz.env.noAuthRedirectUrl) {
window.open(ibiz.env.noAuthRedirectUrl, '_self');
safeRedirect(ibiz.env.noAuthRedirectUrl, { type: '_self' });
return;
}
// 禁止跳转登录视图时不处理
......
import Router from 'vue-router';
import { Environment } from '@ibiz-template/core';
import { safeRedirect } from '@ibiz-template/runtime';
import { AuthGuard } from '../guard';
import RouterShell from '@/components/router-shell/router-shell';
import appRedirectView from '@/views/app-redirect-view/app-redirect-view';
......@@ -36,7 +37,7 @@ const router = new Router({
name: 'loginView',
beforeEnter: async (_to, _from, next) => {
if (ibiz.env.noAuthRedirectUrl) {
window.open(ibiz.env.noAuthRedirectUrl, '_self');
safeRedirect(ibiz.env.noAuthRedirectUrl, { type: '_self' });
}
if (ibiz.env.disabledLogin) {
next(false);
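Review bot: The guard continues after `safeRedirect(ibiz.env.noAuthRedirectUrl, { type: '_self' })` and goes on to evaluate `disabledLogin` and, presumably past the hunk, call `next()`, so a refused redirect silently renders the login view while an accepted one starts navigation and still resolves the route. Making the outcome explicit, e.g. `if (safeRedirect(ibiz.env.noAuthRedirectUrl, { type: '_self' })) { next(false); return; }` if the helper reports success, keeps the two cases apart; `safeRedirect`'s return type is not visible in this diff, so adjust to its actual contract. `beforeEnter`'s body runs past the hunk.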
......
......@@ -3,6 +3,7 @@ import {
IModal,
IModalData,
IOpenViewUtil,
safeRedirect,
ViewMode,
} from '@ibiz-template/runtime';
import { generateRoutePath } from '@ibiz-template/vue-util';
......@@ -176,7 +177,7 @@ export class OpenViewUtil implements IOpenViewUtil {
url = `${UrlHelper.routeBase}${path}`;
}
if (srfopenmode === 'open') {
window.open(url, srfopentarget);
safeRedirect(url, { type: srfopentarget });
}
// 其他方式待补充
}
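Review bot: `safeRedirect(url, { type: srfopentarget })` passes a window-target name (`_blank`, a named window, …) coming from the view model into the option that elsewhere in this commit receives `'href'` or `'_self'`; if the helper only understands a fixed set of values, an unexpected target may be ignored or fall through to a default, so it is worth asserting that every target the model can produce is handled. When the helper does open a new window for `_blank`, confirm it requests `noopener` — the `window.open(url, srfopentarget)` it replaces did not, which lets the opened page reach `window.opener`. The enclosing method starts before this hunk.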
......
import { safeRedirect } from '@ibiz-template/runtime';
import { useRouter } from '@ibiz-template/vue-util';
import qs from 'qs';
import { defineComponent, getCurrentInstance } from 'vue';
......@@ -35,7 +36,7 @@ export default defineComponent({
let url: string = res.data.linkurl;
// apptype存在,带ip、端口等完整数据
if (apptype) {
window.location.href = url;
safeRedirect(url, { type: 'href' });
} else {
if (url.indexOf('/') !== 0) {
url = `/${url}`;
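Review bot: Only the `apptype` branch is gated by `safeRedirect`; the `else` branch normalizes `res.data.linkurl` by prefixing `/` and continues past the hunk, and a server-supplied `//host/path` already starts with `/`, so it passes that normalization unchanged as a protocol-relative URL. If that branch ends in a `location` assignment or a router push of `url`, it needs the same check, or at least `if (url.startsWith('//')) return;` up front. The handler body continues past the hunk.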
......