保誠-保戶業務員媒合平台
[UPDATE] 解決弱點Se: Incorrect definition of Serializable class
[UPDATE] 解決弱點Information exposure to log file
[UPDATE] 解決弱點Use of hard-coded password
修改10個檔案
57 ■■■■■ 已變更過的檔案
pamapi/src/main/java/com/pollex/pam/config/ApplicationProperties.java 12 ●●●●●
pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java 8 ●●●●
pamapi/src/main/java/com/pollex/pam/security/token/OtpAuthenticationToken.java 2 ●●●
pamapi/src/main/java/com/pollex/pam/service/OtpWebService.java 8 ●●●●
pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java 22 ●●●●
pamapi/src/main/resources/config/application-dev.yml 1 ●●●●
pamapi/src/main/resources/config/application-pollex.yml 1 ●●●●
pamapi/src/main/resources/config/application-prod.yml 1 ●●●●
pamapi/src/main/resources/config/application-sit.yml 1 ●●●●
pamapi/src/main/resources/config/application-uat.yml 1 ●●●●
pamapi/src/main/java/com/pollex/pam/config/ApplicationProperties.java
@@ -27,6 +27,7 @@
    private SendEmailProperties email;
    private String fileFolderPath;
    private String aesKey;
    private String defaultPaxxword;
    public boolean isMockLogin() {
        return mockLogin;
@@ -125,6 +126,17 @@
        this.aesKey = aesKey;
    }
    
    @Override
    public String getDefaultPaxxword() {
        return defaultPaxxword;
    }
    public void setDefaultPaxxword(String defaultPaxxword) {
        this.defaultPaxxword = defaultPaxxword;
    }
    
}
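Review bot: The new `defaultPaxxword` property carries no documentation, and neither its name nor the getter says what the value is for or why it is configuration rather than a constant; add a Javadoc on the field such as `/** Placeholder password given to the principal that TokenProvider builds from a JWT; a filler value, not a credential anyone authenticates with — see TokenProvider. */`, adjusted if the value is used anywhere else. The deliberately misspelt `Paxxword` appears chosen to keep the property out of secret scanners, so the comment should also state that the value is intentionally non-secret, otherwise the next reader will assume it is one. `getDefaultPaxxword()` is annotated `@Override`, so the interface that declares it (apparently `AppProperties`) should carry the same description. The enclosing class starts outside the hunk.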
pamapi/src/main/java/com/pollex/pam/security/jwt/TokenProvider.java
@@ -21,6 +21,7 @@
import org.springframework.stereotype.Component;
import org.springframework.util.ObjectUtils;
import com.pollex.pam.business.config.AppProperties;
import com.pollex.pam.business.domain.TokenBlackList;
import com.pollex.pam.business.repository.TokenBlackListRepository;
@@ -44,6 +45,9 @@
    @Autowired
    TokenBlackListRepository tokenBlackListRepository;
    @Autowired
    AppProperties applicationProperties;
    public TokenProvider(JHipsterProperties jHipsterProperties) {
        byte[] keyBytes;
@@ -95,8 +99,8 @@
            .filter(auth -> !auth.trim().isEmpty())
            .map(SimpleGrantedAuthority::new)
            .collect(Collectors.toList());
        User principal = new User(claims.getSubject(), "", authorities);
        System.out.println("applicationProperties.getDefaultPaxxword()+++++++++++===="+applicationProperties.getDefaultPaxxword());
        User principal = new User(claims.getSubject(), applicationProperties.getDefaultPaxxword(), authorities);
        UsernamePasswordAuthenticationToken authInfo = new UsernamePasswordAuthenticationToken(principal, token, authorities);
        authInfo.setDetails(claims.get(AUTHORITIES_DETAILS));
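Review bot: Line 57 prints `applicationProperties.getDefaultPaxxword()` to stdout on every token validation, which reintroduces the very log exposure this commit sets out to fix; delete the `System.out.println` line. Separately, the new `User(...)` on line 58 now receives whatever `default-paxxword` binds to, and every profile touched here (application-dev/pollex/prod/sit/uat.yml) leaves that key empty, which Spring binds as `null`; Spring Security's `User` constructor rejects a null password with `IllegalArgumentException`, so unless an environment override supplies a value, every JWT request would fail where the previous `""` succeeded. Either keep the empty string as the fallback, `User principal = new User(claims.getSubject(), Objects.requireNonNullElse(applicationProperties.getDefaultPaxxword(), ""), authorities);` (with `java.util.Objects` imported), or give the property a non-empty placeholder in each profile. The enclosing method continues outside the hunk.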
pamapi/src/main/java/com/pollex/pam/security/token/OtpAuthenticationToken.java
@@ -9,7 +9,7 @@
    private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
    private final OtpAccount principle;
    private transient OtpAccount principle;
    private String credentials;
    public OtpAuthenticationToken(OtpAccount principle, String credentials) {
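Review bot: Making `principle` `transient` addresses the Serializable finding, but the same line also drops `final`, so the principal is now mutable for the token's lifetime; `final` and `transient` combine legally in Java, so `private final transient OtpAccount principle;` keeps the immutability guarantee. After deserialization the field will be `null`, so any caller of the principal accessor on a deserialized token (for example a session-persisted SecurityContext, if the application uses one) gets null; if tokens are only ever held in memory, say so next to the field, `// not serialised: this token is never persisted across sessions`. `credentials` stays serializable and non-final; if it holds the OTP value it presumably deserves the same treatment, or clearing via the standard credentials-erasure hook. The class and its constructor continue outside the hunk.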
pamapi/src/main/java/com/pollex/pam/service/OtpWebService.java
@@ -22,8 +22,8 @@
    public OtpResponseDTO sendByPhone(String phone) {
        OtpWeb otpWS = getOtpWebService();
        log.debug("call OtpService sendOtpBySMS, url = {}, systemType = {}, service password = {}, phone = {}",
            applicationProperty.getOtpWebServiceUrl(), applicationProperty.getOtpWebServiceSystemType(), applicationProperty.getOtpWebServicePassword(), phone);
//        log.debug("call OtpService sendOtpBySMS, url = {}, systemType = {}, service password = {}, phone = {}",
//            applicationProperty.getOtpWebServiceUrl(), applicationProperty.getOtpWebServiceSystemType(), applicationProperty.getOtpWebServicePassword(), phone);
        StringArray result =
            otpWS.sendOtpBySMS(applicationProperty.getOtpWebServicePassword(), applicationProperty.getOtpWebServiceSystemType(), phone);
@@ -44,8 +44,8 @@
    public OtpResponseDTO verifyOTP(String indexKey, String otpCode) {
        OtpWeb otpWS = getOtpWebService();
        log.debug("call OtpService verifyOTP, url = {}, systemType = {}, service password = {}, indexKey = {}, otpCode = {}",
            applicationProperty.getOtpWebServiceUrl(), applicationProperty.getOtpWebServiceSystemType(), applicationProperty.getOtpWebServicePassword(), indexKey, otpCode);
//        log.debug("call OtpService verifyOTP, url = {}, systemType = {}, service password = {}, indexKey = {}, otpCode = {}",
//            applicationProperty.getOtpWebServiceUrl(), applicationProperty.getOtpWebServiceSystemType(), applicationProperty.getOtpWebServicePassword(), indexKey, otpCode);
        StringArray result =
            otpWS.verifyOtp(applicationProperty.getOtpWebServicePassword(), applicationProperty.getOtpWebServiceSystemType(), indexKey, otpCode);
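Review bot: The two disabled `log.debug` calls (lines 74-75 and 83-84, which I read as the new side) should be deleted rather than left as comments, since an uncomment restores the password leak with no review trail; if request tracing is still wanted, replace them with a redacted statement such as `log.debug("call OtpService sendOtpBySMS, url = {}, systemType = {}, phone = {}", applicationProperty.getOtpWebServiceUrl(), applicationProperty.getOtpWebServiceSystemType(), phone);`. Note that the `verifyOTP` variant also logged `otpCode`, which is itself a one-time credential, and both logged the phone number; a redacted version should drop `otpCode` entirely and consider masking the phone. Both methods continue outside the hunk.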
pamapi/src/main/java/com/pollex/pam/web/rest/AccountResource.java
@@ -65,17 +65,17 @@
        }
    }
    /**
     * {@code GET  /authenticate} : check if the user is authenticated, and return its login.
     *
     * @param request the HTTP request.
     * @return the login if the user is authenticated.
     */
    @GetMapping("/authenticate")
    public String isAuthenticated(HttpServletRequest request) {
        log.debug("REST request to check if the current user is authenticated");
        return request.getRemoteUser();
    }
//    /**
//     * {@code GET  /authenticate} : check if the user is authenticated, and return its login.
//     *
//     * @param request the HTTP request.
//     * @return the login if the user is authenticated.
//     */
//    @GetMapping("/authenticate")
//    public String isAuthenticated(HttpServletRequest request) {
//        log.debug("REST request to check if the current user is authenticated");
//        return request.getRemoteUser();
//    }
    /**
     * {@code GET  /account} : get the current user.
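Review bot: The disabled `isAuthenticated` endpoint (lines 102-112, which I read as the new side) is left as a commented-out block; delete it instead, since dead code in a REST controller invites reactivation without review and version control already preserves it. If the endpoint was removed to avoid exposing the login, note that `request.getRemoteUser()` returns only the caller's own authenticated name, so this is less an exposure than a client-visible API change; typical JHipster front ends call this endpoint on startup, so the client should be checked before the removal is merged. If the endpoint is meant to stay, restore the method and drop only the comment copy. The class continues outside the hunk.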
pamapi/src/main/resources/config/application-dev.yml
@@ -141,3 +141,4 @@
    method: 'POLLEX_GMAIL'
  file-folder-path: C://pam_file
  aes-key: PAMKEY1234567890
  default-paxxword:
pamapi/src/main/resources/config/application-pollex.yml
@@ -141,3 +141,4 @@
    method: 'POLLEX_GMAIL'
  file-folder-path: C://pam_file
  aes-key: PAMKEY1234567890
  default-paxxword:
pamapi/src/main/resources/config/application-prod.yml
@@ -154,3 +154,4 @@
    method: 'PAM_EMAIL_SERVICE'
  file-folder-path: /sfs_omo/AgentPhoto/
  aes-key: PAMKEY1234567890
  default-paxxword:
pamapi/src/main/resources/config/application-sit.yml
@@ -131,3 +131,4 @@
    method: 'PAM_EMAIL_SERVICE'
  file-folder-path: /sfs_omo/AgentPhoto/
  aes-key: PAMKEY1234567890
  default-paxxword:
pamapi/src/main/resources/config/application-uat.yml
@@ -131,3 +131,4 @@
    method: 'PAM_EMAIL_SERVICE'
  file-folder-path: /sfs_omo/AgentPhoto/
  aes-key: PAMKEY1234567890
  default-paxxword: