
更新了 漏洞扫描, spring-core, mybatis
shiro fastjson

wuweihao 4 часов назад
Родитель
Сommit
1eb8be812f

+ 4 - 1
README.md

@@ -25,6 +25,9 @@
          
          公网访问:
          http://face3d.4dage.com:8104/doc.html
+
+    /usr/local/tomcat_museum_yw_8104/bin
+
          
     
     <Context path="" docBase="/root/user/java/tomcat_museum_yw_8104/webapps/cmsMuseumYw" debug="0" reloadable="true" crossContext="true"/>
@@ -36,7 +39,7 @@
     
     
    
-## uat
+# pro
     四维看展服务器,正式环境
     四维看展-120.24.33.137 
     

+ 2 - 2
gis_application/src/main/resources/application.properties

@@ -1,5 +1,5 @@
-#server.port=8104
-server.port=2000
+server.port=8104
+#server.port=2000
 
 spring.profiles.active=dev
 

+ 11 - 0
gis_common/pom.xml

@@ -152,7 +152,18 @@
             <!--<artifactId>poi-ooxml</artifactId>-->
         <!--</dependency>-->
 
+        <!--  2026-04-13 修复渗透测试漏洞      -->
+        <dependency>
+            <groupId>org.mybatis</groupId>
+            <artifactId>mybatis</artifactId>
+            <version>3.5.6</version>
+        </dependency>
 
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-core</artifactId>
+            <version>5.2.20.RELEASE</version>
+        </dependency>
     </dependencies>
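Review bot: The two new dependencies hard-code `3.5.6` and `5.2.20.RELEASE` in the module pom, while the rest of the build keeps versions as properties in the root pom (`${shiro.version}`, `${fastjson.version}`); a spring-core that is newer than the spring-beans/spring-context/spring-web artifacts resolved elsewhere is an unsupported mix and can fail at runtime, so the override should be applied where all spring-* artifacts move together (the parent's `<dependencyManagement>`, or the `spring-framework.version` property if the project inherits from spring-boot-starter-parent — not visible here). The same applies to mybatis 3.5.6 if a mybatis starter manages that version; `mvn dependency:tree` on gis_common would confirm which artifacts actually change. The comment `2026-04-13 修复渗透测试漏洞` should name the finding or advisory being addressed so the pin can be revisited when the parent is upgraded.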
 
 

+ 136 - 0
gis_common/src/main/java/com/gis/common/util/RegexUtil.java

@@ -0,0 +1,136 @@
+package com.gis.common.util;
+
+import cn.hutool.core.util.StrUtil;
+import cn.hutool.extra.pinyin.PinyinUtil;
+import com.gis.common.exception.BaseRuntimeException;
+import lombok.extern.slf4j.Slf4j;
+import org.junit.Test;
+
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * Created by owen on 2021/11/18 0011 16:16
+ * 字符串过滤
+ */
+@Slf4j
+public class RegexUtil {
+
+    // 需要过滤的特殊字符
+//     String [] specialSql = {"%","or","=","and","truncate","delete","update","exec","'",";"};
+     static List<String> specialSql = Arrays.asList("%","or","=","and","truncate","delete","update","exec","'",";");
+
+     // 特殊符号
+     static List<String> symbol = Arrays.asList("%","=","'",";");
+
+
+
+    /** 处理特殊符号,变空值*/
+    public static String specificSymbol(String str){
+
+        String regEx = "[\\s`~!@#$%^&*()+=|{}':;\\[\\]<>/?·~!@#¥%……&*()——+|{}【】‘;:“”。,、?]";
+        return str.replaceAll(regEx, "");
+    }
+
+
+    /** 中文转拼音*/
+    public static String getPinyinName(String str){
+        // 去除特殊符号
+        String pinyinName = RegexUtil.specificSymbol(str);
+        pinyinName = PinyinUtil.getPinyin(pinyinName, "");
+        // 转小写
+        pinyinName =  pinyinName.toLowerCase();
+        return pinyinName;
+
+    }
+
+
+    /**防止sql注入*/
+    public static void regSql(String str){
+        String key = "and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+";
+        String[] split = StrUtil.split(key, "|");
+        List<String> list = Arrays.asList(split);
+        for (String s : list) {
+            if (str.toLowerCase().contains(s)){
+                String msg = "存在sql注入字符";
+                log.error(msg);
+                throw new BaseRuntimeException(msg);
+            }
+        }
+
+    }
+
+    /**
+     * sql 过滤特殊字符
+     * @param str
+     * @return
+     */
+    public static String sqlReplaceSpecialStr(String str){
+        str = StrUtil.trim(str);
+        str = str.toLowerCase();
+//        for (String s : specialSql) {
+//            if (str.contains(s)) {
+//                str = str.replaceAll(s, "");
+//            }
+//        }
+        return str;
+    }
+
+
+    public static String cutSpecial(String str){
+        log.info("input:{}", str);
+        String[] split = str.split("\\s+");
+        StringBuilder builder = new StringBuilder();
+        boolean flag = false;
+        int i = 0;
+        for (String s : split) {
+            if (i > 0){
+                builder.append(" ");
+            }
+            for (String sym : symbol) {
+                if (s.contains(sym)){
+                    log.warn("出现了特殊符号; input:{}, 特殊符号:{}", s, sym);
+                    flag = true;
+                    // 取出现特殊符号前的值查询
+                    s = StrUtil.subBefore(s, sym, true);
+                    break;
+                }
+            }
+
+            builder.append(s);
+            if (flag){
+                break;
+            }
+            i ++;
+
+        }
+        String out = builder.toString();
+        log.info("out:{}", out);
+        return out;
+    }
+
+
+
+
+
+
+    public static void main(String[] args) {
+        String str = "我·是 中—国(人), 你-在{干嘛}--哈—哈。 ddd.jpg";
+        System.out.println(specificSymbol(str));
+    }
+
+
+    @Test
+    public void test(){
+//        String regEx = "12,15,+ delete";
+//        regSql(regEx);
+        System.out.println("'".contains("Monk's"));
+        System.out.println("Monk's".contains("'"));
+
+
+}
+
+
+}
+
+
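Review bot: specificSymbol, the method GoodsProvider now applies before concatenating searchKey into a LIKE clause, is a character blocklist and not a reliable SQL-injection fix: the character class strips `'`, `%` and `;` but leaves `-`, `\` and `"` untouched, and any future caller that forgets to invoke it is unprotected. The durable fix is to bind the value in the mapper with `#{}` (see the GoodsProvider hunk) and keep specificSymbol for display/pinyin normalisation only. regSql has the same blocklist weakness and, because it tests `contains` on tokens such as `or`, `-` and `+`, would reject ordinary search terms like "color" or hyphenated names, so it should not be wired into request handling as written. Separately, `import org.junit.Test` and the `@Test` method put a JUnit dependency into a class under src/main; move `test()` and `main` to src/test and drop the import, and delete the unused `specialSql` field and the commented-out loop in sqlReplaceSpecialStr.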

+ 2 - 0
gis_mapper/src/main/java/com/gis/mapper/provider/GoodsProvider.java

@@ -1,5 +1,6 @@
 package com.gis.mapper.provider;
 
+import com.gis.common.util.RegexUtil;
 import com.gis.domain.request.GoodsPageRequest;
 import lombok.extern.log4j.Log4j2;
 import org.apache.commons.lang3.StringUtils;
@@ -19,6 +20,7 @@ public class GoodsProvider {
 
         String searchKey = param.getSearchKey();
         if(!StringUtils.isAllBlank(searchKey)){
+            searchKey = RegexUtil.specificSymbol(searchKey);
             sql.append(" and ( a.name like '%").append(searchKey).append("%' )");
 
         }
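Review bot: The new sanitizer call does not remove the root cause on the following line: searchKey is still spliced into the SQL text, so the query's safety depends on every caller remembering specificSymbol and on that blocklist being complete. A MyBatis provider can bind the value instead, e.g. `sql.append(" and a.name like concat('%', #{searchKey}, '%')");` (or `#{param.searchKey}` if the mapper method annotates the argument with @Param), after which the sanitizer call here becomes unnecessary. The enclosing method begins before this hunk.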

+ 4 - 2
pom.xml

@@ -35,11 +35,13 @@
         <druid.version>1.1.14</druid.version>
         <hutool.version>5.3.3</hutool.version>
         <lombok.version>1.18.2</lombok.version>
-        <fastjson.version>1.2.51</fastjson.version>
         <lang3.version>3.7</lang3.version>
         <knife4j.version>2.0.2</knife4j.version>
         <mysql.version>8.0.15</mysql.version>
-        <shiro.version>1.4.0</shiro.version>
+<!--        <fastjson.version>1.2.51</fastjson.version>-->
+        <!--        <shiro.version>1.4.0</shiro.version>-->
+        <shiro.version>1.7.1</shiro.version>
+        <fastjson.version>1.2.83</fastjson.version>
         <jwt.version>3.2.0</jwt.version>
         <jjwt.version>0.6.0</jjwt.version>
         <aliyun.core.version>4.0.3</aliyun.core.version>