升级fastjson到最新版2.0.39

2023-08-15 12:24:16 +08:00 · 2023-08-15 12:24:16 +08:00 · 1665fa2793
parent df8d6bcd33
commit 1665fa2793
4 changed files with 16 additions and 3 deletions
--- a/pom.xml
+++ b/pom.xml
@ -30,7 +30,7 @@
        <dynamic-ds.version>3.5.2</dynamic-ds.version>
        <commons.io.version>2.13.0</commons.io.version>
        <velocity.version>2.3</velocity.version>
-        <fastjson.version>2.0.34</fastjson.version>
+        <fastjson.version>2.0.39</fastjson.version>
        <jjwt.version>0.9.1</jjwt.version>
        <minio.version>8.2.2</minio.version>
        <poi.version>4.1.2</poi.version>
--- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java
@ -117,6 +117,11 @@ public class Constants
     */
    public static final String RESOURCE_PREFIX = "/profile";

+    /**
+     * 自动识别json对象白名单配置（仅允许解析的包名，范围越小越安全）
+     */
+    public static final String[] JSON_WHITELIST_STR = { "org.springframework", "com.ruoyi" };
+
    /**
     * 定时任务白名单配置（仅允许访问的包名，如其他需要可以自行添加）
     */
--- a/ruoyi-common/ruoyi-common-redis/src/main/java/com/ruoyi/common/redis/configure/FastJson2JsonRedisSerializer.java
+++ b/ruoyi-common/ruoyi-common-redis/src/main/java/com/ruoyi/common/redis/configure/FastJson2JsonRedisSerializer.java
@ -6,6 +6,8 @@ import org.springframework.data.redis.serializer.SerializationException;
 import com.alibaba.fastjson2.JSON;
 import com.alibaba.fastjson2.JSONReader;
 import com.alibaba.fastjson2.JSONWriter;
+import com.alibaba.fastjson2.filter.Filter;
+import com.ruoyi.common.core.constant.Constants;

 /**
 * Redis使用FastJson序列化
@ -16,8 +18,9 @@ public class FastJson2JsonRedisSerializer<T> implements RedisSerializer<T>
 {
    public static final Charset DEFAULT_CHARSET = Charset.forName("UTF-8");

-    private Class<T> clazz;
+    static final Filter AUTO_TYPE_FILTER = JSONReader.autoTypeFilter(Constants.JSON_WHITELIST_STR);

+    private Class<T> clazz;

    public FastJson2JsonRedisSerializer(Class<T> clazz)
    {
@ -44,6 +47,6 @@ public class FastJson2JsonRedisSerializer<T> implements RedisSerializer<T>
        }
        String str = new String(bytes, DEFAULT_CHARSET);

-        return JSON.parseObject(str, clazz, JSONReader.Feature.SupportAutoType);
+        return JSON.parseObject(str, clazz, AUTO_TYPE_FILTER);
    }
 }
--- a/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/service/TokenService.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/service/TokenService.java
@ -4,6 +4,8 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 import javax.servlet.http.HttpServletRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import com.ruoyi.common.core.constant.CacheConstants;
@ -25,6 +27,8 @@ import com.ruoyi.system.api.model.LoginUser;
@Component
 public class TokenService
 {
+    private static final Logger log = LoggerFactory.getLogger(TokenService.class);
+
    @Autowired
    private RedisService redisService;

@ -106,6 +110,7 @@ public class TokenService
        }
        catch (Exception e)
        {
+            log.error("获取用户信息异常'{}'", e.getMessage());
        }
        return user;
    }