joychou93 / java-sec-code
Java web common vulnerabilities and security code, based on Spring Boot and Spring Security
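%0d%0a is replaced with 20
Hello. In the file upload feature, after uploading any file under the /file/ directory, the code redirects to the /file/status page, but that page does not actually exist. Did you intend to redirect to a different page, is the page missing, or is there some other intent?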
Yes, I apply it in Java 11, and it still can not work. Can you help me?
Java 1.7/1.8 no CRLF vulns (test in Java 1.7/1.8)
Originally posted by @JoyChou93 in #34 (comment)
Public Key Retrieval is not allowed
Hi, there is a dependency **org.apache.tomcat.embed:tomcat-embed-core:8.5.11** that calls the risk method.
The scope of this CVE affected version is [9.0.0.M1, 9.0.30),[8.5.0,8.5.50),[,7.0.99)
After further analysis, in this project, the main Api called is org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 6
org.joychou.controller.Index: appInfo(javax.servlet.http.HttpServletRequest)Ljava.lang.String; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.connector.Request: getUserPrincipal()Ljava.security.Principal; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.connector.Request: logout() .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: logout(org.apache.catalina.connector.Request) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)
Dependency tree--
[INFO] sec:java-sec-code:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.1.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.1.RELEASE:compile
[INFO] | | \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.1.RELEASE:compile
[INFO] | | +- ch.qos.logback:logback-classic:jar:1.1.9:compile
[INFO] | | | \- ch.qos.logback:logback-core:jar:1.1.9:compile
[INFO] | | +- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] | | +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] | | \- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] | +- org.hibernate:hibernate-validator:jar:5.3.4.Final:compile
[INFO] | | +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] | | \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.6:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.8.6:compile
[INFO] | +- org.springframework:spring-web:jar:4.3.6.RELEASE:compile
[INFO] | \- org.springframework:spring-webmvc:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.1.RELEASE:compile
[INFO] | +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] | | \- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] | | +- ognl:ognl:jar:3.0.8:compile
[INFO] | | +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] | | \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] | \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] | \- org.codehaus.groovy:groovy:jar:2.4.7:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.12:compile
[INFO] | \- com.google.protobuf:protobuf-java:jar:2.6.0:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.24:compile
[INFO] +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] +- org.dom4j:dom4j:jar:2.1.0:compile
[INFO] | \- jaxen:jaxen:jar:1.1.6:compile
[INFO] +- com.google.guava:guava:jar:23.0:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- commons-collections:commons-collections:jar:3.1:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] | \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.3.6:compile
[INFO] | \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.9.1:compile
[INFO] +- com.squareup.okhttp:okhttp:jar:2.5.0:compile
[INFO] | \- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] | \- cglib:cglib:jar:2.2.2:compile
[INFO] | \- asm:asm:jar:3.3.1:compile
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] | \- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:1.5.1.RELEASE:compile
[INFO] | \- org.springframework.boot:spring-boot-actuator:jar:1.5.1.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:1.4.0.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter:jar:1.1.3.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-context:jar:1.1.3.RELEASE:compile
[INFO] | | | \- org.springframework.security:spring-security-crypto:jar:4.2.1.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-commons:jar:1.1.3.RELEASE:compile
[INFO] | | \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] | | \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] | | \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.2.0.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.2.0.RELEASE:compile
[INFO] | +- com.netflix.eureka:eureka-client:jar:1.4.11:compile
[INFO] | | +- org.codehaus.jettison:jettison:jar:1.3.7:runtime
[INFO] | | | \- stax:stax-api:jar:1.0.1:compile
[INFO] | | +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime
[INFO] | | | +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] | | | | +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] | | | | +- joda-time:joda-time:jar:2.9.7:runtime
[INFO] | | | | +- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] | | | | | +- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] | | | | | \- antlr:antlr:jar:2.7.7:runtime
[INFO] | | | | \- com.google.code.gson:gson:jar:2.8.0:runtime
[INFO] | | | \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] | | +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
[INFO] | | +- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] | | +- com.netflix.servo:servo-core:jar:0.10.1:runtime
[INFO] | | | \- com.netflix.servo:servo-internal:jar:0.10.1:runtime
[INFO] | | +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] | | +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] | | +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] | | +- com.google.inject:guice:jar:4.0:runtime
[INFO] | | | \- javax.inject:javax.inject:jar:1:runtime
[INFO] | | \- com.netflix.governator:governator-api:jar:1.12.10:runtime
[INFO] | +- com.netflix.eureka:eureka-core:jar:1.4.11:compile
[INFO] | | +- com.netflix.governator:governator:jar:1.12.10:runtime
[INFO] | | | +- com.netflix.governator:governator-core:jar:1.12.10:runtime
[INFO] | | | | +- com.google.inject.extensions:guice-multibindings:jar:4.0:runtime
[INFO] | | | | \- com.google.inject.extensions:guice-grapher:jar:4.0:runtime
[INFO] | | | | \- com.google.inject.extensions:guice-assistedinject:jar:4.0:runtime
[INFO] | | | \- org.ow2.asm:asm:jar:5.0.4:runtime
[INFO] | | \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime
[INFO] | | +- javax.xml.stream:stax-api:jar:1.0-2:runtime
[INFO] | | \- org.codehaus.woodstox:stax2-api:jar:3.1.4:runtime
[INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.0.RELEASE:compile
[INFO] | | \- commons-configuration:commons-configuration:jar:1.8:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.0.RELEASE:compile
[INFO] | | +- com.netflix.ribbon:ribbon:jar:2.2.0:compile
[INFO] | | | +- com.netflix.ribbon:ribbon-transport:jar:2.2.0:runtime
[INFO] | | | | +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] | | | | \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] | | | +- com.netflix.hystrix:hystrix-core:jar:1.5.5:runtime
[INFO] | | | | \- org.hdrhistogram:HdrHistogram:jar:2.1.9:runtime
[INFO] | | | \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] | | | +- io.netty:netty-codec-http:jar:4.0.27.Final:runtime
[INFO] | | | | +- io.netty:netty-codec:jar:4.0.27.Final:runtime
[INFO] | | | | \- io.netty:netty-handler:jar:4.0.27.Final:runtime
[INFO] | | | \- io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
[INFO] | | | +- io.netty:netty-common:jar:4.0.27.Final:runtime
[INFO] | | | +- io.netty:netty-buffer:jar:4.0.27.Final:runtime
[INFO] | | | \- io.netty:netty-transport:jar:4.0.27.Final:runtime
[INFO] | | +- com.netflix.ribbon:ribbon-core:jar:2.2.0:compile
[INFO] | | +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.0:compile
[INFO] | | | \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] | | +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.0:compile
[INFO] | | | \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] | | \- io.reactivex:rxjava:jar:1.1.10:compile
[INFO] | \- com.netflix.ribbon:ribbon-eureka:jar:2.2.0:compile
[INFO] +- com.fasterxml.uuid:java-uuid-generator:jar:3.1.4:compile
[INFO] +- org.springframework.security:spring-security-web:jar:4.2.12.RELEASE:compile
[INFO] | +- aopalliance:aopalliance:jar:1.0:compile
[INFO] | +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile
[INFO] | +- org.springframework:spring-beans:jar:4.3.6.RELEASE:compile
[INFO] | +- org.springframework:spring-context:jar:4.3.6.RELEASE:compile
[INFO] | +- org.springframework:spring-core:jar:4.3.6.RELEASE:compile
[INFO] | \- org.springframework:spring-expression:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.2.12.RELEASE:compile
[INFO] | \- org.springframework:spring-aop:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.5.RELEASE:compile
[INFO] +- commons-net:commons-net:jar:3.6:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.2:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat:tomcat-jdbc:jar:8.5.11:compile
[INFO] | | | \- org.apache.tomcat:tomcat-juli:jar:8.5.11:compile
[INFO] | | \- org.springframework:spring-jdbc:jar:4.3.6.RELEASE:compile
[INFO] | | \- org.springframework:spring-tx:jar:4.3.6.RELEASE:compile
[INFO] | +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.2:compile
[INFO] | +- org.mybatis:mybatis:jar:3.4.6:compile
[INFO] | \- org.mybatis:mybatis-spring:jar:1.3.2:compile
[INFO] +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] | +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] | \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.apache.poi:poi:jar:3.10-FINAL:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] | +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] | | \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] | \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- com.monitorjbl:xlsx-streamer:jar:2.0.0:compile
[INFO] | +- com.rackspace.apache:xerces2-xsd11:jar:2.11.1:compile
[INFO] | | +- com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:jar:2.1.100:compile
[INFO] | | | +- edu.princeton.cup:java-cup:jar:10k:compile
[INFO] | | | \- com.ibm.icu:icu4j:jar:4.6:compile
[INFO] | | \- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] | +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] +- org.jsoup:jsoup:jar:1.10.2:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] | \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.9.2:compile
[INFO] | +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] | +- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] | +- io.springfox:springfox-spi:jar:2.9.2:compile
[INFO] | | \- io.springfox:springfox-core:jar:2.9.2:compile
[INFO] | | \- net.bytebuddy:byte-buddy:jar:1.8.12:compile
[INFO] | +- io.springfox:springfox-schema:jar:2.9.2:compile
[INFO] | +- io.springfox:springfox-swagger-common:jar:2.9.2:compile
[INFO] | +- io.springfox:springfox-spring-web:jar:2.9.2:compile
[INFO] | +- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] | +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] | +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] | \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.9.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.16:provided
[INFO] +- org.yaml:snakeyaml:jar:1.21:compile
[INFO] +- org.springframework:spring-test:jar:4.3.6.RELEASE:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.1:compile
[INFO] \- com.auth0:java-jwt:jar:4.0.0:compile
Suggested solutions:
Update dependency version
Thank you very much.
Hi, there is a dependency **org.jolokia:jolokia-core:1.6.0** that calls the risk method.
The scope of this CVE affected version is [1.2.0,1.6.1)
After further analysis, in this project, the main Api called is org.jolokia.http.AgentServlet: doOptions(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 10
org.joychou.controller.URLRedirect: forward(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: forward(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: doForward(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: processRequest(javax.servlet.ServletRequest,javax.servlet.ServletResponse,org.apache.catalina.core.ApplicationDispatcher$State) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationDispatcher: invoke(javax.servlet.ServletRequest,javax.servlet.ServletResponse,org.apache.catalina.core.ApplicationDispatcher$State) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationFilterChain: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.core.ApplicationFilterChain: internalDoFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
javax.servlet.http.HttpServlet: service(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
javax.servlet.http.HttpServlet: service(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.jolokia.http.AgentServlet: doOptions(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)
Suggested solutions:
Update dependency version
Thank you very much.
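The two dependency reports above give affected-version ranges in Maven interval notation and a resolved dependency tree. The following is an added example, not code from the project or from the reporter, that checks resolved versions against those ranges and reports the first version outside the matching interval. The function names are hypothetical, the tree lines are an excerpt of the output quoted on this page, and the version ordering is a simplified stand-in for Maven's own comparison.

```python
import re
from itertools import zip_longest

# Pre-release qualifiers sort before the plain release (simplified from Maven's ordering).
# Assumption: any other qualifier (RELEASE, Final, GA, ...) is treated as a plain release.
_PRE_RELEASE = {"alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3,
                "rc": 4, "cr": 4, "snapshot": 5}
_RELEASE = (6, 0)  # padding token, so "9.0.0" sorts after "9.0.0.M1" and "1.0" == "1"

# One interval such as "[8.5.0,8.5.50)" or "[,7.0.99)"; an empty bound is unbounded.
_INTERVAL = re.compile(r"([\[(])\s*([^,\[\]()]*?)\s*,\s*([^,\[\]()]*?)\s*([\])])")
# group:artifact:jar:version:scope at the end of a `mvn dependency:tree` line.
_COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([^:\s]+):(\w+)\s*$")


def version_key(version):
    """Split a version into comparable (rank, number) tokens."""
    key = []
    for token in re.findall(r"\d+|[a-z]+", version.lower()):
        if token.isdigit():
            key.append((6, int(token)))
        else:
            key.append((_PRE_RELEASE.get(token, 6), 0))
    return key


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b."""
    for x, y in zip_longest(version_key(a), version_key(b), fillvalue=_RELEASE):
        if x != y:
            return -1 if x < y else 1
    return 0


def parse_ranges(spec):
    """Parse "[a,b),[c,d)" into (low, low_inclusive, high, high_inclusive) tuples."""
    return [(low or None, open_b == "[", high or None, close_b == "]")
            for open_b, low, high, close_b in _INTERVAL.findall(spec)]


def matching_interval(version, spec):
    """Return the interval of spec that contains version, or None."""
    for low, low_inc, high, high_inc in parse_ranges(spec):
        if low is not None:
            c = compare_versions(version, low)
            if c < 0 or (c == 0 and not low_inc):
                continue
        if high is not None:
            c = compare_versions(version, high)
            if c > 0 or (c == 0 and not high_inc):
                continue
        return (low, low_inc, high, high_inc)
    return None


def is_affected(version, spec):
    return matching_interval(version, spec) is not None


def resolved_versions(tree_text):
    """Map group:artifact to the version resolved in dependency:tree output."""
    versions = {}
    for line in tree_text.splitlines():
        m = _COORD.search(line)
        if m:
            versions[f"{m.group(1)}:{m.group(2)}"] = m.group(3)
    return versions


def audit(tree_text, advisories):
    """Return (coordinate, resolved_version, first_unaffected) for each affected artifact."""
    findings = []
    versions = resolved_versions(tree_text)
    for coord, spec in advisories.items():
        version = versions.get(coord)
        hit = matching_interval(version, spec) if version else None
        if hit:
            _, _, high, high_inc = hit
            # An exclusive upper bound is the lowest version outside the interval.
            findings.append((coord, version, high if high and not high_inc else None))
    return findings


# Affected ranges exactly as stated in the two reports above.
ADVISORIES = {
    "org.apache.tomcat.embed:tomcat-embed-core": "[9.0.0.M1, 9.0.30),[8.5.0,8.5.50),[,7.0.99)",
    "org.jolokia:jolokia-core": "[1.2.0,1.6.1)",
}

# Excerpt of the dependency tree quoted in the reports.
TREE_EXCERPT = """\
[INFO] sec:java-sec-code:jar:1.0.0
[INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] | \\- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
"""

if __name__ == "__main__":
    for coord, version, first_unaffected in audit(TREE_EXCERPT, ADVISORIES):
        print(f"{coord} {version} is in an affected range; first version outside it: {first_unaffected}")
```
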
Apologies!
I accidentally edited the pom.xml in the master and not in my fork!
Please ignore.
I have fixed my code to respect the beautiful ZH characters in the pom.xml, so no need to make any changes.
Best regards.
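Bro, about this project: is it that I don't know how to configure it, or what? It's just strange.
Is logging in mandatory? Otherwise it just stays on the login page.
But I tried both your online address and Docker, and admin can't log in on either, so it's unusable. I looked at the source code and the login function is empty; I don't quite understand.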
Add the xsrf-token value to the X-CSRF-TOKEN request header field and submit the form. /swagger-ui.html requires login; if it can be accessed successfully with redirects disabled, the token is valid.

```python
# coding:utf-8
import os
import re
from urllib.parse import urlencode

import requests

try:
    from lib.web_sdk.logger import Log
    logging = Log(log_flag='java_code_sec')
except Exception:
    # Fall back to the standard library logger when the custom one is unavailable.
    import logging

# `warn` is a deprecated alias of `warning` in the standard library; prefer `warning` when present.
log_warn = getattr(logging, 'warning', None) or logging.warn

default_header = {
    "User-Agent": "DEFAULT-SecurityLab-Tool-FOR-JAVA-SEC"
}

DATA_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'data')
if not os.path.exists(DATA_DIR):
    os.makedirs(DATA_DIR)
cookie_save_path = os.path.join(DATA_DIR, 'cookie.txt')


def get_cookie_token(login_url='http://10.27.106.240/login'):
    # Fetch the login page to obtain the pre-login cookies (including XSRF-TOKEN).
    headers = {}
    res = requests.get(login_url, headers=headers)
    cookie = ';'.join('='.join(item) for item in res.cookies.items())
    # user_token = re.findall("name='user_token' value='(\w+)' />", res.text)[0]
    csrf_token = res.headers
    return cookie, csrf_token


def get_javacodesec_cookie(
        host_root_dir='http://10.27.106.240',
        username='admin',
        password='admin123',
        write_local=True):
    login_url = host_root_dir + '/login'
    _cookie, xsrf_token = get_cookie_token(login_url=login_url)
    # NOTE: the login is validated against the X-XSRF-TOKEN header, not the XSRF-TOKEN header.
    # re.search is used because XSRF-TOKEN is not necessarily the first cookie in the string.
    token_match = re.search('XSRF-TOKEN=([0-9a-z-]+)', str(_cookie))
    if token_match is None:
        raise RuntimeError('XSRF-TOKEN cookie not found in the login response')
    headers = {
        'Cookie': _cookie,
        'X-XSRF-TOKEN': token_match.group(1),
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    values = {
        'username': username,
        'password': password,
        'remember-me': 'false'
    }
    response = requests.post(login_url, data=urlencode(values), headers=headers)
    cookie = ';'.join('='.join(item) for item in response.cookies.items())
    # NOTE: after a successful login, the re-issued token is used for all following operations.
    if write_local:
        FileManager(path=cookie_save_path).write(cookie)
    return cookie


class FileManager:
    def __init__(self, path):
        self.path = path

    def read(self):
        with open(self.path, 'rb') as f:
            return f.read().decode()

    def write(self, s: str):
        with open(self.path, 'wb') as f:
            f.write(s.encode())


def load_cookie_from_local():
    return FileManager(path=cookie_save_path).read()


def valid_cookie(host_root_dir='http://10.27.106.240', url='/swagger-ui.html'):
    # Strip a trailing slash so host + url does not produce a double slash.
    host_root_dir = host_root_dir.rstrip('/')
    if os.path.exists(cookie_save_path):
        current_cookie = load_cookie_from_local()
        headers = dict(default_header, **{"Cookie": current_cookie})
        # Redirects are disabled: a 200 means the saved cookie is still accepted.
        response = requests.get(url=host_root_dir + url, allow_redirects=False, headers=headers)
        if response.status_code != 200:
            log_warn('重新校验 - 失效')  # re-validation: cookie expired
            return get_javacodesec_cookie(host_root_dir=host_root_dir)
        log_warn('校验通过- Cookie 有效')  # validation passed: cookie is valid
        return current_cookie
    else:
        log_warn('校验 - 首次获取')  # validation: first-time fetch
        return get_javacodesec_cookie(host_root_dir=host_root_dir)


def get_cookie_headers(host_root_dir='http://10.27.106.240/'):
    cookie = valid_cookie(host_root_dir=host_root_dir)
    return dict(default_header, **{"Cookie": cookie})


if __name__ == '__main__':
    valid_cookie()
```
It should be http://localhost:8080/sqli/jdbc/vuln?username=joychou
Source code:

```java
/**
 * Vuln Code.
 * http://localhost:8080/sqli/jdbc/vul?username=joychou
 *
 * @param username username
 */
@RequestMapping("/jdbc/vuln")
```
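Currently, every GET request that carries a callback parameter goes through the Referer check.
For example, http://localhost:8080/index?callback=123
Add another layer of checking to determine whether the request really returns JSONP format.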
Please consider upgrading lombok from version 1.18.16 to version 1.18.20
I get a compiler error:
"Fatal error compiling: java.lang.IllegalAccessError: class lombok.javac.apt.LombokProcessor (in unnamed module @0x3816efab) cannot access class com.sun.tools.javac.processing.JavacProcessingEnvironment (in module jdk.compiler) because module jdk.compiler does not export com.sun.tools.javac.processing to unnamed module @0x3816efab"
/HttpURLConnection
Request: http://localhost:8080/ssrf/HttpURLConnection?url=file:///etc/passwd
This throws an exception: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection cannot be cast to java.net.HttpURLConnection
I modified the code by adding:
URL u = new URL(null,url,new sun.net.www.protocol.file.Handler());
It still throws an error; could the author please give me some pointers?
When deployed standalone in Tomcat, there are cases where the value obtained via @Value is null.
Please consider using some account other than 'root', such as 'joychou'. I use MySQL to support a number of services.
The following are commands I use to create the environment to support running JavaSecCode. This list may not be complete.
```sql
-- Host: localhost    Database: java_sec_code
-- Server version 5.7.31-0ubuntu0.18.04.1

USE mysql;
DROP USER IF EXISTS `joychou`@`localhost`;
CREATE USER 'joychou'@'localhost' IDENTIFIED BY 'woshishujukumima';
GRANT ALL PRIVILEGES ON *.* TO 'joychou'@'localhost' IDENTIFIED BY 'woshishujukumima';

DROP DATABASE IF EXISTS java_sec_code;
CREATE DATABASE java_sec_code;
USE java_sec_code;

-- users
DROP TABLE IF EXISTS java_sec_code.`users`;
CREATE TABLE `users` (
  `id` int(11) NOT NULL,
  `username` varchar(16) NOT NULL,
  `password` varchar(32) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

-- users
LOCK TABLES `users` WRITE;
INSERT INTO `users` VALUES (1,'joychou','password');
UNLOCK TABLES;
```
Hi, there is a dependency **org.apache.httpcomponents:httpclient:4.5.12** that calls the risk method.
The scope of this CVE affected version is [,4.5.13)
After further analysis, in this project, the main Api called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
org.joychou.util.HttpUtils: httpClient(java.lang.String)Ljava.lang.String; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.impl.client.CloseableHttpClient: determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;
Dependency tree--
[INFO] sec:java-sec-code:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.1.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.1.RELEASE:compile
[INFO] | | \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.1.RELEASE:compile
[INFO] | | +- ch.qos.logback:logback-classic:jar:1.1.9:compile
[INFO] | | | \- ch.qos.logback:logback-core:jar:1.1.9:compile
[INFO] | | +- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] | | +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] | | \- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] | +- org.hibernate:hibernate-validator:jar:5.3.4.Final:compile
[INFO] | | +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] | | \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.6:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.8.6:compile
[INFO] | +- org.springframework:spring-web:jar:4.3.6.RELEASE:compile
[INFO] | \- org.springframework:spring-webmvc:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.1.RELEASE:compile
[INFO] | +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] | | \- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] | | +- ognl:ognl:jar:3.0.8:compile
[INFO] | | +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] | | \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] | \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] | \- org.codehaus.groovy:groovy:jar:2.4.7:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.12:compile
[INFO] | \- com.google.protobuf:protobuf-java:jar:2.6.0:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.24:compile
[INFO] +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] +- org.dom4j:dom4j:jar:2.1.0:compile
[INFO] | \- jaxen:jaxen:jar:1.1.6:compile
[INFO] +- com.google.guava:guava:jar:23.0:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- commons-collections:commons-collections:jar:3.1:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] | \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.3.6:compile
[INFO] | \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.9.1:compile
[INFO] +- com.squareup.okhttp:okhttp:jar:2.5.0:compile
[INFO] | \- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] | \- cglib:cglib:jar:2.2.2:compile
[INFO] | \- asm:asm:jar:3.3.1:compile
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] | \- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:1.5.1.RELEASE:compile
[INFO] | \- org.springframework.boot:spring-boot-actuator:jar:1.5.1.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:1.4.0.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter:jar:1.1.3.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-context:jar:1.1.3.RELEASE:compile
[INFO] | | | \- org.springframework.security:spring-security-crypto:jar:4.2.1.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-commons:jar:1.1.3.RELEASE:compile
[INFO] | | \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] | | \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] | | \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.2.0.RELEASE:compile
[INFO] | +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.2.0.RELEASE:compile
[INFO] | +- com.netflix.eureka:eureka-client:jar:1.4.11:compile
[INFO] | | +- org.codehaus.jettison:jettison:jar:1.3.7:runtime
[INFO] | | | \- stax:stax-api:jar:1.0.1:compile
[INFO] | | +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime
[INFO] | | | +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] | | | | +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] | | | | +- joda-time:joda-time:jar:2.9.7:runtime
[INFO] | | | | +- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] | | | | | +- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] | | | | | \- antlr:antlr:jar:2.7.7:runtime
[INFO] | | | | \- com.google.code.gson:gson:jar:2.8.0:runtime
[INFO] | | | \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] | | +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
[INFO] | | +- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] | | +- com.netflix.servo:servo-core:jar:0.10.1:runtime
[INFO] | | | \- com.netflix.servo:servo-internal:jar:0.10.1:runtime
[INFO] | | +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] | | +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] | | +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] | | +- com.google.inject:guice:jar:4.0:runtime
[INFO] | | | \- javax.inject:javax.inject:jar:1:runtime
[INFO] | | \- com.netflix.governator:governator-api:jar:1.12.10:runtime
[INFO] | +- com.netflix.eureka:eureka-core:jar:1.4.11:compile
[INFO] | | +- com.netflix.governator:governator:jar:1.12.10:runtime
[INFO] | | | +- com.netflix.governator:governator-core:jar:1.12.10:runtime
[INFO] | | | | +- com.google.inject.extensions:guice-multibindings:jar:4.0:runtime
[INFO] | | | | \- com.google.inject.extensions:guice-grapher:jar:4.0:runtime
[INFO] | | | | \- com.google.inject.extensions:guice-assistedinject:jar:4.0:runtime
[INFO] | | | \- org.ow2.asm:asm:jar:5.0.4:runtime
[INFO] | | \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime
[INFO] | | +- javax.xml.stream:stax-api:jar:1.0-2:runtime
[INFO] | | \- org.codehaus.woodstox:stax2-api:jar:3.1.4:runtime
[INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.0.RELEASE:compile
[INFO] | | \- commons-configuration:commons-configuration:jar:1.8:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.0.RELEASE:compile
[INFO] | | +- com.netflix.ribbon:ribbon:jar:2.2.0:compile
[INFO] | | | +- com.netflix.ribbon:ribbon-transport:jar:2.2.0:runtime
[INFO] | | | | +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] | | | | \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] | | | +- com.netflix.hystrix:hystrix-core:jar:1.5.5:runtime
[INFO] | | | | \- org.hdrhistogram:HdrHistogram:jar:2.1.9:runtime
[INFO] | | | \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] | | | +- io.netty:netty-codec-http:jar:4.0.27.Final:runtime
[INFO] | | | | +- io.netty:netty-codec:jar:4.0.27.Final:runtime
[INFO] | | | | \- io.netty:netty-handler:jar:4.0.27.Final:runtime
[INFO] | | | \- io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
[INFO] | | | +- io.netty:netty-common:jar:4.0.27.Final:runtime
[INFO] | | | +- io.netty:netty-buffer:jar:4.0.27.Final:runtime
[INFO] | | | \- io.netty:netty-transport:jar:4.0.27.Final:runtime
[INFO] | | +- com.netflix.ribbon:ribbon-core:jar:2.2.0:compile
[INFO] | | +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.0:compile
[INFO] | | | \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] | | +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.0:compile
[INFO] | | | \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] | | \- io.reactivex:rxjava:jar:1.1.10:compile
[INFO] | \- com.netflix.ribbon:ribbon-eureka:jar:2.2.0:compile
[INFO] +- com.fasterxml.uuid:java-uuid-generator:jar:3.1.4:compile
[INFO] +- org.springframework.security:spring-security-web:jar:4.2.12.RELEASE:compile
[INFO] | +- aopalliance:aopalliance:jar:1.0:compile
[INFO] | +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile
[INFO] | +- org.springframework:spring-beans:jar:4.3.6.RELEASE:compile
[INFO] | +- org.springframework:spring-context:jar:4.3.6.RELEASE:compile
[INFO] | +- org.springframework:spring-core:jar:4.3.6.RELEASE:compile
[INFO] | \- org.springframework:spring-expression:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.2.12.RELEASE:compile
[INFO] | \- org.springframework:spring-aop:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.5.RELEASE:compile
[INFO] +- commons-net:commons-net:jar:3.6:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.2:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.1.RELEASE:compile
[INFO] | | +- org.apache.tomcat:tomcat-jdbc:jar:8.5.11:compile
[INFO] | | | \- org.apache.tomcat:tomcat-juli:jar:8.5.11:compile
[INFO] | | \- org.springframework:spring-jdbc:jar:4.3.6.RELEASE:compile
[INFO] | | \- org.springframework:spring-tx:jar:4.3.6.RELEASE:compile
[INFO] | +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.2:compile
[INFO] | +- org.mybatis:mybatis:jar:3.4.6:compile
[INFO] | \- org.mybatis:mybatis-spring:jar:1.3.2:compile
[INFO] +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] | +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] | \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.apache.poi:poi:jar:3.10-FINAL:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] | +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] | | \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] | \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- com.monitorjbl:xlsx-streamer:jar:2.0.0:compile
[INFO] | +- com.rackspace.apache:xerces2-xsd11:jar:2.11.1:compile
[INFO] | | +- com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:jar:2.1.100:compile
[INFO] | | | +- edu.princeton.cup:java-cup:jar:10k:compile
[INFO] | | | \- com.ibm.icu:icu4j:jar:4.6:compile
[INFO] | | \- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] | +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] +- org.jsoup:jsoup:jar:1.10.2:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] | \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.9.2:compile
[INFO] | +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] | +- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] | +- io.springfox:springfox-spi:jar:2.9.2:compile
[INFO] | | \- io.springfox:springfox-core:jar:2.9.2:compile
[INFO] | | \- net.bytebuddy:byte-buddy:jar:1.8.12:compile
[INFO] | +- io.springfox:springfox-schema:jar:2.9.2:compile
[INFO] | +- io.springfox:springfox-swagger-common:jar:2.9.2:compile
[INFO] | +- io.springfox:springfox-spring-web:jar:2.9.2:compile
[INFO] | +- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] | +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] | +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] | \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.9.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.16:provided
[INFO] +- org.yaml:snakeyaml:jar:1.21:compile
[INFO] +- org.springframework:spring-test:jar:4.3.6.RELEASE:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.1:compile
[INFO] \- com.auth0:java-jwt:jar:4.0.0:compile
Suggested solutions:
Update dependency version
Thank you very much.
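The report above gives the affected range in Maven interval notation (`[,4.5.13)`) alongside a `mvn dependency:tree` dump. As an added example (not code from the project or from the reporter), this Python check parses that notation and flags matching tree lines; the function names are hypothetical, the sample lines are an excerpt of the tree above, and version ordering is simplified to the leading numeric components (qualifiers such as `.RELEASE` are ignored).

```python
import re

# Excerpt of the dependency tree in the report above, embedded so the check runs offline.
SAMPLE_TREE = """\
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] | \\- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.3.6:compile
"""

# Affected range exactly as stated in the report, keyed by group:artifact.
AFFECTED = {"org.apache.httpcomponents:httpclient": "[,4.5.13)"}

# One Maven interval: "[a,b)", "(a,]", "[,b]" or the exact pin "[a]".
INTERVAL = re.compile(r"([\[(])\s*([^,\[\]()]*?)\s*(?:(,)\s*([^,\[\]()]*?)\s*)?([\])])")
# One tree line: tree-drawing prefix, then group:artifact:packaging:version:scope.
COORD = re.compile(r"^\[INFO\][ |+\\-]*([\w.\-]+):([\w.\-]+):(\w+):([^:\s]+):(\w+)\s*$")


def vkey(version):
    """Sort key from the leading dotted numbers only (assumption: simplified ordering)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    nums = [int(n) for n in m.group(0).split(".")] if m else []
    while nums and nums[-1] == 0:      # so that 2.0 and 2 compare equal
        nums.pop()
    return tuple(nums)


def in_range(version, spec):
    """True if version falls inside any interval of a Maven range spec."""
    v = vkey(version)
    for lo_br, lo, comma, hi, hi_br in INTERVAL.findall(spec):
        if not comma:                  # "[1.0]" pins exactly one version
            hi = lo
        if lo and (v < vkey(lo) or (v == vkey(lo) and lo_br == "(")):
            continue                   # below the lower bound
        if hi and (v > vkey(hi) or (v == vkey(hi) and hi_br == ")")):
            continue                   # above the upper bound
        return True
    return False


def flag_affected(tree_text, affected):
    """Return (coordinate, version, scope) for every tree line inside an affected range."""
    hits = []
    for line in tree_text.splitlines():
        m = COORD.match(line)
        if not m:
            continue                   # root line, banners, classifier coordinates
        group, artifact, _packaging, version, scope = m.groups()
        spec = affected.get(f"{group}:{artifact}")
        if spec and in_range(version, spec):
            hits.append((f"{group}:{artifact}", version, scope))
    return hits


if __name__ == "__main__":
    for coordinate, version, scope in flag_affected(SAMPLE_TREE, AFFECTED):
        print(f"{coordinate} {version} ({scope}) is inside {AFFECTED[coordinate]}")
```

The upper bound `)` is exclusive, so 4.5.13 itself is not flagged, which matches the report's suggested fix of updating the dependency version.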
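org.springframework.context.ApplicationContextException: Unable to start EmbeddedWebApplicationContext due to missing EmbeddedServletContainerFactory bean. For this error, I tried several approaches and none of them worked.
Consider hooking TCP and, once the IP is obtained, checking it against an IP blacklist. todo
Hello, I'd like to ask what the intent of the Cookies part of the code is. I've thought it over and still can't figure it out = =. I hope you can give me some pointers.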