@cccfeng
Owner

@cccfeng cccfeng commented Jun 30, 2025

hello body??

cccfeng and others added 2 commits March 16, 2025 14:50
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@coderabbitai

coderabbitai bot commented Jun 30, 2025

Summary by CodeRabbit

  • New features
    • Added three REST endpoints that execute shell commands based on user input or HTTP headers and return the command output.
    • Some of the endpoints apply security filtering or allowlist validation to their input parameters.

Walkthrough

This change adds a Spring Boot REST controller named CommandInject with three GET endpoints that execute shell commands built from user input or HTTP header parameters and return the command output. The code includes security measures such as input filtering, allowlist validation and logging.

Changes

File/Group | Change summary
src/main/java/org/joychou/controller/CommandInject2.java | Adds the CommandInject controller class with three GET endpoints that execute shell commands, covering input filtering, allowlist validation and logging.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant CommandInject
    participant SecurityUtil
    participant WebUtils
    participant Shell

    Client->>CommandInject: GET /codeinject?filepath=xxx
    CommandInject->>Shell: run ls -la <filepath>
    Shell-->>CommandInject: command output
    CommandInject->>WebUtils: convertStreamToString
    WebUtils-->>CommandInject: string
    CommandInject-->>Client: command output

    Client->>CommandInject: GET /codeinject/host (Host header)
    CommandInject->>SecurityUtil: hostFilter(Host)
    SecurityUtil-->>CommandInject: filter result
    alt Host allowed
        CommandInject->>Shell: run curl <Host>
        Shell-->>CommandInject: command output
        CommandInject->>WebUtils: convertStreamToString
        WebUtils-->>CommandInject: string
        CommandInject-->>Client: command output
    else Host rejected
        CommandInject-->>Client: throws exception
    end

    Client->>CommandInject: GET /codeinject/sec?filepath=xxx
    CommandInject->>SecurityUtil: cmdFilter(filepath)
    SecurityUtil-->>CommandInject: filter result
    alt filter passed
        CommandInject->>Shell: run ls -la <filteredFilePath>
        Shell-->>CommandInject: command output
        CommandInject->>WebUtils: convertStreamToString
        WebUtils-->>CommandInject: string
        CommandInject-->>Client: command output
    else filter failed
        CommandInject-->>Client: returns "Bad boy. I got u."
    end

Poem

🐇
A new controller, commands leap forth,
Input needs care, filtering is a must.
A host allowlist keeps things safe,
Output flows like water, logs kept in mind.
When the code changes, the rabbit laughs too!


@sonarqubecloud

Quality Gate failed

Failed conditions
69.6% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🧹 Nitpick comments (1)
src/main/java/org/joychou/controller/CommandInject2.java (1)

13-68: Architectural security recommendation

Every method in this controller executes system commands, a design pattern that carries fundamental security risk. Judging by the method names and comments, this appears to be code for demonstrating command injection vulnerabilities.

Recommendations:

  1. Disable in production: if this is demo code, make sure it is never deployed to a production environment
  2. Use Java APIs: replace system commands with native Java APIs wherever possible
  3. Principle of least privilege: if commands must be executed, run the application under a restricted user account
  4. Add authentication and authorization: put strict access control on these endpoints
  5. Audit logging: record the details of every command execution request

If similar functionality is needed in production, redesign the architecture to avoid executing system commands directly.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4711f4e and 138578b.

📒 Files selected for processing (1)
  • src/main/java/org/joychou/controller/CommandInject2.java (1 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
src/main/java/org/joychou/controller/CommandInject2.java (2)
src/main/java/org/joychou/security/SecurityUtil.java (1)
  • SecurityUtil (18-253)
src/main/java/org/joychou/util/WebUtils.java (1)
  • WebUtils (10-51)
🔇 Additional comments (1)
src/main/java/org/joychou/controller/CommandInject2.java (1)

39-54: Note: the concrete implementation of hostFilter could not be located; please verify its safety manually

Based on the current inspection, the codeInjectHost method still has security concerns:

  • The Host request header can be forged, and it cannot be verified whether the filtering logic is complete
  • Directly concatenating and executing a curl command carries SSRF risk and internal network probing risk

Recommendations:

  • Avoid executing system commands based on user input
  • Use a native Java HTTP client (such as HttpClient) instead of curl
  • Define and strictly maintain an allowlist of target hosts
  • Manually review the SecurityUtil.hostFilter implementation to ensure it only allows legitimate domains or IPs
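One way to implement the second and third recommendations above, written as an added example rather than code from this PR or from SecurityUtil: an exact-match host allowlist (the entries are constructed) and java.net.http.HttpClient in place of a `curl` process.

```java
// Added example, not code from the PR: the Host header is checked against a fixed
// allowlist and the request is sent with java.net.http.HttpClient, so no shell is involved.
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.Set;

public final class HostAllowlistFetcher {
    // Constructed allowlist: only these exact host names may be contacted.
    private static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    private static final HttpClient CLIENT = HttpClient.newBuilder()
            .followRedirects(HttpClient.Redirect.NEVER) // a redirect could otherwise point at an internal address
            .connectTimeout(Duration.ofSeconds(5))
            .build();

    /** Returns the normalized host if it is on the allowlist, otherwise throws. */
    static String checkHost(String hostHeader) {
        if (hostHeader == null) throw new IllegalArgumentException("missing Host header");
        // Strip an optional port, lower-case, then compare exactly: no substring or regex matching.
        // (A bracketed IPv6 literal such as "[::1]:8080" is cut at its first colon and so is rejected.)
        String host = hostHeader.trim().toLowerCase();
        int colon = host.indexOf(':');
        if (colon >= 0) host = host.substring(0, colon);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        return host;
    }

    /** Fetches "/" from the allowlisted host; the host is a URI component, never a command-line token. */
    static String fetch(String hostHeader) throws Exception {
        String host = checkHost(hostHeader);
        HttpRequest req = HttpRequest.newBuilder(new URI("https", host, "/", null))
                .timeout(Duration.ofSeconds(10))
                .GET()
                .build();
        HttpResponse<String> resp = CLIENT.send(req, HttpResponse.BodyHandlers.ofString());
        return resp.body();
    }

    public static void main(String[] args) {
        System.out.println(checkHost("WWW.Example.com:8443")); // www.example.com
        try {
            checkHost("www.example.com.test"); // a lookalike that is not on the list
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```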

Comment on lines +1 to +14
package org.joychou.controller;

import org.joychou.security.SecurityUtil;
import org.joychou.util.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

@RestController
public class CommandInject {

⚠️ Potential issue

File name and class name do not match

The file is named CommandInject2.java but the class is named CommandInject. This will cause a compilation error.

-public class CommandInject {
+public class CommandInject2 {
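Review bot: the rename fixes the compile error but not the duplication the quality gate flags (69.6% duplicated new code), and if another controller in the project already registers the same @GetMapping paths (/codeinject, /codeinject/host, /codeinject/sec), Spring will refuse to start with an ambiguous handler mapping; either drop the duplicate class or give its endpoints distinct paths.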
🤖 Prompt for AI Agents
In src/main/java/org/joychou/controller/CommandInject2.java at lines 1 to 14,
the class name CommandInject does not match the file name CommandInject2.java,
causing a compilation error. Rename the class to CommandInject2 to match the
file name exactly.

Comment on lines +56 to +67
@GetMapping("/codeinject/sec")
public String codeInjectSec(String filepath) throws IOException {
    String filterFilePath = SecurityUtil.cmdFilter(filepath);
    if (null == filterFilePath) {
        return "Bad boy. I got u.";
    }
    String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
    ProcessBuilder builder = new ProcessBuilder(cmdList);
    builder.redirectErrorStream(true);
    Process process = builder.start();
    return WebUtils.convertStreamToString(process.getInputStream());
}

🛠️ Refactor suggestion

Relatively safe, but still needs improvement

This method uses SecurityUtil.cmdFilter to filter its input, making it safer than the other methods. According to the code snippet, the filter only allows letters, digits, underscores, slashes, dots and hyphens.

Still recommended:

  1. Avoid shell mode; use a parameterized command instead
  2. Consider using native Java APIs instead of system commands

Improved version:

 @GetMapping("/codeinject/sec")
 public String codeInjectSec(String filepath) throws IOException {
     String filterFilePath = SecurityUtil.cmdFilter(filepath);
     if (null == filterFilePath) {
         return "Bad boy. I got u.";
     }
-    String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
+    // 使用参数化命令,避免 shell 注入
+    String[] cmdList = new String[]{"ls", "-la", filterFilePath};
     ProcessBuilder builder = new ProcessBuilder(cmdList);
     builder.redirectErrorStream(true);
     Process process = builder.start();
     return WebUtils.convertStreamToString(process.getInputStream());
 }
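Review bot: the parameterized form still lets a value beginning with "-" be parsed by ls as an option, because cmdFilter (per the comment above) permits hyphens; terminate the option list so the path is always an operand: `String[] cmdList = new String[]{"ls", "-la", "--", filterFilePath};`. The filter also permits slashes, so any directory readable by the application user can still be listed; confining the path to a base directory, or using java.nio.file.Files as the agent prompt suggests, is the stronger fix.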
🤖 Prompt for AI Agents
In src/main/java/org/joychou/controller/CommandInject2.java lines 56 to 67, the
method uses a shell command with ProcessBuilder that concatenates user input,
which is risky despite input filtering. To fix this, avoid using the shell by
passing command and arguments as separate parameters to ProcessBuilder without
"sh -c". Alternatively, replace the system command with Java native APIs like
java.nio.file.Files to list directory contents, eliminating the need for
external commands and improving security.
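The Java-API alternative that the comment and the agent prompt point at, as an added example (not the PR's code): a directory listing built on java.nio.file.Files that never starts a process, with the requested path confined to a base directory (/srv/share is a constructed value).

```java
// Added example, not code from the PR: replaces "ls -la <path>" with java.nio.file.Files
// and rejects any path that resolves outside a fixed base directory.
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public final class SafeDirectoryListing {
    // Constructed base directory; only entries below it may be listed.
    private static final Path BASE = Paths.get("/srv/share").toAbsolutePath().normalize();

    /** Resolves a user-supplied path under BASE, rejecting anything that escapes it. */
    static Path resolveUnderBase(String userPath) {
        if (userPath == null || userPath.isEmpty()) return BASE;
        // resolve() replaces BASE entirely when userPath is absolute, and normalize()
        // collapses ".." segments, so the startsWith check sees the real target.
        Path candidate = BASE.resolve(userPath).normalize();
        if (!candidate.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate; // symlinks are not followed here; use toRealPath() if they matter
    }

    /** The information "ls -la" would print, produced without starting a process. */
    static List<String> list(String userPath) throws IOException {
        Path dir = resolveUnderBase(userPath);
        try (Stream<Path> entries = Files.list(dir)) {
            return entries.map(SafeDirectoryListing::describe).collect(Collectors.toList());
        }
    }

    private static String describe(Path p) {
        try {
            BasicFileAttributes a = Files.readAttributes(p, BasicFileAttributes.class);
            return String.format("%s %10d %s %s",
                    a.isDirectory() ? "d" : "-", a.size(), a.lastModifiedTime(), p.getFileName());
        } catch (IOException e) {
            return "? " + p.getFileName();
        }
    }

    public static void main(String[] args) {
        System.out.println(resolveUnderBase("docs/../docs")); // /srv/share/docs
        try {
            resolveUnderBase("../../etc"); // normalizes to /etc and is rejected
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```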

Comment on lines +24 to +32
@GetMapping("/codeinject")
public String codeInject(String filepath) throws IOException {

    String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
    ProcessBuilder builder = new ProcessBuilder(cmdList);
    builder.redirectErrorStream(true);
    Process process = builder.start();
    return WebUtils.convertStreamToString(process.getInputStream());
}

⚠️ Potential issue

Critical security vulnerability: command injection

This method has a critical command injection vulnerability. The user-supplied filepath parameter is concatenated directly into a shell command without any filtering or escaping. An attacker can execute arbitrary commands by injecting special characters (such as semicolons or pipe symbols).

Suggested fix:

 @GetMapping("/codeinject")
 public String codeInject(String filepath) throws IOException {
-    String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
+    // 方案1:使用参数化命令,避免 shell 解析
+    String[] cmdList = new String[]{"ls", "-la", filepath};
+    
+    // 方案2:如果必须使用 shell,先进行严格过滤
+    // String filterFilePath = SecurityUtil.cmdFilter(filepath);
+    // if (filterFilePath == null) {
+    //     throw new IllegalArgumentException("非法的文件路径");
+    // }
+    // String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
+    
     ProcessBuilder builder = new ProcessBuilder(cmdList);
     builder.redirectErrorStream(true);
     Process process = builder.start();
     return WebUtils.convertStreamToString(process.getInputStream());
 }
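Review bot: the suggestion offers two alternatives, and the second one ("方案2") reintroduces the `sh -c` string concatenation that this same review argues against on lines 56-67, so only the first should be committed and the commented-out block dropped. The first alternative also changes the failure mode for a missing parameter: with `"ls -la " + filepath` a null became the literal text "null", whereas a null element in the ProcessBuilder command list makes `builder.start()` throw NullPointerException, so declare the parameter required (`@RequestParam String filepath`) or reject null explicitly before building the command.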
🤖 Prompt for AI Agents
In src/main/java/org/joychou/controller/CommandInject2.java around lines 24 to
32, the method directly concatenates the user input filepath into a shell
command, causing a critical command injection vulnerability. To fix this, avoid
using shell command strings with concatenated user input; instead, pass the
filepath as a separate argument to ProcessBuilder without invoking a shell, or
validate and sanitize the filepath input strictly before use. This prevents
execution of arbitrary commands injected via special characters.

Comment on lines +1 to +2
package org.joychou.controller;

Owner Author


HELLO 1
