API误用 不安全的框架绑定

apply-net/src/main/java/com/winsun/controller/SingleBroadToIntegrateController.java

@@ -180,7 +180,23 @@ public class SingleBroadToIntegrateController {
      */
     @PostMapping("sendOrder")
     public ResponseData<Map<String, Object>> sendOrder(HttpServletRequest request,
-                                        ToIntegrateOrderParam toIntegrateOrderParam) {
+                                                       @RequestParam("name") String name,
+                                                       @RequestParam("netNumber") String netNumber,
+                                                       @RequestParam("idCard") String idCard,
+                                                       @RequestParam("businessNumber") String businessNumber,
+                                                       @RequestParam("contactPhone") String contactPhone,
+                                                       @RequestParam("rhTime") String rhTime,
+                                                       @RequestParam("hehuorenId") String hehuorenId,
+                                                       @RequestParam("imgUrl") String imgUrl) {
+        ToIntegrateOrderParam toIntegrateOrderParam = new ToIntegrateOrderParam();
+        toIntegrateOrderParam.setName(name);
+        toIntegrateOrderParam.setNetNumber(netNumber);
+        toIntegrateOrderParam.setIdCard(idCard);
+        toIntegrateOrderParam.setBusinessNumber(businessNumber);
+        toIntegrateOrderParam.setContactPhone(contactPhone);
+        toIntegrateOrderParam.setRhTime(rhTime);
+        toIntegrateOrderParam.setHehuorenId(hehuorenId);
+        toIntegrateOrderParam.setImgUrl(imgUrl);
         // 正常下单保存到数据库中
         log.info(JSONObject.toJSONString(toIntegrateOrderParam));
 

service-manager/src/main/java/com/winsun/controller/OrderController.java

@@ -825,6 +825,7 @@ public class OrderController extends BaseController {
             isYzk = true;
         }
         EntityWrapper<Order> wrapper = new EntityWrapper();
+        wrapper.notIn( "user_type", "3,5,9,10");
         wrapper.ge(StringUtils.isNotBlank(createTimeStart), "create_time", createTimeStart);
         wrapper.le(StringUtils.isNotBlank(createTimeEnd), "create_time", createTimeEnd);
         wrapper.ge(StringUtils.isNotBlank(successTimeStart), "success_time", successTimeStart);

service-manager/src/main/java/com/winsun/controller/RecordNumberController.java

@@ -17,9 +17,7 @@ import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.data.redis.core.RedisTemplate;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.*;
 
 import java.util.Date;
 
@@ -49,31 +47,39 @@ public class RecordNumberController extends BaseController {
 
     /**
      * 放号登记注册
-     * @param salesList
+     * @param orderPhone
+     * @param salesSubst
+     * @param salesSchool
      * @param code
      * @return
      */
     @RequestMapping(name = "放号登记注册", value = "register", method = RequestMethod.POST)
-    public ResponseData<String> register(SalesList salesList, String code) {
+    public ResponseData<String> register(@RequestParam("orderPhone") String orderPhone,
+                                         @RequestParam("salesSubst") String salesSubst,
+                                         @RequestParam("salesSchool") String salesSchool,
+                                         @RequestParam("code")String code) {
         try{
             ShiroUser shiroUser = ShiroKit.getUser();
-
+            SalesList salesList = new SalesList();
             // 登录用户校验
             if(shiroUser == null) {
                 return ResponseData.error("请先登录。");
             }
 
             // 参数校验
-            if (StringUtils.isBlank(salesList.getOrderPhone()) ||
-                    StringUtils.isBlank(salesList.getSalesSubst()) ||
-                    StringUtils.isBlank(salesList.getSalesSchool())) {
+            if (StringUtils.isBlank(orderPhone) ||
+                    StringUtils.isBlank(salesSubst) ||
+                    StringUtils.isBlank(salesSchool)) {
                 return ResponseData.error("请填写号码、销售县分、销售学校。");
             }
+            salesList.setOrderPhone(orderPhone);
+            salesList.setSalesSubst(salesSubst);
+            salesList.setSalesSchool(salesSchool);
 
             // 校验网点是否存在
             boolean isNotNetWork = false;
             Wrapper<NetworkInfo> wrapper = new EntityWrapper<>();
-            wrapper.eq("school_name", salesList.getSalesSchool());
+            wrapper.eq("school_name", salesSchool);
             Integer integer = networkInfoMapper.selectCount(wrapper);
 
             if(integer == null || integer == 0) {
@@ -81,8 +87,8 @@ public class RecordNumberController extends BaseController {
             }
 
             // 校验验证码
-            AuthCode authCode = authCodeMapper.selectById(salesList.getOrderPhone());
-            Object o = redisTemplate.opsForValue().get(salesList.getOrderPhone());
+            AuthCode authCode = authCodeMapper.selectById(orderPhone);
+            Object o = redisTemplate.opsForValue().get(orderPhone);
             if (o == null && authCode == null) {
                 return ResponseData.error("请先获取验证码");
             }

task/src/main/java/com/winsun/service/ExportService.java

@@ -109,6 +109,7 @@ public class ExportService extends BaseController {
 
 
         EntityWrapper<Order> wrapper = new EntityWrapper();
+        wrapper.notIn("user_type", "3,5,9,10");
         wrapper.ge(StringUtils.isNotBlank(createTimeStart), "create_time", createTimeStart);
         wrapper.le(StringUtils.isNotBlank(createTimeEnd), "create_time", createTimeEnd);
         wrapper.ge(StringUtils.isNotBlank(successTimeStart), "success_time", successTimeStart);