/**
 * Lists every user via {@code userService.findAll()}.
 *
 * Access control: {@code hasRole('ADMIN')} matches the {@code ROLE_ADMIN}
 * authority. The annotation is only enforced when method security is enabled
 * on the security configuration; without it the guard is silently ignored, so
 * an integration test that hits /admin/users unauthenticated is worth keeping.
 *
 * NOTE(review): the User entity is returned as-is. If it carries credential
 * fields (password hash, tokens), they are serialized too — map to a DTO.
 * Verify against the User class.
 */
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/admin/users")
public List<User> getUsers() {
    final List<User> allUsers = userService.findAll();
    return allUsers;
}
@PreAuthorize("hasRole('ADMIN')")
/**
 * Admin-only user listing; the {@code @PreAuthorize("hasRole('ADMIN')")} guard
 * that precedes this mapping restricts it to principals holding ROLE_ADMIN, and
 * takes effect only when method security is enabled.
 *
 * NOTE(review): returns the User entity directly — confirm it exposes no
 * credential fields, or return a DTO instead.
 *
 * @return every user known to userService
 */
@GetMapping("/admin/users")
public List<User> getUsers() {
    return userService.findAll();
}
// Hash the password with BCrypt (a salted one-way hash — not encryption)
// BCryptPasswordEncoder draws a fresh random salt per password and applies the
// library's default work factor (10 unless the int constructor overrides it) —
// raise it when the CPU budget allows. bcrypt only considers the first 72 bytes
// of input; depending on the Spring Security version longer passwords are
// truncated or rejected, so bound the length at the input boundary.
final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
// encode() yields the salted hash string ($2a$…) — persist only that and verify
// logins with encoder.matches(raw, hashed), never by re-encoding and comparing.
final String hashedPassword = encoder.encode(rawPassword);
// Hash the password with BCrypt (one-way hash, not encryption)
// Hash (never encrypt) the password: the encoder salts each input and runs an
// adaptive work factor (default strength 10, tunable through the int constructor).
// Only the first 72 bytes of the password count for bcrypt; newer Spring Security
// versions reject longer inputs, older ones silently truncate.
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
// This string is what gets stored; compare later with encoder.matches(raw, hashed).
String hashedPassword = encoder.encode(rawPassword);
// ❌ Unsafe: SQL assembled from user input
// ❌ Unsafe: the username is spliced into the SQL text, so a value such as
// ' OR '1'='1 rewrites the query (SQL injection).
String query = "SELECT * FROM users WHERE username = '" + username + "'";
// ✓ Safe: parameterized query. The driver transmits the bound value separately
// from the statement text, so it is never parsed as SQL.
String query = "SELECT * FROM users WHERE username = ?";
PreparedStatement stmt = conn.prepareStatement(query);
// Bind by position (1-based). In real code open the statement in
// try-with-resources so it is closed on every path.
stmt.setString(1, username);
// ❌ Unsafe
// ❌ Unsafe — string concatenation lets the caller inject SQL through `username`.
String query = "SELECT * FROM users WHERE username = '" + username + "'";
// ✓ Safe — a placeholder keeps data and statement text apart at the driver level;
// quoting or escaping the value is neither needed nor sufficient.
String query = "SELECT * FROM users WHERE username = ?";
PreparedStatement stmt = conn.prepareStatement(query);
// setString() binds the whole value as one literal, quotes and all. Close `stmt`
// (try-with-resources) once the result set has been consumed.
stmt.setString(1, username);
// ✓ Parameter binding (Spring Data MongoDB Criteria)
Query query = new Query(Criteria.where("username").is(username));// ✓ Use parameter binding
Query query = new Query(Criteria.where("username").is(username));// ❌ 不安全
// ❌ Unsafe: the input is concatenated into one command string. Runtime.exec(String)
// tokenizes it on whitespace, so attacker text becomes extra arguments — and
// arbitrary commands if a shell is ever involved.
Runtime.getRuntime().exec("ls " + userInput);
// ✓ Safe: allow-list validation plus argument separation (nothing is escaped —
// without a shell there is nothing to escape). The anchored regex admits only
// ASCII letters and digits, so spaces, shell metacharacters, path separators and
// a leading '-' (which ls would read as an option) cannot get through.
if (userInput.matches("[a-zA-Z0-9]+")) {
    // ProcessBuilder(String...) hands userInput to ls as a single argv element.
    // The Process is neither read nor waited on here; real code should consume
    // its output and call waitFor() so the child cannot block or leak.
    new ProcessBuilder("ls", userInput).start();
}
// ❌ Unsafe
// ❌ Unsafe — `userInput` is part of the command line that exec(String) splits on
// whitespace, so it can add arguments of the attacker's choosing.
Runtime.getRuntime().exec("ls " + userInput);
// ✓ Safe — validate against a strict allow-list, then pass the value as its own
// argument. "Escaping" is not what protects this: the argv boundary is.
if (userInput.matches("[a-zA-Z0-9]+")) {
    ProcessBuilder pb = new ProcessBuilder("ls", userInput);
    // start() does not wait; drain stdout/stderr and waitFor() in production code.
    pb.start();
}
// Session configuration
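/**
 * Configures the session policy of the security filter chain.
 *
 * NOTE(review): SessionCreationPolicy.STATELESS tells Spring Security never to
 * create or consult an HttpSession, while maximumSessions()/
 * maxSessionsPreventsLogin() act on HttpSession registrations only — so the
 * one-session limit below is never enforced as written. Keep STATELESS for
 * token-based auth and drop the two concurrency calls, or drop STATELESS to get
 * the "one active session, further logins rejected" behaviour the names promise.
 *
 * @param http builder supplied by Spring Security
 * @return the built filter chain
 * @throws Exception propagated from HttpSecurity.build(), which declares it; a
 *         bean method without this clause does not compile
 */
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true);
    return http.build();
}
// Session configuration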
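/**
 * Session configuration for the security filter chain.
 *
 * NOTE(review): the STATELESS policy and the concurrent-session limit contradict
 * each other — with no HttpSession ever created there is no session registry for
 * maximumSessions(1) / maxSessionsPreventsLogin(true) to enforce. Decide on one
 * model: session-backed (remove STATELESS) or token-based (remove the two
 * concurrency calls). The non-lambda sessionManagement() chain is deprecated in
 * Spring Security 6.1+; the lambda DSL is the supported form.
 *
 * @param http builder supplied by Spring Security
 * @return the built filter chain
 * @throws Exception declared by HttpSecurity.build()
 */
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.sessionManagement()
        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .maximumSessions(1)
        .maxSessionsPreventsLogin(true);
    return http.build();
}
// ❌ Insecure Java native deserialization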
// ❌ Unsafe: readObject() instantiates whatever class the byte stream names, so
// untrusted input can drive gadget chains already on the classpath and execute
// code. If native serialization cannot be avoided, install an ObjectInputFilter
// allow-list (ois.setObjectInputFilter / jdk.serialFilter) before readObject().
// The stream is also never closed here.
final ObjectInputStream ois = new ObjectInputStream(inputStream);
final Object obj = ois.readObject();
// ✓ A data-only format: Jackson maps JSON onto the fixed target class and cannot
// instantiate arbitrary types — provided polymorphic default typing stays off
// (no activateDefaultTyping()/enableDefaultTyping()) and @JsonTypeInfo is used
// only with a closed set of subtypes. ObjectMapper is thread-safe; share one
// instance rather than building it per call.
final ObjectMapper mapper = new ObjectMapper();
final User user = mapper.readValue(json, User.class);
// ❌ Insecure deserialization
// ❌ Insecure — Java native deserialization of untrusted bytes lets the sender
// pick the classes that get instantiated (gadget chains → RCE). Use a
// deserialization filter if this cannot be replaced; note `ois` is never closed.
ObjectInputStream ois = new ObjectInputStream(inputStream);
Object obj = ois.readObject();
// ✓ Safer — JSON bound to a concrete class carries no type information, so the
// input cannot choose what is instantiated. Keep Jackson default typing disabled
// and reuse the (thread-safe) ObjectMapper instead of allocating one per call.
ObjectMapper mapper = new ObjectMapper();
// Bind the JSON to the fixed target type — no attacker-chosen classes involved.
User user = mapper.readValue(json, User.class);
// Security-event logging. `username` is attacker-supplied: unless the logging
// encoder escapes CR/LF, a crafted value can forge extra log lines (log injection).
// getRemoteAddr() is the TCP peer — behind a proxy or load balancer that is the
// proxy's address; take the client IP from a forwarded header only when it comes
// from a trusted hop. The logger already timestamps each event, so the explicit
// epoch millis is redundant (harmless, but not the audit timestamp to rely on).
log.warn("Failed login attempt: user={}, ip={}", username, request.getRemoteAddr());
log.info("Password changed: user={}, timestamp={}", username, System.currentTimeMillis());
log.warn("Failed login attempt: user={}, ip={}", username, request.getRemoteAddr());
log.info("Password changed: user={}, timestamp={}", username, System.currentTimeMillis());
// ✓ URL validation
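/**
 * SSRF guard: accepts {@code url} only when it is an absolute http(s) URL whose
 * host is in ALLOWED_HOSTS. Fails closed on null, unparseable input, non-HTTP
 * schemes and a missing host.
 *
 * Caveats the caller must cover: the check applies to the URL as written, so the
 * HTTP client that fetches it must not follow redirects off-list (or must re-run
 * this check per hop), and DNS rebinding is out of scope. Matching is
 * case-sensitive — an upper-cased host fails closed; ALLOWED_HOSTS entries are
 * assumed to be lower-case. java.net.URL's constructors are deprecated since
 * JDK 20; java.net.URI is the recommended parser.
 *
 * @param url candidate URL, typically user-supplied
 * @return true if the URL may be fetched
 */
private boolean isAllowedUrl(String url) {
    if (url == null) {
        return false;
    }
    try {
        URL u = new URL(url);
        // Scheme allow-list: without it file:, jar: or ftp: URLs carrying a listed
        // host would pass and hand the fetcher a non-HTTP resource.
        String scheme = u.getProtocol();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return false;
        }
        String host = u.getHost();
        // getHost() is empty for host-less URLs; never let "" reach the set.
        if (host == null || host.isEmpty()) {
            return false;
        }
        return ALLOWED_HOSTS.contains(host);
    } catch (MalformedURLException e) {
        return false;
    }
}
// ✓ URL validation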
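/**
 * Host allow-list check for outbound requests (SSRF mitigation).
 *
 * Rejects null and malformed input, any scheme other than http/https (the
 * original host-only check let file:/jar:/ftp: through), and URLs without a
 * host. Does not protect against redirects to other hosts after the fetch
 * starts or against DNS rebinding — handle those in the HTTP client. Host
 * comparison is case-sensitive (fails closed for mixed case); ALLOWED_HOSTS is
 * assumed lower-case. Consider java.net.URI: URL constructors are deprecated
 * since JDK 20.
 *
 * @param url candidate URL
 * @return true if the URL's scheme and host pass the allow-list
 */
private boolean isAllowedUrl(String url) {
    if (url == null) {
        return false;
    }
    try {
        URL u = new URL(url);
        String scheme = u.getProtocol();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return false;
        }
        String host = u.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        return ALLOWED_HOSTS.contains(host);
    } catch (MalformedURLException e) {
        return false;
    }
}
// Output escaping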
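// Output escaping: encode untrusted data for the context it is inserted into.
// htmlEscape() covers HTML body/attribute text only — JavaScript, URL and CSS
// contexts need their own encoders.
String safe = HtmlUtils.htmlEscape(userInput);
// Content Security Policy. 'unsafe-inline' was removed from script-src: with it
// present any injected <script> executes and the policy gives no XSS protection.
// Inline scripts the app legitimately needs should be allowed with a
// per-response nonce ('nonce-…') or a hash ('sha256-…') instead.
response.setHeader("Content-Security-Policy",
    "default-src 'self'; script-src 'self'");
// Output escaping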
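// Output escaping — HtmlUtils.htmlEscape() neutralises <, >, &, quotes for HTML
// text and attribute values; pick a context-specific encoder for script, URL or
// style contexts.
String safe = HtmlUtils.htmlEscape(userInput);
// Content Security Policy — script-src no longer carries 'unsafe-inline', which
// would have allowed any injected inline script and defeated the policy. Use
// nonces or hashes for legitimate inline scripts; add frame-ancestors here if
// X-Frame-Options is ever dropped.
response.setHeader("Content-Security-Policy",
    "default-src 'self'; script-src 'self'");
// Spring Security enables CSRF protection by default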
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());// Spring Security enables CSRF automatically
http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());// X-Frame-Options
response.setHeader("X-Frame-Options", "DENY");// X-Frame-Options
response.setHeader("X-Frame-Options", "DENY");X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'