hongmaple / octopus

octopus高校教学综合平台,主要用于对教师,学生,管理的信息管理,课程管理,专业信息管理,班级管理,可以添加题库,可以上传下载教学资料,可以设置考试试卷,可以进行在线考试和自动评分。本系统基于若依框架,感谢若依的开源,RuoYi 是一个 Java EE 企业级快速开发平台,基于经典技术组合(Spring Boot、Apache Shiro、MyBatis、Thymeleaf、Bootstrap),内置模块如:部门管理、角色用户、菜单及按钮授权、数据权限、系统参数、日志管理、通知公告等。在线定时任务配置;支持集群,支持多数据源。 #主要特性 完全响应式布局(支持电脑、平板、手机等所有主流设备) 强大的一键生成功能(包括控制器、模型、视图、菜单等) 支持多数据源,简单配置即可实现切换。 支持按钮及数据权限,可自定义部门数据权限。 对常用js插件进行二次封装,使js代码变得简洁,更加易维护 完善的XSS防范及脚本过滤,彻底杜绝XSS攻击 Maven多项目依赖,模块及插件分项目,尽量松耦合,方便模块升级、增减模块。 国际化支持,服务端及客户端支持 完善的日志记录体系简单注解即可实现 #技术选型 1、系统环境 Java EE 8 Servlet 3.0 Apache Maven 3 2、主框架 Spring Boot 2.0 Spring Framework 5.0 Apache Shiro 1.4 3、持久层 Apache MyBatis 3.4 Hibernate Validation 6.0 Alibaba Druid 1.1 4、视图层 Bootstrap 3.3 Thymeleaf 3.0 #内置功能 用户管理:用户是系统操作者,该功能主要完成系统用户配置。 部门管理:配置系统组织机构(公司、部门、小组),树结构展现支持数据权限。 岗位管理:配置系统用户所属担任职务。 菜单管理:配置系统菜单,操作权限,按钮权限标识等。 角色管理:角色菜单权限分配、设置角色按机构进行数据范围权限划分。 字典管理:对系统中经常使用的一些较为固定的数据进行维护。 参数管理:对系统动态配置常用参数。 通知公告:系统通知公告信息发布维护。 操作日志:系统正常操作日志记录和查询;系统异常信息日志记录和查询。 登录日志:系统登录日志记录查询包含登录异常。 在线用户:当前系统中活跃用户状态监控。 定时任务:在线(添加、修改、删除)任务调度包含执行结果日志。 代码生成:前后端代码的生成(java、html、xml、sql)支持CRUD下载 。 系统接口:根据业务代码自动生成相关的api接口文档。 服务监控:监视当前系统CPU、内存、磁盘、堆栈等相关信息。 在线构建器:拖动表单元素生成相应的HTML代码。 连接池监视:监视当期系统数据库连接池状态,可进行分析SQL找出系统性能瓶颈。
MIT License
242 stars 78 forks source link

[SECURITY] Use HTTPS to resolve dependencies in Maven Build #5

Closed JLLeitschuh closed 2 months ago

JLLeitschuh commented 11 months ago

mitm_build


This is a security fix for a high severity vulnerability in your Apache Maven pom.xml file(s).

The build files indicate that this project is resolving dependencies over HTTP instead of HTTPS. This leaves your build vulnerable to allowing a Man in the Middle (MITM) attackers to execute arbitrary code on your or your computer or CI/CD system.

This vulnerability has a CVSS v3.0 Base Score of 8.1/10.

POC code has existed since 2014 to maliciously compromise a JAR file in-flight. MITM attacks against HTTP are increasingly common, for example Comcast is known to have done it to their own users.

Resources

This contribution was automatically generated with an OpenRewrite refactoring recipe, which was lovingly handcrafted :heart: to bring this security fix to your repository.

The source code that generated this PR can be found here: [UseHttpsForRepositories]()

Detecting this and Future Vulnerabilities

This vulnerability was automatically detected by GitHub's CodeQL using this CodeQL Query.

You can automatically detect future vulnerabilities, like this one, by enabling the free (for open-source) CodeQL: GitHub Action.

I'm not an employee of GitHub, I'm simply an open-source security researcher for the Open Source Security Foundation.

Opting Out

If you'd like to opt out of future automated security vulnerability fixes like this, please consider adding a file called .github/GH-ROBOTS.txt to your repository with the line:

User-agent: JLLeitschuh/security-research
Disallow: *

This bot will respect the ROBOTS.txt format for future contributions.

Alternatively, if this project is no longer actively maintained, consider archiving the repository.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

All contributed commits are already automatically signed off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin (see https://developercertificate.org/ for more information).

- Git Commit SignOff documentation

Sponsorship & Support

This work was originally sponsored by HUMAN Security Inc. and the new Dan Kaminsky Fellowship, a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.

This work was later sponsored by Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code – and get them fixed – to improve global software supply chain security.

This PR was generated with Moderne, a free-for-open source SaaS offering that uses format-preserving AST transformations to fix bugs, standardize code style, apply best practices, migrate library versions, and fix common security vulnerabilities at scale.

Tracking

All PR's generated as part of this fix are tracked here: https://github.com/JLLeitschuh/security-research/issues/8

Use this link to re-run the recipe: https://app.moderne.io/recipes/builder/IfHkrYfxx?organizationId=QWxsIEdpdEh1Yg%3D%3D