修复深圳三院渗透扫描发现的问题。

ibps-basis-root/modules/basis-zuul/src/main/java/com/lc/ibps/cloud/gateway/filter/SignFilter.java

@@ -70,6 +70,7 @@ public class SignFilter extends ZuulFilter {
     @Override
     public Object run() {
 
+
         // 获取到request
         RequestContext ctx = RequestContext.getCurrentContext();
         HttpServletRequest request = ctx.getRequest();
@@ -93,10 +94,35 @@ public class SignFilter extends ZuulFilter {
 
             // get方法和post、put方法处理方式不同
             if ("GET".equals(method)) {
-
+                boolean flag = false;
+                String ua= request.getHeader("device");
+                if ("mobile".equalsIgnoreCase(ua)) {
+                    flag = true;
+                }
+                Enumeration paramNames = request.getParameterNames();
+                if(flag  && paramNames != null ){
+                    while(paramNames.hasMoreElements()){
+                        String paramName = (String) paramNames.nextElement();
+                        if(!paramName.equals("_t") && !paramName.equals("_p")){
+                            ctx.setSendZuulResponse(false);
+                            ctx.setResponseStatusCode(401);
+
+                            APIResult<Void> result = new APIResult<Void>();
+                            result.setState(StateEnum.ILLEGAL_REQUEST.getCode());
+                            result.setCause("Illegal request parameter!");
+                            ctx.getResponse().setContentType(MediaType.APPLICATION_JSON_UTF8_VALUE);
+                            ctx.setResponseBody(result.toString());
+                            ctx.set("isSuccess", false);
+                            return null;
+                        }
+                    }
+                }
                 // 获取请求参数name
                 name = request.getParameter("_p");
 
+
+
+
                 if (name != null) {
                     // 关键步骤，一定要get一下,下面才能取到值requestQueryParams
                     request.getParameterMap();

ibps-provider-root/modules/provider-platform-default/src/main/java/com/lc/ibps/common/provider/NewsProvider.java

@@ -4,6 +4,7 @@ import java.util.List;
 
 import javax.annotation.Resource;
 
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -122,6 +123,16 @@ public class NewsProvider extends GenericProvider implements INewsService, INews
 			@RequestBody(required = true) NewsPo newsPo) {
 		APIResult<Void> result = new APIResult<>();
 		try {
+
+			if(StringUtils.isNotEmpty(newsPo.getId())){
+				APIResult<NewsPo> newsPoAPIResult = get(newsPo.getId());
+				NewsPo data = newsPoAPIResult.getData();
+				if(data != null){
+					if(!data.getUserId().equalsIgnoreCase(ContextUtil.getCurrentUserId())){
+						throw new Exception("不能修改其他人的公告！");
+					}
+				}
+			}
 			//构造领域对象和保存数据
 			News news = newsRepository.newInstance(newsPo);
 			news.save();