"CVE-2022-43183" SSRF漏洞修复。

9293c61c · xuxueli · 730c1066 · 9293c61c · 9293c61c · 9293c61c
--- a/doc/XXL-JOB官方文档.md
+++ b/doc/XXL-JOB官方文档.md
@@ -2304,7 +2304,8 @@ public void execute() {
 ### 7.33 版本 v2.4.0 Release Notes[规划中]
 - 1、【优化】执行器任务Bean扫描逻辑优化：解决懒加载注解失效问题。
 - 2、【优化】多个项目依赖升级至较新稳定版本，涉及netty、groovy、spring、springboot、mybatis等；
- 3、【修复】"CVE-2022-36157"授权漏洞修复。 
+- 3、【修复】"CVE-2022-36157" 授权漏洞修复。 
+- 4、【修复】"CVE-2022-43183" SSRF漏洞修复。
 ### 7.34 新版本规划 [规划中]

--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobLogController.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobLogController.java
 package com.xxl.job.admin.controller;
-import com.xxl.job.admin.core.exception.XxlJobException;
 import com.xxl.job.admin.core.complete.XxlJobCompleter;
+import com.xxl.job.admin.core.exception.XxlJobException;
 import com.xxl.job.admin.core.model.XxlJobGroup;
 import com.xxl.job.admin.core.model.XxlJobInfo;
 import com.xxl.job.admin.core.model.XxlJobLog;
@@ -129,22 +129,26 @@ public class JobLogController {
        model.addAttribute("triggerCode", jobLog.getTriggerCode());
        model.addAttribute("handleCode", jobLog.getHandleCode());
-        model.addAttribute("executorAddress", jobLog.getExecutorAddress());
-        model.addAttribute("triggerTime", jobLog.getTriggerTime().getTime());
        model.addAttribute("logId", jobLog.getId());
 		return "joblog/joblog.detail";
 	}
 	@RequestMapping("/logDetailCat")
 	@ResponseBody
-	public ReturnT<LogResult> logDetailCat(String executorAddress, long triggerTime, long logId, int fromLineNum){
+	public ReturnT<LogResult> logDetailCat(long logId, int fromLineNum){
 		try {
-			ExecutorBiz executorBiz = XxlJobScheduler.getExecutorBiz(executorAddress);
+			// valid
-			ReturnT<LogResult> logResult = executorBiz.log(new LogParam(triggerTime, logId, fromLineNum));
+			XxlJobLog jobLog = xxlJobLogDao.load(logId);	// todo, need to improve performance
+			if (jobLog == null) {
+				return new ReturnT<LogResult>(ReturnT.FAIL_CODE, I18nUtil.getString("joblog_logid_unvalid"));
+			}
+			// log cat
+			ExecutorBiz executorBiz = XxlJobScheduler.getExecutorBiz(jobLog.getExecutorAddress());
+			ReturnT<LogResult> logResult = executorBiz.log(new LogParam(jobLog.getTriggerTime().getTime(), logId, fromLineNum));
 			// is end
            if (logResult.getContent()!=null && logResult.getContent().getFromLineNum() > logResult.getContent().getToLineNum()) {
-                XxlJobLog jobLog = xxlJobLogDao.load(logId);
                if (jobLog.getHandleCode() > 0) {
                    logResult.getContent().setEnd(true);
                }

--- a/xxl-job-admin/src/main/resources/static/js/joblog.detail.1.js
+++ b/xxl-job-admin/src/main/resources/static/js/joblog.detail.1.js
@@ -25,8 +25,6 @@ $(function() {
            async: false,   // sync, make log ordered
            url : base_url + '/joblog/logDetailCat',
            data : {
-                "executorAddress":executorAddress,
-                "triggerTime":triggerTime,
                "logId":logId,
                "fromLineNum":fromLineNum
            },

--- a/xxl-job-admin/src/main/resources/templates/joblog/joblog.detail.ftl
+++ b/xxl-job-admin/src/main/resources/templates/joblog/joblog.detail.ftl
@@ -62,8 +62,6 @@
    // 参数
    var triggerCode = '${triggerCode}';
    var handleCode = '${handleCode}';
-    var executorAddress = '${executorAddress!}';
-    var triggerTime = '${triggerTime?c}';
    var logId = '${logId}';
 </script>
 <script src="${request.contextPath}/static/js/joblog.detail.1.js"></script>