gz-yami / mall4cloud
⭐️⭐️⭐️ Microservice mall system: Spring Cloud microservice mall, mini-program mall
Home Page: https://www.mall4j.com
License: GNU Affero General Public License v3.0
When starting the project, the following error is reported. How can I fix it? My project uses logback for log output.
RocketMQLog:WARN No appenders could be found for logger (io.netty.util.internal.InternalThreadLocalMap).
RocketMQLog:WARN Please initialize the logger system properly.
Has anyone considered splitting canal into two parts: a canal-service deployed in Docker that listens to the database, and a separate canal-client project that connects to canal-service and uses a thread pool to listen for data and send it to MQ? Would that be better?
Lack of proper validation for uploaded image files in the backend.
While there is validation in the frontend component "img-box.vue", it is crucial to perform server-side validation as well. This vulnerability allows attackers to upload files of any type and size, potentially leading to XSS attacks or resource exhaustion, which can result in DDoS attacks.
It is recommended to implement server-side validation for uploaded image files in ServerResponseEntity<OssVO> com.mall4j.cloud.biz.controller.OssController.uploadFile(@RequestParam(value="file") MultipartFile file) throws IOException. This includes checking the file size and verifying that the file type is allowed (e.g., image/jpeg, image/png). By implementing these validations in the backend, you can prevent the upload of malicious files, mitigate the risk of XSS attacks, and prevent resource consumption that could lead to DDoS attacks.
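As an added example (not code from the mall4cloud project or from the reporter), the checks below are the ones a server-side guard in front of an upload handler such as OssController.uploadFile would run: a size cap, an extension and Content-Type allowlist, a magic-byte check that the body matches the declared type, and a decode attempt. The class name, the 2 MiB limit and the use of IllegalArgumentException for rejection are assumptions for illustration.

```java
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.imageio.ImageIO;
import org.springframework.web.multipart.MultipartFile;

/**
 * Added example, not mall4cloud's own code: server-side validation of an
 * uploaded image. Limits and the exception type are assumptions.
 */
public final class ImageUploadValidator {

    /** Assumed limit: 2 MiB per image. */
    private static final long MAX_SIZE_BYTES = 2L * 1024 * 1024;

    /** Allowlist of MIME types and the extensions they may carry. */
    private static final List<String> ALLOWED_TYPES = Arrays.asList("image/jpeg", "image/png");
    private static final List<String> ALLOWED_EXT = Arrays.asList("jpg", "jpeg", "png");

    private ImageUploadValidator() {}

    /**
     * Returns the sniffed MIME type of an acceptable upload, or throws
     * IllegalArgumentException (assumed error type) when the file must be rejected.
     */
    public static String validate(MultipartFile file) throws IOException {
        if (file == null || file.isEmpty()) {
            throw new IllegalArgumentException("empty upload");
        }
        // 1. Size: reject before reading the body so an oversized upload cannot exhaust memory or disk.
        if (file.getSize() > MAX_SIZE_BYTES) {
            throw new IllegalArgumentException("file exceeds " + MAX_SIZE_BYTES + " bytes");
        }
        // 2. Extension: taken from the client-supplied name, so it is only a first filter.
        String original = file.getOriginalFilename() == null ? "" : file.getOriginalFilename();
        String ext = original.contains(".")
                ? original.substring(original.lastIndexOf('.') + 1).toLowerCase(Locale.ROOT)
                : "";
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + ext);
        }
        // 3. Declared Content-Type: also client-controlled, so it is checked but not trusted on its own.
        String declared = file.getContentType() == null ? "" : file.getContentType().toLowerCase(Locale.ROOT);
        if (!ALLOWED_TYPES.contains(declared)) {
            throw new IllegalArgumentException("content type not allowed: " + declared);
        }
        // 4. Magic bytes: the leading bytes of the body must match the declared type.
        byte[] head = new byte[8];
        int n;
        try (InputStream in = file.getInputStream()) {
            n = in.read(head);
        }
        String sniffed = sniff(head, n);
        if (sniffed == null || !sniffed.equals(declared)) {
            throw new IllegalArgumentException("body does not match declared type");
        }
        // 5. Decode: a body that ImageIO cannot decode is rejected even if its header was forged.
        BufferedImage img;
        try (InputStream in = file.getInputStream()) {
            img = ImageIO.read(in);
        }
        if (img == null || img.getWidth() <= 0 || img.getHeight() <= 0) {
            throw new IllegalArgumentException("not a decodable image");
        }
        // The caller should derive the stored name and extension from this server-side result,
        // never from the client-supplied file name.
        return sniffed;
    }

    /** Returns the MIME type implied by the leading bytes, or null if unrecognised. */
    static String sniff(byte[] b, int n) {
        if (n >= 3 && (b[0] & 0xFF) == 0xFF && (b[1] & 0xFF) == 0xD8 && (b[2] & 0xFF) == 0xFF) {
            return "image/jpeg";
        }
        if (n >= 8 && (b[0] & 0xFF) == 0x89 && b[1] == 'P' && b[2] == 'N' && b[3] == 'G'
                && b[4] == 0x0D && b[5] == 0x0A && b[6] == 0x1A && b[7] == 0x0A) {
            return "image/png";
        }
        return null;
    }
}
```

In the controller the call is simply String type = ImageUploadValidator.validate(file); before the bytes are handed to the OSS client. Two points worth keeping in mind: the decode step bounds the body by the size cap but very large pixel dimensions still cost memory, so a cap on width and height is a sensible addition; and Spring Boot's spring.servlet.multipart.max-file-size and max-request-size properties give an independent limit at the servlet layer, which is worth setting as well so the body is rejected before the controller runs.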
Project home page
https://github.com/gz-yami/mall4cloud
This project is an open source project & supports commercial use
4k+ star on Github
All management interfaces (API) on the platform side and the merchant side have an Incorrect Access Control vulnerability.
Ordinary users can perform operations such as adding, deleting, and modifying background management data beyond their authority.
Proofs
Platform side
vul code link:
@RequestMapping("/admin/index_img")
None of the interfaces under this module verify user permissions.
After logging in as an ordinary user and testing the management interface, I found that carousel information can be added, deleted, and modified without authorization.
Verification screenshot
query operation
There is no verification of user permissions:
Test verification screenshot
Ordinary users can add hot searches
Ordinary users can delete hot searches
Merchant side
same as above
There is no user rights check.
Verification screenshot
Discovered by : lazyhac# # #gmail.com
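The report above says every interface under the management modules lacks a permission check. The added example below (not mall4cloud's own code, and not the reporter's) shows the usual remedy: a single authorization gate registered for the management path prefixes, so a controller such as /admin/index_img is protected even when its methods contain no check of their own. How the caller's role is obtained is an assumption: the code reads it from a request attribute that an upstream authentication filter is assumed to set. The role names, the attribute name and the merchant-side path prefix (a labelled placeholder, since the page does not give it) are illustrative.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Added example, not mall4cloud's own code: deny-by-default authorization
 * for management endpoints, applied centrally rather than per controller.
 * Role names and the request attribute are assumptions.
 */
public final class ManagementAuthorizationInterceptor implements HandlerInterceptor {

    /** Assumed attribute populated by the authentication layer after token validation. */
    static final String ROLE_ATTRIBUTE = "auth.role";

    /** Assumed role set; an ordinary shopper is USER. */
    enum Role { USER, MERCHANT_ADMIN, PLATFORM_ADMIN }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        Role role = roleOf(request);
        if (isAllowed(request.getRequestURI(), role)) {
            return true;
        }
        // Deny by default: no identity gives 401, an identity without the needed role gives 403.
        response.setStatus(role == null ? 401 : 403);
        return false;
    }

    /** Decides from the path prefix which role is required; anything unmatched is denied. */
    static boolean isAllowed(String path, Role role) {
        if (role == null) {
            return false;
        }
        if (path.startsWith("/admin/")) {
            // Platform-side management: only platform administrators.
            return role == Role.PLATFORM_ADMIN;
        }
        // Merchant-side prefix is a placeholder; substitute the project's real one.
        if (path.startsWith("/MERCHANT_PREFIX_PLACEHOLDER/")) {
            return role == Role.MERCHANT_ADMIN || role == Role.PLATFORM_ADMIN;
        }
        return false;
    }

    private static Role roleOf(HttpServletRequest request) {
        Object attr = request.getAttribute(ROLE_ATTRIBUTE);
        return attr instanceof Role ? (Role) attr : null;
    }

    /** Registers the gate for both management prefixes so no handler under them is reachable without it. */
    @Configuration
    public static class Registration implements WebMvcConfigurer {
        @Override
        public void addInterceptors(InterceptorRegistry registry) {
            registry.addInterceptor(new ManagementAuthorizationInterceptor())
                    .addPathPatterns("/admin/**", "/MERCHANT_PREFIX_PLACEHOLDER/**");
        }
    }
}
```

The javax.servlet imports assume Spring Boot 2.x; on Spring Boot 3.x they become jakarta.servlet. The design point is that the check lives in one place keyed on the path prefix rather than in each of the add, delete, modify and query methods the report enumerates, so a newly added controller under /admin/ is covered without anyone remembering to annotate it. Because the gate must also reject an ordinary logged-in user, it checks the role, not merely whether a session or token exists; that distinction is exactly what the report's "after logging in as an ordinary user" finding turns on.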
Environment:
windows11 22H2 i512600kf 32g ddr4 3600
Docker 20.10.22
Docker Compose v2.15.1
Following the tutorial, I globally replaced the IP with my Win11 host IP and ran docker-compose up --build, without -d because I wanted to watch the container log output.
After startup it hangs: the container logs cannot be viewed, and the containers can neither be stopped nor removed.
I really want to learn this architecture. If anyone has managed to set it up successfully, please share a way to contact you; I am asking for paid assistance!
I deployed and ran the nacos container with docker-compose.yaml, but http://192.168.1.46:8848/nacos cannot open the Nacos management UI. MySQL, RocketMQ and the others all started normally. Checking the nacos status with docker ps -a | grep nacos shows that nacos is constantly restarting. The command output is as follows:
[root@slave1 ~]# docker ps -a | grep nacos
90fb3b7bc783 nacos/nacos-server:v2.2.0-slim "bin/docker-startup.…" 2 hours ago Restarting (1) Less than a second ago mall4cloud-nacos
vim /root/docker/nacos/logs/nacos.log
Looking at the log shows the following error in nacos: Unknown column 'encrypted_data_key' in 'field list'. The specific error fragment is as follows:
2023-03-02 17:32:43,237 INFO
Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2023-03-02 17:32:43,257 ERROR Application run failed
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'memoryMonitor' defined in URL [jar:file:/home/nacos/target/nacos-server.jar!/BOOT-INF/lib/nacos-config-2.2.0.jar!/com/alibaba/nacos/config/server/monitor/MemoryMonitor.class]: Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'asyncNotifyService': Unsatisfied dependency expressed through field 'dumpService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'externalDumpService': Invocation of init method failed; nested exception is ErrCode:500, ErrMsg:Nacos Server did not start because dumpservice bean construction failure :
PreparedStatementCallback; bad SQL grammar [SELECT id,data_id,group_id,tenant_id,app_name,content,md5,gmt_modified,type,encrypted_data_key FROM config_info WHERE id > ? ORDER BY id ASC LIMIT 0,1000]; nested exception is java.sql.SQLSyntaxErrorException: Unknown column 'encrypted_data_key' in 'field list'
To protect users' sensitive configuration data, Nacos provides a new configuration-encryption feature. It reduces the risk for users and removes the need to encrypt configurations separately. The default table-creation SQL of the new version already includes this field. **However, the mall4cloud_nacos database and table structure imported into MySQL when docker-compose.yml runs does not have this field**, so the nacos container cannot start normally.
The tables config_info, config_info_beta and his_config_info need a new field encrypted_data_key, used to store the key with which each configuration item is encrypted. Execute the following statements in the mall4cloud_nacos database:
ALTER TABLE config_info ADD COLUMN `encrypted_data_key` text NOT NULL COMMENT '秘钥';
ALTER TABLE config_info_beta ADD COLUMN `encrypted_data_key` text NOT NULL COMMENT '秘钥';
ALTER TABLE his_config_info ADD COLUMN `encrypted_data_key` text NOT NULL COMMENT '秘钥';
The seata container built by docker compose has the wrong time zone. I tried many approaches found online, including adding the TZ=Asia/Shanghai environment variable under environment in the compose file, but that requires tzdata to be installed in the container. Looking for a solution.
Following the project's docker-compose.yaml I configured the middleware; seata starts normally without errors, but when I start the product project the following error appears:
2023-02-08 10:31:43.215 ERROR 69014 --- [eoutChecker_1_1] i.s.c.r.netty.NettyClientChannelManager : no available service found in cluster 'default', please make sure registry config correct and keep your seata server running
mall4cloud-seata:
  image: seataio/seata-server:1.4.2
  container_name: mall4cloud-seata
  restart: always
  depends_on:
    - mall4cloud-mysql
    - mall4cloud-nacos
  ports:
    - 8091:8091
  environment:
    - SEATA_IP=127.0.0.1
    - SEATA_CONFIG_NAME=file:/root/seata-config/registry
  volumes:
    - ./seata:/root/seata-config
The mounted file, viewed inside the container, is correct:
registry {
  type = "nacos"
  nacos {
    application = "seata-server"
    serverAddr = "127.0.0.1:8848"
    group = "SEATA_GROUP"
    namespace = "4b70485d-72dd-44df-a76a-7a3f578a3001"
    cluster = "default"
    username = "nacos"
    password = "nacos"
  }
}
config {
  type = "nacos"
  nacos {
    serverAddr = "127.0.0.1:8848"
    namespace = "4b70485d-72dd-44df-a76a-7a3f578a3001"
    group = "SEATA_GROUP"
    username = "nacos"
    password = "nacos"
  }
}
The configuration in application-dev.yml is:
seata:
  config:
    type: nacos
    nacos:
      namespace: 4b70485d-72dd-44df-a76a-7a3f578a3001
      server-addr: ${spring.cloud.nacos.discovery.server-addr}
      password: ${spring.cloud.nacos.discovery.password}
      username: ${spring.cloud.nacos.discovery.username}
  registry:
    type: nacos
    nacos:
      server-addr: ${spring.cloud.nacos.discovery.server-addr}
      username: ${spring.cloud.nacos.discovery.username}
      password: ${spring.cloud.nacos.discovery.password}
      namespace: ${seata.config.nacos.namespace}
Spring Boot error:
Description:
Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be configured.
Reason: Failed to determine a suitable driver class