gz-yami / mall4cloud Goto Github PK

请问启动项目的时候，报了这个错误怎么解决呀，我项目中使用了logback作为日志输出
RocketMQLog:WARN No appenders could be found for logger (io.netty.util.internal.InternalThreadLocalMap).
RocketMQLog:WARN Please initialize the logger system properly.

有没有考虑把canal做成两端，一端是docker部署的canal-service 监听数据库，然后再起到canal-client项目去连接canal-service，用线程池监听数据发送到Mq里面去，这样会不会好一点

Lack proper validation for uploaded image files in the backend.
While there is validation in the frontend component "img-box.vue," it is crucial to perform server-side validation as well. This vulnerability allows attackers to upload files of any type and size, potentially leading to XSS attacks or resource exhaustion, which can result in DDoS attacks.

It is recommended to implement server-side validation for uploaded image files, in ServerResponseEntity<OssVO> com.mall4j.cloud.biz.controller.OssController.uploadFile(@RequestParam(value="file") MultipartFile file) throws IOException. This includes checking the file size and verifying that the file type is allowed (e.g., image/jpeg, image/png). By implementing these validations in the backend, you can prevent the upload of malicious files, mitigate the risk of XSS attacks, and prevent resource consumption that could lead to DDoS attacks.

Project home page

https://github.com/gz-yami/mall4cloud

This project is an open source project & supports commercial use

4k+ star on Github

All management interfaces (API) on the platform side and the merchant side have Incorrect Access Control vulnerability

Ordinary users can perform operations such as adding, deleting, and modifying background management data beyond their authority.

Proofs

Platform side

vul code link:

@RequestMapping("/admin/index_img")

All interfaces under this module have not verified user permissions

After logging in as an ordinary user, test the management interface, and find that the carousel information can be added, deleted, and modified without authorization.

Carousel management module

Verification screenshot

query operation

Hot search management module

vul code link:
https://github.com/gz-yami/mall4cloud/blob/master/mall4cloud-product/src/main/java/com/mall4j/cloud/product/controller/admin/SpuController.java

There is no verification of user permissions:

Test verification screenshot

Ordinary users can add hot searches

Ordinary users delete hot searches

Merchant side

same as above

There is no user rights check.

Verification screenshot

Discovered by : lazyhac# # #gmail.com

docker-compose 部署seata 配置SEATA_IP，域名解析无效，请问mall4cloud团队有无遇到过这个问题。

按照文档指导将中间件都正常搭建了

也能够正常访问，但是启动服务时报错

环境:
windows11 22H2 i512600kf 32g ddr4 3600
Docker 20.10.22
Docker Compose v2.15.1

按照教程全局替换ip为我的win11宿主机ip后运行docker-compose up --build ,没有加 -d 是想看看容器日志输出

启动后会卡死,容器看不了日志,容器关闭不了也删除不了

很想学习一下这套架构,有能成功搭建起来的兄弟可以给个联系方式,请求付费协助!

这个项目部署到我2核2g的服务器上，每次在安装中间件成功后都会卡死，服务器各个资源使用都拉满。

试了好几次都是这样，控制台都无法使用，想查原因都查不到。看阿里云的监控，可能和minio有关

环境

1. CentOS7.6
2. 使用最新docker-compose.yaml，部署运行了nacos容器

现象

1. 通过http://192.168.1.46:8848/nacos无法进入Nacos管理界面
2. 其他docker容器如MySQL、RocketMQ等都正常启动。
3. 使用docker ps -a | grep nacos 命令查看nacos状态，发现nacos一直处于重启状态。命令结果如下

[root@slave1 ~]# docker ps -a | grep nacos
90fb3b7bc783   nacos/nacos-server:v2.2.0-slim             "bin/docker-startup.…"   2 hours ago   Restarting (1) Less than a second ago                                                                                                                       mall4cloud-nacos

4. 使用vim /root/docker/nacos/logs/nacos.log查看日志发现，在nacos中存在以下错误Unknown column 'encrypted_data_key' in 'field list'.具体错误片段如下

2023-03-02 17:32:43,237 INFO

Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.

2023-03-02 17:32:43,257 ERROR Application run failed

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'memoryMonitor' defined in URL [jar:file:/home/nacos/target/nacos-server.jar!/BOOT-INF/lib/nacos-config-2.2.0.jar!/com/alibaba/nacos/config/server/monitor/MemoryMonitor.class]: Unsatisfied dependency expressed through constructor parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'asyncNotifyService': Unsatisfied dependency expressed through field 'dumpService'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'externalDumpService': Invocation of init method failed; nested exception is ErrCode:500, ErrMsg:Nacos Server did not start because dumpservice bean construction failure :
PreparedStatementCallback; bad SQL grammar [SELECT id,data_id,group_id,tenant_id,app_name,content,md5,gmt_modified,type,encrypted_data_key FROM config_info WHERE id > ? ORDER BY id ASC LIMIT 0,1000]; nested exception is java.sql.SQLSyntaxErrorException: Unknown column 'encrypted_data_key' in 'field list'

原因

为保证用户敏感配置数据的安全，Nacos 提供了配置加密的新特性。降低了用户使用的风险，也不需要再对配置进行单独的加密处理。新版本的默认创建表的sql中已经添加该字段。

**而docker-compose.yml执行时在导入MySQL的mall4cloud_nacos数据库与表结构并没有该字段。**导致nacos容器无法正常启动。

解决

数据库表 config_info、config_info_beta、his_config_info中需要新增字段 encrypted_data_key ，用来存储每一个配置项加密使用的秘钥。在mall4cloud_nacos数据库下执行以下语句

ALTER TABLE config_info ADD COLUMN `encrypted_data_key` text NOT NULL COMMENT '秘钥';
ALTER TABLE config_info_beta ADD COLUMN `encrypted_data_key` text NOT NULL COMMENT '秘钥';
ALTER TABLE his_config_info ADD COLUMN `encrypted_data_key` text NOT NULL COMMENT '秘钥';

有五个服务启动时报：Initialization of bean failed; nested exception is java.lang.NoClassDefFoundError: com/google/common/eventbus/AsyncEventBus, 在报错的服务中添加guava依赖也一样报

NettyPool create channel to transactionRole:TMROLE,address:113.111.176.34:8091,msg:< RegisterTMRequest{applicationId='mall4cloud-biz', transactionServiceGroup='default_tx_group'} >

找不到哪里修改配置文件 修改ip及其端口，无法正常运行 ，麻烦大佬帮忙看一下。感谢了！

docker compose 构建出来的seata容器时区不对，再网上尝试很多方式，尝试在compose的environment加入TZ=Asia/Shanghai环境变量。但是又需要容器安装了tzdata，求解决方式

按照项目中的docker-compose.yaml，配置了中间件，seata正常启动没有报错，但是开启product项目，显示如下错误

2023-02-08 10:31:43.215 ERROR 69014 --- [eoutChecker_1_1] i.s.c.r.netty.NettyClientChannelManager  : no available service found in cluster 'default', please make sure registry config correct and keep your seata server running

mall4cloud-seata:
    image: seataio/seata-server:1.4.2
    container_name: mall4cloud-seata
    restart: always
    depends_on:
      - mall4cloud-mysql
      - mall4cloud-nacos
    ports:
      - 8091:8091
    environment:
      - SEATA_IP=127.0.0.1
      - SEATA_CONFIG_NAME=file:/root/seata-config/registry
    volumes:
      - ./seata:/root/seata-config

docker中查看挂载的文件是正确的

registry {
  type = "nacos"
  nacos {
    application = "seata-server"
    serverAddr = "127.0.0.1:8848"
    group = "SEATA_GROUP"
    namespace = "4b70485d-72dd-44df-a76a-7a3f578a3001"
    cluster = "default"
    username = "nacos"
    password = "nacos"
  }
}
config {
  type = "nacos"
  nacos {
    serverAddr = "127.0.0.1:8848"
    namespace = "4b70485d-72dd-44df-a76a-7a3f578a3001"
    group = "SEATA_GROUP"
    username = "nacos"
    password = "nacos"
  }
}

application-dev.yml中配置为

seata:
  config:
    type: nacos
    nacos:
      namespace: 4b70485d-72dd-44df-a76a-7a3f578a3001
      server-addr: ${spring.cloud.nacos.discovery.server-addr}
      password: ${spring.cloud.nacos.discovery.password}
      username: ${spring.cloud.nacos.discovery.username}
  registry:
    type: nacos
    nacos:
      server-addr: ${spring.cloud.nacos.discovery.server-addr}
      username: ${spring.cloud.nacos.discovery.username}
      password: ${spring.cloud.nacos.discovery.password}
      namespace: ${seata.config.nacos.namespace}

SpringBoot报错：
Description:
Failed to configure a DataSource: 'url' attribute is not specified and no embedded datasource could be configured.
Reason: Failed to determine a suitable driver class