1.5.2版本发布

- 【JwUserAPI】新增获取企业成员的userid与对应的部门ID列表接口 - 【#4499】钉钉H5微应用，AgentId值大于int类型的最大值导致转换失败 - freemaker漏洞
jeecgboot · Dec 15, 2023 · f292130 · f292130
1 parent df22495
commit f292130
Show file tree

Hide file tree

Showing 10 changed files with 128 additions and 37 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,10 @@
+## ide
+**/.idea
+*.iml
+
+## backend
+**/target
+**/logs
+
+## front
+**/*.lock
diff --git a/deploy.bat b/deploy.bat
@@ -0,0 +1 @@
+cmd /k mvn clean deploy -P release -Dmaven.test.skip=true
diff --git a/doc/api一览.txt → doc/api/api一览.txt b/doc/api一览.txt → doc/api/api一览.txt
diff --git a/doc/修改日志.log b/doc/修改日志.log
@@ -0,0 +1,24 @@
+-- author:scott ----date:20220524-------for:fastjson挖矿漏洞问题---
+pom.xml
+-- author:scott ----date:20220524-------for:fastjson挖矿漏洞问题---
+
+-- author:sunjianlei---date:20220819--for: 【JwMessageAPI】新增发送Markdown消息 ---
+pom.xml
+src/main/java/com/jeecg/qywx/api/message/JwMessageAPI.java
+src/main/java/com/jeecg/qywx/api/message/vo/Markdown.java (+)
+src/main/java/com/jeecg/qywx/api/message/vo/MarkdownEntity.java (+)
+-- author:sunjianlei---date:20220819--for: 【JwMessageAPI】新增发送Markdown消息 ---
+
+-- author:sunjianlei---date:20221102--for: 【JwUserAPI】新增获取企业成员的userid与对应的部门ID列表接口 ---
+src/main/java/com/jeecg/qywx/api/user/JwUserAPI.java
+-- author:sunjianlei---date:20221102--for: 【JwUserAPI】新增获取企业成员的userid与对应的部门ID列表接口 ---
+
+-- author:sunjianlei---date:20230208--for: 【#4499】钉钉H5微应用，AgentId值大于int类型的最大值导致转换失败 ---
+src/main/java/com/jeecg/dingtalk/api/message/vo/Message.java
+src/main/java/com/jeecg/dingtalk/api/message/JdtMessageAPI.java
+-- author:sunjianlei---date:20230208--for: 【#4499】钉钉H5微应用，AgentId值大于int类型的最大值导致转换失败 ---
+
+---author:scott---date:2023-08-15---for:升级版本号，freemaker漏洞---
+org\jeewx\api\core\common\util\FreemarkerUtil.java
+pom.xml
+---author:scott---date:2023-08-15---for:升级版本号，freemaker漏洞---
diff --git a/install.bat b/install.bat
@@ -0,0 +1 @@
+cmd /k mvn clean install -D skipTest
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.jeecgframework</groupId>
 	<artifactId>jeewx-api</artifactId>
-	<version>1.4.9</version>
+	<version>1.5.2</version>
 	<packaging>jar</packaging>
 
 	<name>jeewx-api</name>

diff --git a/src/main/java/com/jeecg/dingtalk/api/message/JdtMessageAPI.java b/src/main/java/com/jeecg/dingtalk/api/message/JdtMessageAPI.java
@@ -149,7 +149,7 @@ public static Response<String> sendActionCardMessage(Message<ActionCardMessage>
      * @param accessToken 有效的access_token
      * @return Response&lt;JSONObject&gt
      */
-    public static Response<JSONObject> recallMessage(int agent_id, String msg_task_id, String accessToken) {
+    public static Response<JSONObject> recallMessage(String agent_id, String msg_task_id, String accessToken) {
         String url = ApiUrls.get(ApiUrls.MSG_RECALL, accessToken);
         JSONObject body = new JSONObject();
         body.put("agent_id", agent_id);

diff --git a/src/main/java/com/jeecg/dingtalk/api/message/vo/Message.java b/src/main/java/com/jeecg/dingtalk/api/message/vo/Message.java
@@ -13,7 +13,7 @@ public class Message<T extends SuperMessage> {
     /**
      * 发送消息时使用的微应用的AgentID。
      */
-    private Integer agent_id;
+    private String agent_id;
     /**
      * 接收者的userid列表，最大用户列表长度100。
      */
@@ -33,11 +33,16 @@ public class Message<T extends SuperMessage> {
     private T msg;
 
     public Message(Integer agent_id, T msg) {
+        this.agent_id = String.valueOf(agent_id);
+        this.msg = msg;
+    }
+
+    public Message(String agent_id, T msg) {
         this.agent_id = agent_id;
         this.msg = msg;
     }
 
-    public Integer getAgent_id() {
+    public String getAgent_id() {
         return agent_id;
     }
 

diff --git a/src/main/java/com/jeecg/qywx/api/user/JwUserAPI.java b/src/main/java/com/jeecg/qywx/api/user/JwUserAPI.java
@@ -1,12 +1,5 @@
 package com.jeecg.qywx.api.user;
 
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import com.alibaba.fastjson.JSON;
 import com.alibaba.fastjson.JSONArray;
 import com.alibaba.fastjson.JSONObject;
@@ -15,6 +8,13 @@
 import com.jeecg.qywx.api.core.common.AccessToken;
 import com.jeecg.qywx.api.core.util.HttpUtil;
 import com.jeecg.qywx.api.user.vo.User;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 /**
  * 企业微信--yqj
@@ -43,6 +43,8 @@ public class JwUserAPI {
 	private static String user_get_userid = "https://qyapi.weixin.qq.com/cgi-bin/user/getuserid?access_token=ACCESS_TOKEN";
 	//9 根据网页授权登录获取到的code来获取用户详情
 	private static String user_get_userinfo = "https://qyapi.weixin.qq.com/cgi-bin/user/getuserinfo?code=CODE&access_token=ACCESS_TOKEN";
+	// 获取企业成员的userid与对应的部门ID列表
+	private static String user_get_id_list = "https://qyapi.weixin.qq.com/cgi-bin/user/list_id?access_token=ACCESS_TOKEN";
 
 	//1创建成员
 	/**
@@ -65,15 +67,15 @@ public class JwUserAPI {
 	 */
 	public static int createUser(User user, String accessToken){
 		int result = 0;  
-		logger.info("[CREATEUSER]", "createUser param:user:{},accessToken:{}", new Object[]{user,accessToken});
+		logger.info("[CREATEUSER] createUser param:user:{},accessToken:{}", user,accessToken);
 		// 拼装获取成员列表的url  
 	    String url = user_create_url.replace("ACCESS_TOKEN", accessToken);  
 	    // 将成员对象转换成json字符串  
 	    String jsonUser = JSONObject.toJSONString(user);  
-	    logger.info("[CREATEUSER]", "createUser param:jsonUser:{}", new Object[]{jsonUser});
+	    logger.info("[CREATEUSER] createUser param:jsonUser:{}", jsonUser);
 	    // 调用接口创建用户 
 	    JSONObject jsonObject = HttpUtil.sendPost(url, jsonUser);
-	    logger.info("[CREATEUSER]", "createUser response:{}", new Object[]{jsonObject.toJSONString()});
+	    logger.info("[CREATEUSER] createUser response:{}", jsonObject.toJSONString());
 	    // 调用接口创建用户  
 	    if (null != jsonObject) {  
 	    	int errcode = jsonObject.getIntValue("errcode");
@@ -91,15 +93,15 @@ public static int createUser(User user, String accessToken){
 	 */
 	public static int updateUser(User user, String accessToken){
 		int result=0;
-		logger.info("[UPDATEUSER]", "updateUser param:user:{},accessToken:{}", new Object[]{user,accessToken});
+		logger.info("[UPDATEUSER] updateUser param:user:{},accessToken:{}", user,accessToken);
 		// 拼装更新成员列表的url  
 	    String url = user_update_url.replace("ACCESS_TOKEN", accessToken);  
 	    // 将成员对象转换成json字符串  
 	    String jsonUser = JSONObject.toJSONString(user);  
-	    logger.info("[UPDATEUSER]", "updateUser param:jsonUser:{}", new Object[]{jsonUser});
+	    logger.info("[UPDATEUSER] updateUser param:jsonUser:{}", jsonUser);
 	    // 调用接口更新用户 
 	    JSONObject jsonObject = HttpUtil.sendPost(url, jsonUser);  
-	    logger.info("[UPDATEUSER]", "updateUser response:{}", new Object[]{jsonObject.toJSONString()});
+	    logger.info("[UPDATEUSER] updateUser response:{}", jsonObject.toJSONString());
 	    // 调用接口更新成员  
 	    if (null != jsonObject) {  
 	    	int errcode = jsonObject.getIntValue("errcode");
@@ -117,14 +119,14 @@ public static int updateUser(User user, String accessToken){
 	 */
 	public static int deleteUser(String userid, String accessToken){
 		int result=0;
-		logger.info("[DELETEUSER]", "deleteUser param:userid:{},accessToken:{}", new Object[]{userid,accessToken});
+		logger.info("[DELETEUSER] deleteUser param:userid:{},accessToken:{}", userid,accessToken);
 		// 拼装删除成员列表的url  
 	    String url = user_delete_url.replace("ACCESS_TOKEN", accessToken).replace("USERID", userid);  
 	    // 将成员对象转换成json字符串  
-	    logger.info("[DELETEUSER]", "deleteUser param:userid:{}", new Object[]{userid});
+	    logger.info("[DELETEUSER] deleteUser param:userid:{}", userid);
 	    // 调用接口删除用户 
 	    JSONObject jsonObject = HttpUtil.sendPost(url);  
-	    logger.info("[DELETEUSER]", "deleteUser response:{}", new Object[]{jsonObject.toJSONString()});
+	    logger.info("[DELETEUSER] deleteUser response:{}", jsonObject.toJSONString());
 	    // 调用接口删除成员  
 	    if (null != jsonObject) {  
 	    	int errcode = jsonObject.getIntValue("errcode");
@@ -142,17 +144,17 @@ public static int deleteUser(String userid, String accessToken){
 	 */
 	public static int batchDeleteUsers(String[] useridlist, String accessToken){
 		int result=0;
-		logger.info("[BATCHDELETEUSERS]", "batchDeleteUsers param:useridlist:{},accessToken:{}", new Object[]{useridlist,accessToken});
+		logger.info("[BATCHDELETEUSERS] batchDeleteUsers param:useridlist:{},accessToken:{}", useridlist,accessToken);
 		// 拼装批量删除成员列表的url  
 	    String url = user_delete_all_url.replace("ACCESS_TOKEN", accessToken);  
 	    // 将成员对象转换成json字符串  
 	    Map<String, String[]> paramtermap=new HashMap<String, String[]>();
 	    paramtermap.put("useridlist", useridlist);
 	    String jsonUserids = JSONObject.toJSONString(paramtermap); 
-	    logger.info("[BATCHDELETEUSERS]", "batchDeleteUsers param:useridlist:{}", new Object[]{paramtermap});
+	    logger.info("[BATCHDELETEUSERS] batchDeleteUsers param:useridlist:{}", paramtermap);
 	    // 调用接口批量删除
 	    JSONObject jsonObject = HttpUtil.sendPost(url,jsonUserids);  
-	    logger.info("[BATCHDELETEUSERS]", "batchDeleteUsers response:{}", new Object[]{jsonObject.toJSONString()});
+	    logger.info("[BATCHDELETEUSERS] batchDeleteUsers response:{}", jsonObject.toJSONString());
 	    // 调用接口批量删除
 	    if (null != jsonObject) {  
 	    	int errcode = jsonObject.getIntValue("errcode");
@@ -163,12 +165,12 @@ public static int batchDeleteUsers(String[] useridlist, String accessToken){
 
 	//5获取成员
 	public static User getUserByUserid(String userid, String accessToken){
-		logger.info("[GETUSERBYUSERID]", "getUserByUserid param:userid:{},accessToken:{}", new Object[]{userid,accessToken});
+		logger.info("[GETUSERBYUSERID] getUserByUserid param:userid:{},accessToken:{}", userid,accessToken);
 		// 拼装获取成员的url  
 	    String url = user_get_url_byuserid.replace("ACCESS_TOKEN", accessToken).replace("USERID", userid);  
 	    // 调用接口获取成员
 	    JSONObject jsonObject = HttpUtil.sendPost(url); 
-	    logger.info("[GETUSERBYUSERID]", "getUserByUserid response:{}", new Object[]{jsonObject.toJSONString()});
+	    logger.info("[GETUSERBYUSERID] getUserByUserid response:{}", jsonObject.toJSONString());
 	    //把对象转换成user
 	    if (null != jsonObject) {  
 	    	int errcode = jsonObject.getIntValue("errcode");
@@ -182,7 +184,7 @@ public static User getUserByUserid(String userid, String accessToken){
 
 	//6获取部门成员
 	public static List<User> getUsersByDepartid(String department_id,String fetch_child,String status , String accessToken){
-		logger.info("[GETUSERSBYDEPARTID]", "getUsersByDepartid param:department_id:{},fetch_child:{},status:{},accessToken:{}", new Object[]{department_id,fetch_child,status,accessToken});
+		logger.info("[GETUSERSBYDEPARTID] getUsersByDepartid param:department_id:{},fetch_child:{},status:{},accessToken:{}", department_id,fetch_child,status,accessToken);
 		// 拼装获取部门成员的列表的url  
 	    String url = user_get_dep_all_url.replace("ACCESS_TOKEN", accessToken).replace("DEPARTMENT_ID", department_id);
 	    if(fetch_child!=null){
@@ -193,7 +195,7 @@ public static List<User> getUsersByDepartid(String department_id,String fetch_ch
 	    }
 	    // 调用接口获取部门成员
 	    JSONObject jsonObject = HttpUtil.sendPost(url);  
-	    logger.info("[GETUSERSBYDEPARTID]", "getUsersByDepartid response:{}", new Object[]{jsonObject.toJSONString()});
+	    logger.info("[GETUSERSBYDEPARTID] getUsersByDepartid response:{}", jsonObject.toJSONString());
 	    if (null != jsonObject) {  
 	    	int errcode = jsonObject.getIntValue("errcode");
 	        if(errcode==0){
@@ -207,6 +209,7 @@ public static List<User> getUsersByDepartid(String department_id,String fetch_ch
 	}
 
 	//7 获取部门成员(详情)
+	@Deprecated
 	public static List<User> getDetailUsersByDepartid(String department_id,String fetch_child,String status , String accessToken){
 		if(null==fetch_child){
 //			fetch_child="";
@@ -216,13 +219,13 @@ public static List<User> getDetailUsersByDepartid(String department_id,String fe
 //			status="";
 			status="0";
 		}
-		logger.info("[GETDETAILUSERSBYDEPARTID]", "getDetailUsersByDepartid param:department_id:{},fetch_child:{},status:{},accessToken:{}", new Object[]{department_id,fetch_child,status,accessToken});
+		logger.info("[GETDETAILUSERSBYDEPARTID] getDetailUsersByDepartid param:department_id:{},fetch_child:{},status:{},accessToken:{}", department_id,fetch_child,status,accessToken);
 		// 拼装获取部门成员(详情)的列表的url  
 	    String url = user_get_url.replace("ACCESS_TOKEN", accessToken).replace("DEPARTMENT_ID", department_id).replace("FETCH_CHILD", fetch_child).replace("STATUS", status);  
 	    // 调用接口获取部门成员(详情)
 	    JSONObject jsonObject = HttpUtil.sendPost(url);  
 //	    System.out.println("jsonObject="+jsonObject);
-	    logger.info("[GETDETAILUSERSBYDEPARTID]", "getDetailUsersByDepartid response:{}", new Object[]{jsonObject.toJSONString()});
+	    logger.info("[GETDETAILUSERSBYDEPARTID] getDetailUsersByDepartid response:{}", jsonObject.toJSONString());
 	    if (null != jsonObject) {  
 	    	int errcode = jsonObject.getIntValue("errcode");
 	        if(errcode==0){
@@ -237,7 +240,7 @@ public static List<User> getDetailUsersByDepartid(String department_id,String fe
 
 	//8 手机号获取userid
 	public static String getUserIdByPhone(String phone, String accessToken) {
-		logger.info("[GETUSERIDBYPHONE] getUserIdByPhone param:phone:{},accessToken:{}", new Object[]{phone, accessToken});
+		logger.info("[GETUSERIDBYPHONE] getUserIdByPhone param:phone:{},accessToken:{}", phone, accessToken);
 		JSONObject params = new JSONObject();
 		params.put("mobile", phone);
 		String url = user_get_userid.replace("ACCESS_TOKEN", accessToken);
@@ -259,12 +262,43 @@ public static String getUserIdByPhone(String phone, String accessToken) {
 	 * @return
 	 */
 	public static JSONObject getUserInfoByCode(String code, String accessToken) {
-		logger.info("[GETUSERINFOBYCODE] getUserInfoByCode param:code:{},accessToken:{}", new Object[]{code, accessToken});
+		logger.info("[GETUSERINFOBYCODE] getUserInfoByCode param:code:{},accessToken:{}", code, accessToken);
 		String url = user_get_userinfo.replace("CODE", code).replace("ACCESS_TOKEN", accessToken);
 		// errcode
 		return HttpUtil.sendGet(url);
 	}
 
+	/**
+	 * 10 获取企业成员的userid与对应的部门ID列表
+	 *
+	 * @param accessToken 调用接口凭证
+	 */
+	public static List<User> getUserIdList(String accessToken) {
+		logger.info("[GETUSERIDLIST] getUserIdList params:accessToken:{}", accessToken);
+		String url = user_get_id_list.replace("ACCESS_TOKEN", accessToken);
+		JSONObject response = HttpUtil.sendPost(url);
+		if (response != null) {
+			logger.info("[GETUSERIDLIST] getUserIdList response:{}", response.toJSONString());
+			int errcode = response.getIntValue("errcode");
+			if (errcode == 0) {
+				JSONArray deptUser = response.getJSONArray("dept_user");
+				List<User> users = new ArrayList<>();
+				for (int i = 0; i < deptUser.size(); i++) {
+					JSONObject user = deptUser.getJSONObject(i);
+					User u = new User();
+					u.setUserid(user.getString("userid"));
+					int department = user.getIntValue("department");
+					u.setDepartment(new Integer[]{department});
+					users.add(u);
+				}
+				return users;
+			}
+		} else {
+			logger.info("[GETUSERIDLIST] getUserIdList response: null");
+		}
+		return null;
+	}
+
 	public static void main(String[] args) {
 		AccessToken accessToken = JwAccessTokenAPI.getAccessToken(JwParamesAPI.corpId,JwParamesAPI.secret);
 		/*JSONObject js = getUsersByDepartid("5", null,null,accessToken.getAccesstoken());
@@ -310,8 +344,8 @@ public static void main(String[] args) {
 		/**
 		 * 5:getUserByUserid
 		 */
-		User user = getUserByUserid("yangqj", accessToken.getAccesstoken());
-		System.out.println(JSONObject.toJSON(user));
+//		User user = getUserByUserid("yangqj", accessToken.getAccesstoken());
+//		System.out.println(JSONObject.toJSON(user));
 
 		/**
 		 *6 getUsersByDepartid
@@ -326,5 +360,11 @@ public static void main(String[] args) {
 		 */
 		/*List<User> users=getDetailUsersByDepartid("5", null, null, accessToken.getAccesstoken());
 		System.out.println(JSONObject.toJSON(users));*/
+		/*
+		 * 7 获取成员id
+		 */
+		List<User> users = JwUserAPI.getUserIdList(accessToken.getAccesstoken());
+		System.out.println(JSON.toJSONString(users));
+
 	}
 }
diff --git a/src/main/java/org/jeewx/api/core/common/util/FreemarkerUtil.java b/src/main/java/org/jeewx/api/core/common/util/FreemarkerUtil.java
@@ -8,6 +8,7 @@
 import java.io.Writer;
 import java.util.Map;
 
+import freemarker.core.TemplateClassResolver;
 import freemarker.template.Configuration;
 import freemarker.template.Template;
 import org.jeewx.api.core.common.util.StringTemplateLoader
@@ -23,7 +24,7 @@
  * @version V1.0
  */
 public class FreemarkerUtil {
-	private static Configuration _tplConfig = new Configuration();
+	private static Configuration _tplConfig = new Configuration(Configuration.DEFAULT_INCOMPATIBLE_IMPROVEMENTS);
 
 	public FreemarkerUtil(){
 
@@ -33,6 +34,9 @@ public FreemarkerUtil(String dir) {
 			_tplConfig.setDirectoryForTemplateLoading(new File(dir));
 			//必须freemarker字段为空，报错
 			_tplConfig.setClassicCompatible(true);
+			//update-begin-author:scott date:2023-8-15 for: freemarker模板注入问题 禁止解析ObjectConstructor，Execute和freemarker.template.utility.JythonRuntime。
+			_tplConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+			//update-end-author:scott date:2023-8-15 for: freemarker模板注入问题 禁止解析ObjectConstructor，Execute和freemarker.template.utility.JythonRuntime。
 		} catch (IOException e) {
 			// TODO Auto-generated catch block
 			e.printStackTrace();
@@ -100,7 +104,10 @@ public String parseTemplate(String tplName, Map<String, Object> paras) {
 	 */
 	public String parseTemplateContent(String tplContent,
 			Map<String, Object> paras, String encoding) {
-		Configuration cfg = new Configuration();    
+		Configuration cfg = new Configuration(Configuration.DEFAULT_INCOMPATIBLE_IMPROVEMENTS);
+		//update-begin-author:scott date:2023-8-15 for: freemarker模板注入问题 禁止解析ObjectConstructor，Execute和freemarker.template.utility.JythonRuntime。
+		cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+		//update-end-author:scott date:2023-8-15 for: freemarker模板注入问题 禁止解析ObjectConstructor，Execute和freemarker.template.utility.JythonRuntime。
 	    StringWriter writer = new StringWriter(); 
         cfg.setTemplateLoader(new StringTemplateLoader(tplContent));  
         encoding = encoding==null?"UTF-8":encoding;
@@ -124,9 +131,12 @@ public String parseTemplateContent(String tplContent,
 	 * @return String 模板解析后内容
 	 */
 	public static String parseTemplateContent(String tplContent,Map<String, Object> paras) {
-		Configuration cfg = new Configuration();    
+		Configuration cfg = new Configuration(Configuration.DEFAULT_INCOMPATIBLE_IMPROVEMENTS);    
 	    StringWriter writer = new StringWriter(); 
-        cfg.setTemplateLoader(new StringTemplateLoader(tplContent));  
+        cfg.setTemplateLoader(new StringTemplateLoader(tplContent));
+		//update-begin-author:scott date:2023-8-15 for: freemarker模板注入问题 禁止解析ObjectConstructor，Execute和freemarker.template.utility.JythonRuntime。
+		cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+		//update-end-author:scott date:2023-8-15 for: freemarker模板注入问题 禁止解析ObjectConstructor，Execute和freemarker.template.utility.JythonRuntime。
         cfg.setDefaultEncoding("UTF-8");    
 
         Template template;