修复个别安全隐患

src/com/ejweb/core/utils/excel/ImportExcel.java

@@ -3,36 +3,26 @@
  */
 package com.ejweb.core.utils.excel;
 
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.lang.reflect.Field;
-import java.lang.reflect.Method;
-import java.text.SimpleDateFormat;
-import java.util.Collections;
-import java.util.Comparator;
-import java.util.Date;
-import java.util.List;
-
+import com.ejweb.core.utils.excel.annotation.ExcelField;
+import com.google.common.collect.Lists;
 import org.apache.commons.lang3.StringUtils;
-import org.apache.poi.hssf.usermodel.HSSFCell;
-import org.apache.poi.hssf.usermodel.HSSFDataFormat;
 import org.apache.poi.hssf.usermodel.HSSFDateUtil;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
 import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
-import org.apache.poi.ss.usermodel.Cell;
-import org.apache.poi.ss.usermodel.DateUtil;
-import org.apache.poi.ss.usermodel.Row;
-import org.apache.poi.ss.usermodel.Sheet;
-import org.apache.poi.ss.usermodel.Workbook;
+import org.apache.poi.ss.usermodel.*;
 import org.apache.poi.xssf.usermodel.XSSFWorkbook;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.web.multipart.MultipartFile;
 
-import com.ejweb.core.utils.excel.annotation.ExcelField;
-import com.google.common.collect.Lists;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.text.SimpleDateFormat;
+import java.util.*;
 
 /**
  * 导入Excel文件（支持“XLS”和“XLSX”格式）
@@ -136,9 +126,9 @@ public class ImportExcel {
             throws InvalidFormatException, IOException {
         if (StringUtils.isBlank(fileName)) {
             throw new RuntimeException("导入文档为空!");
-        } else if (fileName.toLowerCase().endsWith("xls")) {
+        } else if (fileName.toLowerCase(Locale.ENGLISH).endsWith("xls")) {
             this.wb = new HSSFWorkbook(is);
-        } else if (fileName.toLowerCase().endsWith("xlsx")) {
+        } else if (fileName.toLowerCase(Locale.ENGLISH).endsWith("xlsx")) {
             this.wb = new XSSFWorkbook(is);
         } else {
             throw new RuntimeException("文档格式不正确!");
@@ -203,11 +193,7 @@ public class ImportExcel {
                 if (cell.getCellType() == Cell.CELL_TYPE_NUMERIC) {
                     // 处理日期格式、时间格式
                     if (HSSFDateUtil.isCellDateFormatted(cell)) {
-                        SimpleDateFormat sdf = null;
-                        if (cell.getCellStyle().getDataFormat() == HSSFDataFormat
-                                .getBuiltinFormat("h:mm")) {
-                            sdf = new SimpleDateFormat("HH:mm");
-                        }
+                        SimpleDateFormat sdf = new SimpleDateFormat("HH:mm");
                         Date date = cell.getDateCellValue();
                         val = sdf.format(date);
                     } else {
@@ -379,19 +365,4 @@ public class ImportExcel {
         }
         return dataList;
     }
-
-    /**
-     * 导入测试
-     */
-    public static void main(String[] args) throws Throwable {
-        ImportExcel ei = new ImportExcel("C:\\Users\\yiping\\Desktop\\任务跟踪表－车库网2016-8-24.xlsx", 1);
-        for (int i = ei.getDataRowNum(); i < ei.getLastDataRowNum(); i++) {
-            Row row = ei.getRow(i);
-            for (int j = 0; j < ei.getLastCellNum(); j++) {
-                Object val = ei.getCellValue(row, j);
-                System.out.print(val + ", ");
-            }
-            System.out.print("\n");
-        }
-    }
 }

src/com/ejweb/modules/contact/entity/StationUserListEntity.java

@@ -43,7 +43,7 @@ public class StationUserListEntity extends BaseEntity {
     private String dutyName; // 职务
     private String huaweiNum;
     private String huaweiAccount; //华为账号
-    private String huaweiPassword; //华为密码
+    private transient String huaweiPassword; //华为密码
     
     private int huaweiStatus;// 华为绑定状态： 0 位绑定 1 已绑定
     private int jiewenStatus;// 捷文绑定状态： 0 位绑定 1 已绑定

src/com/ejweb/modules/crew/scores/api/MainController.java

@@ -6,6 +6,7 @@ import java.math.BigDecimal;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
+import java.util.Locale;
 
 import javax.servlet.http.HttpServletRequest;
 
@@ -117,7 +118,7 @@ public class MainController{
         }
         return responseBean;
     }
-   
+
     @ResponseBody
     @RequestMapping(value = "upload")
     public ResponseBean  upload(HttpServletRequest request,
@@ -145,10 +146,10 @@ public class MainController{
             int length = 0;
                 
                 try {
-                    if(originalFilename.toLowerCase().endsWith("xls")){
+                    if (originalFilename.toLowerCase(Locale.ENGLISH).endsWith("xls")) {
                         HSSFWorkbook hwb = new HSSFWorkbook(file.getInputStream());
                         length = hwb.getNumberOfSheets();//判断有几张活动的sheet表  
-                    }else if(originalFilename.toLowerCase().endsWith("xlsx")){
+                    } else if (originalFilename.toLowerCase(Locale.ENGLISH).endsWith("xlsx")) {
                         XSSFWorkbook hwb = new XSSFWorkbook(file.getInputStream());
                         length = hwb.getNumberOfSheets();//判断有几张活动的sheet表  
                     }

src/com/ejweb/modules/im/api/ImSearchController.java

@@ -36,6 +36,7 @@ import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
+import java.util.Locale;
 
 /**
  * app端搜索
@@ -266,8 +267,8 @@ public class ImSearchController {
         if (message == null) { // 通过参数校验
             bean.setKeyWords(bean.getKeyWords().trim());
             ImBigSearchEntityV2 bigSearchEntity = new ImBigSearchEntityV2();
-            
-            if (StringUtils.isBlank(bean.getType()) || "USER".equals(bean.getType().toUpperCase())) {// 类型为空或者人员，查询人员相关信息
+
+            if (StringUtils.isBlank(bean.getType()) || "USER".equals(bean.getType().toUpperCase(Locale.ENGLISH))) {// 类型为空或者人员，查询人员相关信息
                 //人员信息
                 UserSeatListBean userSeatListBean = new UserSeatListBean();
                 userSeatListBean.setKeywords(bean.getKeyWords());
@@ -342,7 +343,7 @@ public class ImSearchController {
                 bigSearchEntity.setUserList(userSeatEntityPage);
             }
 
-            if (StringUtils.isBlank(bean.getType()) || "FLIGHT".equals(bean.getType().toUpperCase())) {// 航班信息
+            if (StringUtils.isBlank(bean.getType()) || "FLIGHT".equals(bean.getType().toUpperCase(Locale.ENGLISH))) {// 航班信息
                 FlightListBean flightListBean = new FlightListBean();
                 flightListBean.setKeywords(bean.getKeyWords());
                 flightListBean.setPageNo(bean.getFlightPageNo());

src/com/ejweb/modules/im/entity/UcAccountEntity.java

@@ -11,23 +11,23 @@ import com.ejweb.core.base.BaseEntity;
  */
 public class UcAccountEntity extends BaseEntity {
 
-	private static final long serialVersionUID = 1L;
-	
-	private String bindId;  //绑定ID 用户ID或者席位ID
-	private String bindType = "USER"; //类型 USER 个人账号 SEAT 席位账号
-	private String bindStatus = "FAILD"; //绑定状态 FAILD 绑定失败 SUCCESS 绑定成功 UNBIND 已解绑
-	private String huaweiNum; //华为SIP号
-	private String huaweiId; //华为UC账号ID
-	private String huaweiPassword; //登录华为密码
-	private String updateBy; //最后一次者
-	private Date updateDate; //最后一次时间
-	private String syncMessage; //同步过程描述
+    private static final long serialVersionUID = 1L;
+
+    private String bindId;  //绑定ID 用户ID或者席位ID
+    private String bindType = "USER"; //类型 USER 个人账号 SEAT 席位账号
+    private String bindStatus = "FAILD"; //绑定状态 FAILD 绑定失败 SUCCESS 绑定成功 UNBIND 已解绑
+    private String huaweiNum; //华为SIP号
+    private String huaweiId; //华为UC账号ID
+    private transient String huaweiPassword; //登录华为密码
+    private String updateBy; //最后一次者
+    private Date updateDate; //最后一次时间
+    private String syncMessage; //同步过程描述
 
-	//同步到录音系统的状态
-	private String recordingStatus = "FAILD";
+    //同步到录音系统的状态
+    private String recordingStatus = "FAILD";
 
-	//同步到录音系统的URL
-	private String recordingUrl;
+    //同步到录音系统的URL
+    private String recordingUrl;
 	
 	public UcAccountEntity() {
 	}

src/com/ejweb/modules/im/service/HuaweiUCSyncService.java

@@ -94,8 +94,8 @@ public class HuaweiUCSyncService {
     @Transactional(readOnly = false)
     public String sync(HuaweiUCSyncBean bean) {
         StringBuffer sb = new StringBuffer();
-        List<UserProfileEntity> userProfileEntities = null;
-        List<SeatEntity> seatEntities = null;
+        List<UserProfileEntity> userProfileEntities = new ArrayList<>();
+        List<SeatEntity> seatEntities = new ArrayList<>();
         if (bean.isAll()) {
             userProfileEntities = huaweiUCSyncDao.findAllUserList(bean);
             seatEntities = huaweiUCSyncDao.findAllSeatList(bean);
@@ -1534,11 +1534,11 @@ public class HuaweiUCSyncService {
      */
     public String addAccountToUc(HuaweiUCAddAccountBean bean) {
         StringBuffer sb = new StringBuffer();
-        List<UserProfileEntity> userProfileEntities = null;
-        List<SeatEntity> seatEntities = null;
+        List<UserProfileEntity> userProfileEntities = new ArrayList<>();
+        List<SeatEntity> seatEntities = new ArrayList<>();
         if (bean.isAll()) {
             userProfileEntities = huaweiUCSyncDao.findUserListAll(bean);
-            seatEntities        = huaweiUCSyncDao.findAllSeatList(bean);
+            seatEntities = huaweiUCSyncDao.findAllSeatList(bean);
         } else {
             if (isNotEmptyList(bean.getUserIds())) {
                 userProfileEntities = huaweiUCSyncDao.findUserList(bean);

src/com/ejweb/modules/mail/entity/MailEntity.java

@@ -18,7 +18,7 @@ public class MailEntity  extends BaseEntity {
 
     private static final long serialVersionUID = 1L;
     private String mailAddress;
-    private String password;
+    private transient String password;
     public String getMailAddress() {
         return mailAddress;
     }

src/com/ejweb/modules/user/entity/LoginUserEntity.java

@@ -16,11 +16,11 @@ public class LoginUserEntity extends BaseEntity {
     private String verify;
     private String officeName; // 归属部门
     private String officeFullName; // 归属部门
-    @JSONField(serialize=false)
+    @JSONField(serialize = false)
     private String loginName;// 登录名
-    @JSONField(serialize=false)
-    private String password;// 密码
-    @JSONField(serialize=false)
+    @JSONField(serialize = false)
+    private transient String password;// 密码
+    @JSONField(serialize = false)
     private String no; // 工号
     @JSONField(name="username")
     private String name; // 姓名
@@ -35,7 +35,7 @@ public class LoginUserEntity extends BaseEntity {
     private String photo; // 头像
     private String dutyName;// 职务名称
     private String huaweiUCAccount;
-    private String huaweiUCPassword;
+    private transient String huaweiUCPassword;
     private int huaweiStatus;// 华为绑定状态： 0 位绑定 1 已绑定
     private int jiewenStatus;// 捷文绑定状态： 0 位绑定 1 已绑定
     private String sex;

src/com/ejweb/modules/user/entity/User.java

@@ -9,15 +9,14 @@ import com.ejweb.core.base.BaseEntity;
 
 /**
  * @author HH
- *
  */
-public class User extends BaseEntity{
+public class User extends BaseEntity {
 	private static final long serialVersionUID = 1L;
 	private String userCode;
 	private Office company; // 归属公司
 	private Office office; // 归属部门
 	private String loginName;// 登录名
-	private String password;// 密码
+	private transient String password;// 密码
 	private String no; // 工号
 	private String name; // 姓名
 	private String email; // 邮箱

src/com/ejweb/modules/user/entity/UserEntity.java

@@ -24,8 +24,8 @@ public class UserEntity extends BaseEntity{
     private String nickname;
     
     // 指定字段不序列化
-    @JSONField(serialize=false)
-    private String password;
+    @JSONField(serialize = false)
+    private transient String password;
     
     // 日期格式化注解
     @JSONField(name="create_date",format="yyyy-MM-dd HH:mm:ss")

src/com/ejweb/modules/user/entity/UserExport.java

@@ -18,7 +18,7 @@ public class UserExport extends BaseEntity {
     private String company;    // 归属公司
     private String office;    // 归属部门
     private String loginName;// 登录名
-    private String password;// 密码
+    private transient String password;// 密码
 
     private String no;        // 工号
     private String name;    // 姓名
@@ -33,7 +33,7 @@ public class UserExport extends BaseEntity {
     private String photo;    // 头像
 
     private String oldLoginName;// 原登录名
-    private String newPassword;    // 新密码
+    private transient String newPassword;    // 新密码
 
     public static long getSerialVersionUID() {
         return serialVersionUID;

src/com/ejweb/modules/user/entity/UserProfileEntity.java

@@ -17,7 +17,7 @@ public class UserProfileEntity extends BaseEntity {
     private Office company;    // 归属公司
     private Office office;    // 归属部门
     private String loginName;// 登录名
-    private String password;// 密码
+    private transient String password;// 密码
     private String no;        // 工号
     private String name;    // 姓名
     private String email;    // 邮箱
@@ -25,19 +25,19 @@ public class UserProfileEntity extends BaseEntity {
     private String mobile;    // 手机
     private String userType;// 用户类型
     private String loginIp;    // 最后登陆IP
-    private Date   loginDate;    // 最后登陆日期
+    private Date loginDate;    // 最后登陆日期
     private String loginFlag;    // 是否允许登陆
     private String photo;    // 头像
     private String departId; //论证部门id
-    private String oldLoginName;// 原登录名
-    private String newPassword;    // 新密码
-    
+    private transient String oldLoginName;// 原登录名
+    private transient String newPassword;    // 新密码
+
     private Date createDate;
     private String remarks; // 备注
-    
+
     private String oldLoginIp;    // 上次登陆IP
     private Date oldLoginDate;    // 上次登陆日期
-    
+
     public UserProfileEntity() {
         super();
         this.loginFlag = GConstants.YES;

src/com/ejweb/modules/user/entity/UserSeatEntity.java

@@ -21,7 +21,7 @@ public class UserSeatEntity extends BaseEntity {
     private String seatHuaweiNum;
     private String stationName;// 席位场站名称
     private String huaweiUCAccount;
-    private String huaweiUCPassword;
+    private transient String huaweiUCPassword;
     private String photo; // 头像
     
     @JSONField(name="userCode")

src/com/ejweb/modules/verify/api/AirlineVerifyController.java

@@ -9,6 +9,7 @@ import java.sql.SQLException;
 import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
@@ -210,7 +211,7 @@ public class AirlineVerifyController {
                     responseBean.setStatus(ErrorCode.STATUS_CODE_4001);
                     return responseBean;
 
-                } else if (!bean.getVerifyFile().get(0).getFileName().toLowerCase().endsWith("xls") && !bean.getVerifyFile().get(0).getFileName().toLowerCase().endsWith("xlsx")) {
+                } else if (!bean.getVerifyFile().get(0).getFileName().toLowerCase(Locale.ENGLISH).endsWith("xls") && !bean.getVerifyFile().get(0).getFileName().toLowerCase().endsWith("xlsx")) {
                     responseBean.setMessage("编排航班计划只支持xls,xlsx");
                     responseBean.setStatus(ErrorCode.STATUS_CODE_4001);
                     return responseBean;

src/com/ejweb/modules/verify/api/VerifyDocumentController.java

@@ -10,14 +10,12 @@ import com.ejweb.modules.verify.bean.DocumentDownloadBean;
 import com.ejweb.modules.verify.bean.VerifyDocumentListBean;
 import com.ejweb.modules.verify.entity.VerifyDocumentListEntity;
 import com.ejweb.modules.verify.service.VerifyDocumentService;
-
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import javax.servlet.http.HttpServletResponse;
-
 import java.io.*;
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -64,7 +62,7 @@ public class VerifyDocumentController {
     }
 
     @RequestMapping("downloadFiles")
-    public ResponseBean getVerifyFiles (RequestBean requestBean,  HttpServletResponse response) {
+    public ResponseBean getVerifyFiles(RequestBean requestBean, HttpServletResponse response) {
         ResponseBean responseBean = new ResponseBean();
         DocumentDownloadBean bean = requestBean.getObjectBean(DocumentDownloadBean.class);
         if (bean == null || bean.getIds() == null || bean.getIds().size() == 0) {
@@ -78,12 +76,12 @@ public class VerifyDocumentController {
         ZipOutputStream zos = null;
         String fileName = "批量下载" + new SimpleDateFormat("yyyyMMddHHmmss").format(new Date()) + ".zip";
         try {
-            response.addHeader("Content-Disposition","attachment; filename=" + new String(fileName.getBytes("gbk"), "ISO8859-1"));
+            response.addHeader("Content-Disposition", "attachment; filename=" + new String(fileName.getBytes("gbk"), "ISO8859-1"));
             zos = new ZipOutputStream(new BufferedOutputStream(response.getOutputStream()));
         } catch (IOException e) {
             e.printStackTrace();
         }
-        byte[] bufs = new byte[1024*10];
+        byte[] bufs = new byte[1024 * 10];
         for (VerifyDocumentListEntity entityTmp : documentListEntities) {
             try {
                 File fTmp = new File(FileManipulation.validateFile(GConstants.FILE_UPLOAD_DIR + entityTmp.getFilePath()));
@@ -93,12 +91,14 @@ public class VerifyDocumentController {
                     break;
                 }
                 ZipEntry zipEntry = new ZipEntry(entityTmp.getFileName());
-                zos.putNextEntry(zipEntry);
+                if (zos != null) {
+                    zos.putNextEntry(zipEntry);
+                }
                 fis = new FileInputStream(fTmp);
-                bis = new BufferedInputStream(fis, 1024*10);
+                bis = new BufferedInputStream(fis, 1024 * 10);
                 int read = 0;
-                while((read=bis.read(bufs, 0, 1024*10)) != -1){
-                    zos.write(bufs,0,read);
+                while ((read = bis.read(bufs, 0, 1024 * 10)) != -1) {
+                    zos.write(bufs, 0, read);
                 }
             } catch (IOException e) {
                 e.printStackTrace();
@@ -106,9 +106,15 @@ public class VerifyDocumentController {
         }
 
         try {
-            if (fis != null) {fis.close();}
-            if (bis != null) {bis.close();}
-            if (zos != null) {zos.close();}
+            if (fis != null) {
+                fis.close();
+            }
+            if (bis != null) {
+                bis.close();
+            }
+            if (zos != null) {
+                zos.close();
+            }
         } catch (IOException e) {
             e.printStackTrace();
         }

src/org/apache/ibatis/thread/MybatisRunnable.java

@@ -5,6 +5,7 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Locale;
 
 import org.apache.ibatis.builder.xml.XMLMapperBuilder;
 import org.apache.ibatis.executor.ErrorContext;
@@ -177,7 +178,7 @@ public class MybatisRunnable implements java.lang.Runnable {
             File file = files[i];
             if (file.isDirectory()) {
                 refreshs.addAll(this.getRefreshFile(file, beforeTime));
-            } else if (file.isFile() && file.getName().toLowerCase().endsWith(".xml")) {
+            } else if (file.isFile() && file.getName().toLowerCase(Locale.ENGLISH).endsWith(".xml")) {
                 if (this.check(file, beforeTime)) {
                     refreshs.add(file);
                 }