From 7cb5392c64ad03152718ce39f9ecf1b88ffd81cd Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: Mon, 1 Nov 2021 15:10:50 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BB=BB=E5=8A=A1=E5=B1=8F=E8=94=BD=E8=BF=9D?=
 =?UTF-8?q?=E8=A7=84=E5=AD=97=E7=AC=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/main/java/com/ruoyi/common/constant/Constants.java    | 6 ++++++
 .../project/monitor/controller/SysJobController.java      | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/src/main/java/com/ruoyi/common/constant/Constants.java b/src/main/java/com/ruoyi/common/constant/Constants.java
index 9f55771..98aeebc 100644
--- a/src/main/java/com/ruoyi/common/constant/Constants.java
+++ b/src/main/java/com/ruoyi/common/constant/Constants.java
@@ -148,4 +148,10 @@ public class Constants
      * LDAP 远程方法调用
      */
     public static final String LOOKUP_LDAP = "ldap://";
+
+    /**
+     * 定时任务违规的字符
+     */
+    public static final String[] JOB_ERROR_STR = { "java.net.URL", "javax.naming.InitialContext", "org.yaml.snakeyaml",
+            "org.springframework.jndi" };
 }
diff --git a/src/main/java/com/ruoyi/project/monitor/controller/SysJobController.java b/src/main/java/com/ruoyi/project/monitor/controller/SysJobController.java
index db45659..918f4ac 100644
--- a/src/main/java/com/ruoyi/project/monitor/controller/SysJobController.java
+++ b/src/main/java/com/ruoyi/project/monitor/controller/SysJobController.java
@@ -96,6 +96,10 @@ public class SysJobController extends BaseController
         {
             return error("新增任务'" + job.getJobName() + "'失败，目标字符串不允许'http(s)//'调用");
         }
+        else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
+        {
+            return error("新增任务'" + job.getJobName() + "'失败，目标字符串存在违规");
+        }
         job.setCreateBy(getUsername());
         return toAjax(jobService.insertJob(job));
     }
@@ -124,6 +128,10 @@ public class SysJobController extends BaseController
         {
             return error("修改任务'" + job.getJobName() + "'失败，目标字符串不允许'http(s)//'调用");
         }
+        else if (StringUtils.containsAnyIgnoreCase(job.getInvokeTarget(), Constants.JOB_ERROR_STR))
+        {
+            return error("修改任务'" + job.getJobName() + "'失败，目标字符串存在违规");
+        }
         job.setUpdateBy(getUsername());
         return toAjax(jobService.updateJob(job));
     }