发布最新正式版4.3.0#2582
Conversation
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| * 文件输入流上传. | ||
| * | ||
| * @author meiqin.zhou91@gmail.com | ||
| * @date 2022/02/15 |
There was a problem hiding this comment.
InvalidBlockTag: Tag name date is unknown. If this is a commonly-used custom tag, please click 'not useful' and file a bug. (details)
(at-me in a reply with help or ignore)
| * com.tencent.wework.Finance | ||
| * | ||
| * @author Wang_Wong | ||
| * @date 2022-01-14 |
There was a problem hiding this comment.
InvalidBlockTag: Tag name date is unknown. If this is a commonly-used custom tag, please click 'not useful' and file a bug. (details)
(at-me in a reply with help or ignore)
| /** | ||
| * @author eYoung | ||
| * @description: | ||
| * @date create at 2021/12/3 16:34 |
There was a problem hiding this comment.
InvalidBlockTag: Tag name date is unknown. If this is a commonly-used custom tag, please click 'not useful' and file a bug. (details)
(at-me in a reply with help or ignore)
|
|
||
| /** | ||
| * @author eYoung | ||
| * @description: |
There was a problem hiding this comment.
InvalidBlockTag: Tag name description: is unknown. If this is a commonly-used custom tag, please click 'not useful' and file a bug. (details)
(at-me in a reply with help or ignore)
| * 二级标题+文本列表,该字段可为空数组,但有数据的话需确认对应字段是否必填,列表长度不超过6 | ||
| * | ||
| * @author yzts | ||
| * @date 2021/9/22 |
There was a problem hiding this comment.
InvalidBlockTag: Tag name date is unknown. If this is a commonly-used custom tag, please click 'not useful' and file a bug. (details)
(at-me in a reply with help or ignore)
| * WxMaSubscribeMsgEvent class | ||
| * 客户端订阅,服务端收到的通知 | ||
| * @author dany | ||
| * @date 2021/12/31 |
There was a problem hiding this comment.
InvalidBlockTag: Tag name date is unknown. If this is a commonly-used custom tag, please click 'not useful' and file a bug. (details)
(at-me in a reply with help or ignore)
| * | ||
| * @author Luo | ||
| * @version 1.0 | ||
| * @date 2021-10-14 10:49 |
There was a problem hiding this comment.
InvalidBlockTag: Tag name date is unknown. If this is a commonly-used custom tag, please click 'not useful' and file a bug. (details)
(at-me in a reply with help or ignore)
| public static class SubscribeMsgChangeEvent implements Serializable { | ||
| private static final long serialVersionUID = 7705686111539437751L; | ||
| @XStreamImplicit(itemFieldName = "List") | ||
| private List<ChangeEvent> list = new LinkedList<>(); |
There was a problem hiding this comment.
JdkObsolete: It is very rare for LinkedList to out-perform ArrayList or ArrayDeque. Avoid it unless you're willing to invest a lot of time into benchmarking. Caveat: LinkedList supports null elements, but ArrayDeque does not. (details)
| private List<ChangeEvent> list = new LinkedList<>(); | |
| private List<ChangeEvent> list = new ArrayList<>(); |
(at-me in a reply with help or ignore)
| public static class SubscribeMsgPopupEvent implements Serializable { | ||
| private static final long serialVersionUID = 6319723189257161326L; | ||
| @XStreamImplicit(itemFieldName = "List") | ||
| private List<PopupEvent> list = new LinkedList<>(); |
There was a problem hiding this comment.
JdkObsolete: It is very rare for LinkedList to out-perform ArrayList or ArrayDeque. Avoid it unless you're willing to invest a lot of time into benchmarking. Caveat: LinkedList supports null elements, but ArrayDeque does not. (details)
| private List<PopupEvent> list = new LinkedList<>(); | |
| private List<PopupEvent> list = new ArrayList<>(); |
(at-me in a reply with help or ignore)
|
|
||
| /** | ||
| * @author 曹祖鹏 & yuanqixun | ||
| * @author 曹祖鹏 & yuanqixun & Mr.Pan & Wang_Wong |
There was a problem hiding this comment.
MissingSummary: A summary line is required on public/protected Javadocs. (details)
(at-me in a reply with help or ignore)
|
|
||
| /** | ||
| * | ||
| * @author zhangq <zhangq002@gmail.com> |
There was a problem hiding this comment.
MissingSummary: A summary line is required on public/protected Javadocs. (details)
(at-me in a reply with help or ignore)
| import me.chanjar.weixin.cp.bean.message.WxCpXmlOutEventMessage; | ||
|
|
||
| /** | ||
| * @author eYoung |
There was a problem hiding this comment.
MissingSummary: A summary line is required on public/protected Javadocs. (details)
(at-me in a reply with help or ignore)
| import static cn.binarywang.wx.miniapp.constant.WxMaApiUrlConstants.InstantDelivery.SafetyRiskControl.GET_USER_RISK_RANK; | ||
|
|
||
| /** | ||
| * @author azouever |
There was a problem hiding this comment.
MissingSummary: A summary line is required on public/protected Javadocs. (details)
(at-me in a reply with help or ignore)
| @@ -16,13 +16,15 @@ | |||
| import me.chanjar.weixin.mp.bean.subscribe.WxMpSubscribeMessage; | |||
| import me.chanjar.weixin.mp.bean.template.WxMpTemplateIndustry; | |||
| import me.chanjar.weixin.mp.bean.template.WxMpTemplateMessage; | |||
| import java.util.Objects; | |||
|
|
|||
| /** | |||
| * @author someone | |||
There was a problem hiding this comment.
MissingSummary: A summary line is required on public/protected Javadocs. (details)
(at-me in a reply with help or ignore)
| * 2、若该文件未拉取完整,sdk的IsMediaDataFinish接口会返回0,同时通过GetOutIndexBuf接口返回下次拉取需要传入GetMediaData的indexbuf。 | ||
| * 3、indexbuf一般格式如右侧所示,”Range:bytes=524288-1048575“:表示这次拉取的是从524288到1048575的分片。单个文件首次拉取填写的indexbuf为空字符串,拉取后续分片时直接填入上次返回的indexbuf即可。 | ||
| */ | ||
| File targetFile = new File(targetFilePath); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/io/File.(Ljava/lang/String;)V) reads a file whose location might be specified by user input (details)
(at-me in a reply with help or ignore)
| * 解压gzip文件 | ||
| */ | ||
| public static File unGzip(final File file) throws IOException { | ||
| File resultFile = new File(FilenameUtils.removeExtension(file.getAbsolutePath())); |
There was a problem hiding this comment.
PATH_TRAVERSAL_IN: This API (java/io/File.(Ljava/lang/String;)V) reads a file whose location might be specified by user input (details)
(at-me in a reply with help or ignore)
| InputStream inputStream = null; | ||
| try { | ||
| URL remote = new URL(url); | ||
| conn = (HttpURLConnection) remote.openConnection(); |
There was a problem hiding this comment.
URLCONNECTION_SSRF_FD: This web server request could be used by an attacker to expose internal services and filesystem. (details)
(at-me in a reply with help or ignore)
| str = str.concat(getShopOrderId()); | ||
| } | ||
| str = str.concat(getAppSecret()); | ||
| return DigestUtils.sha1Hex(str); |
There was a problem hiding this comment.
WEAK_MESSAGE_DIGEST_SHA1: This API SHA1 (SHA-1) is not a recommended cryptographic hash function (details)
(at-me in a reply with help or ignore)
| WxRedisOps redisOps = new JedisWxRedisOps(jedisPool); | ||
| WxMpRedisConfigImpl wxMpRedisConfig = new WxMpRedisConfigImpl(redisOps, | ||
| wxMpProperties.getConfigStorage().getKeyPrefix()); | ||
| wxMpProperties.getConfigStorage().getKeyPrefix()); |
There was a problem hiding this comment.
NULL_DEREFERENCE: object returned by WxMpStorageAutoConfiguration.wxMpProperties.getConfigStorage() could be null and is dereferenced at line 86.
(at-me in a reply with help or ignore)
| Request request = new Request.Builder().url(uri).post(body).build(); | ||
|
|
||
| Response response = requestHttp.getRequestHttpClient().newCall(request).execute(); | ||
| String responseContent = response.body().string(); |
There was a problem hiding this comment.
NULL_DEREFERENCE: object returned by response.body() could be null and is dereferenced at line 37.
(at-me in a reply with help or ignore)
| if (departJson.get(EN_NAME) != null && !departJson.get(EN_NAME).isJsonNull()) { | ||
| depart.setEnName(GsonHelper.getAsString(departJson.get(EN_NAME))); | ||
| } | ||
| if (departJson.getAsJsonArray(DEPARTMENT_LEADER) != null && !departJson.get(DEPARTMENT_LEADER).isJsonNull()) { |
There was a problem hiding this comment.
NULL_DEREFERENCE: object returned by departJson.get("department_leader") could be null and is dereferenced at line 72.
(at-me in a reply with help or ignore)
|
|
||
| Request request = new Request.Builder().url(uri).method(getHttpMethod(), body).build(); | ||
| Response response = client.newCall(request).execute(); | ||
| return response.body().string(); |
There was a problem hiding this comment.
NULL_DEREFERENCE: object returned by response.body() could be null and is dereferenced at line 160.
(at-me in a reply with help or ignore)
| public PartnerTransferResult batchTransfer(PartnerTransferRequest request) throws WxPayException { | ||
| request.getTransferDetailList().stream().forEach(p -> { | ||
| try { | ||
| String userName = RsaCryptoUtil.encryptOAEP(p.getUserName(), this.payService.getConfig().getVerifier().getValidCertificate()); |
There was a problem hiding this comment.
NULL_DEREFERENCE: object returned by PartnerTransferServiceImpl.payService.getConfig().getVerifier() could be null and is dereferenced at line 48.
(at-me in a reply with help or ignore)
| public PreOrderWithAuthResult payrollCardPreOrderWithAuth(PreOrderWithAuthRequest request) throws WxPayException { | ||
| String url = String.format("%s/v3/payroll-card/authentications/pre-order-with-auth", payService.getPayBaseUrl()); | ||
| try { | ||
| String userName = RsaCryptoUtil.encryptOAEP(request.getUserName(), payService.getConfig().getVerifier().getValidCertificate()); |
There was a problem hiding this comment.
NULL_DEREFERENCE: object returned by PayrollServiceImpl.payService.getConfig().getVerifier() could be null and is dereferenced at line 158.
(at-me in a reply with help or ignore)
| public TokensResult payrollCardTokens(TokensRequest request) throws WxPayException { | ||
| String url = String.format("%s/v3/payroll-card/tokens", payService.getPayBaseUrl()); | ||
| try { | ||
| String userName = RsaCryptoUtil.encryptOAEP(request.getUserName(), payService.getConfig().getVerifier().getValidCertificate()); |
There was a problem hiding this comment.
NULL_DEREFERENCE: object returned by PayrollServiceImpl.payService.getConfig().getVerifier() could be null and is dereferenced at line 44.
(at-me in a reply with help or ignore)
| FileOutputStream outputStream = new FileOutputStream(new File(targetFilePath), true); | ||
| outputStream.write(Finance.GetData(mediaData)); | ||
| outputStream.close(); | ||
| } catch (Exception e) { |
There was a problem hiding this comment.
RESOURCE_LEAK: resource of type java.io.FileOutputStream acquired to outputStream by call to FileOutputStream(...) at line 148 is not released after line 151.
Note: potential exception at line 149
(at-me in a reply with help or ignore)
| resultFile.createNewFile(); | ||
|
|
||
| try (FileOutputStream fos = new FileOutputStream(resultFile); | ||
| GZIPInputStream gzis = new GZIPInputStream(new FileInputStream(file));) { |
There was a problem hiding this comment.
RESOURCE_LEAK: resource of type java.io.FileInputStream acquired by call to FileInputStream(...) at line 27 is not released after line 27.
(at-me in a reply with help or ignore)
|
|
||
| @Override | ||
| public ComplaintNotifyResult parseComplaintNotifyResult(String notifyData, SignatureHeader header) throws WxPayException { | ||
| if (Objects.nonNull(header) && !this.verifyNotifySign(header, notifyData)) { |
There was a problem hiding this comment.
THREAD_SAFETY_VIOLATION: Read/Write race. Non-private method BaseWxPayServiceImpl.parseComplaintNotifyResult(...) indirectly reads without synchronization from this.configMap. Potentially races with write in method BaseWxPayServiceImpl.addConfig(...).
Reporting because another access to the same memory occurs on a background thread, although this access may not.
(at-me in a reply with help or ignore)
| <description>微信企业号开发的 Spring Boot Starter</description> | ||
|
|
||
| <dependencies> | ||
| <dependency> |
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:maven/com.github.binarywang/weixin-java-cp@4.3.0
1 Critical, 2 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 3 dependencies
Components
pkg:maven/commons-codec/commons-codec@1.10
SEVERE Vulnerabilities (1)
[sonatype-2012-0050] CWE-20: Improper Input Validation
commons-codec - Base32 would decode some invalid Base32 encoded string into arbitrary value
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-20
pkg:maven/com.google.code.gson/gson@2.8.0
CRITICAL Vulnerabilities (1)
[sonatype-2021-1694] CWE-502: Deserialization of Untrusted Data
gson - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-502
pkg:maven/com.google.guava/guava@30.0-jre
SEVERE Vulnerabilities (1)
[sonatype-2020-0926] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
guava - Creation of Temporary File in Directory with Insecure Permissions [CVE-2020-8908]
The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
CVSS Score: 6.2
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-379
(at-me in a reply with help or ignore)
| @@ -84,6 +84,11 @@ | |||
| <groupId>org.redisson</groupId> | |||
| <artifactId>redisson</artifactId> | |||
| </dependency> | |||
| <dependency> | |||
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:maven/com.fasterxml.jackson.dataformat/jackson-dataformat-xml@2.13.0
2 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
Components
pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0
CRITICAL Vulnerabilities (2)
CVE-2020-36518
[CVE-2020-36518] CWE-787: Out-of-bounds Write
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-787
sonatype-2021-4682
[sonatype-2021-4682] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
jackson-databind - Denial of Service (DoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
(at-me in a reply with help or ignore)
20 participants
No description provided.