漏洞修复

src/main/java/com/bowintek/smartsearch/config/CorsConfig.java

@@ -8,10 +8,10 @@ import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 
-@Configuration
+//@Configuration
 public class CorsConfig implements WebMvcConfigurer {
 
-    @Autowired
+   /* @Autowired
     private PageNoCacheInterceptor pageNoCacheInterceptor;
 
     @Override
@@ -33,5 +33,5 @@ public class CorsConfig implements WebMvcConfigurer {
                 .allowCredentials(true)
                 .allowedMethods("GET", "POST")
                 .maxAge(3600);
-    }
+    }*/
 }

src/main/java/com/bowintek/smartsearch/config/WebConfiguration.java

@@ -1,5 +1,6 @@
 package com.bowintek.smartsearch.config;
 
+import com.bowintek.smartsearch.filter.HostHeaderInterceptor;
 import com.bowintek.smartsearch.filter.TokenInterceptor;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
@@ -19,6 +20,9 @@ public class WebConfiguration implements WebMvcConfigurer {
     @Autowired
     private TokenInterceptor tokenInterceptor;
 
+    @Autowired
+    private HostHeaderInterceptor hostHeaderInterceptor;
+
     /**
      * 解决跨域请求
      * @param registry
@@ -26,11 +30,11 @@ public class WebConfiguration implements WebMvcConfigurer {
     @Override
     public void addCorsMappings(CorsRegistry registry) {
         registry.addMapping("/**")
-                .allowedHeaders("*")
-                .allowedMethods("*")
-//                .allowedOrigins("*")
-                .allowedOriginPatterns("*")
-                .allowCredentials(true);
+                .allowedOrigins("http://localhost:8077","http://10.73.178.222:8077/")
+                .allowedMethods("GET", "POST") // 允许的 HTTP 方法
+                .allowedHeaders("Content-Type", "Authorization") // 允许的请求头
+                .allowCredentials(true) // 允许携带凭据（如 cookies）
+                .maxAge(3600); // 预检请求的缓存时间
     }
 
     /**
@@ -70,7 +74,9 @@ public class WebConfiguration implements WebMvcConfigurer {
         registry.addInterceptor(tokenInterceptor)
                 .addPathPatterns("/**")
                 .excludePathPatterns(excludePath);
-        WebMvcConfigurer.super.addInterceptors(registry);
 
+        registry.addInterceptor(hostHeaderInterceptor)
+                .addPathPatterns("/**");
+        WebMvcConfigurer.super.addInterceptors(registry);
     }
 }

src/main/java/com/bowintek/smartsearch/controller/AccountController.java

@@ -45,6 +45,11 @@ public class AccountController {
     @GetMapping("/captcha")
     public BaseResponse<Map<String, Object>> captcha() {
 
+        try {
+            Thread.sleep(30000);
+        } catch (InterruptedException e) {
+            throw new RuntimeException(e);
+        }
         Map<String, Object> item = new HashMap<>();
         String img = "";
         item.put("img", img);

src/main/java/com/bowintek/smartsearch/filter/HostHeaderInterceptor.java

@@ -0,0 +1,32 @@
+package com.bowintek.smartsearch.filter;
+
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.HandlerInterceptor;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.util.Arrays;
+import java.util.List;
+
+@Component
+public class HostHeaderInterceptor implements HandlerInterceptor {
+
+    private static final List<String> ALLOWED_HOSTS = Arrays.asList(
+            "10.73.178.222:8077",
+            "localhost:8077",
+            "192.168.0.102:8077"
+    );
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+        String host = request.getHeader("Host");
+
+        if (host == null || !ALLOWED_HOSTS.contains(host)) {
+            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+            response.getWriter().write("Invalid Host header");
+            return false; // 阻止请求继续处理
+        }
+
+        return true; // 允许请求继续处理
+    }
+}

src/main/resources/application.yml

@@ -1,12 +1,17 @@
 server:
   port: 8077
   tomcat:
-    max-connections: 100000
+    threads:
+      max: 200
+      min-spare: 30
+    accept-count: 100
+    connection-timeout: 20s
+    max-connections: 500
     max-http-form-post-size: 102400000
 spring:
   web:
     resources:
-      static-locations: file:D:/Work/Project/smartsearch/src/main/resources/static/
+      static-locations: file:D:/我的文件/博颖项目/华北油田AI检索/smartsearch/src/main/resources/static/
   datasource:
     name: practice_db
     type: com.alibaba.druid.pool.DruidDataSource

target/classes/application.yml

@@ -1,12 +1,17 @@
 server:
   port: 8077
   tomcat:
-    max-connections: 100000
+    threads:
+      max: 200
+      min-spare: 30
+    accept-count: 100
+    connection-timeout: 20s
+    max-connections: 500
     max-http-form-post-size: 102400000
 spring:
   web:
     resources:
-      static-locations: file:D:/Work/Project/smartsearch/src/main/resources/static/
+      static-locations: file:D:/我的文件/博颖项目/华北油田AI检索/smartsearch/src/main/resources/static/
   datasource:
     name: practice_db
     type: com.alibaba.druid.pool.DruidDataSource