bug233 短信注册受到攻击问题处理

sql/v2.4/20250205hhy.sql

+INSERT INTO `jiedao`.`system_dict_type`(`name`, `type`, `status`, `remark`, `creator`, `create_time`, `updater`, `update_time`, `deleted`) VALUES ('短信限流', 'system_sms_limit', 0, NULL, '1', '2024-10-31 10:08:50', '1', '2024-10-31 10:08:50', b'0');
+INSERT INTO `jiedao`.`system_dict_data`(`sort`, `label`, `value`, `dict_type`, `status`, `color_type`, `css_class`, `remark`, `creator`, `create_time`, `updater`, `update_time`, `deleted`, `label_en`,`label_fr`) VALUES (1, '限流时间', '10,1', 'system_sms_limit', 0, 'default', '', '例：10,1（每天请求十次）', '2740', '2024-11-05 14:22:53', '2740', '2024-11-05 14:24:33', b'0', 'Current limiting time','Temps de limitation actuelle');

yudao-framework/yudao-common/src/main/java/cn/iocoder/yudao/framework/security/core/util/RsaUtils.java

+package cn.iocoder.yudao.framework.security.core.util;
+
+import org.apache.commons.codec.binary.Base64;
+import javax.crypto.Cipher;
+import java.security.*;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+
+/**
+ * RSA加密解密
+ *
+ * @author jayden
+ **/
+public class RsaUtils
+{
+    // Rsa 私钥
+    public static String privateKey = "MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA4TgukNwXxZ16sdy26bXMlCLLZMz4PlVYEQjGf2S/P0YvkDqSLxxaTTFpy83ZGizimYebnvfLtMmLzG/9gemVuwIDAQABAkA7X3E/NRZ7PTnEO9hookmtX8LY7wQegqc1zmdt3CRizGJRB7/9LzDqvnOIvqqm+EoiZLjUUNKVkOom0FI2u32hAiEA8UtmegwiMaqmE4xrjqocLRAR0aVWV7i4fSTcSvLVCcsCIQDu8fvGY9wfVKEGgyfcJHuORowDAbYYXOulxC6sEW7l0QIgE1J2Yk+WbWO86NPVyRbWKsWep6sVvvCL1XmeKmJHrQECIQDGAEmVbTyDzdodjmNiXezwye7NswZVC/LNi1LtjQircQIhAIpF1rvPvxXkE7KvWTePrCWeU/+c6e1ylG7sPYumc1cx";
+
+    /**
+     * 私钥解密
+     *
+     * @param text 待解密的文本
+     * @return 解密后的文本
+     */
+    public static String decryptByPrivateKey(String text) throws Exception
+    {
+        return decryptByPrivateKey(privateKey, text);
+    }
+
+    /**
+     * 公钥解密
+     *
+     * @param publicKeyString 公钥
+     * @param text 待解密的信息
+     * @return 解密后的文本
+     */
+    public static String decryptByPublicKey(String publicKeyString, String text) throws Exception
+    {
+        X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(Base64.decodeBase64(publicKeyString));
+        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+        PublicKey publicKey = keyFactory.generatePublic(x509EncodedKeySpec);
+        Cipher cipher = Cipher.getInstance("RSA");
+        cipher.init(Cipher.DECRYPT_MODE, publicKey);
+        byte[] result = cipher.doFinal(Base64.decodeBase64(text));
+        return new String(result);
+    }
+
+    /**
+     * 私钥加密
+     *
+     * @param privateKeyString 私钥
+     * @param text 待加密的信息
+     * @return 加密后的文本
+     */
+    public static String encryptByPrivateKey(String privateKeyString, String text) throws Exception
+    {
+        PKCS8EncodedKeySpec pkcs8EncodedKeySpec = new PKCS8EncodedKeySpec(Base64.decodeBase64(privateKeyString));
+        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+        PrivateKey privateKey = keyFactory.generatePrivate(pkcs8EncodedKeySpec);
+        Cipher cipher = Cipher.getInstance("RSA");
+        cipher.init(Cipher.ENCRYPT_MODE, privateKey);
+        byte[] result = cipher.doFinal(text.getBytes());
+        return Base64.encodeBase64String(result);
+    }
+
+    /**
+     * 私钥解密
+     *
+     * @param privateKeyString 私钥
+     * @param text 待解密的文本
+     * @return 解密后的文本
+     */
+    public static String decryptByPrivateKey(String privateKeyString, String text) throws Exception
+    {
+        PKCS8EncodedKeySpec pkcs8EncodedKeySpec5 = new PKCS8EncodedKeySpec(Base64.decodeBase64(privateKeyString));
+        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+        PrivateKey privateKey = keyFactory.generatePrivate(pkcs8EncodedKeySpec5);
+        Cipher cipher = Cipher.getInstance("RSA");
+        cipher.init(Cipher.DECRYPT_MODE, privateKey);
+        byte[] result = cipher.doFinal(Base64.decodeBase64(text));
+        return new String(result);
+    }
+
+    /**
+     * 公钥加密
+     *
+     * @param publicKeyString 公钥
+     * @param text 待加密的文本
+     * @return 加密后的文本
+     */
+    public static String encryptByPublicKey(String publicKeyString, String text) throws Exception
+    {
+        X509EncodedKeySpec x509EncodedKeySpec2 = new X509EncodedKeySpec(Base64.decodeBase64(publicKeyString));
+        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
+        PublicKey publicKey = keyFactory.generatePublic(x509EncodedKeySpec2);
+        Cipher cipher = Cipher.getInstance("RSA");
+        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
+        byte[] result = cipher.doFinal(text.getBytes());
+        return Base64.encodeBase64String(result);
+    }
+
+    /**
+     * 构建RSA密钥对
+     *
+     * @return 生成后的公私钥信息
+     */
+    public static RsaKeyPair generateKeyPair() throws NoSuchAlgorithmException
+    {
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+        keyPairGenerator.initialize(512);
+        KeyPair keyPair = keyPairGenerator.generateKeyPair();
+        RSAPublicKey rsaPublicKey = (RSAPublicKey) keyPair.getPublic();
+        RSAPrivateKey rsaPrivateKey = (RSAPrivateKey) keyPair.getPrivate();
+        String publicKeyString = Base64.encodeBase64String(rsaPublicKey.getEncoded());
+        String privateKeyString = Base64.encodeBase64String(rsaPrivateKey.getEncoded());
+        return new RsaKeyPair(publicKeyString, privateKeyString);
+    }
+
+    /**
+     * RSA密钥对对象
+     */
+    public static class RsaKeyPair
+    {
+        private final String publicKey;
+        private final String privateKey;
+
+        public RsaKeyPair(String publicKey, String privateKey)
+        {
+            this.publicKey = publicKey;
+            this.privateKey = privateKey;
+        }
+
+        public String getPublicKey()
+        {
+            return publicKey;
+        }
+
+        public String getPrivateKey()
+        {
+            return privateKey;
+        }
+    }
+}

yudao-module-member/yudao-module-member-impl/src/main/java/cn/iocoder/yudao/module/member/controller/app/auth/AppAuthController.java

 package cn.iocoder.yudao.module.member.controller.app.auth;
 
 import cn.hutool.core.util.StrUtil;
+import cn.iocoder.yudao.framework.common.exception.ServiceException;
 import cn.iocoder.yudao.framework.common.pojo.CommonResult;
-import cn.iocoder.yudao.framework.common.util.validation.PhoneUtil;
+import cn.iocoder.yudao.framework.common.util.ip.IPHelper;
+import cn.iocoder.yudao.framework.dict.core.dto.DictDataRespDTO;
 import cn.iocoder.yudao.framework.idempotent.core.annotation.Idempotent;
 import cn.iocoder.yudao.framework.operatelog.core.annotations.OperateLog;
+import cn.iocoder.yudao.framework.redis.helper.RedisHelper;
 import cn.iocoder.yudao.framework.security.core.annotations.PreAuthenticated;
+import cn.iocoder.yudao.framework.security.core.util.RsaUtils;
 import cn.iocoder.yudao.module.ecw.api.paramValid.ParamValidatorApi;
-import cn.iocoder.yudao.module.ecw.service.paramValid.ParamValidatorService;
 import cn.iocoder.yudao.module.member.controller.app.auth.vo.*;
 import cn.iocoder.yudao.module.member.service.auth.MemberAuthService;
+import cn.iocoder.yudao.module.system.api.dict.DictDataApi;
+import cn.iocoder.yudao.module.system.enums.sms.SmsNodeEnum;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
 import io.swagger.annotations.ApiImplicitParams;
 import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.lang3.StringUtils;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 
 import javax.annotation.Resource;
 import javax.validation.Valid;
+import java.security.NoSuchAlgorithmException;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
 
 import static cn.iocoder.yudao.framework.common.pojo.CommonResult.success;
 import static cn.iocoder.yudao.framework.common.util.servlet.ServletUtils.getClientIP;
@@ -38,6 +45,10 @@ public class AppAuthController {
     private MemberAuthService authService;
     @Resource
     private ParamValidatorApi paramValidatorApi;
+    @Resource
+    private RedisHelper redisHelper;
+    @Resource
+    private DictDataApi dictDataApi;
 
     @PostMapping("/reg")
     @ApiOperation("使用手机注册")
@@ -98,11 +109,87 @@ public class AppAuthController {
     @ApiOperation(value = "发送手机验证码")
     @OperateLog(enable = false) // 避免 Post 请求被记录操作日志
     @Idempotent(timeout = 5)
-    public CommonResult<Boolean> sendSmsCode(@RequestBody @Valid AppAuthSendSmsReqVO reqVO) {
+    public CommonResult<Boolean> sendSmsCode(@RequestBody @Valid AppAuthSendSmsReqVO reqVO) throws NoSuchAlgorithmException {
+
+        processSmsRequest(reqVO);
         authService.sendSmsCode(getLoginUserId(), reqVO);
         return success(true);
     }
 
+    /**
+     * 短信限流
+     * @param reqVO
+     */
+    public void processSmsRequest(AppAuthSendSmsReqVO reqVO) {
+        String nodeValue = reqVO.getNodeValue();
+        if (SmsNodeEnum.MEMBER_REG.getNodeValue().equals(nodeValue)) {
+            char[] specialChars = {'!', '@', '#', '$', '%', '^', '&', '*'};
+            // 生成随机索引
+            int randomIndex = (int) (reqVO.getP2()[1] % specialChars.length);
+
+            // 选择特殊字符
+            char specialChar = specialChars[randomIndex];
+
+            /*
+             *  1:手机号+节点+秘钥
+             * 	2:手机号+国家号+秘钥
+             * 	3:手机号+国家号+节点+秘钥
+             */
+            String key = "gzjd8888";
+            String str = "";
+
+            if (reqVO.getP2()[0] == 1) {
+                str = reqVO.getMobile() + reqVO.getNodeValue() + key + specialChar;
+            } else if (reqVO.getP2()[0] == 2) {
+                str = reqVO.getMobile() + reqVO.getAreaCode() + key + specialChar;
+            } else {
+                str = reqVO.getMobile() + reqVO.getAreaCode() + reqVO.getNodeValue() + key + specialChar;
+            }
+            if (str.isEmpty()) {
+                throw new ServiceException(500, "Unlawful request");
+            } else {
+                try {
+                    if (!str.equals(RsaUtils.decryptByPrivateKey(reqVO.getP1()))) {
+                        throw new ServiceException(500, "Unlawful request");
+                    }
+                } catch (Exception e) {
+                    throw new ServiceException(500, "Unlawful request");
+                }
+            }
+            // 获取客户端IP地址
+            String clientIp = IPHelper.getIpAddr();
+
+            // 定义IP风控的阈值和时间窗口
+            List<DictDataRespDTO> listPack =
+                    dictDataApi.getDictDatas("system_sms_limit");
+            int maxAttempts = 1;
+            int timeWindowSeconds = 1;
+            if (!listPack.isEmpty()) {
+                String[] split = listPack.get(0).getValue().split(",");
+                maxAttempts = Integer.parseInt(split[0]);
+                timeWindowSeconds = Integer.parseInt(split[1]);
+            }
+
+            // 构建Redis键
+            String redisKey = "ip:sms:limit:" + clientIp;
+
+            // 检查当前IP地址的请求次数
+            String attempts = redisHelper.get(redisKey);
+            if (attempts == null) {
+                // 如果是第一次请求，设置过期时间
+                redisHelper.set(redisKey, String.valueOf(1), timeWindowSeconds, TimeUnit.DAYS);
+            } else {
+                int attemptsInt = Integer.parseInt(attempts) + 1;
+                if (attemptsInt > maxAttempts) {
+                    // 如果超过阈值，返回错误信息
+                    throw new ServiceException(500, "The IP address cannot send short messages");
+                } else {
+                    redisHelper.set(redisKey, String.valueOf(attemptsInt), timeWindowSeconds, TimeUnit.DAYS);
+                }
+            }
+        }
+    }
+
     @PostMapping("/send-email-code")
     @ApiOperation(value = "发送邮箱验证码")
     @OperateLog(enable = false) // 避免 Post 请求被记录操作日志
@@ -153,12 +240,8 @@ public class AppAuthController {
 
     @GetMapping("/social-auth-redirect")
     @ApiOperation("社交授权的跳转")
-    @ApiImplicitParams({
-            @ApiImplicitParam(name = "type", value = "社交类型", required = true, dataTypeClass = Integer.class),
-            @ApiImplicitParam(name = "redirectUri", value = "回调路径", dataTypeClass = String.class)
-    })
-    public CommonResult<String> socialAuthRedirect(@RequestParam("type") Integer type,
-                                                   @RequestParam("redirectUri") String redirectUri) {
+    @ApiImplicitParams({@ApiImplicitParam(name = "type", value = "社交类型", required = true, dataTypeClass = Integer.class), @ApiImplicitParam(name = "redirectUri", value = "回调路径", dataTypeClass = String.class)})
+    public CommonResult<String> socialAuthRedirect(@RequestParam("type") Integer type, @RequestParam("redirectUri") String redirectUri) {
         return CommonResult.success(authService.getSocialAuthorizeUrl(type, redirectUri));
     }
 

yudao-module-member/yudao-module-member-impl/src/main/java/cn/iocoder/yudao/module/member/controller/app/auth/vo/AppAuthSendSmsReqVO.java

@@ -48,4 +48,14 @@ public class AppAuthSendSmsReqVO {
 
     // 登录遗留处理：scene = 1
     private Integer scene;
+
+    /**
+     * 加密参数
+     */
+    private String p1;
+
+    /**
+     * 加密规则
+     */
+    private Long[] p2;
 }