升级fastjson到最新版2.0.39

pom.xml

@@ -23,7 +23,7 @@
         <swagger.version>3.0.0</swagger.version>
         <kaptcha.version>2.3.3</kaptcha.version>
         <pagehelper.boot.version>1.4.6</pagehelper.boot.version>
-        <fastjson.version>2.0.34</fastjson.version>
+        <fastjson.version>2.0.39</fastjson.version>
         <oshi.version>6.4.4</oshi.version>
         <commons.io.version>2.13.0</commons.io.version>
         <commons.collections.version>3.2.2</commons.collections.version>

ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java

@@ -129,6 +129,11 @@ public class Constants
      */
     public static final String LOOKUP_LDAPS = "ldaps:";
 
+    /**
+     * 自动识别json对象白名单配置（仅允许解析的包名，范围越小越安全）
+     */
+    public static final String[] JSON_WHITELIST_STR = { "org.springframework", "com.ruoyi" };
+
     /**
      * 定时任务白名单配置（仅允许访问的包名，如其他需要可以自行添加）
      */

ruoyi-framework/src/main/java/com/ruoyi/framework/config/FastJson2JsonRedisSerializer.java

@@ -6,6 +6,8 @@ import org.springframework.data.redis.serializer.SerializationException;
 import com.alibaba.fastjson2.JSON;
 import com.alibaba.fastjson2.JSONReader;
 import com.alibaba.fastjson2.JSONWriter;
+import com.alibaba.fastjson2.filter.Filter;
+import com.ruoyi.common.constant.Constants;
 
 /**
  * Redis使用FastJson序列化
@@ -16,6 +18,8 @@ public class FastJson2JsonRedisSerializer<T> implements RedisSerializer<T>
 {
     public static final Charset DEFAULT_CHARSET = Charset.forName("UTF-8");
 
+    static final Filter AUTO_TYPE_FILTER = JSONReader.autoTypeFilter(Constants.JSON_WHITELIST_STR);
+
     private Class<T> clazz;
 
     public FastJson2JsonRedisSerializer(Class<T> clazz)
@@ -43,6 +47,6 @@ public class FastJson2JsonRedisSerializer<T> implements RedisSerializer<T>
         }
         String str = new String(bytes, DEFAULT_CHARSET);
 
-        return JSON.parseObject(str, clazz, JSONReader.Feature.SupportAutoType);
+        return JSON.parseObject(str, clazz, AUTO_TYPE_FILTER);
     }
 }

ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java

@@ -4,6 +4,8 @@ import java.util.HashMap;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 import javax.servlet.http.HttpServletRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
@@ -29,6 +31,8 @@ import io.jsonwebtoken.SignatureAlgorithm;
 @Component
 public class TokenService
 {
+    private static final Logger log = LoggerFactory.getLogger(TokenService.class);
+
     // 令牌自定义标识
     @Value("${token.header}")
     private String header;
@@ -72,6 +76,7 @@ public class TokenService
             }
             catch (Exception e)
             {
+                log.error("获取用户信息异常'{}'", e.getMessage());
             }
         }
         return null;