[ISSUE #8979] Merge #8787、#8156 and #7364 into the v1.x (#8980)

Close #8979
alibaba · Aug 17, 2022 · d062fca · d062fca
1 parent 027bef9
commit d062fca
Show file tree

Hide file tree

Showing 18 changed files with 226 additions and 155 deletions.
diff --git a/console-ui/build/copyFile.js b/console-ui/build/copyFile.js
@@ -27,7 +27,7 @@ const mkdir = dir => {
  }
  };
 
-const copyList = ['js/main.js', 'css/main.css'];
+const copyList = ['js/main.js', 'css/main.css', 'index.html'];
 
 copyList.forEach(_fileName => {
  const srcFileName = path.join(srcDir, _fileName);

diff --git a/console-ui/build/webpack.base.conf.js b/console-ui/build/webpack.base.conf.js
@@ -51,7 +51,14 @@ module.exports = {
  rules: [
  {
  test: /\.(css|scss)$/,
- use: [isDev ? 'style-loader' : MiniCssExtractPlugin.loader, 'css-loader', 'sass-loader'],
+ use: [isDev ? 'style-loader' : MiniCssExtractPlugin.loader, {
+ loader: 'css-loader',
+ options:{
+ url: (url) => {
+ return isDev || !url.includes("console-ui");
+ }
+ }
+ }, 'sass-loader'],
  },
  {
  test: /\.(js|jsx)$/,
@@ -88,7 +95,11 @@ module.exports = {
  plugins: [
  new HtmlWebpackPlugin({
  filename: 'index.html',
- template: './public/index.html',
+ template: './public/index.ejs',
+ templateParameters: {
+ contextPath: isDev ? './' : 'console-ui/public/'
+ },
+ hash: true,
  minify: !isDev,
  }),
  new CopyWebpackPlugin([

diff --git a/console-ui/build/webpack.prod.conf.js b/console-ui/build/webpack.prod.conf.js
@@ -26,8 +26,8 @@ cssLoader.use.push({
  loader: '@alifd/next-theme-loader',
  options: {
  modifyVars: {
- '$icon-font-path': '"/nacos/console-ui/public/icons/icon-font"',
- '$font-custom-path': '"/nacos/console-ui/public/fonts/"'
+ '$icon-font-path': '"../console-ui/public/icons/icon-font"',
+ '$font-custom-path': '"../console-ui/public/fonts/"'
  }
  }
 })

diff --git a/console-ui/public/index.ejs b/console-ui/public/index.ejs
@@ -0,0 +1,61 @@
+<!--
+ ~ Copyright 1999-2018 Alibaba Group Holding Ltd.
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<!DOCTYPE html>
+
+<html lang="en">
+
+<head>
+ <meta charset="UTF-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <meta http-equiv="X-UA-Compatible" content="ie=edge">
+ <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
+ <meta http-equiv="Pragma" content="no-cache" />
+ <meta http-equiv="Expires" content="0" />
+ <title>Nacos</title>
+ <link rel="shortcut icon" href="<%= contextPath %>img/nacos-logo.png" type="image/x-icon" />
+ <link rel="stylesheet" type="text/css" href="<%= contextPath %>css/bootstrap.css">
+ <link rel="stylesheet" type="text/css" href="<%= contextPath %>css/console1412.css">
+ <!-- 第三方css开始 -->
+ <link rel="stylesheet" type="text/css" href="<%= contextPath %>css/codemirror.css">
+ <link rel="stylesheet" type="text/css" href="<%= contextPath %>css/merge.css">
+ <link rel="stylesheet" type="text/css" href="<%= contextPath %>css/icon.css">
+ <link rel="stylesheet" type="text/css" href="<%= contextPath %>css/font-awesome.css">
+ <!-- 第三方css结束 -->
+</head>
+
+<body>
+ <div id="root" style="overflow:hidden"></div>
+ <div id="app"></div>
+ <div id="other"></div>
+
+ <!-- 第三方js开始 -->
+ <script src="<%= contextPath %>js/jquery.js"></script>
+ <script src="<%= contextPath %>js/codemirror.js"></script>
+ <script src="<%= contextPath %>js/javascript.js"></script>
+ <script src="<%= contextPath %>js/xml.js"></script>
+ <script src="<%= contextPath %>js/codemirror.addone.fullscreen.js"></script>
+ <script src="<%= contextPath %>js/codemirror.addone.lint.js"></script>
+ <script src="<%= contextPath %>js/codemirror.lib.json-lint.js"></script>
+ <script src="<%= contextPath %>js/codemirror.addone.json-lint.js"></script>
+ <script src="<%= contextPath %>js/codemirror.lib.clike-lint.js"></script>
+ <script src="<%= contextPath %>js/diff_match_patch.js"></script>
+ <script src="<%= contextPath %>js/merge.js"></script>
+ <script src="<%= contextPath %>js/loader.js"></script>
+ <!-- 第三方js结束 -->
+</body>
+
+</html>
diff --git a/console-ui/public/index.html b/console-ui/public/index.html
diff --git a/console-ui/src/globalLib.js b/console-ui/src/globalLib.js
@@ -502,8 +502,9 @@ const request = (function(_global) {
  }
  const { accessToken = '' } = token;
  const [url, paramsStr = ''] = config.url.split('?');
- const params = paramsStr.split('&');
+ const params = paramsStr ? paramsStr.split('&') : [];
  params.push(`accessToken=${accessToken}`);
+ params.push('message=true');
 
  return $.ajax(
  Object.assign({}, config, {

diff --git a/console-ui/src/lib.js b/console-ui/src/lib.js
@@ -15,8 +15,6 @@
  */
 import { getParams, request, aliwareIntl } from './globalLib';
 
-let hasAlert = false;
-
 window.edasprefix = 'acm'; // 固定的edas网关需要的项目名
 
 export const isParentEdas = () =>
@@ -48,55 +46,6 @@ request.middleWare((_config = {}) => {
  }
  }
 
- const preSucess = config.success;
- const preErorr = config.error;
-
- config.success = function(res) {
- if (res.code === 'ConsoleNeedLogin' && window.location.host.indexOf('acm') !== -1) {
- window.location.reload();
- }
- if (res.code === 403 && !hasAlert) {
- hasAlert = true;
- window.Dialog.alert({
- style: { width: 400 },
- content: res.message,
- onOk: () => {
- hasAlert = false;
- },
- onCancel: () => {
- hasAlert = false;
- },
- onClose: () => {
- hasAlert = false;
- },
- });
- } else {
- typeof preSucess === 'function' && preSucess(res);
- }
- };
-
- config.error = function(res) {
- if (res.status === 403 && !hasAlert) {
- hasAlert = true;
-
- window.Dialog.alert({
- style: { width: 400 },
- content: aliwareIntl.get('com.alibaba.nacos.pubshow'), // '子账号没有权限，请联系主账号负责人RAM上授权',
- onOk: () => {
- hasAlert = false;
- },
- onCancel: () => {
- hasAlert = false;
- },
- onClose: () => {
- hasAlert = false;
- },
- });
- } else {
- typeof preErorr === 'function' && preErorr(res);
- }
- };
-
  return config;
 });
 

diff --git a/console-ui/src/utils/request.js b/console-ui/src/utils/request.js
@@ -39,6 +39,7 @@ const request = () => {
  if (!params) {
  config.params = {};
  }
+ config.params.message = true;
  if (!url.includes('auth/users/login')) {
  let token = {};
  try {

diff --git a/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java b/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java
@@ -16,6 +16,7 @@
 
 package com.alibaba.nacos.console.config;
 
+import com.alibaba.nacos.console.filter.XssFilter;
 import com.alibaba.nacos.core.code.ControllerMethodsCache;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
@@ -60,7 +61,7 @@ public void init() {
  public CorsFilter corsFilter() {
  CorsConfiguration config = new CorsConfiguration();
  config.setAllowCredentials(true);
- config.addAllowedOrigin("*");
+ config.addAllowedOriginPattern("*");
  config.addAllowedHeader("*");
  config.setMaxAge(18000L);
  config.addAllowedMethod("*");
@@ -69,6 +70,11 @@ public CorsFilter corsFilter() {
  return new CorsFilter(source);
  }
 
+ @Bean
+ public XssFilter xssFilter() {
+ return new XssFilter();
+ }
+
  @Bean
  public Jackson2ObjectMapperBuilderCustomizer jacksonObjectMapperCustomization() {
  return jacksonObjectMapperBuilder -> jacksonObjectMapperBuilder.timeZone(ZoneId.systemDefault().toString());

diff --git a/console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java b/console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 1999-2022 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.console.filter;
+
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * XSS filter.
+ * @author onewe
+ */
+public class XssFilter extends OncePerRequestFilter {
+
+ private static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
+
+ private static final String CONTENT_SECURITY_POLICY = "script-src 'self'";
+
+ @Override
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+ throws ServletException, IOException {
+ response.setHeader(CONTENT_SECURITY_POLICY_HEADER, CONTENT_SECURITY_POLICY);
+ filterChain.doFilter(request, response);
+ }
+}
diff --git a/console/src/main/resources/application.properties b/console/src/main/resources/application.properties
@@ -103,6 +103,8 @@ server.tomcat.accesslog.pattern=%h %l %u %t "%r" %s %b %D %{User-Agent}i %{Reque
 ### The directory of access log:
 server.tomcat.basedir=file:.
 
+server.error.include-message=ON_PARAM
+
 
 #*************** Access Control Related Configurations ***************#
 ### If enable spring security, this option is deprecated in 1.2.0:

diff --git a/console/src/main/resources/static/css/main.css b/console/src/main/resources/static/css/main.css