fix: arbitrary password modification vulnerability #99

powerjob-server/src/main/java/com/github/kfcfans/powerjob/server/web/controller/AppInfoController.java

@@ -1,5 +1,6 @@
 package com.github.kfcfans.powerjob.server.web.controller;
 
+import com.github.kfcfans.powerjob.common.PowerJobException;
 import com.github.kfcfans.powerjob.common.response.ResultDTO;
 import com.github.kfcfans.powerjob.server.persistence.core.model.AppInfoDO;
 import com.github.kfcfans.powerjob.server.persistence.core.repository.AppInfoRepository;
@@ -18,6 +19,7 @@ import org.springframework.web.bind.annotation.*;
 import javax.annotation.Resource;
 import java.util.Date;
 import java.util.List;
+import java.util.Objects;
 import java.util.stream.Collectors;
 
 /**
@@ -50,6 +52,11 @@ public class AppInfoController {
             appInfoDO.setGmtCreate(new Date());
         }else {
             appInfoDO = appInfoRepository.findById(id).orElseThrow(() -> new IllegalArgumentException("can't find appInfo by id:" + id));
+
+            // 对比密码
+            if (!Objects.equals(req.getOldPassword(), appInfoDO.getPassword())) {
+                throw new PowerJobException("The password is incorrect.");
+            }
         }
         BeanUtils.copyProperties(req, appInfoDO);
         appInfoDO.setGmtModified(new Date());

powerjob-server/src/main/java/com/github/kfcfans/powerjob/server/web/request/ModifyAppInfoRequest.java

@@ -15,6 +15,7 @@ import org.apache.commons.lang3.StringUtils;
 public class ModifyAppInfoRequest {
 
     private Long id;
+    private String oldPassword;
     private String appName;
     private String password;