Pre Merge pull request !46 from 阿斌/N/A

java.text.ParseException: [C@2f1fec26
ID expected
        at gov.nist.core.LexerCore.match(LexerCore.java:229)
        at gov.nist.javax.sdp.parser.OriginFieldParser.originField(OriginFieldParser.java:90)
        at gov.nist.javax.sdp.parser.OriginFieldParser.parse(OriginFieldParser.java:108)
        at gov.nist.javax.sdp.parser.SDPAnnounceParser.parse(SDPAnnounceParser.java:113)
        at javax.sdp.SdpFactory.createSessionDescription(SdpFactory.java:129)
        at com.genersoft.iot.vmp.gb28181.utils.SipUtils.parseSDP(SipUtils.java:229)
        at com.genersoft.iot.vmp.gb28181.transmit.event.request.impl.InviteRequestProcessor.decode(InviteRequestProcessor.java:275)
        at com.genersoft.iot.vmp.gb28181.transmit.event.request.impl.InviteRequestProcessor.process(InviteRequestProcessor.java:125)
        at com.genersoft.iot.vmp.gb28181.transmit.SIPProcessorObserver.processRequest(SIPProcessorObserver.java:71)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:359)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:196)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
        at org.springframework.aop.interceptor.AsyncExecutionInterceptor.lambda$invoke$0(AsyncExecutionInterceptor.java:114)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
        at java.base/java.lang.Thread.run(Thread.java:1583)
java.text.ParseException: o=- ' OR 'a'='a'; -- 1 IN IP4 179.43.150.26
        at gov.nist.javax.sdp.parser.OriginFieldParser.originField(OriginFieldParser.java:103)
        at gov.nist.javax.sdp.parser.OriginFieldParser.parse(OriginFieldParser.java:108)
        at gov.nist.javax.sdp.parser.SDPAnnounceParser.parse(SDPAnnounceParser.java:113)
        at javax.sdp.SdpFactory.createSessionDescription(SdpFactory.java:129)
        at com.genersoft.iot.vmp.gb28181.utils.SipUtils.parseSDP(SipUtils.java:229)
        at com.genersoft.iot.vmp.gb28181.transmit.event.request.impl.InviteRequestProcessor.decode(InviteRequestProcessor.java:275)
        at com.genersoft.iot.vmp.gb28181.transmit.event.request.impl.InviteRequestProcessor.process(InviteRequestProcessor.java:125)
        at com.genersoft.iot.vmp.gb28181.transmit.SIPProcessorObserver.processRequest(SIPProcessorObserver.java:71)
        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
        at java.base/java.lang.reflect.Method.invoke(Method.java:580)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:359)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:196)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
        at org.springframework.aop.interceptor.AsyncExecutionInterceptor.lambda$invoke$0(AsyncExecutionInterceptor.java:114)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
        at java.base/java.lang.Thread.run(Thread.java:1583)


Signed-off-by: 阿斌 <38912748@qq.com>

pom.xml

@@ -178,24 +178,6 @@
         </dependency>
 
 		<!-- kingbase人大金仓 -->
-		<!-- 手动下载驱动后安装 -->
-		<!-- mvn install:install-file -Dfile=/home/lin/soft/kingbase/jdbc-aarch/kingbase8-8.6.0.jar -DgroupId=com.kingbase -DartifactId=kingbase8 -Dversion=8.6.0 -Dpackaging=jar
- -->
-<!--		<dependency>-->
-<!--			<groupId>com.kingbase</groupId>-->
-<!--			<artifactId>kingbase8</artifactId>-->
-<!--			<version>8.6.0</version>-->
-<!--			<scope>system</scope>-->
-<!--			<systemPath>${basedir}/libs/jdbc-aarch/kingbase8-8.6.0.jar</systemPath>-->
-<!--		</dependency>-->
-<!--		<dependency>-->
-<!--			<groupId>com.kingbase</groupId>-->
-<!--			<artifactId>kingbase8</artifactId>-->
-<!--			<version>8.6.0</version>-->
-<!--			<scope>system</scope>-->
-<!--			<systemPath>${basedir}/libs/jdbc-x86/kingbase8-8.6.0.jar</systemPath>-->
-<!--		</dependency>-->
-
         <dependency>
             <groupId>cn.com.kingbase</groupId>
             <artifactId>kingbase8</artifactId>

src/main/java/com/genersoft/iot/vmp/gb28181/bean/InviteDecodeException.java

@@ -1,8 +1,11 @@
 package com.genersoft.iot.vmp.gb28181.bean;
 
 import lombok.Data;
+import lombok.Getter;
+import lombok.Setter;
 
-@Data
+@Getter
+@Setter
 public class InviteDecodeException extends RuntimeException{
     private int code;
     private String msg;

src/main/java/com/genersoft/iot/vmp/gb28181/bean/PlayException.java

@@ -1,8 +1,10 @@
 package com.genersoft.iot.vmp.gb28181.bean;
 
-import lombok.Data;
+import lombok.Getter;
+import lombok.Setter;
 
-@Data
+@Getter
+@Setter
 public class PlayException extends RuntimeException{
     private int code;
     private String msg;

src/main/java/com/genersoft/iot/vmp/gb28181/service/impl/DeviceServiceImpl.java

@@ -233,7 +233,13 @@ public class DeviceServiceImpl implements IDeviceService, CommandLineRunner {
             log.info("[更新多个离线设备信息] 参数为空");
             return;
         }
-        deviceMapper.offlineByList(offlineDevices);
+        int limitCount = 400;
+        for (int i = 0; i < offlineDevices.size(); i += limitCount) {
+            int end = Math.min(i + limitCount, offlineDevices.size());
+            List<Device> batchList = offlineDevices.subList(i, end);
+            deviceMapper.offlineByList(batchList);
+        }
+
         for (Device device : offlineDevices) {
             device.setOnLine(false);
             redisCatchStorage.updateDevice(device);

src/main/java/com/genersoft/iot/vmp/gb28181/utils/SipUtils.java

@@ -204,6 +204,21 @@ public class SipUtils {
     }
 
     public static Gb28181Sdp parseSDP(String sdpStr) throws SdpParseException {
+        
+        // 校验：拦截空内容与注入攻击特征
+        if (sdpStr == null || sdpStr.trim().isEmpty()) {
+            throw new SdpParseException(0, 0, "SDP内容为空");
+        }
+        // 标准SDP每行格式固定为 "x=value"，不存在SQL关键字；出现则视为注入攻击
+        String sdpUpper = sdpStr.toUpperCase();
+        if (sdpUpper.contains("' OR '") || sdpUpper.contains("' OR 1") || sdpUpper.contains(" OR 1=1")
+                || sdpUpper.contains("--") || sdpUpper.contains("/*") || sdpUpper.contains("*/")
+                || sdpUpper.contains("DROP ") || sdpUpper.contains("INSERT ") || sdpUpper.contains("UPDATE ")
+                || sdpUpper.contains("DELETE ") || sdpUpper.contains("UNION ") || sdpUpper.contains("SELECT ")) {
+            log.error("[SDP注入攻击] 检测到非法SDP内容，已拒绝解析，内容长度: {}", sdpStr.length());
+            throw new SdpParseException(0, 0, "非法SDP内容");
+        }
+        //校验结束
 
         // jainSip不支持y= f=字段， 移除以解析。
         int ssrcIndex = sdpStr.indexOf("y=");

src/main/java/com/genersoft/iot/vmp/media/event/hook/Hook.java

@@ -1,12 +1,14 @@
 package com.genersoft.iot.vmp.media.event.hook;
 
-import lombok.Data;
+import lombok.Getter;
+import lombok.Setter;
 
 /**
  * zlm hook事件的参数
  * @author lin
  */
-@Data
+@Getter
+@Setter
 public class Hook {
 
     private HookType hookType;

src/main/java/com/genersoft/iot/vmp/vmanager/cloudRecord/CloudRecordController.java

@@ -29,6 +29,7 @@ import jakarta.servlet.http.HttpServletResponse;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.ObjectUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.context.request.async.DeferredResult;
 
@@ -361,11 +362,12 @@ public class CloudRecordController {
     @ResponseBody
     @GetMapping("/download/zip")
     public void downloadZipFileFromUrl(HttpServletResponse response, Integer[] ids) {
-        log.info("[下载指定录像文件的压缩包] 查询 ids->{}", ids);
+        String idsStr = StringUtils.arrayToCommaDelimitedString(ids);
+        log.info("[下载指定录像文件的压缩包] 查询 ids->{}", idsStr);
         List<Integer> arrayList = new ArrayList<>(List.of(ids));
         List<CloudRecordUrl> cloudRecordItemList = cloudRecordService.getUrlListByIds(arrayList);
         if (ObjectUtils.isEmpty(cloudRecordItemList)) {
-            log.warn("[下载指定录像文件的压缩包] 未找到录像文件，ids->{}", ids);
+            log.warn("[下载指定录像文件的压缩包] 未找到录像文件，ids->{}", idsStr);
             return;
         }