Description
Problem description

OrderController.java:paySuccess sets the status of an order whose payment type is 1 or 2 to success. Its input parameters are payType (payment type) and orderNo (order number), and it calls the service-layer method NewBeeMallOrderServiceImpl.java:paySuccess, which implements the actual logic of marking the order as paid.

Looking at the code, both methods operate directly on the order identified by the supplied orderNo: NewBeeMallOrderServiceImpl.java:paySuccess confirms that the order is in the pending-payment state and then marks it as paid. Nowhere in the call chain is there a check that the order belongs to the current user.

It therefore looks possible to call the API directly and, without authorization, set another user's order to paysuccess. For example, the current user pays a 10-yuan order, but if the parameters passed to the function are the order number of another user's pending order (possibly a 100-yuan order that is pending and has not been paid), that other user's order can be marked as successfully paid.
OrderController.java:paySuccess:

```java
@PostMapping("/paySuccess")
@ResponseBody
public Result paySuccess(Integer payType, String orderNo, HttpServletRequest request) throws AlipayApiException {
    log.info("支付宝paySuccess通知数据记录:request.getParameterMap() is {}", JSON.toJSONString(request.getParameterMap()));
    if (payType == 1 && alipayConfig.getSigntype().equals(request.getParameter("sign_type"))
            && "trade_status_sync".equals(request.getParameter("notify_type"))
            && alipayConfig.getAppId().equals(request.getParameter("app_id"))
            && this.verifySign(request)) {
        String payResult = newBeeMallOrderService.paySuccess(orderNo, payType);
        if (ServiceResultEnum.SUCCESS.getResult().equals(payResult)) {
            return ResultGenerator.genSuccessResult();
        } else {
            return ResultGenerator.genFailResult(payResult);
        }
    } else if (payType == 2) {
        String payResult = newBeeMallOrderService.paySuccess(orderNo, payType);
        if (ServiceResultEnum.SUCCESS.getResult().equals(payResult)) {
            return ResultGenerator.genSuccessResult();
        } else {
            return ResultGenerator.genFailResult(payResult);
        }
    } else {
        return ResultGenerator.genFailResult("支付类型错误");
    }
}
```
NewBeeMallOrderServiceImpl.java:paySuccess:

```java
@Override
public String paySuccess(String orderNo, int payType) {
    NewBeeMallOrder newBeeMallOrder = newBeeMallOrderMapper.selectByOrderNo(orderNo);
    if (newBeeMallOrder == null) {
        return ServiceResultEnum.ORDER_NOT_EXIST_ERROR.getResult();
    }
    // Order status check: do not modify the order unless it is pending payment
    if (newBeeMallOrder.getOrderStatus().intValue() != NewBeeMallOrderStatusEnum.ORDER_PRE_PAY.getOrderStatus()) {
        return ServiceResultEnum.ORDER_STATUS_ERROR.getResult();
    }
    newBeeMallOrder.setOrderStatus((byte) NewBeeMallOrderStatusEnum.ORDER_PAID.getOrderStatus());
    newBeeMallOrder.setPayType((byte) payType);
    newBeeMallOrder.setPayStatus((byte) PayStatusEnum.PAY_SUCCESS.getPayStatus());
    newBeeMallOrder.setPayTime(new Date());
    newBeeMallOrder.setUpdateTime(new Date());
    if (newBeeMallOrderMapper.updateByPrimaryKeySelective(newBeeMallOrder) <= 0) {
        return ServiceResultEnum.DB_ERROR.getResult();
    }
    taskService.removeTask(new OrderUnPaidTask(newBeeMallOrder.getOrderId()));
    return ServiceResultEnum.SUCCESS.getResult();
}
```
Suggested check to add:

```java
// userId is the id of the currently logged-in user; the service method needs to
// receive it from the controller so it can be compared with the order's owner.
if (!userId.equals(newBeeMallOrder.getUserId())) {
    return ServiceResultEnum.NO_PERMISSION_ERROR.getResult();
}
```
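The following is an added, self-contained sketch of the suggested ownership check, not code from newbee-mall. The class PaySuccessOwnershipCheck, the Order stand-in, the in-memory order map and the string result codes are all assumptions that replace NewBeeMallOrder, the mapper and ServiceResultEnum; the sample orders are constructed. The point it demonstrates is that the service method receives the authenticated user's id as a parameter and compares it with the order's owner before any status change, so that supplying someone else's order number is rejected and that order stays pending. For the payType 2 branch, which a logged-in user triggers, the controller can take the user id from the session. The payType 1 branch is Alipay's server-to-server notification, where no session user exists, so that branch rests on the signature and notification-field checks already in the controller rather than on this comparison.

```java
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

// Hypothetical, self-contained sketch (not newbee-mall code): a paySuccess that
// refuses to mark an order paid unless it belongs to the authenticated caller.
public class PaySuccessOwnershipCheck {

    // Minimal stand-in for NewBeeMallOrder with only the fields the check needs.
    static class Order {
        final String orderNo;
        final Long userId;
        final int totalPriceFen; // constructed sample amount in fen
        int orderStatus;
        Date payTime;

        Order(String orderNo, Long userId, int totalPriceFen) {
            this.orderNo = orderNo;
            this.userId = userId;
            this.totalPriceFen = totalPriceFen;
            this.orderStatus = ORDER_PRE_PAY;
        }
    }

    // Stand-ins for NewBeeMallOrderStatusEnum values (assumed numbering).
    static final int ORDER_PRE_PAY = 0;
    static final int ORDER_PAID = 1;

    // Stand-ins for the ServiceResultEnum results referenced in the issue.
    static final String SUCCESS = "SUCCESS";
    static final String ORDER_NOT_EXIST_ERROR = "ORDER_NOT_EXIST_ERROR";
    static final String ORDER_STATUS_ERROR = "ORDER_STATUS_ERROR";
    static final String NO_PERMISSION_ERROR = "NO_PERMISSION_ERROR";

    // In-memory stand-in for newBeeMallOrderMapper.selectByOrderNo and the update.
    private final Map<String, Order> orders = new HashMap<>();

    void save(Order order) {
        orders.put(order.orderNo, order);
    }

    Order findByOrderNo(String orderNo) {
        return orders.get(orderNo);
    }

    // Hardened paySuccess: the controller must pass the id of the logged-in user
    // (taken from the session), never a value supplied by the client.
    public String paySuccess(String orderNo, int payType, Long currentUserId) {
        Order order = findByOrderNo(orderNo);
        if (order == null) {
            return ORDER_NOT_EXIST_ERROR;
        }
        // Ownership check comes before the status check, so a caller who does not
        // own the order learns nothing about its state.
        if (currentUserId == null || !currentUserId.equals(order.userId)) {
            return NO_PERMISSION_ERROR;
        }
        if (order.orderStatus != ORDER_PRE_PAY) {
            return ORDER_STATUS_ERROR;
        }
        order.orderStatus = ORDER_PAID;
        order.payTime = new Date();
        return SUCCESS;
    }

    public static void main(String[] args) {
        PaySuccessOwnershipCheck service = new PaySuccessOwnershipCheck();
        // Constructed sample data: user 1 owns a 10-yuan order, user 2 a 100-yuan order.
        service.save(new Order("ORDER-A", 1L, 1000));
        service.save(new Order("ORDER-B", 2L, 10000));

        // User 1 confirms payment of their own order.
        System.out.println("own order:     " + service.paySuccess("ORDER-A", 2, 1L));
        // User 1 submits user 2's order number; the service must refuse, and
        // ORDER-B must still be pending payment afterwards.
        System.out.println("other's order: " + service.paySuccess("ORDER-B", 2, 1L));
        System.out.println("ORDER-B still pending: "
                + (service.findByOrderNo("ORDER-B").orderStatus == ORDER_PRE_PAY));
    }
}
```

The ownership comparison is placed before the status comparison on purpose: a caller who does not own the order should receive the same NO_PERMISSION_ERROR whether that order is pending or already paid, so the endpoint cannot be used to probe the state of other users' orders. In the real service the extra parameter would be added to the NewBeeMallOrderService interface and the controller would obtain it from the session rather than from the request parameters.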