Commit 5b4098c8 authored by ma's avatar ma

优化XSS处理

parent 39d50ddd
......@@ -17,7 +17,7 @@ public class GlobalExceptionHandler {
@ExceptionHandler(Exception.class)
@ResponseBody //为了返回数据
public BaseResult error(Exception e){
log.error("出现自定义异常,{}" + e.getMessage());
log.error("出现自定义异常", e);
return BaseResult.serverException();
}
......
package iot.sixiang.license.xss;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject;
import iot.sixiang.license.consts.ResultCode;
import iot.sixiang.license.handler.IotLicenseException;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.owasp.esapi.ESAPI;
import org.springframework.util.StringUtils;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import javax.servlet.ReadListener;
......@@ -15,6 +15,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;
import static java.util.regex.Pattern.*;
......@@ -41,6 +42,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private static String badStrReg =
"\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) throws IOException {
super(servletRequest);
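Review bot: `badStrReg` is a mutable `private static String`, so any code in the class can reassign the SQL-injection blocklist at runtime; it should be `private static final`, and if the visible `import static java.util.regex.Pattern.*` means it is compiled per request elsewhere, compile it once as `private static final Pattern BAD_STR_PATTERN = Pattern.compile(badStrReg, Pattern.CASE_INSENSITIVE);` (I cannot see where it is compiled, so the flag may already be applied). Note also that the first alternative `\b(and|or)\b.{1,6}?(=|>|<|...)` fires on ordinary prose such as "and x = 1", so this blocklist will reject legitimate bodies; it is at best defence in depth, and the real control is that the DAO layer uses parameterized statements. Which of these lines this hunk adds is not recoverable from the rendered page; the constructor continues outside the hunk.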
......@@ -65,7 +67,8 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
} catch (IOException e) {
throw e;
}
return sb.toString();
String res = sb.toString();
return res;
}
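Review bot: The two added lines `String res = sb.toString(); return res;` are a no-op rewrite of the removed `return sb.toString();` — the local is used only by the return and adds nothing, so the original form is clearer. The `catch (IOException e) { throw e; }` immediately above is likewise a redundant catch-and-rethrow that can be dropped, leaving the try body and the method's existing `throws IOException` to propagate the error. The enclosing method starts before this hunk.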
/**
......@@ -79,10 +82,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
// 非文件上传进行过滤
if (!fileUpload) {
// 获取body中的请求参数
JSONObject json = JSONObject.parseObject(new String(body, StandardCharsets.UTF_8));
// 校验并过滤xss攻击和sql注入
for (String k : json.keySet()) {
cleanSQLInject(cleanXSS(json.getString(k)));
String requestString = new String(body, StandardCharsets.UTF_8);
if(requestString.startsWith("[")) {
List<String> strings = JSONArray.parseArray(requestString, String.class);
for (String string : strings) {
checkSqlAndXss(string);
}
} else {
checkSqlAndXss(new String(body, StandardCharsets.UTF_8));
}
}
// 将请求体参数流转 -- 流读取一次就会消失,所以我们事先读取之后就存在byte数组里边方便流转
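Review bot: `requestString.startsWith("[")` is evaluated on the untrimmed body, so an array body with leading whitespace or a newline takes the object branch and `checkSqlAndXss` fails in `JSONObject.parseObject`, which with the `@ExceptionHandler(Exception.class)` in this commit surfaces as a generic server error rather than a validation result; use `String requestString = new String(body, StandardCharsets.UTF_8).trim();`. The `else` branch decodes `body` a second time instead of reusing the string it already has: `checkSqlAndXss(requestString);`. An array of scalar values (`JSONArray.parseArray(..., String.class)` on `["a","b"]`) also hands plain strings to `checkSqlAndXss`, which only accepts JSON objects — see the note on that method's hunk. The enclosing method and the `fileUpload` branch start outside this hunk.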
......@@ -111,6 +118,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
};
}
public void checkSqlAndXss(String str) {
JSONObject json = JSONObject.parseObject(str);
// 校验并过滤xss攻击和sql注入
for (String k : json.keySet()) {
cleanSQLInject(cleanXSS(json.getString(k)));
}
}
/**
* 过滤sql注入 -- 需要增加通配,过滤大小写组合
*
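Review bot: `checkSqlAndXss` calls `JSONObject.parseObject(str)` unconditionally, so any element of an array body that is not a JSON object (a string, number, or nested array) throws `JSONException` instead of being scanned, and a non-JSON body does the same; the caller in the hunk above passes exactly such elements through. Scanning the raw text when the input is not an object keeps the check total without a new import, and the method should document that it validates by throwing rather than returning a cleaned value (the results of `cleanSQLInject(cleanXSS(...))` are discarded, so that appears to be the contract — worth confirming against `cleanXSS`). Since this wrapper now feeds every request body into fastjson, also confirm the project's fastjson version runs with autoType disabled (safe mode); the surface this change opens is the parser itself.
```java
/** Validates every top-level value of a JSON-object body; scalar or non-JSON input is scanned as raw text. Throws if a value is rejected. */
public void checkSqlAndXss(String str) {
    String text = str == null ? "" : str.trim();
    if (!text.startsWith("{")) {
        // scalar array element or non-JSON body: scan the text itself
        cleanSQLInject(cleanXSS(text));
        return;
    }
    JSONObject json = JSONObject.parseObject(text);
    // … unchanged: loop over json.keySet() calling cleanSQLInject(cleanXSS(json.getString(k))) …
}
```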
......