优化XSS处理

5b4098c8 · ma · 39d50ddd · 5b4098c8 · 5b4098c8
Commit 5b4098c8 authored Dec 05, 2022 by ma
Showing with 22 additions and 7 deletions

GlobalExceptionHandler.java ...a/iot/sixiang/license/handler/GlobalExceptionHandler.java +1 -1

XssHttpServletRequestWrapper.java ...iot/sixiang/license/xss/XssHttpServletRequestWrapper.java +21 -6

No files found.
--- a/license/src/main/java/iot/sixiang/license/handler/GlobalExceptionHandler.java
+++ b/license/src/main/java/iot/sixiang/license/handler/GlobalExceptionHandler.java
@@ -17,7 +17,7 @@ public class GlobalExceptionHandler {
    @ExceptionHandler(Exception.class)
    @ResponseBody    //为了返回数据
    public BaseResult error(Exception e){
-        log.error("出现自定义异常,{}" + e.getMessage());
+        log.error("出现自定义异常", e);
        return BaseResult.serverException();
    }

--- a/license/src/main/java/iot/sixiang/license/xss/XssHttpServletRequestWrapper.java
+++ b/license/src/main/java/iot/sixiang/license/xss/XssHttpServletRequestWrapper.java
 package iot.sixiang.license.xss;
+import com.alibaba.fastjson.JSONArray;
 import com.alibaba.fastjson.JSONObject;
 import iot.sixiang.license.consts.ResultCode;
 import iot.sixiang.license.handler.IotLicenseException;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
 import org.owasp.esapi.ESAPI;
-import org.springframework.util.StringUtils;
 import org.springframework.web.multipart.commons.CommonsMultipartResolver;
 import javax.servlet.ReadListener;
@@ -15,6 +15,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 import java.io.*;
 import java.nio.charset.StandardCharsets;
+import java.util.List;
 import java.util.regex.Pattern;
 import static java.util.regex.Pattern.*;
@@ -41,6 +42,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private static String badStrReg =
            "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) throws IOException {
        super(servletRequest);
@@ -65,7 +67,8 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
        } catch (IOException e) {
            throw e;
        }
-        return sb.toString();
+        String res = sb.toString();
+        return res;
    }
    /**
@@ -79,10 +82,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
        // 非文件上传进行过滤
        if (!fileUpload) {
            // 获取body中的请求参数
-            JSONObject json = JSONObject.parseObject(new String(body, StandardCharsets.UTF_8));
+            String requestString = new String(body, StandardCharsets.UTF_8);
-            // 校验并过滤xss攻击和sql注入
+            if(requestString.startsWith("[")) {
-            for (String k : json.keySet()) {
+                List<String> strings = JSONArray.parseArray(requestString, String.class);
-                cleanSQLInject(cleanXSS(json.getString(k)));
+                for (String string : strings) {
+                    checkSqlAndXss(string);
+                }
+            } else {
+                checkSqlAndXss(new String(body, StandardCharsets.UTF_8));
            }
        }
        // 将请求体参数流转 -- 流读取一次就会消失,所以我们事先读取之后就存在byte数组里边方便流转
@@ -111,6 +118,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
        };
    }
+    public void checkSqlAndXss(String str) {
+        JSONObject json = JSONObject.parseObject(str);
+        // 校验并过滤xss攻击和sql注入
+        for (String k : json.keySet()) {
+            cleanSQLInject(cleanXSS(json.getString(k)));
+        }
+    }
    /**
     * 过滤sql注入 -- 需要增加通配，过滤大小写组合
     *