Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
I
ioc_sixiang_license
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
zengtianlai3
ioc_sixiang_license
Commits
5b4098c8
Commit
5b4098c8
authored
Dec 05, 2022
by
ma
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
优化XSS处理
parent
39d50ddd
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
22 additions
and
7 deletions
+22
-7
GlobalExceptionHandler.java
...a/iot/sixiang/license/handler/GlobalExceptionHandler.java
+1
-1
XssHttpServletRequestWrapper.java
...iot/sixiang/license/xss/XssHttpServletRequestWrapper.java
+21
-6
No files found.
license/src/main/java/iot/sixiang/license/handler/GlobalExceptionHandler.java
View file @
5b4098c8
...
@@ -17,7 +17,7 @@ public class GlobalExceptionHandler {
...
@@ -17,7 +17,7 @@ public class GlobalExceptionHandler {
@ExceptionHandler
(
Exception
.
class
)
@ExceptionHandler
(
Exception
.
class
)
@ResponseBody
//为了返回数据
@ResponseBody
//为了返回数据
public
BaseResult
error
(
Exception
e
){
public
BaseResult
error
(
Exception
e
){
log
.
error
(
"出现自定义异常
,{}"
+
e
.
getMessage
()
);
log
.
error
(
"出现自定义异常
"
,
e
);
return
BaseResult
.
serverException
();
return
BaseResult
.
serverException
();
}
}
...
...
license/src/main/java/iot/sixiang/license/xss/XssHttpServletRequestWrapper.java
View file @
5b4098c8
package
iot
.
sixiang
.
license
.
xss
;
package
iot
.
sixiang
.
license
.
xss
;
import
com.alibaba.fastjson.JSONArray
;
import
com.alibaba.fastjson.JSONObject
;
import
com.alibaba.fastjson.JSONObject
;
import
iot.sixiang.license.consts.ResultCode
;
import
iot.sixiang.license.consts.ResultCode
;
import
iot.sixiang.license.handler.IotLicenseException
;
import
iot.sixiang.license.handler.IotLicenseException
;
import
lombok.extern.slf4j.Slf4j
;
import
lombok.extern.slf4j.Slf4j
;
import
org.apache.commons.fileupload.servlet.ServletFileUpload
;
import
org.apache.commons.fileupload.servlet.ServletFileUpload
;
import
org.owasp.esapi.ESAPI
;
import
org.owasp.esapi.ESAPI
;
import
org.springframework.util.StringUtils
;
import
org.springframework.web.multipart.commons.CommonsMultipartResolver
;
import
org.springframework.web.multipart.commons.CommonsMultipartResolver
;
import
javax.servlet.ReadListener
;
import
javax.servlet.ReadListener
;
...
@@ -15,6 +15,7 @@ import javax.servlet.http.HttpServletRequest;
...
@@ -15,6 +15,7 @@ import javax.servlet.http.HttpServletRequest;
import
javax.servlet.http.HttpServletRequestWrapper
;
import
javax.servlet.http.HttpServletRequestWrapper
;
import
java.io.*
;
import
java.io.*
;
import
java.nio.charset.StandardCharsets
;
import
java.nio.charset.StandardCharsets
;
import
java.util.List
;
import
java.util.regex.Pattern
;
import
java.util.regex.Pattern
;
import
static
java
.
util
.
regex
.
Pattern
.*;
import
static
java
.
util
.
regex
.
Pattern
.*;
...
@@ -41,6 +42,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
...
@@ -41,6 +42,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private
static
String
badStrReg
=
private
static
String
badStrReg
=
"\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"
;
"\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"
;
public
XssHttpServletRequestWrapper
(
HttpServletRequest
servletRequest
)
throws
IOException
{
public
XssHttpServletRequestWrapper
(
HttpServletRequest
servletRequest
)
throws
IOException
{
super
(
servletRequest
);
super
(
servletRequest
);
...
@@ -65,7 +67,8 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
...
@@ -65,7 +67,8 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
}
catch
(
IOException
e
)
{
}
catch
(
IOException
e
)
{
throw
e
;
throw
e
;
}
}
return
sb
.
toString
();
String
res
=
sb
.
toString
();
return
res
;
}
}
/**
/**
...
@@ -79,10 +82,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
...
@@ -79,10 +82,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
// 非文件上传进行过滤
// 非文件上传进行过滤
if
(!
fileUpload
)
{
if
(!
fileUpload
)
{
// 获取body中的请求参数
// 获取body中的请求参数
JSONObject
json
=
JSONObject
.
parseObject
(
new
String
(
body
,
StandardCharsets
.
UTF_8
));
String
requestString
=
new
String
(
body
,
StandardCharsets
.
UTF_8
);
// 校验并过滤xss攻击和sql注入
if
(
requestString
.
startsWith
(
"["
))
{
for
(
String
k
:
json
.
keySet
())
{
List
<
String
>
strings
=
JSONArray
.
parseArray
(
requestString
,
String
.
class
);
cleanSQLInject
(
cleanXSS
(
json
.
getString
(
k
)));
for
(
String
string
:
strings
)
{
checkSqlAndXss
(
string
);
}
}
else
{
checkSqlAndXss
(
new
String
(
body
,
StandardCharsets
.
UTF_8
));
}
}
}
}
// 将请求体参数流转 -- 流读取一次就会消失,所以我们事先读取之后就存在byte数组里边方便流转
// 将请求体参数流转 -- 流读取一次就会消失,所以我们事先读取之后就存在byte数组里边方便流转
...
@@ -111,6 +118,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
...
@@ -111,6 +118,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
};
};
}
}
public
void
checkSqlAndXss
(
String
str
)
{
JSONObject
json
=
JSONObject
.
parseObject
(
str
);
// 校验并过滤xss攻击和sql注入
for
(
String
k
:
json
.
keySet
())
{
cleanSQLInject
(
cleanXSS
(
json
.
getString
(
k
)));
}
}
/**
/**
* 过滤sql注入 -- 需要增加通配,过滤大小写组合
* 过滤sql注入 -- 需要增加通配,过滤大小写组合
*
*
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment