Commit 5b4098c8 authored by ma's avatar ma

优化XSS处理

parent 39d50ddd
...@@ -17,7 +17,7 @@ public class GlobalExceptionHandler { ...@@ -17,7 +17,7 @@ public class GlobalExceptionHandler {
@ExceptionHandler(Exception.class) @ExceptionHandler(Exception.class)
@ResponseBody //为了返回数据 @ResponseBody //为了返回数据
public BaseResult error(Exception e){ public BaseResult error(Exception e){
log.error("出现自定义异常,{}" + e.getMessage()); log.error("出现自定义异常", e);
return BaseResult.serverException(); return BaseResult.serverException();
} }
......
package iot.sixiang.license.xss; package iot.sixiang.license.xss;
import com.alibaba.fastjson.JSONArray;
import com.alibaba.fastjson.JSONObject; import com.alibaba.fastjson.JSONObject;
import iot.sixiang.license.consts.ResultCode; import iot.sixiang.license.consts.ResultCode;
import iot.sixiang.license.handler.IotLicenseException; import iot.sixiang.license.handler.IotLicenseException;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.apache.commons.fileupload.servlet.ServletFileUpload; import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.owasp.esapi.ESAPI; import org.owasp.esapi.ESAPI;
import org.springframework.util.StringUtils;
import org.springframework.web.multipart.commons.CommonsMultipartResolver; import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import javax.servlet.ReadListener; import javax.servlet.ReadListener;
...@@ -15,6 +15,7 @@ import javax.servlet.http.HttpServletRequest; ...@@ -15,6 +15,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper; import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*; import java.io.*;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import static java.util.regex.Pattern.*; import static java.util.regex.Pattern.*;
...@@ -41,6 +42,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { ...@@ -41,6 +42,7 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private static String badStrReg = private static String badStrReg =
"\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) throws IOException { public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) throws IOException {
super(servletRequest); super(servletRequest);
...@@ -65,7 +67,8 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { ...@@ -65,7 +67,8 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
} catch (IOException e) { } catch (IOException e) {
throw e; throw e;
} }
return sb.toString(); String res = sb.toString();
return res;
} }
/** /**
...@@ -79,10 +82,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { ...@@ -79,10 +82,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
// 非文件上传进行过滤 // 非文件上传进行过滤
if (!fileUpload) { if (!fileUpload) {
// 获取body中的请求参数 // 获取body中的请求参数
JSONObject json = JSONObject.parseObject(new String(body, StandardCharsets.UTF_8)); String requestString = new String(body, StandardCharsets.UTF_8);
// 校验并过滤xss攻击和sql注入 if(requestString.startsWith("[")) {
for (String k : json.keySet()) { List<String> strings = JSONArray.parseArray(requestString, String.class);
cleanSQLInject(cleanXSS(json.getString(k))); for (String string : strings) {
checkSqlAndXss(string);
}
} else {
checkSqlAndXss(new String(body, StandardCharsets.UTF_8));
} }
} }
// 将请求体参数流转 -- 流读取一次就会消失,所以我们事先读取之后就存在byte数组里边方便流转 // 将请求体参数流转 -- 流读取一次就会消失,所以我们事先读取之后就存在byte数组里边方便流转
...@@ -111,6 +118,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { ...@@ -111,6 +118,14 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
}; };
} }
public void checkSqlAndXss(String str) {
JSONObject json = JSONObject.parseObject(str);
// 校验并过滤xss攻击和sql注入
for (String k : json.keySet()) {
cleanSQLInject(cleanXSS(json.getString(k)));
}
}
/** /**
* 过滤sql注入 -- 需要增加通配,过滤大小写组合 * 过滤sql注入 -- 需要增加通配,过滤大小写组合
* *
......
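Review bot: The new `checkSqlAndXss` helper assumes every string it receives parses to a JSON object, yet the new array branch hands it each array element converted to a String, so a body such as `["a","b"]` (or, on the else path, a scalar or empty body, where `parseObject` returns null and `json.keySet()` throws NPE) ends in a fastjson `JSONException` or NPE rather than the `IotLicenseException` the clean helpers presumably raise, and the catch-all `GlobalExceptionHandler` in the other file section then reports a server error instead of rejecting the request. Adding `if (json == null) return;` after the parse and, in the array branch, checking elements that are not JSON objects directly with `cleanSQLInject(cleanXSS(string));` would keep malformed input on the validation path. The else branch also decodes `body` a second time although `requestString` already holds the same text — `checkSqlAndXss(requestString);` is enough — and `startsWith("[")` misses an array body with leading whitespace, so `requestString.trim().startsWith("[")` is safer. Because the body is untrusted, confirm that fastjson autoType support is disabled for the version in use, since `parseObject` on attacker-controlled text is where that class of problem is exposed. The surrounding request-body handling (including what `cleanXSS`/`cleanSQLInject` do with their result, which this hunk discards) lies outside the shown lines.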