!108 优化xss过滤，使用owasp的预设规则过滤。优化代码

Merge pull request !108 from OceansDeep/feature/pg
2022-01-07 09:48:07 +00:00 · 2022-01-07 09:48:07 +00:00 · 3fa3991cfa
commit 3fa3991cfa
parent e23d3a48cc 9a6102e887
5 changed files with 27 additions and 23 deletions
--- a/consumer/src/main/java/cn/lili/listener/GoodsMessageListener.java
+++ b/consumer/src/main/java/cn/lili/listener/GoodsMessageListener.java
@ -133,6 +133,7 @@ public class GoodsMessageListener implements RocketMQListener<MessageExt> {
            case GENERATOR_GOODS_INDEX:
                try {
                    String goodsId = new String(messageExt.getBody());
+                    log.info("生成索引: {}", goodsId);
                    Goods goods = this.goodsService.getById(goodsId);
                    updateGoodsIndex(goods);
                } catch (Exception e) {
--- a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
@ -2,6 +2,7 @@ package cn.lili.common.security.filter;


 import cn.hutool.core.text.CharSequenceUtil;
+import cn.hutool.http.HtmlUtil;
 import cn.hutool.json.JSONUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.owasp.html.Sanitizers;
@ -17,7 +18,6 @@ import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
-import java.util.Locale;
 import java.util.Map;

 /**
@ -257,9 +257,16 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    private String cleanXSS(String value) {
        if (value != null) {
-            value = Sanitizers.FORMATTING.and(Sanitizers.LINKS).sanitize(value);
+            // basic prepackaged policies for links, tables, integers, images, styles, blocks
+            value = Sanitizers.FORMATTING
+                    .and(Sanitizers.STYLES)
+                    .and(Sanitizers.IMAGES)
+                    .and(Sanitizers.LINKS)
+                    .and(Sanitizers.BLOCKS)
+                    .and(Sanitizers.TABLES)
+                    .sanitize(value);
        }
-        return value;
+        return HtmlUtil.unescape(value);
    }

    /**
@ -270,12 +277,13 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
     * @return 参数值
     */
    private String filterXss(String name, String value) {
-        if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), IGNORE_FIELD)) {
-            // 忽略的处理，（过滤敏感字符）
-            return value;
-        } else {
+//        if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), IGNORE_FIELD)) {
+//            // 忽略的处理，（过滤敏感字符）
+//            return value;
+//        } else {
+//            return cleanXSS(value);
+//        }
        return cleanXSS(value);
    }
-    }

 }
--- a/framework/src/main/java/cn/lili/modules/distribution/entity/dto/DistributionGoodsSearchParams.java
+++ b/framework/src/main/java/cn/lili/modules/distribution/entity/dto/DistributionGoodsSearchParams.java
@ -2,13 +2,14 @@ package cn.lili.modules.distribution.entity.dto;

 import cn.hutool.core.text.CharSequenceUtil;
 import cn.lili.common.security.context.UserContext;
-import cn.lili.common.utils.StringUtils;
 import cn.lili.common.vo.PageVO;
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.Data;
 import lombok.EqualsAndHashCode;

+import java.util.Objects;
+
 /**
 * 分销员商品查询条件
 *
@ -37,13 +38,13 @@ public class DistributionGoodsSearchParams extends PageVO {

    public <T> QueryWrapper<T> storeQueryWrapper() {
        QueryWrapper<T> queryWrapper = this.distributionQueryWrapper();
-        queryWrapper.eq("dg.store_id", UserContext.getCurrentUser().getStoreId());
+        queryWrapper.eq("dg.store_id", Objects.requireNonNull(UserContext.getCurrentUser()).getStoreId());
        return queryWrapper;
    }

    public <T> QueryWrapper<T> distributionQueryWrapper() {
        QueryWrapper<T> queryWrapper = new QueryWrapper<>();
-        queryWrapper.like(StringUtils.isNotEmpty(goodsName), "dg.goods_name", goodsName);
+        queryWrapper.like(CharSequenceUtil.isNotEmpty(goodsName), "dg.goods_name", goodsName);
        return queryWrapper;
    }

--- a/framework/src/main/java/cn/lili/modules/distribution/service/DistributionSelectedGoodsService.java
+++ b/framework/src/main/java/cn/lili/modules/distribution/service/DistributionSelectedGoodsService.java
@ -13,21 +13,21 @@ public interface DistributionSelectedGoodsService extends IService<DistributionS
    /**
     * 分销员添加分销商品
     * @param distributionGoodsId 分销商品ID
-     * @return
+     * @return 是否添加成功
     */
    boolean add(String distributionGoodsId);

    /**
-     * 分销员添加分销商品
+     * 分销员删除分销商品
     * @param distributionGoodsId 分销商品ID
-     * @return
+     * @return 是否删除成功
     */
    boolean delete(String distributionGoodsId);

    /**
-     * 分销员添加分销商品
+     * 分销员删除分销商品（管理员操作）
     * @param distributionGoodsId 分销商品ID
-     * @return
+     * @return 是否删除成功
     */
    boolean deleteByDistributionGoodsId(String distributionGoodsId);
 }
--- a/framework/src/main/java/cn/lili/modules/distribution/serviceimpl/DistributionSelectedGoodsServiceImpl.java
+++ b/framework/src/main/java/cn/lili/modules/distribution/serviceimpl/DistributionSelectedGoodsServiceImpl.java
@ -47,12 +47,6 @@ public class DistributionSelectedGoodsServiceImpl extends ServiceImpl<Distributi
                .eq(DistributionSelectedGoods::getDistributionId, distributionId));
    }

-    /**
-     * 分销员添加分销商品
-     *
-     * @param distributionGoodsId 商品ID
-     * @return
-     */
    @Override
    public boolean deleteByDistributionGoodsId(String distributionGoodsId) {
        return this.remove(new LambdaQueryWrapper<DistributionSelectedGoods>()