diff --git a/framework/src/main/java/cn/lili/base/mybatisplus/MyMetaObjectHandler.java b/framework/src/main/java/cn/lili/base/mybatisplus/MyMetaObjectHandler.java
index fd966853..e7a2e74f 100644
--- a/framework/src/main/java/cn/lili/base/mybatisplus/MyMetaObjectHandler.java
+++ b/framework/src/main/java/cn/lili/base/mybatisplus/MyMetaObjectHandler.java
@@ -29,7 +29,10 @@ public class MyMetaObjectHandler implements MetaObjectHandler {
             this.setFieldValByName("deleteFlag", false, metaObject);
         }
         if (metaObject.hasGetter("id")) {
-            this.setFieldValByName("id", String.valueOf(SnowFlake.getId()), metaObject);
+            //如果已经配置id,则不再写入
+            if (metaObject.getValue("id") == null) {
+                this.setFieldValByName("id", String.valueOf(SnowFlake.getId()), metaObject);
+            }
         }
     }
diff --git a/framework/src/main/java/cn/lili/base/mybatisplus/MybatisPlusConfig.java b/framework/src/main/java/cn/lili/base/mybatisplus/MybatisPlusConfig.java
index 106b0668..1e077800 100644
--- a/framework/src/main/java/cn/lili/base/mybatisplus/MybatisPlusConfig.java
+++ b/framework/src/main/java/cn/lili/base/mybatisplus/MybatisPlusConfig.java
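Review bot: The new `metaObject.getValue("id") == null` guard keeps whatever id is already on the entity, so on any insert path where the entity is bound from a request the caller can now pick its own primary key; the hunk does not show which callers are expected to pre-set ids, so whether those callers are trusted should be confirmed. An empty string also passes the null check and would be written as the row id, so a blank id coming from form binding no longer receives a snowflake id. Consider `Object id = metaObject.getValue("id");` followed by `if (id == null || id.toString().isEmpty()) {` so only a genuinely absent id triggers generation. The enclosing fill method starts outside the hunk.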
@@ -1,32 +1,31 @@
 package cn.lili.base.mybatisplus;
-import com.baomidou.mybatisplus.core.parser.ISqlParser;
-import com.baomidou.mybatisplus.extension.parsers.BlockAttackSqlParser;
 import com.baomidou.mybatisplus.extension.plugins.PaginationInterceptor;
 import org.mybatis.spring.annotation.MapperScan;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import java.util.ArrayList;
-import java.util.List;
-
 /**
  * @author Chopper
  */
 @Configuration
-@MapperScan({"cn.lili.modules.*.*.mapper","cn.lili.modules.*.mapper"})
+@MapperScan({"cn.lili.modules.*.*.mapper", "cn.lili.modules.*.mapper"})
 public class MybatisPlusConfig {
     /**
      * 分页插件,自动识别数据库类型
      */
     @Bean
     public PaginationInterceptor paginationInterceptor() {
-        PaginationInterceptor paginationInterceptor = new PaginationInterceptor();
-        List sqlParserList = new ArrayList<>();
-        // 攻击 SQL 阻断解析器、加入解析链
-        sqlParserList.add(new BlockAttackSqlParser());
-        paginationInterceptor.setSqlParserList(sqlParserList);
-        return paginationInterceptor;
+        return new PaginationInterceptor();
+
+        //阻断解析器,测试环境使用
+//        PaginationInterceptor paginationInterceptor = new PaginationInterceptor();
+//
+//        List sqlParserList = new ArrayList<>();
+//        // 攻击 SQL 阻断解析器、加入解析链
+//        sqlParserList.add(new BlockAttackSqlParser());
+//        paginationInterceptor.setSqlParserList(sqlParserList);
+//        return paginationInterceptor;
     }
 }
diff --git a/framework/src/main/java/cn/lili/common/security/filter/XssAndSqlHttpServletRequestWrapper.java b/framework/src/main/java/cn/lili/common/security/filter/XssAndSqlHttpServletRequestWrapper.java
deleted file mode 100644
index 37e96de8..00000000
--- a/framework/src/main/java/cn/lili/common/security/filter/XssAndSqlHttpServletRequestWrapper.java
+++ /dev/null
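Review bot: Dropping `BlockAttackSqlParser` from `paginationInterceptor()` removes the only guard shown here against full-table `UPDATE`/`DELETE` statements issued without a `WHERE` clause, and its replacement is a commented-out copy labelled as test-environment only, so production now runs without that check and the dead copy will drift from the real configuration. If the parser is wanted only in some environments, keep the live code and gate it on a profile or property, e.g. a second `@Bean` method annotated `@Profile("test")` that builds the interceptor with the parser list, rather than leaving it commented out. Note also that the commented block sits after `return new PaginationInterceptor();`, so simply un-commenting it later would not compile because the statements would be unreachable.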
@@ -1,46 +0,0 @@
-package cn.lili.common.security.filter;
-
-
-import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.text.StringEscapeUtils;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-
-/**
- * 防止Xss sql注入
- *
- * @author Chopper
- * @version v1.0
- * 2021-06-04 10:39
- */
-public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
-    private HttpServletRequest request;
-
-    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
-        super(request);
-        this.request = request;
-    }
-
-    @Override
-    public String getParameter(String name) {
-        String value = request.getParameter(name);
-        if (!StringUtils.isEmpty(value)) {
-            value = StringEscapeUtils.escapeHtml4(value);
-        }
-        return value;
-    }
-
-    @Override
-    public String[] getParameterValues(String name) {
-        String[] parameterValues = super.getParameterValues(name);
-        if (parameterValues == null) {
-            return null;
-        }
-        for (int i = 0; i < parameterValues.length; i++) {
-            String value = parameterValues[i];
-            parameterValues[i] = StringEscapeUtils.escapeHtml4(value);
-        }
-        return parameterValues;
-    }
-}
diff --git a/framework/src/main/java/cn/lili/common/security/filter/XssFilter.java b/framework/src/main/java/cn/lili/common/security/filter/XssFilter.java
index 97433044..ead0a2b1 100644
--- a/framework/src/main/java/cn/lili/common/security/filter/XssFilter.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssFilter.java
@@ -1,11 +1,6 @@
 package cn.lili.common.security.filter;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.module.SimpleModule;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Primary;
-import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
 import org.springframework.stereotype.Component;
 import javax.servlet.*;
@@ -23,38 +18,22 @@ import java.io.IOException;
 @WebFilter
 @Component
 public class XssFilter implements Filter {
+    FilterConfig filterConfig = null;
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
+        this.filterConfig = filterConfig;
     }
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-        HttpServletRequest req = (HttpServletRequest) request;
-        XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
-        chain.doFilter(xssRequestWrapper, response);
+        //对请求进行拦截,防xss处理
+        chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
     }
     @Override
     public void destroy() {
-    }
-
-    /**
-     * 过滤json类型的
-     *
-     * @param builder
-     * @return
-     */
-    @Bean
-    @Primary
-    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
-        //解析器
-        ObjectMapper objectMapper = builder.createXmlMapper(false).build();
-        //注册xss解析器
-        SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
-        xssModule.addSerializer(new XssStringJsonSerializer());
-        objectMapper.registerModule(xssModule);
-        //返回
-        return objectMapper;
+        this.filterConfig = null;
     }
 }
diff --git a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
new file mode 100644
index 00000000..70c2df5b
--- /dev/null
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
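Review bot: Removing the `@Primary` `xssObjectMapper` bean takes `XssStringJsonSerializer` out of the Jackson setup, while the `XssHttpServletRequestWrapper` that `doFilter` now installs overrides only `getParameter`, `getParameterValues`, `getHeader` and `getAttribute` and not `getInputStream`/`getReader`, so JSON request bodies bound via `@RequestBody` are no longer covered by either mechanism unless that serializer is registered somewhere not shown here — worth confirming before merging. The wrapper's `getAttribute` override also calls `cleanXSS` but discards its result, so attribute values pass through unfiltered even on the paths this filter does cover. The new `FilterConfig filterConfig = null;` field is package-private and never read by `doFilter`; if it is kept, declare it `private FilterConfig filterConfig;` so it is not part of the class's visible surface.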
@@ -0,0 +1,136 @@ +package cn.lili.common.security.filter; + + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletRequestWrapper; +import java.util.regex.Pattern; + +/** + * 防止Xss sql注入 + * + * @author Chopper + * @version v1.0 + * 2021-06-04 10:39 + */ +public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { + private HttpServletRequest request; + + public XssHttpServletRequestWrapper(HttpServletRequest request) { + super(request); + this.request = request; + } + + /** + * 对数组参数进行特殊字符过滤 + */ + @Override + public String[] getParameterValues(String name) { + String[] values = super.getParameterValues(name); + if (values == null) { + return null; + } + int count = values.length; + String[] encodedValues = new String[count]; + for (int i = 0; i < count; i++) { + encodedValues[i] = cleanXSS(values[i]); + } + return encodedValues; + } + + /** + * 对参数中特殊字符进行过滤 + */ + @Override + public String getParameter(String name) { + String value = super.getParameter(name); + if (value == null) { + return null; + } + return cleanXSS(value); + } + + /** + * 获取attribute,特殊字符过滤 + */ + @Override + public Object getAttribute(String name) { + Object value = super.getAttribute(name); + if (value != null && value instanceof String) { + cleanXSS((String) value); + } + return value; + } + + /** + * 对请求头部进行特殊字符过滤 + */ + @Override + public String getHeader(String name) { + String value = super.getHeader(name); + if (value == null) { + return null; + } + return cleanXSS(value); + } + + /** + * 转义字符,使用该方法存在一定的弊端 + * + * @param value + * @return + */ + private String cleanXSS2(String value) { + // 移除特殊标签 + value = value.replaceAll("<", "<").replaceAll(">", ">"); + value = value.replaceAll("\\(", "(").replaceAll("\\)", ")"); + value = value.replaceAll("'", "'"); + value = value.replaceAll("eval\\((.*)\\)", ""); + value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\""); + value = value.replaceAll("script", ""); + return 
value; + } + + private String cleanXSS(String value) { + if (value != null) { + //推荐使用ESAPI库来避免脚本攻击,value = ESAPI.encoder().canonicalize(value); + // 避免空字符串 + value = value.replaceAll(" ", ""); + // 避免script 标签 + Pattern scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE); + value = scriptPattern.matcher(value).replaceAll(""); + // 避免src形式的表达式 + scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); + value = scriptPattern.matcher(value).replaceAll(""); + scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", + Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL); + value = scriptPattern.matcher(value).replaceAll(""); + // 删除单个的 标签 + scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE); + value = scriptPattern.matcher(value).replaceAll(""); + // 删除单个的