caojiahao/dev_caojiahao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into Bulbasaur

Browse Source
This commit is contained in:
lifenlong 2021-06-07 15:08:36 +08:00
commit 86360cf5f8
7 changed files with 159 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
framework/src/main/java/cn/lili/base/mybatisplus/MyMetaObjectHandler.java
View File

@ -29,9 +29,12 @@ public class MyMetaObjectHandler implements MetaObjectHandler {
this.setFieldValByName("deleteFlag", false, metaObject); this.setFieldValByName("deleteFlag", false, metaObject);
} }
if (metaObject.hasGetter("id")) { if (metaObject.hasGetter("id")) {
//如果已经配置id则不再写入
if (metaObject.getValue("id") == null) {
this.setFieldValByName("id", String.valueOf(SnowFlake.getId()), metaObject); this.setFieldValByName("id", String.valueOf(SnowFlake.getId()), metaObject);
} }
} }
}
@Override @Override
public void updateFill(MetaObject metaObject) { public void updateFill(MetaObject metaObject) {

21
framework/src/main/java/cn/lili/base/mybatisplus/MybatisPlusConfig.java
View File

@ -1,15 +1,10 @@
package cn.lili.base.mybatisplus; package cn.lili.base.mybatisplus;
import com.baomidou.mybatisplus.core.parser.ISqlParser;
import com.baomidou.mybatisplus.extension.parsers.BlockAttackSqlParser;
import com.baomidou.mybatisplus.extension.plugins.PaginationInterceptor; import com.baomidou.mybatisplus.extension.plugins.PaginationInterceptor;
import org.mybatis.spring.annotation.MapperScan; import org.mybatis.spring.annotation.MapperScan;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import java.util.ArrayList;
import java.util.List;
/** /**
* @author Chopper * @author Chopper
*/ */
@ -21,12 +16,16 @@ public class MybatisPlusConfig {
*/ */
@Bean @Bean
public PaginationInterceptor paginationInterceptor() { public PaginationInterceptor paginationInterceptor() {
PaginationInterceptor paginationInterceptor = new PaginationInterceptor();
List<ISqlParser> sqlParserList = new ArrayList<>(); return new PaginationInterceptor();
// 攻击 SQL 阻断解析器加入解析链
sqlParserList.add(new BlockAttackSqlParser()); //阻断解析器测试环境使用
paginationInterceptor.setSqlParserList(sqlParserList); // PaginationInterceptor paginationInterceptor = new PaginationInterceptor();
return paginationInterceptor; //
// List<ISqlParser> sqlParserList = new ArrayList<>();
// // 攻击 SQL 阻断解析器加入解析链
// sqlParserList.add(new BlockAttackSqlParser());
// paginationInterceptor.setSqlParserList(sqlParserList);
// return paginationInterceptor;
} }
} }

46
framework/src/main/java/cn/lili/common/security/filter/XssAndSqlHttpServletRequestWrapper.java
View File

@ -1,46 +0,0 @@
package cn.lili.common.security.filter;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
/**
* 防止Xss sql注入
*
* @author Chopper
* @version v1.0
* 2021-06-04 10:39
*/
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
private HttpServletRequest request;
public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
this.request = request;
}
@Override
public String getParameter(String name) {
String value = request.getParameter(name);
if (!StringUtils.isEmpty(value)) {
value = StringEscapeUtils.escapeHtml4(value);
}
return value;
}
@Override
public String[] getParameterValues(String name) {
String[] parameterValues = super.getParameterValues(name);
if (parameterValues == null) {
return null;
}
for (int i = 0; i < parameterValues.length; i++) {
String value = parameterValues[i];
parameterValues[i] = StringEscapeUtils.escapeHtml4(value);
}
return parameterValues;
}
}

33
framework/src/main/java/cn/lili/common/security/filter/XssFilter.java
View File

@ -1,11 +1,6 @@
package cn.lili.common.security.filter; package cn.lili.common.security.filter;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Primary;
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
import org.springframework.stereotype.Component; import org.springframework.stereotype.Component;
import javax.servlet.*; import javax.servlet.*;
@ -23,38 +18,22 @@ import java.io.IOException;
@WebFilter @WebFilter
@Component @Component
public class XssFilter implements Filter { public class XssFilter implements Filter {
FilterConfig filterConfig = null;
@Override @Override
public void init(FilterConfig filterConfig) throws ServletException { public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
} }
@Override @Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException { throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request; //对请求进行拦截,防xss处理
XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req); chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
chain.doFilter(xssRequestWrapper, response);
} }
@Override @Override
public void destroy() { public void destroy() {
} this.filterConfig = null;
/**
* 过滤json类型的
*
* @param builder
* @return
*/
@Bean
@Primary
public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
//解析器
ObjectMapper objectMapper = builder.createXmlMapper(false).build();
//注册xss解析器
SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
xssModule.addSerializer(new XssStringJsonSerializer());
objectMapper.registerModule(xssModule);
//返回
return objectMapper;
} }
} }

136
framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java Normal file
View File

@ -0,0 +1,136 @@
package cn.lili.common.security.filter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.regex.Pattern;
/**
* 防止Xss sql注入
*
* @author Chopper
* @version v1.0
* 2021-06-04 10:39
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private HttpServletRequest request;
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
this.request = request;
}
/**
* 对数组参数进行特殊字符过滤
*/
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if (values == null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0; i < count; i++) {
encodedValues[i] = cleanXSS(values[i]);
}
return encodedValues;
}
/**
* 对参数中特殊字符进行过滤
*/
@Override
public String getParameter(String name) {
String value = super.getParameter(name);
if (value == null) {
return null;
}
return cleanXSS(value);
}
/**
* 获取attribute,特殊字符过滤
*/
@Override
public Object getAttribute(String name) {
Object value = super.getAttribute(name);
if (value != null && value instanceof String) {
cleanXSS((String) value);
}
return value;
}
/**
* 对请求头部进行特殊字符过滤
*/
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null) {
return null;
}
return cleanXSS(value);
}
/**
* 转义字符,使用该方法存在一定的弊端
*
* @param value
* @return
*/
private String cleanXSS2(String value) {
// 移除特殊标签
value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
value = value.replaceAll("'", "&#39;");
value = value.replaceAll("eval\\((.*)\\)", "");
value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
value = value.replaceAll("script", "");
return value;
}
private String cleanXSS(String value) {
if (value != null) {
//推荐使用ESAPI库来避免脚本攻击,value = ESAPI.encoder().canonicalize(value);
// 避免空字符串
value = value.replaceAll(" ", "");
// 避免script 标签
Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免src形式的表达式
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 删除单个的 </script> 标签
scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 删除单个的<script ...> 标签
scriptPattern = Pattern.compile("<script(.*?)>",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 eval(...) 形式表达式
scriptPattern = Pattern.compile("eval\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 e­xpression(...) 表达式
scriptPattern = Pattern.compile("e­xpression\\((.*?)\\)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 javascript: 表达式
scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 vbscript:表达式
scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
value = scriptPattern.matcher(value).replaceAll("");
// 避免 onload= 表达式
scriptPattern = Pattern.compile("onload(.*?)=",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
}

32
framework/src/main/java/cn/lili/common/security/filter/XssStringJsonSerializer.java
View File

@ -1,32 +0,0 @@
package cn.lili.common.security.filter;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import org.apache.commons.text.StringEscapeUtils;
import java.io.IOException;
/**
* 防止xss攻击 过滤字符串解析
*
* @author Chopper
* @version v1.0
* 2021-06-04 10:40
*/
public class XssStringJsonSerializer extends JsonSerializer<String> {
@Override
public Class<String> handledType() {
return String.class;
}
@Override
public void serialize(String value, JsonGenerator jsonGenerator,
SerializerProvider serializerProvider) throws IOException {
if (value != null) {
String encodedValue = StringEscapeUtils.escapeHtml4(value);
jsonGenerator.writeString(encodedValue);
}
}
}

4
framework/src/main/java/cn/lili/modules/base/serviceimpl/RegionServiceImpl.java
View File

@ -1,6 +1,7 @@
package cn.lili.modules.base.serviceimpl; package cn.lili.modules.base.serviceimpl;
import cn.lili.common.utils.HttpClientUtils; import cn.lili.common.utils.HttpClientUtils;
import cn.lili.common.utils.SnowFlake;
import cn.lili.common.utils.StringUtils; import cn.lili.common.utils.StringUtils;
import cn.lili.modules.base.mapper.RegionMapper; import cn.lili.modules.base.mapper.RegionMapper;
import cn.lili.modules.base.service.RegionService; import cn.lili.modules.base.service.RegionService;
@ -11,9 +12,7 @@ import com.alibaba.fastjson.JSONObject;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper; import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper; import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl; import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
import lombok.RequiredArgsConstructor;
import org.apache.commons.lang3.ArrayUtils; import org.apache.commons.lang3.ArrayUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional; import org.springframework.transaction.annotation.Transactional;
@ -244,6 +243,7 @@ public class RegionServiceImpl extends ServiceImpl<RegionMapper, Region> impleme
record.setName(name); record.setName(name);
record.setParentId(parentId); record.setParentId(parentId);
record.setOrderNum(order); record.setOrderNum(order);
record.setId(String.valueOf(SnowFlake.getId()));
String megName = ","; String megName = ",";
for (int i = 0; i < ids.length; i++) { for (int i = 0; i < ids.length; i++) {
megName = megName + ids[i]; megName = megName + ids[i];