Merge branch 'master' into Bulbasaur

2021-06-07 15:08:36 +08:00 · 2021-06-07 15:08:36 +08:00 · 86360cf5f8
commit 86360cf5f8
parent e176d920cc f9f8cce13e
7 changed files with 159 additions and 120 deletions
--- a/framework/src/main/java/cn/lili/base/mybatisplus/MyMetaObjectHandler.java
+++ b/framework/src/main/java/cn/lili/base/mybatisplus/MyMetaObjectHandler.java
@ -29,9 +29,12 @@ public class MyMetaObjectHandler implements MetaObjectHandler {
            this.setFieldValByName("deleteFlag", false, metaObject);
        }
        if (metaObject.hasGetter("id")) {
            //如果已经配置id，则不再写入
            if (metaObject.getValue("id") == null) {
                this.setFieldValByName("id", String.valueOf(SnowFlake.getId()), metaObject);
            }
        }
    }
    @Override
    public void updateFill(MetaObject metaObject) {
--- a/framework/src/main/java/cn/lili/base/mybatisplus/MybatisPlusConfig.java
+++ b/framework/src/main/java/cn/lili/base/mybatisplus/MybatisPlusConfig.java
@ -1,32 +1,31 @@
 package cn.lili.base.mybatisplus;
 import com.baomidou.mybatisplus.core.parser.ISqlParser;
 import com.baomidou.mybatisplus.extension.parsers.BlockAttackSqlParser;
 import com.baomidou.mybatisplus.extension.plugins.PaginationInterceptor;
 import org.mybatis.spring.annotation.MapperScan;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import java.util.ArrayList;
 import java.util.List;
 /**
 * @author Chopper
 */
@Configuration
-@MapperScan({"cn.lili.modules.*.*.mapper","cn.lili.modules.*.mapper"})
+@MapperScan({"cn.lili.modules.*.*.mapper", "cn.lili.modules.*.mapper"})
 public class MybatisPlusConfig {
    /**
     * 分页插件，自动识别数据库类型
     */
    @Bean
    public PaginationInterceptor paginationInterceptor() {
        PaginationInterceptor paginationInterceptor = new PaginationInterceptor();
-        List<ISqlParser> sqlParserList = new ArrayList<>();
+        return new PaginationInterceptor();
-        // 攻击 SQL 阻断解析器、加入解析链
+
-        sqlParserList.add(new BlockAttackSqlParser());
+        //阻断解析器，测试环境使用
-        paginationInterceptor.setSqlParserList(sqlParserList);
+//        PaginationInterceptor paginationInterceptor = new PaginationInterceptor();
-        return paginationInterceptor;
+//
 //        List<ISqlParser> sqlParserList = new ArrayList<>();
 //        // 攻击 SQL 阻断解析器、加入解析链
 //        sqlParserList.add(new BlockAttackSqlParser());
 //        paginationInterceptor.setSqlParserList(sqlParserList);
 //        return paginationInterceptor;
    }
 }
--- a/framework/src/main/java/cn/lili/common/security/filter/XssAndSqlHttpServletRequestWrapper.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssAndSqlHttpServletRequestWrapper.java
@ -1,46 +0,0 @@
 package cn.lili.common.security.filter;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringEscapeUtils;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 /**
 * 防止Xss sql注入
 *
 * @author Chopper
 * @version v1.0
 * 2021-06-04 10:39
 */
 public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private HttpServletRequest request;
    public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
    }
    @Override
    public String getParameter(String name) {
        String value = request.getParameter(name);
        if (!StringUtils.isEmpty(value)) {
            value = StringEscapeUtils.escapeHtml4(value);
        }
        return value;
    }
    @Override
    public String[] getParameterValues(String name) {
        String[] parameterValues = super.getParameterValues(name);
        if (parameterValues == null) {
            return null;
        }
        for (int i = 0; i < parameterValues.length; i++) {
            String value = parameterValues[i];
            parameterValues[i] = StringEscapeUtils.escapeHtml4(value);
        }
        return parameterValues;
    }
 }
--- a/framework/src/main/java/cn/lili/common/security/filter/XssFilter.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssFilter.java
@ -1,11 +1,6 @@
 package cn.lili.common.security.filter;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.module.SimpleModule;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Primary;
 import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
 import org.springframework.stereotype.Component;
 import javax.servlet.*;
@ -23,38 +18,22 @@ import java.io.IOException;
@WebFilter
@Component
 public class XssFilter implements Filter {
    FilterConfig filterConfig = null;
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
-        HttpServletRequest req = (HttpServletRequest) request;
+        //对请求进行拦截,防xss处理
-        XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
+        chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
        chain.doFilter(xssRequestWrapper, response);
    }
    @Override
    public void destroy() {
-    }
+        this.filterConfig = null;
    /**
     * 过滤json类型的
     *
     * @param builder
     * @return
     */
    @Bean
    @Primary
    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
        //解析器
        ObjectMapper objectMapper = builder.createXmlMapper(false).build();
        //注册xss解析器
        SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
        xssModule.addSerializer(new XssStringJsonSerializer());
        objectMapper.registerModule(xssModule);
        //返回
        return objectMapper;
    }
 }
--- a/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssHttpServletRequestWrapper.java
@ -0,0 +1,136 @@
 package cn.lili.common.security.filter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletRequestWrapper;
 import java.util.regex.Pattern;
 /**
 * 防止Xss sql注入
 *
 * @author Chopper
 * @version v1.0
 * 2021-06-04 10:39
 */
 public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private HttpServletRequest request;
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        this.request = request;
    }
    /**
     * 对数组参数进行特殊字符过滤
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }
    /**
     * 对参数中特殊字符进行过滤
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }
    /**
     * 获取attribute,特殊字符过滤
     */
    @Override
    public Object getAttribute(String name) {
        Object value = super.getAttribute(name);
        if (value != null && value instanceof String) {
            cleanXSS((String) value);
        }
        return value;
    }
    /**
     * 对请求头部进行特殊字符过滤
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }
    /**
     * 转义字符,使用该方法存在一定的弊端
     *
     * @param value
     * @return
     */
    private String cleanXSS2(String value) {
        // 移除特殊标签
        value = value.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("\\(", "&#40;").replaceAll("\\)", "&#41;");
        value = value.replaceAll("'", "&#39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        return value;
    }
    private String cleanXSS(String value) {
        if (value != null) {
            //推荐使用ESAPI库来避免脚本攻击,value = ESAPI.encoder().canonicalize(value);
            // 避免空字符串
            value = value.replaceAll(" ", "");
            // 避免script 标签
            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免src形式的表达式
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // 删除单个的 </script> 标签
            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // 删除单个的<script ...> 标签
            scriptPattern = Pattern.compile("<script(.*?)>",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 eval(...) 形式表达式
            scriptPattern = Pattern.compile("eval\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 expression(...) 表达式
            scriptPattern = Pattern.compile("expression\\((.*?)\\)",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 javascript: 表达式
            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 vbscript:表达式
            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
            // 避免 onload= 表达式
            scriptPattern = Pattern.compile("onload(.*?)=",
                    Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }
 }
--- a/framework/src/main/java/cn/lili/common/security/filter/XssStringJsonSerializer.java
+++ b/framework/src/main/java/cn/lili/common/security/filter/XssStringJsonSerializer.java
@ -1,32 +0,0 @@
 package cn.lili.common.security.filter;
 import com.fasterxml.jackson.core.JsonGenerator;
 import com.fasterxml.jackson.databind.JsonSerializer;
 import com.fasterxml.jackson.databind.SerializerProvider;
 import org.apache.commons.text.StringEscapeUtils;
 import java.io.IOException;
 /**
 * 防止xss攻击 过滤字符串解析
 *
 * @author Chopper
 * @version v1.0
 * 2021-06-04 10:40
 */
 public class XssStringJsonSerializer extends JsonSerializer<String> {
    @Override
    public Class<String> handledType() {
        return String.class;
    }
    @Override
    public void serialize(String value, JsonGenerator jsonGenerator,
                          SerializerProvider serializerProvider) throws IOException {
        if (value != null) {
            String encodedValue = StringEscapeUtils.escapeHtml4(value);
            jsonGenerator.writeString(encodedValue);
        }
    }
 }
--- a/framework/src/main/java/cn/lili/modules/base/serviceimpl/RegionServiceImpl.java
+++ b/framework/src/main/java/cn/lili/modules/base/serviceimpl/RegionServiceImpl.java
@ -1,6 +1,7 @@
 package cn.lili.modules.base.serviceimpl;
 import cn.lili.common.utils.HttpClientUtils;
 import cn.lili.common.utils.SnowFlake;
 import cn.lili.common.utils.StringUtils;
 import cn.lili.modules.base.mapper.RegionMapper;
 import cn.lili.modules.base.service.RegionService;
@ -11,9 +12,7 @@ import com.alibaba.fastjson.JSONObject;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
 import lombok.RequiredArgsConstructor;
 import org.apache.commons.lang3.ArrayUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@ -244,6 +243,7 @@ public class RegionServiceImpl extends ServiceImpl<RegionMapper, Region> impleme
        record.setName(name);
        record.setParentId(parentId);
        record.setOrderNum(order);
        record.setId(String.valueOf(SnowFlake.getId()));
        String megName = ",";
        for (int i = 0; i < ids.length; i++) {
            megName = megName + ids[i];