安全问题
This commit is contained in:
Chopper
parent
f11c3205ee
commit
9fedc25f3f
@ -45,9 +45,9 @@
|
||||
<de.codecentric>2.3.1</de.codecentric>
|
||||
<userAgentUtils>1.21</userAgentUtils>
|
||||
<interceptor-api>1.2</interceptor-api>
|
||||
<commons-text>1.4</commons-text>
|
||||
</properties>
|
||||
|
||||
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>javax.interceptor</groupId>
|
||||
@ -385,6 +385,13 @@
|
||||
<artifactId>UserAgentUtils</artifactId>
|
||||
<version>${userAgentUtils}</version>
|
||||
</dependency>
|
||||
|
||||
|
||||
<dependency>
|
||||
<groupId>org.apache.commons</groupId>
|
||||
<artifactId>commons-text</artifactId>
|
||||
<version>${commons-text}</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
|
||||
|
||||
|
||||
@ -0,0 +1,46 @@
|
||||
package cn.lili.common.security.filter;
|
||||
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.apache.commons.text.StringEscapeUtils;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletRequestWrapper;
|
||||
|
||||
/**
|
||||
* 防止Xss sql注入
|
||||
*
|
||||
* @author Chopper
|
||||
* @version v1.0
|
||||
* 2021-06-04 10:39
|
||||
*/
|
||||
public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
|
||||
private HttpServletRequest request;
|
||||
|
||||
public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) {
|
||||
super(request);
|
||||
this.request = request;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getParameter(String name) {
|
||||
String value = request.getParameter(name);
|
||||
if (!StringUtils.isEmpty(value)) {
|
||||
value = StringEscapeUtils.escapeHtml4(value);
|
||||
}
|
||||
return value;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String[] getParameterValues(String name) {
|
||||
String[] parameterValues = super.getParameterValues(name);
|
||||
if (parameterValues == null) {
|
||||
return null;
|
||||
}
|
||||
for (int i = 0; i < parameterValues.length; i++) {
|
||||
String value = parameterValues[i];
|
||||
parameterValues[i] = StringEscapeUtils.escapeHtml4(value);
|
||||
}
|
||||
return parameterValues;
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,60 @@
|
||||
package cn.lili.common.security.filter;
|
||||
|
||||
|
||||
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||
import com.fasterxml.jackson.databind.module.SimpleModule;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Primary;
|
||||
import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
|
||||
import org.springframework.stereotype.Component;
|
||||
|
||||
import javax.servlet.*;
|
||||
import javax.servlet.annotation.WebFilter;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* 防止XSS攻击过滤器
|
||||
*
|
||||
* @author Chopper
|
||||
* @version v1.0
|
||||
* 2021-06-04 10:37
|
||||
*/
|
||||
@WebFilter
|
||||
@Component
|
||||
public class XssFilter implements Filter {
|
||||
@Override
|
||||
public void init(FilterConfig filterConfig) throws ServletException {
|
||||
}
|
||||
|
||||
@Override
|
||||
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
|
||||
throws IOException, ServletException {
|
||||
HttpServletRequest req = (HttpServletRequest) request;
|
||||
XssAndSqlHttpServletRequestWrapper xssRequestWrapper = new XssAndSqlHttpServletRequestWrapper(req);
|
||||
chain.doFilter(xssRequestWrapper, response);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void destroy() {
|
||||
}
|
||||
|
||||
/**
|
||||
* 过滤json类型的
|
||||
*
|
||||
* @param builder
|
||||
* @return
|
||||
*/
|
||||
@Bean
|
||||
@Primary
|
||||
public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
|
||||
//解析器
|
||||
ObjectMapper objectMapper = builder.createXmlMapper(false).build();
|
||||
//注册xss解析器
|
||||
SimpleModule xssModule = new SimpleModule("XssStringJsonSerializer");
|
||||
xssModule.addSerializer(new XssStringJsonSerializer());
|
||||
objectMapper.registerModule(xssModule);
|
||||
//返回
|
||||
return objectMapper;
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,32 @@
|
||||
package cn.lili.common.security.filter;
|
||||
|
||||
|
||||
import com.fasterxml.jackson.core.JsonGenerator;
|
||||
import com.fasterxml.jackson.databind.JsonSerializer;
|
||||
import com.fasterxml.jackson.databind.SerializerProvider;
|
||||
import org.apache.commons.text.StringEscapeUtils;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
/**
|
||||
* 防止xss攻击 过滤字符串解析
|
||||
*
|
||||
* @author Chopper
|
||||
* @version v1.0
|
||||
* 2021-06-04 10:40
|
||||
*/
|
||||
public class XssStringJsonSerializer extends JsonSerializer<String> {
|
||||
@Override
|
||||
public Class<String> handledType() {
|
||||
return String.class;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void serialize(String value, JsonGenerator jsonGenerator,
|
||||
SerializerProvider serializerProvider) throws IOException {
|
||||
if (value != null) {
|
||||
String encodedValue = StringEscapeUtils.escapeHtml4(value);
|
||||
jsonGenerator.writeString(encodedValue);
|
||||
}
|
||||
}
|
||||
}
|
||||
Loading…
x
Reference in New Issue
Block a user