优化管理端登录和xss

This commit is contained in:
paulGao 2022-01-17 17:42:42 +08:00
parent b93d10eeea
commit def6247e9f
2 changed files with 7 additions and 47 deletions


@ -7,7 +7,6 @@ import cn.hutool.json.JSONUtil;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import org.owasp.html.HtmlPolicyBuilder; import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory; import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;
import javax.servlet.ReadListener; import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream; import javax.servlet.ServletInputStream;
@ -32,33 +31,6 @@ import java.util.Map;
@Slf4j @Slf4j
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
/**
* xss过滤参数
*
* @todo 这里的参数应该更智能些例如iv前端的参数包含这两个字母就会放过这是有问题的
*/
private static final String[] IGNORE_FIELD = {
"logo",
"url",
"photo",
"intro",
"content",
"name",
"image",
"encrypted",
"iv",
"mail",
"sell",
"id",
"price",
"prop",
"reply",
"profile",
"privateKey",
"wechatpay",
};
//允许的标签 //允许的标签
private static final String[] allowedTags = {"h1", "h2", "h3", "h4", "h5", "h6", private static final String[] allowedTags = {"h1", "h2", "h3", "h4", "h5", "h6",
"span", "strong", "span", "strong",
@ -74,8 +46,10 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
"footer", "header", "hgroup", "section", "summary"}; "footer", "header", "hgroup", "section", "summary"};
//带有超链接的标签 //带有超链接的标签
private static final String[] linkTags = {"img", "video", "source", "a", "iframe"}; private static final String[] linkTags = {"img", "video", "source", "a", "iframe", "p"};
//带有超链接的标签
private static final String[] allowAttributes = {"style", "src", "href", "target", "width", "height"};
public XssHttpServletRequestWrapper(HttpServletRequest request) { public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request); super(request);
@ -284,19 +258,11 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
.allowElements(allowedTags) .allowElements(allowedTags)
//内容标签转化为div //内容标签转化为div
.allowElements((elementName, attributes) -> "div", needTransformTags) .allowElements((elementName, attributes) -> "div", needTransformTags)
.allowAttributes("src", "href", "target", "width", "height").onElements(linkTags) .allowAttributes(allowAttributes).onElements(linkTags)
//校验链接中的是否为http .allowStyling()
// .allowUrlProtocols("https")
.toFactory(); .toFactory();
// basic prepackaged policies for links, tables, integers, images, styles, blocks // basic prepackaged policies for links, tables, integers, images, styles, blocks
value = Sanitizers.FORMATTING value = policy.sanitize(value);
.and(Sanitizers.STYLES)
.and(Sanitizers.IMAGES)
.and(Sanitizers.LINKS)
.and(Sanitizers.BLOCKS)
.and(Sanitizers.TABLES)
.and(policy)
.sanitize(value);
} }
return HtmlUtil.unescape(value); return HtmlUtil.unescape(value);
} }
@ -309,12 +275,6 @@ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
* @return 参数值 * @return 参数值
*/ */
private String filterXss(String name, String value) { private String filterXss(String name, String value) {
// if (CharSequenceUtil.containsAny(name.toLowerCase(Locale.ROOT), IGNORE_FIELD)) {
// // 忽略的处理过滤敏感字符
// return value;
// } else {
// return cleanXSS(value);
// }
return cleanXSS(value); return cleanXSS(value);
} }
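Review bot: The sanitizer's result is immediately undone by the context line `return HtmlUtil.unescape(value);` at the end of the `@ -284,19 +258,11 @@` hunk: the OWASP policy entity-encodes `<`, `>` and `&` in text content, and unescaping that output turns `&lt;script&gt;` back into `<script>` before the value reaches the controller, so the new `value = policy.sanitize(value);` call offers little protection on its own. I would unescape before sanitizing rather than after, `value = policy.sanitize(HtmlUtil.unescape(value));` with the method then returning `value` directly, or drop the unescape entirely if callers do not depend on it. The rebuilt policy also allows `src`/`href` on `a`, `img`, `iframe` and now `p` without any `allowUrlProtocols`/`allowStandardUrlProtocols` call (the only such line was the commented-out `.allowUrlProtocols("https")` that this hunk removes), and the dropped `Sanitizers.LINKS` was what added `rel=nofollow`, so which URL schemes are accepted and whether `target` may appear without a `rel` attribute now rest on the builder's defaults — I would state the intended schemes explicitly in the builder chain. The method containing the `.toFactory()` chain and the unescape starts outside the hunk.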


@ -62,7 +62,7 @@ public class AdminUserManagerController {
@Autowired @Autowired
private VerificationService verificationService; private VerificationService verificationService;
@GetMapping(value = "/login") @PostMapping(value = "/login")
@ApiOperation(value = "登录管理员") @ApiOperation(value = "登录管理员")
public ResultMessage<Token> login(@NotNull(message = "用户名不能为空") @RequestParam String username, public ResultMessage<Token> login(@NotNull(message = "用户名不能为空") @RequestParam String username,
@NotNull(message = "密码不能为空") @RequestParam String password, @NotNull(message = "密码不能为空") @RequestParam String password,