提交 5e34d52d authored 作者: fit2cloud-chenyw's avatar fit2cloud-chenyw

fix: sql注入和xss攻击

上级 9579d08b
package io.dataease.commons.filter;
import io.dataease.commons.holder.ThreadLocalContextHolder;
import io.dataease.commons.wrapper.XssAndSqlHttpServletRequestWrapper;
import org.apache.commons.lang3.StringUtils;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.*;
public class SqlFilter implements Filter {
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
String method = "GET";
String param = "";
XssAndSqlHttpServletRequestWrapper xssRequest = null;
if (request instanceof HttpServletRequest) {
method = ((HttpServletRequest) request).getMethod();
xssRequest = new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request);
}
if ("POST".equalsIgnoreCase(method)) {
param = this.getBodyString(xssRequest.getReader());
if(StringUtils.isNotBlank(param)){
if(xssRequest.checkXSSAndSql(param)){
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json;charset=UTF-8");
PrintWriter out = response.getWriter();
String msg = ThreadLocalContextHolder.getData().toString();
out.write(msg);
return;
}
}
}
if (xssRequest.checkParameter()) {
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json;charset=UTF-8");
PrintWriter out = response.getWriter();
String msg = ThreadLocalContextHolder.getData().toString();
out.write(msg);
return;
}
chain.doFilter(xssRequest, response);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
// 获取request请求body中参数
public static String getBodyString(BufferedReader br) {
String inputLine;
String str = "";
try {
while ((inputLine = br.readLine()) != null) {
str += inputLine;
}
br.close();
} catch (IOException e) {
System.out.println("IOException: " + e);
}
return str;
}
}
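Review bot: `xssRequest` is dereferenced at `xssRequest.getReader()`, `xssRequest.checkParameter()` and `chain.doFilter(xssRequest, response)` although it stays null whenever `request` is not an `HttpServletRequest`, so any non-HTTP request hits a NullPointerException instead of passing through the chain. The two identical rejection blocks also leave the default 200 status on the response and call `toString()` on `ThreadLocalContextHolder.getData()`, which throws when nothing has been stored on the current thread — and nothing in this commit stores it. I would guard early with `if (!(request instanceof HttpServletRequest)) { chain.doFilter(request, response); return; }` and move the rejection into one helper that sets 400 and tolerates a missing message, as below (this needs an import of `javax.servlet.http.HttpServletResponse`, and each detection branch becomes `reject(response); return;`). Separately, `getBodyString` concatenates lines without their terminators and reports read failures only with `System.out.println`, so a body whose read fails part-way is checked as a truncated string; a request filter of this kind is defence in depth and does not replace parameterized queries and output encoding at the point where the data is used.
```java
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    if (!(request instanceof HttpServletRequest)) {
        chain.doFilter(request, response); // nothing to inspect on a non-HTTP request
        return;
    }
    XssAndSqlHttpServletRequestWrapper xssRequest = new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request);
    // … unchanged: POST body read, checkXSSAndSql / checkParameter decisions (each now `reject(response); return;`), chain.doFilter(xssRequest, response) …
}

// Single rejection path: an explicit status lets clients and access logs tell a blocked request from a normal 200.
private static void reject(ServletResponse response) throws IOException {
    if (response instanceof HttpServletResponse) {
        ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_BAD_REQUEST);
    }
    response.setCharacterEncoding("UTF-8");
    response.setContentType("application/json;charset=UTF-8");
    Object data = ThreadLocalContextHolder.getData();
    // Empty JSON object when no message was stored on this thread, instead of an NPE from toString().
    response.getWriter().write(data == null ? "{}" : data.toString());
}
```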
package io.dataease.commons.holder;
public class ThreadLocalContextHolder {
private static ThreadLocal<Object> sceneThreadLocal = new ThreadLocal<>();
public static Object getData() {
return sceneThreadLocal.get();
}
public static void setData(Object data) {
if (ThreadLocalContextHolder.sceneThreadLocal == null) {
ThreadLocalContextHolder.sceneThreadLocal = new ThreadLocal<>();
}
ThreadLocalContextHolder.sceneThreadLocal.set(data);
}
public static void clearScene() {
setData(null);
}
}
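Review bot: The `sceneThreadLocal == null` branch in `setData` is dead — the field is initialised at declaration and nothing visible ever assigns null to it — so the field can simply be `private static final ThreadLocal<Object> sceneThreadLocal = new ThreadLocal<>();` and the check dropped. `clearScene` calls `setData(null)`, which leaves a null-valued entry in the thread's map rather than removing it; `sceneThreadLocal.remove()` is the idiomatic way to release it on pooled servlet threads. Nothing in this commit calls `clearScene` or `setData` after a request completes, so if some other code populates the holder, a stale value could be visible to the next request served by the same thread — worth confirming against the callers that set it.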
package io.dataease.config;
import io.dataease.commons.filter.SqlFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@Configuration
public class FilterConfig {
@Bean
public FilterRegistrationBean registration(){
FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
filterRegistrationBean.setFilter(new SqlFilter());//实例化Filter类
filterRegistrationBean.addUrlPatterns("/*");//设置匹配模式,这里设置为所有,可以按需求设置为"/hello"等等
filterRegistrationBean.setName("SqlFilter");//设置过滤器名称
filterRegistrationBean.setOrder(1);//设置执行顺序
return filterRegistrationBean;
}
}
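Review bot: `FilterRegistrationBean` is used as a raw type in `registration()`; the generic form `FilterRegistrationBean<SqlFilter> filterRegistrationBean = new FilterRegistrationBean<>(new SqlFilter());` keeps the return type checked and removes the separate `setFilter` call. Because the pattern is `/*`, every POST reaching the application has its body read fully into a `String` by `SqlFilter.getBodyString` before the handler runs, so large uploads are buffered in memory on each request; if upload endpoints exist, consider excluding them from the pattern or bounding the body size that is inspected.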