From 3ab5d9545881e8ed3d0d5a7e6b8a76f49690ea10 Mon Sep 17 00:00:00 2001
From: Jerry Yan <792602257@qq.com>
Date: Sat, 1 Mar 2025 15:36:07 +0800
Subject: [PATCH] =?UTF-8?q?=E5=88=A0=E9=99=A4XSSFilter=EF=BC=8C=E9=81=BF?= =?UTF-8?q?=E5=85=8DOOM?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../com/ycwl/basic/config/FilterConfig.java | 22 ---
 .../java/com/ycwl/basic/filter/XssFilter.java | 33 ----
 .../xss/XSSHttpServletRequestWrapper.java | 186 ------------------
 3 files changed, 241 deletions(-)
 delete mode 100644 src/main/java/com/ycwl/basic/config/FilterConfig.java
 delete mode 100644 src/main/java/com/ycwl/basic/filter/XssFilter.java
 delete mode 100644 src/main/java/com/ycwl/basic/xss/XSSHttpServletRequestWrapper.java
diff --git a/src/main/java/com/ycwl/basic/config/FilterConfig.java b/src/main/java/com/ycwl/basic/config/FilterConfig.java
deleted file mode 100644
index 712bbad..0000000
--- a/src/main/java/com/ycwl/basic/config/FilterConfig.java
+++ /dev/null
@@ -1,22 +0,0 @@
-package com.ycwl.basic.config;
-
-import com.ycwl.basic.filter.XssFilter;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-import javax.servlet.DispatcherType;
-
-@Configuration
-public class FilterConfig {
- @Bean
- public FilterRegistrationBean xssFilterRegistrationBean(){
- FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
- filterRegistrationBean.setFilter(new XssFilter());
- filterRegistrationBean.setOrder(1);
- filterRegistrationBean.setDispatcherTypes(DispatcherType.REQUEST);
- filterRegistrationBean.setEnabled(true);
- filterRegistrationBean.addUrlPatterns("/*");
- return filterRegistrationBean;
- }
-}
diff --git a/src/main/java/com/ycwl/basic/filter/XssFilter.java b/src/main/java/com/ycwl/basic/filter/XssFilter.java
deleted file mode 100644
index 95cba91..0000000
--- a/src/main/java/com/ycwl/basic/filter/XssFilter.java
+++ /dev/null
@@ -1,33 +0,0 @@
-package com.ycwl.basic.filter;
-
-import com.ycwl.basic.xss.XSSHttpServletRequestWrapper;
-
-import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-public class XssFilter implements Filter {
- /**
- * 初始化方法
- */
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
- }
- /**
- * 过滤方法
- */
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
- ServletRequest wrapper = null;
- if (request instanceof HttpServletRequest) {
- HttpServletRequest servletRequest = (HttpServletRequest) request;
- wrapper = new XSSHttpServletRequestWrapper(servletRequest);
- }
-
- if (null == wrapper) {
- chain.doFilter(request, response);
- } else {
- chain.doFilter(wrapper, response);
- }
- }
-}
diff --git a/src/main/java/com/ycwl/basic/xss/XSSHttpServletRequestWrapper.java b/src/main/java/com/ycwl/basic/xss/XSSHttpServletRequestWrapper.java
deleted file mode 100644
index 91c70cd..0000000
--- a/src/main/java/com/ycwl/basic/xss/XSSHttpServletRequestWrapper.java
+++ /dev/null
@@ -1,186 +0,0 @@
-package com.ycwl.basic.xss;
-
-
-import cn.hutool.core.collection.CollectionUtil;
-import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.text.StringEscapeUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.servlet.ReadListener;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import java.io.*;
-import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
-import java.util.Map;
-
-/**
- * 重新包装一下Request。重写一些获取参数的方法,将每个参数都进行过滤
- */
-public class XSSHttpServletRequestWrapper extends HttpServletRequestWrapper {
- private static final Logger logger = LoggerFactory.getLogger(XSSHttpServletRequestWrapper.class);
-
- private HttpServletRequest request;
- /**
- * 请求体 RequestBody
- */
- private String reqBody;
-
- /**
- * Constructs a request object wrapping the given request.
- *
- * @param request The request to wrap
- * @throws IllegalArgumentException if the request is null
- */
- public XSSHttpServletRequestWrapper(HttpServletRequest request) {
- super(request);
- this.request = request;
- reqBody = getBodyString();
- }
-
-
- @Override
- public String getQueryString() {
- return StringEscapeUtils.escapeHtml4(super.getQueryString());
- }
-
- /**
- * The default behavior of this method is to return getParameter(String
- * name) on the wrapped request object.
- *
- * @param name
- */
- @Override
- public String getParameter(String name) {
- String parameter = request.getParameter(name);
- if (StringUtils.isNotBlank(parameter)) {
- parameter = StringEscapeUtils.escapeHtml4(parameter);
- }
- return parameter;
- }
-
- /**
- * The default behavior of this method is to return
- * getParameterValues(String name) on the wrapped request object.
- *
- * @param name
- */
- @Override
- public String[] getParameterValues(String name) {
- String[] parameterValues = request.getParameterValues(name);
- if (parameterValues != null && parameterValues.length > 0) {
- if (!CollectionUtil.isEmpty(Arrays.asList(parameterValues))) {
- for (int i = 0; i < parameterValues.length; i++)
- {
- parameterValues[i] = StringEscapeUtils.escapeHtml4(parameterValues[i]);
- }
- }
- }
- return parameterValues;
- }
-
- /**
- * The default behavior of this method is to return getParameterMap() on the
- * wrapped request object.
- */
- @Override
- public Map getParameterMap() {
- Map map = request.getParameterMap();
- if (map != null && !map.isEmpty()) {
- for (String[] value : map.values()) {
- /*循环所有的value*/
- for (String str : value) {
- logger.info("----filter before--value:{}----", str);
- str = StringEscapeUtils.escapeHtml4(str);
- logger.info("----filter after--value:{}----", str);
- }
- }
- }
- return map;
- }
-
- /*重写输入流的方法,因为使用RequestBody的情况下是不会走上面的方法的*/
- /**
- * The default behavior of this method is to return getReader() on the
- * wrapped request object.
- */
- @Override
- public BufferedReader getReader() throws IOException {
- return new BufferedReader(new InputStreamReader(getInputStream()));
- }
-
- /**
- * The default behavior of this method is to return getInputStream() on the
- * wrapped request object.
- */
- @Override
- public ServletInputStream getInputStream() throws IOException {
- /*创建字节数组输入流*/
- final ByteArrayInputStream bais = new ByteArrayInputStream(reqBody.getBytes(StandardCharsets.UTF_8));
- return new ServletInputStream() {
- @Override
- public boolean isFinished() {
- return false;
- }
-
- @Override
- public boolean isReady() {
- return false;
- }
-
- @Override
- public void setReadListener(ReadListener listener) {
- }
-
- @Override
- public int read() throws IOException {
- return bais.read();
- }
- };
- }
-
-
- /**
- * 获取请求体
- *
- * @return 请求体
- */
- private String getBodyString() {
- StringBuilder builder = new StringBuilder();
- InputStream inputStream = null;
- BufferedReader reader = null;
-
- try {
- inputStream = request.getInputStream();
-
- reader = new BufferedReader(new InputStreamReader(inputStream));
-
- String line;
-
- while ((line = reader.readLine()) != null) {
- builder.append(line);
- }
- } catch (IOException e) {
- logger.error("-----get Body String Error:{}----", e.getMessage(), e);
- } finally {
- if (inputStream != null) {
- try {
- inputStream.close();
- } catch (IOException e) {
- logger.error("-----get Body String Error:{}----", e.getMessage(), e);
- }
- }
- if (reader != null) {
- try {
- reader.close();
- } catch (IOException e) {
- logger.error("-----get Body String Error:{}----", e.getMessage(), e);
- }
- }
- }
- return builder.toString();
- }
-}
-