删除XSSFilter,避免OOM
This commit is contained in:
parent
ee6489d21c
commit
3ab5d95458
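--- a/<src-root>/com/ycwl/basic/config/FilterConfig.java
+++ /dev/null
@@ -1,22 +0,0 @@
-package com.ycwl.basic.config;
-
-import com.ycwl.basic.filter.XssFilter;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-import javax.servlet.DispatcherType;
-
-@Configuration
-public class FilterConfig {
-@Bean
-public FilterRegistrationBean xssFilterRegistrationBean(){
-FilterRegistrationBean filterRegistrationBean = new FilterRegistrationBean();
-filterRegistrationBean.setFilter(new XssFilter());
-filterRegistrationBean.setOrder(1);
-filterRegistrationBean.setDispatcherTypes(DispatcherType.REQUEST);
-filterRegistrationBean.setEnabled(true);
-filterRegistrationBean.addUrlPatterns("/*");
-return filterRegistrationBean;
-}
-}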
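--- a/<src-root>/com/ycwl/basic/filter/XssFilter.java
+++ /dev/null
@@ -1,33 +0,0 @@
-package com.ycwl.basic.filter;
-
-import com.ycwl.basic.xss.XSSHttpServletRequestWrapper;
-
-import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-public class XssFilter implements Filter {
-/**
-* 初始化方法
-*/
-@Override
-public void init(FilterConfig filterConfig) throws ServletException {
-}
-/**
-* 过滤方法
-*/
-@Override
-public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-ServletRequest wrapper = null;
-if (request instanceof HttpServletRequest) {
-HttpServletRequest servletRequest = (HttpServletRequest) request;
-wrapper = new XSSHttpServletRequestWrapper(servletRequest);
-}
-
-if (null == wrapper) {
-chain.doFilter(request, response);
-} else {
-chain.doFilter(wrapper, response);
-}
-}
-}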
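--- a/<src-root>/com/ycwl/basic/xss/XSSHttpServletRequestWrapper.java
+++ /dev/null
@@ -1,186 +0,0 @@
-package com.ycwl.basic.xss;
-
-
-import cn.hutool.core.collection.CollectionUtil;
-import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.text.StringEscapeUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import javax.servlet.ReadListener;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import java.io.*;
-import java.nio.charset.StandardCharsets;
-import java.util.Arrays;
-import java.util.Map;
-
-/**
-* 重新包装一下Request。重写一些获取参数的方法,将每个参数都进行过滤
-*/
-public class XSSHttpServletRequestWrapper extends HttpServletRequestWrapper {
-private static final Logger logger = LoggerFactory.getLogger(XSSHttpServletRequestWrapper.class);
-
-private HttpServletRequest request;
-/**
-* 请求体 RequestBody
-*/
-private String reqBody;
-
-/**
-* Constructs a request object wrapping the given request.
-*
-* @param request The request to wrap
-* @throws IllegalArgumentException if the request is null
-*/
-public XSSHttpServletRequestWrapper(HttpServletRequest request) {
-super(request);
-this.request = request;
-reqBody = getBodyString();
-}
-
-
-@Override
-public String getQueryString() {
-return StringEscapeUtils.escapeHtml4(super.getQueryString());
-}
-
-/**
-* The default behavior of this method is to return getParameter(String
-* name) on the wrapped request object.
-*
-* @param name
-*/
-@Override
-public String getParameter(String name) {
-String parameter = request.getParameter(name);
-if (StringUtils.isNotBlank(parameter)) {
-parameter = StringEscapeUtils.escapeHtml4(parameter);
-}
-return parameter;
-}
-
-/**
-* The default behavior of this method is to return
-* getParameterValues(String name) on the wrapped request object.
-*
-* @param name
-*/
-@Override
-public String[] getParameterValues(String name) {
-String[] parameterValues = request.getParameterValues(name);
-if (parameterValues != null && parameterValues.length > 0) {
-if (!CollectionUtil.isEmpty(Arrays.asList(parameterValues))) {
-for (int i = 0; i < parameterValues.length; i++)
-{
-parameterValues[i] = StringEscapeUtils.escapeHtml4(parameterValues[i]);
-}
-}
-}
-return parameterValues;
-}
-
-/**
-* The default behavior of this method is to return getParameterMap() on the
-* wrapped request object.
-*/
-@Override
-public Map<String, String[]> getParameterMap() {
-Map<String, String[]> map = request.getParameterMap();
-if (map != null && !map.isEmpty()) {
-for (String[] value : map.values()) {
-/*循环所有的value*/
-for (String str : value) {
-logger.info("----filter before--value:{}----", str);
-str = StringEscapeUtils.escapeHtml4(str);
-logger.info("----filter after--value:{}----", str);
-}
-}
-}
-return map;
-}
-
-/*重写输入流的方法,因为使用RequestBody的情况下是不会走上面的方法的*/
-/**
-* The default behavior of this method is to return getReader() on the
-* wrapped request object.
-*/
-@Override
-public BufferedReader getReader() throws IOException {
-return new BufferedReader(new InputStreamReader(getInputStream()));
-}
-
-/**
-* The default behavior of this method is to return getInputStream() on the
-* wrapped request object.
-*/
-@Override
-public ServletInputStream getInputStream() throws IOException {
-/*创建字节数组输入流*/
-final ByteArrayInputStream bais = new ByteArrayInputStream(reqBody.getBytes(StandardCharsets.UTF_8));
-return new ServletInputStream() {
-@Override
-public boolean isFinished() {
-return false;
-}
-
-@Override
-public boolean isReady() {
-return false;
-}
-
-@Override
-public void setReadListener(ReadListener listener) {
-}
-
-@Override
-public int read() throws IOException {
-return bais.read();
-}
-};
-}
-
-
-/**
-* 获取请求体
-*
-* @return 请求体
-*/
-private String getBodyString() {
-StringBuilder builder = new StringBuilder();
-InputStream inputStream = null;
-BufferedReader reader = null;
-
-try {
-inputStream = request.getInputStream();
-
-reader = new BufferedReader(new InputStreamReader(inputStream));
-
-String line;
-
-while ((line = reader.readLine()) != null) {
-builder.append(line);
-}
-} catch (IOException e) {
-logger.error("-----get Body String Error:{}----", e.getMessage(), e);
-} finally {
-if (inputStream != null) {
-try {
-inputStream.close();
-} catch (IOException e) {
-logger.error("-----get Body String Error:{}----", e.getMessage(), e);
-}
-}
-if (reader != null) {
-try {
-reader.close();
-} catch (IOException e) {
-logger.error("-----get Body String Error:{}----", e.getMessage(), e);
-}
-}
-}
-return builder.toString();
-}
-}
-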