SpringBoot+Xss過濾(@RequestBody引數過濾Xss)
阿新 • • 發佈:2021-12-14
記一次SpringBoot+Xss過濾
XssFilter過濾器
import org.springframework.stereotype.Component; import org.springframework.web.multipart.MultipartHttpServletRequest; import org.springframework.web.multipart.commons.CommonsMultipartResolver; import javax.servlet.*; import javax.servlet.annotation.WebFilter; import javax.servlet.http.HttpServletRequest; import java.io.IOException; import com.jfinal.kit.StrKit; /** * @ProjectName: smt * @ClassName: * @Description: * @Author: yue zhenbin * @Date: 2021/7/7 9:16 */ @Component @WebFilter(urlPatterns = "/*", filterName = "xssFilter") public class XssFilter implements Filter { @Override public void init(FilterConfig filterConfig) throws ServletException { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { String contentType = request.getContentType(); if (StrKit.notBlank(contentType) && contentType.contains("multipart/form-data")) {//對圖片上傳不進行xss過濾 chain.doFilter(request, response); }else { XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request); chain.doFilter(xssRequest, response); } } @Override public void destroy() {} }
XssHttpServletRequestWrapper過濾規則類
主要針對@RequestBody進行的引數過濾
import java.io.ByteArrayInputStream; import java.io.IOException; import java.nio.charset.Charset; import javax.servlet.ReadListener; import javax.servlet.ServletInputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequestWrapper; import org.apache.commons.lang3.StringUtils; import org.jsoup.Jsoup; import org.jsoup.nodes.Document; import org.jsoup.nodes.Document.OutputSettings; import org.jsoup.safety.Whitelist; import org.springframework.util.StreamUtils; import com.alibaba.fastjson.JSONObject; /** * XSS過濾處理 * * @author ruoyi */ public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper { //使用basic() private static final Whitelist whitelist = createWhitelist(); private static final OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false); private byte[] requestBody; private Charset charSet; private static Whitelist createWhitelist() { return Whitelist.basic(); } private static String filter(String value) { if(value!=null) { value = Jsoup.clean(value, "", whitelist, outputSettings).trim(); } return value; } /** * * @param request */ public XssHttpServletRequestWrapper(HttpServletRequest request) { super(request); //快取請求body try { String requestBodyStr = getRequestPostStr(request); requestBodyStr=filterBadString(requestBodyStr); if (StringUtils.isNotBlank(requestBodyStr)) { requestBodyStr=filter(requestBodyStr); JSONObject resultJson = JSONObject.parseObject(requestBodyStr); requestBody = resultJson.toString().getBytes(charSet); } else { requestBody = new byte[0]; } } catch (IOException e) { e.printStackTrace(); } } /** * 獲取POST請求體中資料 * @param request * @return * @throws IOException */ public String getRequestPostStr(HttpServletRequest request) throws IOException { String charSetStr = request.getCharacterEncoding(); if (charSetStr == null) { charSetStr = "UTF-8"; } charSet = Charset.forName(charSetStr); return StreamUtils.copyToString(request.getInputStream(), charSet); } @Override public ServletInputStream getInputStream() { if (requestBody == null) { requestBody = new byte[0]; } final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(requestBody); return new ServletInputStream() { @Override public boolean isFinished() { return false; } @Override public boolean isReady() { return false; } @Override public void setReadListener(ReadListener readListener) { } @Override public int read() { return byteArrayInputStream.read(); } }; } /** * 特殊字元過濾 * * @param value * @return */ private static String filterBadString(String value) { String REP_TIPS = "BadParamter"; value = value.replaceAll("select", REP_TIPS); value = value.replaceAll("SELECT", REP_TIPS); value = value.replaceAll("insert", REP_TIPS); value = value.replaceAll("INSERT", REP_TIPS); value = value.replaceAll("delete", REP_TIPS); value = value.replaceAll("DELETE", REP_TIPS); value = value.replaceAll("update", REP_TIPS); value = value.replaceAll("UPDATE", REP_TIPS); value = value.replaceAll("script", REP_TIPS); value = value.replaceAll(">", REP_TIPS); value = value.replaceAll("<", REP_TIPS); value = value.replaceAll("=", REP_TIPS); value = value.replaceAll("@", REP_TIPS); return value; } }
啟動類需新增Servlet掃描:@ServletComponentScan("com.xxx.smt.config.XssFilter")
所需要的依賴:
<dependency> <groupId>org.jsoup</groupId> <artifactId>jsoup</artifactId> <version>1.10.2</version> </dependency> <dependency> <groupId>org.apache.commons</groupId> <artifactId>commons-lang3</artifactId> </dependency> <!-- jfinal 核心包 --> <dependency> <groupId>com.jfinal</groupId> <artifactId>jfinal</artifactId> <version>2.2</version> </dependency> <dependency> <groupId>com.jfinal</groupId> <artifactId>cos</artifactId> <version>26Dec2008</version> </dependency>