Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
H
hp-smart
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
platform
hp-smart
Commits
0cfa2c2a
Commit
0cfa2c2a
authored
Mar 11, 2024
by
yukang
Browse files
Options
Browse Files
Download
Plain Diff
Merge remote-tracking branch 'origin/dev' into dev
parents
a2e8a604
0fd1e1c9
Expand all
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
320 additions
and
0 deletions
+320
-0
FilterConfig.java
src/main/java/com/baosight/hpjx/config/FilterConfig.java
+25
-0
StringUtils.java
src/main/java/com/baosight/hpjx/util/StringUtils.java
+63
-0
HTMLFilter.java
src/main/java/com/baosight/hpjx/xss/HTMLFilter.java
+0
-0
XssFilter.java
src/main/java/com/baosight/hpjx/xss/XssFilter.java
+77
-0
XssHttpServletRequestWrapper.java
...a/com/baosight/hpjx/xss/XssHttpServletRequestWrapper.java
+155
-0
No files found.
src/main/java/com/baosight/hpjx/config/FilterConfig.java
0 → 100644
View file @
0cfa2c2a
package
com
.
baosight
.
hpjx
.
config
;
import
com.baosight.hpjx.xss.XssFilter
;
import
org.springframework.boot.web.servlet.FilterRegistrationBean
;
import
org.springframework.context.annotation.Bean
;
import
org.springframework.context.annotation.Configuration
;
/**
* @Author wwl
* @Date 2024/3/11 14:20
*/
@Configuration
public
class
FilterConfig
{
@Bean
public
FilterRegistrationBean
<
XssFilter
>
xssFilterRegistration
()
{
FilterRegistrationBean
<
XssFilter
>
registration
=
new
FilterRegistrationBean
<>();
registration
.
setFilter
(
new
XssFilter
());
registration
.
addUrlPatterns
(
"/*"
);
registration
.
setOrder
(
1
);
return
registration
;
}
}
\ No newline at end of file
src/main/java/com/baosight/hpjx/util/StringUtils.java
View file @
0cfa2c2a
...
@@ -2,9 +2,12 @@ package com.baosight.hpjx.util;
...
@@ -2,9 +2,12 @@ package com.baosight.hpjx.util;
import
com.alibaba.fastjson.JSONObject
;
import
com.alibaba.fastjson.JSONObject
;
import
com.baosight.iplat4j.core.exception.PlatException
;
import
com.baosight.iplat4j.core.exception.PlatException
;
import
org.springframework.util.AntPathMatcher
;
import
java.io.UnsupportedEncodingException
;
import
java.io.UnsupportedEncodingException
;
import
java.net.URLDecoder
;
import
java.net.URLDecoder
;
import
java.util.Collection
;
import
java.util.List
;
import
java.util.Map
;
import
java.util.Map
;
import
java.util.UUID
;
import
java.util.UUID
;
...
@@ -128,4 +131,64 @@ public class StringUtils extends org.apache.commons.lang3.StringUtils {
...
@@ -128,4 +131,64 @@ public class StringUtils extends org.apache.commons.lang3.StringUtils {
return
JSONObject
.
parseObject
(
paramsText
).
getInnerMap
();
return
JSONObject
.
parseObject
(
paramsText
).
getInnerMap
();
}
}
/**
* 查找指定字符串是否匹配指定字符串列表中的任意一个字符串
*
* @param str 指定字符串
* @param strs 需要检查的字符串数组
* @return 是否匹配
*/
public
static
boolean
matches
(
String
str
,
List
<
String
>
strs
)
{
if
(
isEmpty
(
str
)
||
isEmpty
(
strs
))
{
return
false
;
}
for
(
String
pattern
:
strs
)
{
if
(
isMatch
(
pattern
,
str
))
{
return
true
;
}
}
return
false
;
}
/**
* 判断url是否与规则配置:
* ? 表示单个字符;
* * 表示一层路径内的任意字符串,不可跨层级;
* ** 表示任意层路径;
*
* @param pattern 匹配规则
* @param url 需要匹配的url
* @return
*/
public
static
boolean
isMatch
(
String
pattern
,
String
url
)
{
AntPathMatcher
matcher
=
new
AntPathMatcher
();
return
matcher
.
match
(
pattern
,
url
);
}
/**
* * 判断一个Collection是否为空, 包含List,Set,Queue
*
* @param coll 要判断的Collection
* @return true:为空 false:非空
*/
public
static
boolean
isEmpty
(
Collection
<?>
coll
)
{
return
isNull
(
coll
)
||
coll
.
isEmpty
();
}
/**
* * 判断一个对象是否为空
*
* @param object Object
* @return true:为空 false:非空
*/
public
static
boolean
isNull
(
Object
object
)
{
return
object
==
null
;
}
}
}
src/main/java/com/baosight/hpjx/xss/HTMLFilter.java
0 → 100644
View file @
0cfa2c2a
This diff is collapsed.
Click to expand it.
src/main/java/com/baosight/hpjx/xss/XssFilter.java
0 → 100644
View file @
0cfa2c2a
package
com
.
baosight
.
hpjx
.
xss
;
import
com.baosight.hpjx.util.StringUtils
;
import
java.io.IOException
;
import
java.util.ArrayList
;
import
java.util.List
;
import
javax.servlet.Filter
;
import
javax.servlet.FilterChain
;
import
javax.servlet.FilterConfig
;
import
javax.servlet.ServletException
;
import
javax.servlet.ServletRequest
;
import
javax.servlet.ServletResponse
;
import
javax.servlet.http.HttpServletRequest
;
/**
* xss过滤
*/
public
class
XssFilter
implements
Filter
{
//不拦截的地址
private
List
<
String
>
excludedList
=
new
ArrayList
<
String
>();
@Override
public
void
init
(
FilterConfig
config
)
throws
ServletException
{
/*
* 这里只处理了需要拦截的url地址,如果想不拦截某个字段,比如富文本字段,
* 需要自己在XssHttpServletRequestWrapper类中去添加逻辑
*/
excludedList
.
add
(
"/service/HP*/*"
);
}
@Override
public
void
doFilter
(
ServletRequest
request
,
ServletResponse
response
,
FilterChain
chain
)
throws
IOException
,
ServletException
{
XssHttpServletRequestWrapper
xssRequest
=
new
XssHttpServletRequestWrapper
(
(
HttpServletRequest
)
request
);
String
url
=
xssRequest
.
getServletPath
();
if
(
isExcluded
(
url
)){
chain
.
doFilter
(
request
,
response
);
}
else
{
//使用XSS过滤
chain
.
doFilter
(
xssRequest
,
response
);
}
}
@Override
public
void
destroy
()
{
}
/**
* 是否不拦截
* @param url 请求地址
* @return true不拦截,false拦截
*/
private
boolean
isExcluded
(
String
url
){
// if(StringUtils.isBlank(url)){
// return false;
// }
if
(!
StringUtils
.
matches
(
url
,
excludedList
)){
return
true
;
}
// for (String excluded : excludedList) {
// if(!url.contains(excluded)){
// return true;
// }
// }
return
false
;
}
}
src/main/java/com/baosight/hpjx/xss/XssHttpServletRequestWrapper.java
0 → 100644
View file @
0cfa2c2a
package
com
.
baosight
.
hpjx
.
xss
;
import
org.apache.commons.lang3.StringEscapeUtils
;
import
org.apache.commons.lang3.StringUtils
;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletRequestWrapper
;
import
java.util.LinkedHashMap
;
import
java.util.Map
;
import
java.io.ByteArrayInputStream
;
import
java.io.IOException
;
import
javax.servlet.ReadListener
;
import
javax.servlet.ServletInputStream
;
import
org.apache.commons.io.IOUtils
;
import
org.springframework.http.HttpHeaders
;
import
org.springframework.http.MediaType
;
public
class
XssHttpServletRequestWrapper
extends
HttpServletRequestWrapper
{
// 没被包装过的HttpServletRequest(特殊场景,需求自己过滤)
HttpServletRequest
orgRequest
;
// html过滤
private
final
static
HTMLFilter
htmlFilter
=
new
HTMLFilter
();
public
XssHttpServletRequestWrapper
(
HttpServletRequest
request
)
{
super
(
request
);
orgRequest
=
request
;
}
/**
* 过滤json参数
*/
@Override
public
ServletInputStream
getInputStream
()
throws
IOException
{
String
contentType
=
super
.
getHeader
(
HttpHeaders
.
CONTENT_TYPE
);
//非json类型,直接返回
if
(!(
MediaType
.
APPLICATION_JSON_VALUE
.
equalsIgnoreCase
(
contentType
)
||
MediaType
.
APPLICATION_JSON_UTF8_VALUE
.
equalsIgnoreCase
(
contentType
))){
return
super
.
getInputStream
();
}
//为空,直接返回
String
json
=
IOUtils
.
toString
(
super
.
getInputStream
(),
"utf-8"
);
if
(
StringUtils
.
isBlank
(
json
))
{
return
super
.
getInputStream
();
}
//xss过滤
json
=
xssEncode
(
json
);
json
=
StringEscapeUtils
.
unescapeHtml4
(
json
);
final
ByteArrayInputStream
bis
=
new
ByteArrayInputStream
(
json
.
getBytes
(
"utf-8"
));
return
new
ServletInputStream
()
{
@Override
public
boolean
isFinished
()
{
return
true
;
}
@Override
public
boolean
isReady
()
{
return
true
;
}
@Override
public
void
setReadListener
(
ReadListener
readListener
)
{
}
@Override
public
int
read
()
throws
IOException
{
return
bis
.
read
();
}
};
}
@Override
public
String
getParameter
(
String
name
)
{
String
value
=
super
.
getParameter
(
xssEncode
(
name
));
if
(
StringUtils
.
isNotBlank
(
value
))
{
value
=
xssEncode
(
value
);
}
return
StringEscapeUtils
.
unescapeHtml4
(
value
);
}
@Override
public
String
[]
getParameterValues
(
String
name
)
{
String
[]
parameters
=
super
.
getParameterValues
(
name
);
if
(
parameters
==
null
||
parameters
.
length
==
0
)
{
return
null
;
}
for
(
int
i
=
0
;
i
<
parameters
.
length
;
i
++)
{
parameters
[
i
]
=
xssEncode
(
parameters
[
i
]);
parameters
[
i
]
=
StringEscapeUtils
.
unescapeHtml4
(
parameters
[
i
]);
}
return
parameters
;
}
@Override
public
Map
<
String
,
String
[]>
getParameterMap
()
{
Map
<
String
,
String
[]>
map
=
new
LinkedHashMap
<>();
Map
<
String
,
String
[]>
parameters
=
super
.
getParameterMap
();
for
(
String
key
:
parameters
.
keySet
())
{
String
[]
values
=
parameters
.
get
(
key
);
for
(
int
i
=
0
;
i
<
values
.
length
;
i
++)
{
values
[
i
]
=
xssEncode
(
values
[
i
]);
values
[
i
]
=
StringEscapeUtils
.
unescapeHtml4
(
values
[
i
]);
}
map
.
put
(
key
,
values
);
}
return
map
;
}
@Override
public
String
getHeader
(
String
name
)
{
String
value
=
super
.
getHeader
(
xssEncode
(
name
));
if
(
StringUtils
.
isNotBlank
(
value
))
{
value
=
xssEncode
(
value
);
}
return
StringEscapeUtils
.
unescapeHtml4
(
value
);
}
private
String
xssEncode
(
String
input
)
{
return
htmlFilter
.
filter
(
input
);
}
/**
* 获取最原始的request
*/
public
HttpServletRequest
getOrgRequest
()
{
return
orgRequest
;
}
/**
* 获取最原始的request
*/
public
static
HttpServletRequest
getOrgRequest
(
HttpServletRequest
request
)
{
if
(
request
instanceof
XssHttpServletRequestWrapper
)
{
return
((
XssHttpServletRequestWrapper
)
request
).
getOrgRequest
();
}
return
request
;
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment