4141b16a73b9653c22d0706201d85cd31022930f.svn-base 7.0 KB

  1. package cn.com.goldenwater.dcproj.filter;
  2. import net.sf.json.JSONArray;
  3. import net.sf.json.JSONObject;
  4. import org.apache.commons.lang3.StringUtils;
  5. import org.slf4j.LoggerFactory;
  6. import javax.servlet.ReadListener;
  7. import javax.servlet.ServletInputStream;
  8. import javax.servlet.http.HttpServletRequest;
  9. import javax.servlet.http.HttpServletResponse;
  10. import java.io.*;
  11. import java.nio.charset.StandardCharsets;
  12. import java.util.ArrayList;
  13. import java.util.HashMap;
  14. import java.util.List;
  15. import java.util.Map;
  16. /**
  17. * @author 81229
  18. * 防xss攻击方案
  19. */
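/**
 * Request wrapper intended to sanitise headers, parameters, String/Map attributes and JSON
 * request bodies before they reach the application (original author note: anti-XSS scheme).
 *
 * <p><b>NOTE(review):</b> in its current state this wrapper performs no sanitisation at all:
 * {@link #cleanXSS(String)} returns its argument unchanged because the earlier
 * token-blacklist implementation was disabled. Every overridden accessor therefore hands back
 * the raw request data. Either implement context-appropriate encoding in {@code cleanXSS} or
 * stop registering this wrapper, so that its presence does not suggest a control that is not
 * there.
 *
 * <p>Body handling only covers a top-level JSON object or a top-level array of JSON objects,
 * and only String values directly inside those objects (no recursion into nested structures).
 * Any other body (form-encoded, XML, plain text) is passed through untouched.
 *
 * @author 81229
 */
public class XssHttpServletRequestWrapper extends BodyReaderHttpServletRequestWrapper {

    private static final org.slf4j.Logger LOGGER =
            LoggerFactory.getLogger(XssHttpServletRequestWrapper.class);

    /** The wrapped request; package-visible for callers in this package. */
    HttpServletRequest request;
    /** The response paired with the request; not used by this class itself. */
    HttpServletResponse response;

    /**
     * Constructs a request object wrapping the given request.
     *
     * @param request  the request to wrap
     * @param response the response paired with the request
     * @throws IllegalArgumentException if the request is null (raised by the servlet wrapper
     *                                  base class)
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request, HttpServletResponse response) {
        super(request);
        this.request = request;
        this.response = response;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Non-empty values are passed through {@link #cleanXSS(String)}.
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return StringUtils.isEmpty(value) ? value : cleanXSS(value);
    }

    /**
     * {@inheritDoc}
     *
     * <p>Non-empty values are passed through {@link #cleanXSS(String)}.
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(name);
        return StringUtils.isEmpty(value) ? value : cleanXSS(value);
    }

    /**
     * {@inheritDoc}
     *
     * <p>String attributes are cleaned directly; Map attributes get a shallow copy whose String
     * values are cleaned. Any other attribute type is returned as stored.
     */
    @Override
    public Object getAttribute(String name) {
        Object attribute = super.getAttribute(name);
        if (attribute instanceof Map) {
            // Attributes are stored untyped; the String-keyed shape is what getParams expects.
            // NOTE(review): a Map with non-String keys would slip through this unchecked cast.
            @SuppressWarnings("unchecked")
            Map<String, Object> asMap = (Map<String, Object>) attribute;
            return getParams(asMap);
        }
        if (attribute instanceof String) {
            return cleanXSS((String) attribute);
        }
        return attribute;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Returns a cleaned copy of the values, or {@code null} when the parameter is absent.
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = super.getParameterValues(name);
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = cleanXSS(values[i]);
        }
        return cleaned;
    }

    /**
     * Returns a shallow copy of {@code map} in which every String value has been passed through
     * {@link #cleanXSS(String)}; non-String values (numbers, nested maps, lists) are copied as-is.
     *
     * @param map the source map, not {@code null}
     * @return a new {@link HashMap} with the same keys
     */
    private Map<String, Object> getParams(Map<String, Object> map) {
        Map<String, Object> result = new HashMap<>(map.size());
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            Object value = entry.getValue();
            result.put(entry.getKey(), value instanceof String ? cleanXSS((String) value) : value);
        }
        return result;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Reads the whole body, rewrites JSON bodies through {@link #getParams(Map)} and serves
     * the result from an in-memory stream. The body is decoded and re-encoded as UTF-8 on both
     * sides; the previous {@code getBytes()} call used the platform default charset and could
     * corrupt non-ASCII bodies on a non-UTF-8 JVM.
     *
     * @throws IOException if the underlying stream cannot be obtained
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        String body = getRequestBody(super.getInputStream());
        if (StringUtils.isNotBlank(body)) {
            body = sanitizeJsonBody(body);
        }
        final ByteArrayInputStream bytes =
                new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8));
        return new ServletInputStream() {
            @Override
            public int read() {
                return bytes.read();
            }

            @Override
            public int read(byte[] b, int off, int len) {
                return bytes.read(b, off, len);
            }

            @Override
            public boolean isFinished() {
                // The whole body is buffered, so "finished" is simply "nothing left to read".
                return bytes.available() == 0;
            }

            @Override
            public boolean isReady() {
                // In-memory data never blocks; reporting false here stalls non-blocking readers.
                return true;
            }

            @Override
            public void setReadListener(ReadListener listener) {
                // Fully buffered: no asynchronous notification is ever needed.
            }
        };
    }

    /**
     * Rewrites a JSON object body, or a JSON array-of-objects body, with its String values cleaned.
     *
     * <p>The original check tested the first element with {@code instanceof JSONArray} and then
     * called {@code getJSONObject}, so arrays of objects were never processed; the intended
     * condition is {@code instanceof JSONObject}. Bodies that are neither form are returned
     * unchanged.
     *
     * @param body the non-blank request body
     * @return the re-serialised body, or {@code body} itself when it is not handled
     */
    private String sanitizeJsonBody(String body) {
        // Leading whitespace must not hide the JSON start marker.
        String trimmed = body.trim();
        if (trimmed.startsWith("{")) {
            JSONObject jsonObject = JSONObject.fromObject(body);
            return JSONObject.fromObject(getParams(toMap(jsonObject))).toString();
        }
        if (trimmed.startsWith("[")) {
            JSONArray jsonArray = JSONArray.fromObject(body);
            if (jsonArray != null && jsonArray.size() > 0 && jsonArray.get(0) instanceof JSONObject) {
                List<Map<String, Object>> cleaned = new ArrayList<>(jsonArray.size());
                for (int i = 0; i < jsonArray.size(); i++) {
                    cleaned.add(getParams(toMap(jsonArray.getJSONObject(i))));
                }
                return JSONArray.fromObject(cleaned).toString();
            }
        }
        return body;
    }

    /**
     * Converts a {@link JSONObject} into the String-keyed map shape used by {@link #getParams(Map)}.
     *
     * @param jsonObject the parsed object
     * @return the object's members as a map
     */
    @SuppressWarnings("unchecked") // JSONObject.toBean(..., Map.class) yields a raw Map
    private static Map<String, Object> toMap(JSONObject jsonObject) {
        return (Map<String, Object>) JSONObject.toBean(jsonObject, Map.class);
    }

    /**
     * Sanitises a single value before it is handed back to the application.
     *
     * <p><b>NOTE(review):</b> currently a no-op; the value is returned unchanged. The previous
     * implementation, which split the value on spaces and replaced any token matching a blacklist
     * of SQL and JavaScript keywords with {@code "forbid"} (plus a few regex removals), was
     * commented out and has been removed here. That approach also mangled ordinary text, e.g. the
     * word "from". Any replacement should encode for the output context rather than blacklist
     * keywords.
     *
     * @param value the raw value, may be {@code null}
     * @return the value, currently unmodified
     */
    private String cleanXSS(String value) {
        return value;
    }

    /**
     * Reads the whole request body from {@code stream} as UTF-8 text.
     *
     * <p>Reads characters rather than lines, so line terminators are preserved (the previous
     * line-based loop silently dropped every newline). The stream is not closed here because it
     * belongs to the caller, normally the container's request stream.
     *
     * @param stream the request body stream, positioned at the start of the body
     * @return the body text; on a read error, whatever was read before the error (the error is
     *         logged rather than propagated, keeping the no-throws signature existing callers rely on)
     */
    public static String getRequestBody(InputStream stream) {
        StringBuilder body = new StringBuilder();
        Reader reader = new InputStreamReader(stream, StandardCharsets.UTF_8);
        char[] buffer = new char[4096];
        try {
            int read;
            while ((read = reader.read(buffer)) != -1) {
                body.append(buffer, 0, read);
            }
        } catch (IOException e) {
            LOGGER.error("Failed to read request body", e);
        }
        return body.toString();
    }
}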
  187. }