SpringCloud之Zuul网关过滤器,处理XSS攻击和SQL注入

编写一个过滤器SqLinjectionFilter,继承ZuulFilter

代码如下:

import com.google.gson.Gson;
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import com.netflix.zuul.http.ServletInputStreamWrapper;
import com.yijiayi.common.bean.ResponseCode;
import com.yijiayi.common.bean.ResponseResult;
import lombok.extern.slf4j.Slf4j;
import net.sf.json.JSONObject;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;
import org.springframework.stereotype.Component;
import org.springframework.util.StreamUtils;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.util.HashMap;
import java.util.Map;
/**
* 对请求json参数进行防sql注入过滤
*
* @create 2019-04-15
*/
@Component
@Slf4j
@RefreshScope
public class SqLinjectionFilter extends ZuulFilter {
	@Override
	public String filterType() {
		return FilterConstants.PRE_TYPE;
	}
	// 自定义过滤器执行的顺序,数值越大越靠后执行,越小就越先执行
	@Override
	public int filterOrder() {
		return FilterConstants.PRE_DECORATION_FILTER_ORDER - 2;
	}
	@Override
	public boolean shouldFilter() {
		return true;
	}
	// 执行过滤逻辑
	@Override
	public Object run() {
		RequestContext ctx = RequestContext.getCurrentContext();
		HttpServletRequest request = ctx.getRequest();
		try {
			InputStream in = ctx.getRequest().getInputStream();
			String body = StreamUtils.copyToString(in, Charset.forName("UTF-8"));
			Map stringObjectMap = cleanXSS(body);
			JSONObject json = JSONObject.fromObject(stringObjectMap);
			String newBody = json.toString();
			//	如果存在sql注入,直接拦截请求
			if (newBody.contains("forbid")) {
				setUnauthorizedResponse(ctx);
			}
			final byte[] reqBodyBytes = newBody.getBytes();
			ctx.setRequest(new HttpServletRequestWrapper(request){

			@Override
			public ServletInputStream getInputStream() throws IOException {
				return new ServletInputStreamWrapper(reqBodyBytes);
			}

			@Override
			public int getContentLength() {
				return reqBodyBytes.length;
			}
	
			@Override
			public long getContentLengthLong() {
				return reqBodyBytes.length;
			}
			});
		} catch (IOException e) {
			e.printStackTrace();
		}
		return null;
	}

	private Map cleanXSS(String value) {
		value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
		value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
		value = value.replaceAll("'", "& #39;");
		value = value.replaceAll("eval\\((.*)\\)", "");
		value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
		value = value.replaceAll("script", "");
		value = value.replaceAll("[*]","["+"*]");
		value = value.replaceAll("[+]","["+"+]");
		value = value.replaceAll("[?]","["+"?]");

		String badStr = "'|and|exec|execute|insert|select|delete|update|count|drop|%|chr|mid|master|truncate|" +
					"char|declare|sitename|net user|xp_cmdshell|;|or|+|,|like'|and|exec|execute|insert|create|drop|" +
					"table|from|grant|use|group_concat|column_name|" +
					"information_schema.columns|table_schema|union|where|select|delete|update|order|by|count|" +
					"chr|mid|master|truncate|char|declare|or|;|--|,|like|//|/|%|#";

	JSONObject json = JSONObject.fromObject(value);
	String[] badStrs = badStr.split("\\|");
	Map map = json;
	Map mapjson = new HashMap<>();
	for (Map.Entry entry : map.entrySet()) {
		String value1 =  entry.getValue().toString();
		for (String bad : badStrs) {
				if (value1.equalsIgnoreCase(bad)) {
					value1 = "forbid";
					mapjson.put(entry.getKey(),value1);
					break;
				} else {
					mapjson.put(entry.getKey(),entry.getValue());
				}
			}
		}
		return mapjson;
	}
	/**
	 * 设置500拦截状态
	 */
	private void setUnauthorizedResponse(RequestContext requestContext) {
		Gson gson = new Gson();
		ResponseResult jResult = ResponseResult.e(ResponseCode.TOKEN_ILLEGAL_REQUEST);
		requestContext.setResponseBody(gson.toJson(jResult));
	}
}

你可能感兴趣的:(Java)