解决扫描漏洞的拦截器


import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.servlet.mvc.method.RequestMappingInfo;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

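/**
 * Class: ScanInteceptor
 * Purpose: request interceptor that rejects requests whose URI or query string
 * contains characters / keywords commonly flagged by vulnerability scanners.
 *
 * <p>Scope of the check, as implemented here:
 * <ul>
 *   <li>{@code request.getRequestURI()} and {@code request.getQueryString()} are
 *       the <em>undecoded</em> values, so only literal characters/keywords are
 *       matched; percent-encoded forms are not normalised before matching.</li>
 *   <li>The keyword list is matched as plain substrings, so legitimate values
 *       containing e.g. {@code eval} ("retrieval") or {@code alert} ("alerts")
 *       are rejected as well. Treat this as a coarse hardening layer, not as a
 *       replacement for parameterised queries and output encoding.</li>
 * </ul>
 *
 * <p>NOTE(review): {@link HandlerInterceptorAdapter} is deprecated since
 * Spring 5.3 in favour of implementing {@code HandlerInterceptor} directly;
 * the adapter's no-op {@code postHandle}/{@code afterCompletion} are used.
 *
 * @author:
 */
public class ScanInteceptor extends HandlerInterceptorAdapter {

    /**
     * Characters rejected anywhere in the lower-cased request URI.
     * Compiled once; the original recompiled it on every request.
     */
    private static final Pattern SPECIAL_CHAR = Pattern.compile("[`()|{}''\\[\\]<>()]");

    /**
     * Lower-case fragments rejected anywhere in the lower-cased query string.
     * Several entries carry a trailing space on purpose (e.g. "and ", "or ").
     */
    private static final String[] ATTACK_FRAGMENTS =
            "and |or |select |insert |update |delete |drop |truncate |alert|eval".split("\\|");

    /** Body written to the client when a request is rejected. */
    private static final String REJECT_MESSAGE = "参数含有非法字符, 已禁止继续访问!";

    /**
     * Inspects the request URI and query string before the handler runs.
     *
     * @param request  current request; URI and query string are read undecoded
     * @param response response used to write the rejection body
     * @param object   the matched handler (unused)
     * @return {@code true} to continue the chain, {@code false} after a
     *         rejection body and HTTP 403 have been written
     * @throws Exception if writing the rejection body fails
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object object) throws Exception {
        String requestPath = request.getRequestURI();
        // NOTE(review): kept on stdout as in the original; the project's logger would be the usual choice.
        System.out.println("拦截器 ========requestPath========" + requestPath);

        // Locale.ROOT: locale-sensitive lower-casing (e.g. Turkish "I") would let
        // upper-case keywords slip past the ASCII keyword list.
        if (isSpecialChar(requestPath.toLowerCase(Locale.ROOT))) {
            return reject(response);
        }

        // Read the query string once; it is null when the request carries none.
        String query = request.getQueryString();
        if (ToolUtil.isNotEmpty(query) && judgeSQLInjectUrl(query.toLowerCase(Locale.ROOT))) {
            return reject(response);
        }

        return true;
    }

    /**
     * Writes the rejection response and stops the handler chain.
     *
     * @param response response to write to
     * @return always {@code false}, so callers can {@code return reject(response)}
     * @throws IOException if the response writer cannot be obtained
     */
    private static boolean reject(HttpServletResponse response) throws IOException {
        // The original answered with 200 OK, which makes blocked requests
        // indistinguishable from successful ones in access logs and monitoring.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("text/html;charset=utf-8");
        response.getWriter().println(REJECT_MESSAGE);
        return false;
    }

    /**
     * Checks whether the query string contains one of the blocked fragments.
     *
     * @param value lower-cased query string; {@code null} or empty is accepted
     * @return {@code true} if any fragment of {@link #ATTACK_FRAGMENTS} occurs in {@code value}
     */
    private boolean judgeSQLInjectUrl(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        for (String fragment : ATTACK_FRAGMENTS) {
            if (value.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether the request URI contains one of the blocked characters.
     *
     * @param str lower-cased request URI
     * @return {@code true} if {@link #SPECIAL_CHAR} matches anywhere in {@code str}
     */
    private boolean isSpecialChar(String str) {
        return SPECIAL_CHAR.matcher(str).find();
    }

}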

注册拦截器

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Class: InterceptorConfig
 * Purpose: Spring MVC configuration that registers {@link ScanInteceptor}
 * for every request path.
 *
 * @author:
 * Created: 2019/9/18 16:19
 * Version 1.0
 */
@Configuration
public class InterceptorConfig implements WebMvcConfigurer {

    /**
     * Registers the scan interceptor on all paths ({@code /**}).
     *
     * @param registry interceptor registry supplied by Spring MVC
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        ScanInteceptor scanInterceptor = new ScanInteceptor();
        registry.addInterceptor(scanInterceptor)
                .addPathPatterns("/**");
    }
}

