优化XSS跨站脚本过滤
This commit is contained in:
parent
e6becb9337
commit
6b5dd4d2be
@ -115,6 +115,6 @@ xss:
|
|||||||
# 过滤开关
|
# 过滤开关
|
||||||
enabled: true
|
enabled: true
|
||||||
# 排除链接(多个用逗号分隔)
|
# 排除链接(多个用逗号分隔)
|
||||||
excludes: /system/notice/*
|
excludes: /system/notice
|
||||||
# 匹配链接
|
# 匹配链接
|
||||||
urlPatterns: /system/*,/monitor/*,/tool/*
|
urlPatterns: /system/*,/monitor/*,/tool/*
|
||||||
|
@ -3,8 +3,6 @@ package com.ruoyi.common.filter;
|
|||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.regex.Matcher;
|
|
||||||
import java.util.regex.Pattern;
|
|
||||||
import javax.servlet.Filter;
|
import javax.servlet.Filter;
|
||||||
import javax.servlet.FilterChain;
|
import javax.servlet.FilterChain;
|
||||||
import javax.servlet.FilterConfig;
|
import javax.servlet.FilterConfig;
|
||||||
@ -27,16 +25,10 @@ public class XssFilter implements Filter
|
|||||||
*/
|
*/
|
||||||
public List<String> excludes = new ArrayList<>();
|
public List<String> excludes = new ArrayList<>();
|
||||||
|
|
||||||
/**
|
|
||||||
* xss过滤开关
|
|
||||||
*/
|
|
||||||
public boolean enabled = false;
|
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void init(FilterConfig filterConfig) throws ServletException
|
public void init(FilterConfig filterConfig) throws ServletException
|
||||||
{
|
{
|
||||||
String tempExcludes = filterConfig.getInitParameter("excludes");
|
String tempExcludes = filterConfig.getInitParameter("excludes");
|
||||||
String tempEnabled = filterConfig.getInitParameter("enabled");
|
|
||||||
if (StringUtils.isNotEmpty(tempExcludes))
|
if (StringUtils.isNotEmpty(tempExcludes))
|
||||||
{
|
{
|
||||||
String[] url = tempExcludes.split(",");
|
String[] url = tempExcludes.split(",");
|
||||||
@ -45,10 +37,6 @@ public class XssFilter implements Filter
|
|||||||
excludes.add(url[i]);
|
excludes.add(url[i]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (StringUtils.isNotEmpty(tempEnabled))
|
|
||||||
{
|
|
||||||
enabled = Boolean.valueOf(tempEnabled);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@ -68,25 +56,14 @@ public class XssFilter implements Filter
|
|||||||
|
|
||||||
private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response)
|
private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response)
|
||||||
{
|
{
|
||||||
if (!enabled)
|
|
||||||
{
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
if (excludes == null || excludes.isEmpty())
|
|
||||||
{
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
String url = request.getServletPath();
|
String url = request.getServletPath();
|
||||||
for (String pattern : excludes)
|
String method = request.getMethod();
|
||||||
{
|
// GET DELETE 不过滤
|
||||||
Pattern p = Pattern.compile("^" + pattern);
|
if (method == null || method.matches("GET") || method.matches("DELETE"))
|
||||||
Matcher m = p.matcher(url);
|
|
||||||
if (m.find())
|
|
||||||
{
|
{
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
return StringUtils.matches(url, excludes);
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -6,6 +6,7 @@ import java.util.HashSet;
|
|||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
import org.springframework.util.AntPathMatcher;
|
||||||
import com.ruoyi.common.constant.Constants;
|
import com.ruoyi.common.constant.Constants;
|
||||||
import com.ruoyi.common.core.text.StrFormatter;
|
import com.ruoyi.common.core.text.StrFormatter;
|
||||||
|
|
||||||
@ -463,6 +464,45 @@ public class StringUtils extends org.apache.commons.lang3.StringUtils
|
|||||||
return sb.toString();
|
return sb.toString();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* 查找指定字符串是否匹配指定字符串列表中的任意一个字符串
|
||||||
|
*
|
||||||
|
* @param str 指定字符串
|
||||||
|
* @param strs 需要检查的字符串数组
|
||||||
|
* @return 是否匹配
|
||||||
|
*/
|
||||||
|
public static boolean matches(String str, List<String> strs)
|
||||||
|
{
|
||||||
|
if (isEmpty(str) || isEmpty(strs))
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
for (String pattern : strs)
|
||||||
|
{
|
||||||
|
if (isMatch(pattern, str))
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* 判断url是否与规则配置:
|
||||||
|
* ? 表示单个字符;
|
||||||
|
* * 表示一层路径内的任意字符串,不可跨层级;
|
||||||
|
* ** 表示任意层路径;
|
||||||
|
*
|
||||||
|
* @param pattern 匹配规则
|
||||||
|
* @param url 需要匹配的url
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
public static boolean isMatch(String pattern, String url)
|
||||||
|
{
|
||||||
|
AntPathMatcher matcher = new AntPathMatcher();
|
||||||
|
return matcher.match(pattern, url);
|
||||||
|
}
|
||||||
|
|
||||||
@SuppressWarnings("unchecked")
|
@SuppressWarnings("unchecked")
|
||||||
public static <T> T cast(Object obj)
|
public static <T> T cast(Object obj)
|
||||||
{
|
{
|
||||||
|
@ -4,6 +4,7 @@ import java.util.HashMap;
|
|||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import javax.servlet.DispatcherType;
|
import javax.servlet.DispatcherType;
|
||||||
import org.springframework.beans.factory.annotation.Value;
|
import org.springframework.beans.factory.annotation.Value;
|
||||||
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
||||||
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
import org.springframework.boot.web.servlet.FilterRegistrationBean;
|
||||||
import org.springframework.context.annotation.Bean;
|
import org.springframework.context.annotation.Bean;
|
||||||
import org.springframework.context.annotation.Configuration;
|
import org.springframework.context.annotation.Configuration;
|
||||||
@ -17,11 +18,9 @@ import com.ruoyi.common.utils.StringUtils;
|
|||||||
* @author ruoyi
|
* @author ruoyi
|
||||||
*/
|
*/
|
||||||
@Configuration
|
@Configuration
|
||||||
|
@ConditionalOnProperty(value = "xss.enabled", havingValue = "true")
|
||||||
public class FilterConfig
|
public class FilterConfig
|
||||||
{
|
{
|
||||||
@Value("${xss.enabled}")
|
|
||||||
private String enabled;
|
|
||||||
|
|
||||||
@Value("${xss.excludes}")
|
@Value("${xss.excludes}")
|
||||||
private String excludes;
|
private String excludes;
|
||||||
|
|
||||||
@ -40,7 +39,6 @@ public class FilterConfig
|
|||||||
registration.setOrder(FilterRegistrationBean.HIGHEST_PRECEDENCE);
|
registration.setOrder(FilterRegistrationBean.HIGHEST_PRECEDENCE);
|
||||||
Map<String, String> initParameters = new HashMap<String, String>();
|
Map<String, String> initParameters = new HashMap<String, String>();
|
||||||
initParameters.put("excludes", excludes);
|
initParameters.put("excludes", excludes);
|
||||||
initParameters.put("enabled", enabled);
|
|
||||||
registration.setInitParameters(initParameters);
|
registration.setInitParameters(initParameters);
|
||||||
return registration;
|
return registration;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user