2023-11-9 拦截器加入sql校验。

zd-gateway/src/main/java/com/zd/gateway/filter/XssFilter.java

@@ -37,6 +37,9 @@ public class XssFilter implements GlobalFilter, Ordered {
     @Autowired
     private XssProperties xss;
 
+    private static final Pattern PATTERN = Pattern.compile("\\b(\\s*and\\s*|\\s*exec\\s*|\\s*insert\\s*|\\s*select\\s*|\\s*drop\\s*|\\s*grant\\s*|\\s*alter\\s*|\\s*" +
+            "delete\\s*|\\s*update\\s*|\\s*count\\s*|\\s*chr\\s*|\\s*mid\\s*|\\s*master\\s*|\\s*truncate\\s*|\\s*char\\s*|\\s*declare\\s*|\\s*or\\s*)\\b|(\\*|;|\\+)");
+
     @Override
     public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
         ServerHttpRequest request = exchange.getRequest();
@@ -50,6 +53,11 @@ public class XssFilter implements GlobalFilter, Ordered {
             if(result){
                 throw new TypeMismatchException("非法参数异常!");
             }
+            String urlPath = request.getURI().getSchemeSpecificPart().toLowerCase();
+            Matcher matcher = PATTERN.matcher(urlPath);
+            if(matcher.find()){
+                throw new TypeMismatchException("非法参数异常!");
+            }
             return chain.filter(exchange);
         }
         // 非json类型，不过滤