../问题处理

zd-modules/zd-airbottle/src/main/java/com/zd/airbottle/config/InjectFilter.java

@@ -0,0 +1,105 @@
+package com.zd.airbottle.config;
+
+import com.alibaba.fastjson.JSON;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+@Component
+public class InjectFilter implements Filter {
+    private static Logger log = LoggerFactory.getLogger(InjectFilter.class);
+    private static final String REG_EXP = "\\.\\./";
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    public void doFilter(ServletRequest request, ServletResponse response,
+                         FilterChain filterchain) throws IOException, ServletException {
+        //判断是否有注入攻击字符
+        HttpServletRequest req = (HttpServletRequest) request;
+        boolean flag = injectInput(req, response);
+        if (!flag) {
+            return;
+        } else {
+            filterchain.doFilter(request, response);
+        }
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+
+    /**
+     * 判断request中是否含有注入攻击字符
+     *
+     * @param request
+     * @return
+     */
+    public boolean injectInput(ServletRequest request, ServletResponse response) throws IOException {
+        Enumeration e = request.getParameterNames();
+        String attributeName;
+        String attributeValues[];
+        HttpServletRequest req = (HttpServletRequest) request;
+        String cookie = req.getHeader("Cookie");
+        if (!isSpecialChar(cookie, response)){
+            return false;
+        }
+        while (e.hasMoreElements()) {
+            attributeName = (String) e.nextElement();
+            //不对密码信息进行过滤，一般密码中可以包含特殊字符
+            if (attributeName.equals("username") || attributeName.equals("password")) {
+                continue;
+            }
+            attributeValues = request.getParameterValues(attributeName);
+            for (int i = 0; i < attributeValues.length; i++) {
+                if (attributeValues[i] == null || attributeValues[i].equals(""))
+                    continue;
+                boolean flag = isSpecialChar(attributeValues[i], response);
+                if (!flag){
+                    return flag;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * 判断字符串中是否含有注入攻击字符
+     */
+    private boolean isSpecialChar(String value, ServletResponse servletResponse) throws IOException {
+        Pattern pattern = Pattern.compile(REG_EXP);
+        if (value == null) {
+            return true;
+        }
+        Matcher matcher = pattern.matcher(value);
+        if (matcher.find()) {
+            log.info("入参中有非法字符: " + value);
+            HttpServletResponse response = (HttpServletResponse) servletResponse;
+            Map<String, Object> responseMap = new HashMap<>();
+            // 匹配到非法字符,立即返回
+            responseMap.put("code", 500);
+            responseMap.put("msg", "入参中有非法字符");
+            response.setContentType("application/json;charset=UTF-8");
+            response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
+            PrintWriter writer = response.getWriter();
+            writer.write(JSON.toJSONString(responseMap));
+            writer.flush();
+            writer.close();
+            return false;
+        }
+        return true;
+    }
+}

zd-modules/zd-algorithm/src/main/java/com/zd/alg/config/InjectFilter.java

@@ -0,0 +1,106 @@
+package com.zd.alg.config;
+
+import com.alibaba.fastjson.JSON;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@Component
+public class InjectFilter implements Filter {
+    private static Logger log = LoggerFactory.getLogger(InjectFilter.class);
+    private static final String REG_EXP = "\\.\\./";
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    public void doFilter(ServletRequest request, ServletResponse response,
+                         FilterChain filterchain) throws IOException, ServletException {
+        //判断是否有注入攻击字符
+        HttpServletRequest req = (HttpServletRequest) request;
+        boolean flag = injectInput(req, response);
+        if (!flag) {
+            return;
+        } else {
+            filterchain.doFilter(request, response);
+        }
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+
+    /**
+     * 判断request中是否含有注入攻击字符
+     *
+     * @param request
+     * @return
+     */
+    public boolean injectInput(ServletRequest request, ServletResponse response) throws IOException {
+        Enumeration e = request.getParameterNames();
+        String attributeName;
+        String attributeValues[];
+        HttpServletRequest req = (HttpServletRequest) request;
+        String cookie = req.getHeader("Cookie");
+        if (!isSpecialChar(cookie, response)){
+            return false;
+        }
+        while (e.hasMoreElements()) {
+            attributeName = (String) e.nextElement();
+            //不对密码信息进行过滤，一般密码中可以包含特殊字符
+            if (attributeName.equals("username") || attributeName.equals("password")) {
+                continue;
+            }
+            attributeValues = request.getParameterValues(attributeName);
+            for (int i = 0; i < attributeValues.length; i++) {
+                if (attributeValues[i] == null || attributeValues[i].equals(""))
+                    continue;
+                boolean flag = isSpecialChar(attributeValues[i], response);
+                if (!flag){
+                    return flag;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * 判断字符串中是否含有注入攻击字符
+     */
+    private boolean isSpecialChar(String value, ServletResponse servletResponse) throws IOException {
+        Pattern pattern = Pattern.compile(REG_EXP);
+        if (value == null) {
+            return true;
+        }
+        Matcher matcher = pattern.matcher(value);
+        if (matcher.find()) {
+            log.info("入参中有非法字符: " + value);
+            HttpServletResponse response = (HttpServletResponse) servletResponse;
+            Map<String, Object> responseMap = new HashMap<>();
+            // 匹配到非法字符,立即返回
+            responseMap.put("code", 500);
+            responseMap.put("msg", "入参中有非法字符");
+            response.setContentType("application/json;charset=UTF-8");
+            response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
+            PrintWriter writer = response.getWriter();
+            writer.write(JSON.toJSONString(responseMap));
+            writer.flush();
+            writer.close();
+            return false;
+        }
+        return true;
+    }
+}

zd-modules/zd-modules-laboratory/src/main/java/com/zd/laboratory/config/InjectFilter.java

@@ -0,0 +1,106 @@
+package com.zd.laboratory.config;
+
+import com.alibaba.fastjson.JSON;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+@Component
+public class InjectFilter implements Filter {
+    private static Logger log = LoggerFactory.getLogger(InjectFilter.class);
+    private static final String REG_EXP = "\\.\\./";
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    public void doFilter(ServletRequest request, ServletResponse response,
+                         FilterChain filterchain) throws IOException, ServletException {
+        //判断是否有注入攻击字符
+        HttpServletRequest req = (HttpServletRequest) request;
+        boolean flag = injectInput(req, response);
+        if (!flag) {
+            return;
+        } else {
+            filterchain.doFilter(request, response);
+        }
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+
+    /**
+     * 判断request中是否含有注入攻击字符
+     *
+     * @param request
+     * @return
+     */
+    public boolean injectInput(ServletRequest request, ServletResponse response) throws IOException {
+        Enumeration e = request.getParameterNames();
+        String attributeName;
+        String attributeValues[];
+        HttpServletRequest req = (HttpServletRequest) request;
+        String cookie = req.getHeader("Cookie");
+        if (!isSpecialChar(cookie, response)){
+            return false;
+        }
+        while (e.hasMoreElements()) {
+            attributeName = (String) e.nextElement();
+            //不对密码信息进行过滤，一般密码中可以包含特殊字符
+            if (attributeName.equals("username") || attributeName.equals("password")) {
+                continue;
+            }
+            attributeValues = request.getParameterValues(attributeName);
+            for (int i = 0; i < attributeValues.length; i++) {
+                if (attributeValues[i] == null || attributeValues[i].equals(""))
+                    continue;
+                boolean flag = isSpecialChar(attributeValues[i], response);
+                if (!flag){
+                    return flag;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * 判断字符串中是否含有注入攻击字符
+     */
+    private boolean isSpecialChar(String value, ServletResponse servletResponse) throws IOException {
+        Pattern pattern = Pattern.compile(REG_EXP);
+        if (value == null) {
+            return true;
+        }
+        Matcher matcher = pattern.matcher(value);
+        if (matcher.find()) {
+            log.info("入参中有非法字符: " + value);
+            HttpServletResponse response = (HttpServletResponse) servletResponse;
+            Map<String, Object> responseMap = new HashMap<>();
+            // 匹配到非法字符,立即返回
+            responseMap.put("code", 500);
+            responseMap.put("msg", "入参中有非法字符");
+            response.setContentType("application/json;charset=UTF-8");
+            response.setStatus(HttpStatus.INTERNAL_SERVER_ERROR.value());
+            PrintWriter writer = response.getWriter();
+            writer.write(JSON.toJSONString(responseMap));
+            writer.flush();
+            writer.close();
+            return false;
+        }
+        return true;
+    }
+}