
2023-11-7 Xss GET请求做..数据拦截。

chaiyunlong пре 2 година
родитељ
комит
504c6a4355

+ 5 - 0
zd-gateway/src/main/java/com/zd/gateway/filter/XssFilter.java

@@ -2,6 +2,8 @@ package com.zd.gateway.filter;
 
 import java.nio.charset.StandardCharsets;
 
+import com.sun.corba.se.impl.io.TypeMismatchException;
+import com.zd.common.core.exception.ServiceException;
 import com.zd.common.core.utils.EscapeUtil;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -40,6 +42,9 @@ public class XssFilter implements GlobalFilter, Ordered {
         // GET DELETE 不过滤
         HttpMethod method = request.getMethod();
         if (method == null || method.matches("GET") || method.matches("DELETE")) {
+            if(request.getURI().getSchemeSpecificPart().indexOf("..")!=-1){
+                throw new TypeMismatchException("非法参数异常!");
+            }
             return chain.filter(exchange);
         }
         // 非json类型,不过滤
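Review bot: The new guard at the `if(request.getURI().getSchemeSpecificPart().indexOf("..")!=-1)` line throws `com.sun.corba.se.impl.io.TypeMismatchException`, an internal JDK class that is not public API and is no longer shipped from JDK 11 onward, while the `ServiceException` import this commit adds to the same file is never used; the same internal type is imported and matched in the `GatewayExceptionHandler` section below (the `instanceof TypeMismatchException` branch). Throwing the project's own type, `throw new ServiceException("非法参数异常!");`, and dropping the corba import keeps the build independent of removed JDK internals. The `..` test is also a raw substring match on the un-decoded scheme-specific part of the whole URI, so a percent-encoded dot sequence in the path is not caught while any legitimate query value that happens to contain two consecutive dots is rejected; running the check over the decoded path segments (for example iterating `request.getPath().pathWithinApplication().elements()` and testing each `PathSegment.valueToMatch()`) would match the stated intent more closely. Because the check sits inside the GET/DELETE branch, other methods pass the same URI through unchecked; if that scope is deliberate, a one-line comment saying so would help the next reader. The enclosing `filter` method continues outside the hunk.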

+ 6 - 3
zd-gateway/src/main/java/com/zd/gateway/handler/GatewayExceptionHandler.java

@@ -1,15 +1,16 @@
 package com.zd.gateway.handler;
 
-import org.springframework.cloud.gateway.support.NotFoundException;
+import com.sun.corba.se.impl.io.TypeMismatchException;
+import com.zd.common.core.utils.ServletUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.boot.web.reactive.error.ErrorWebExceptionHandler;
+import org.springframework.cloud.gateway.support.NotFoundException;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.server.reactive.ServerHttpResponse;
 import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.server.ServerWebExchange;
-import com.zd.common.core.utils.ServletUtils;
 import reactor.core.publisher.Mono;
 
 /**
@@ -34,7 +35,9 @@ public class GatewayExceptionHandler implements ErrorWebExceptionHandler {
         } else if (ex instanceof ResponseStatusException) {
             ResponseStatusException responseStatusException = (ResponseStatusException) ex;
             msg = responseStatusException.getMessage();
-        } else {
+        } else if (ex instanceof TypeMismatchException){
+            msg = "非法参数异常!";
+        }else {
             msg = "服务异常,请稍后重试";
         }
         log.error("[网关异常处理]请求路径:{},异常信息:{}", exchange.getRequest().getPath(), ex.getMessage());
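Review bot: The new `else if (ex instanceof TypeMismatchException)` branch hard-codes the message `"非法参数异常!"` a second time instead of taking it from the exception that `XssFilter` already builds with that text, so the two strings can drift; `msg = ex.getMessage();` keeps them in one place, and matching on the project's `ServiceException` rather than the internal `com.sun.corba` type removes the dependency on a JDK module that is absent from JDK 11 onward. The part of the handler that selects the response status is outside the hunk, so it is not visible whether a rejected request is answered with a 4xx rather than the generic failure status; for input the gateway itself rejects, a 400 would be the expected answer. The brace spacing on `}else {` should read `} else {` to match the surrounding lines. The enclosing method starts and ends outside the hunk.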