|
|
@@ -1,9 +1,10 @@
|
|
|
package com.zd.gateway.filter;
|
|
|
|
|
|
import java.nio.charset.StandardCharsets;
|
|
|
+import java.util.regex.Matcher;
|
|
|
+import java.util.regex.Pattern;
|
|
|
|
|
|
import com.sun.corba.se.impl.io.TypeMismatchException;
|
|
|
-import com.zd.common.core.exception.ServiceException;
|
|
|
import com.zd.common.core.utils.EscapeUtil;
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
|
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
|
|
|
@@ -42,7 +43,8 @@ public class XssFilter implements GlobalFilter, Ordered {
|
|
|
// GET DELETE 不过滤
|
|
|
HttpMethod method = request.getMethod();
|
|
|
if (method == null || method.matches("GET") || method.matches("DELETE")) {
|
|
|
- if(request.getURI().getSchemeSpecificPart().indexOf("..")!=-1){
|
|
|
+ boolean result = checkIsXSS(request.getURI().getSchemeSpecificPart());
|
|
|
+ if(result){
|
|
|
throw new TypeMismatchException("非法参数异常!");
|
|
|
}
|
|
|
return chain.filter(exchange);
|
|
|
@@ -112,4 +114,79 @@ public class XssFilter implements GlobalFilter, Ordered {
|
|
|
public int getOrder() {
|
|
|
return -100;
|
|
|
}
|
|
|
+
|
|
|
+
|
|
|
+
|
|
|
+ private static Pattern[] patterns = new Pattern[]{
|
|
|
+ // Script fragments
|
|
|
+ Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
|
|
|
+ // src='...'
|
|
|
+ Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
|
|
|
+ Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
|
|
|
+ // lonely script tags
|
|
|
+ Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
|
|
|
+ Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
|
|
|
+ // eval(...)
|
|
|
+ Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
|
|
|
+ // expression(...)
|
|
|
+ Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
|
|
|
+ // javascript:...
|
|
|
+ Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
|
|
|
+ // vbscript:...
|
|
|
+ Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
|
|
|
+ // 空格英文单双引号
|
|
|
+ Pattern.compile("[\\s\'\"]+", Pattern.CASE_INSENSITIVE),
|
|
|
+ // onload(...)=...
|
|
|
+ Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
|
|
|
+ // alert
|
|
|
+ Pattern.compile("alert(.*?)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
|
|
|
+ Pattern.compile("<", Pattern.MULTILINE | Pattern.DOTALL),
|
|
|
+ Pattern.compile(">", Pattern.MULTILINE | Pattern.DOTALL),
|
|
|
+ //Checks any html tags i.e. <script, <embed, <object etc.
|
|
|
+ Pattern.compile("(<(script|iframe|embed|frame|frameset|object|img|applet|body|html|style|layer|link|ilayer|meta|bgsound))")
|
|
|
+ };
|
|
|
+
|
|
|
+ /**
|
|
|
+ * xss替换函数
|
|
|
+ *
|
|
|
+ * @param value 需要替换的字符
|
|
|
+ * @return 替换后的字符
|
|
|
+ */
|
|
|
+ public static String stripXSS(String value) {
|
|
|
+ if (value != null) {
|
|
|
+ // TODO ESAPI library
|
|
|
+ // NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
|
|
|
+ // avoid encoded attacks.
|
|
|
+ // value = ESAPI.encoder().canonicalize(value);
|
|
|
+
|
|
|
+ // Avoid null characters
|
|
|
+ value = value.replaceAll("\0", "");
|
|
|
+
|
|
|
+ // Remove all sections that match a pattern
|
|
|
+ for (Pattern scriptPattern : patterns) {
|
|
|
+ value = scriptPattern.matcher(value).replaceAll("");
|
|
|
+ }
|
|
|
+ }
|
|
|
+ return value;
|
|
|
+ }
|
|
|
+
|
|
|
+ /**
|
|
|
+ * xss校验函数
|
|
|
+ *
|
|
|
+ * @param value 需要校验的字符
|
|
|
+ * @return 返回值:true 表示存在xss漏洞,false:不存在
|
|
|
+ */
|
|
|
+ public static boolean checkIsXSS(String value) {
|
|
|
+ boolean isXss = false;
|
|
|
+ if (value != null) {
|
|
|
+ for (Pattern scriptPattern : patterns) {
|
|
|
+ Matcher matcher = scriptPattern.matcher(value);
|
|
|
+ if (matcher.find()) {
|
|
|
+ isXss = true;
|
|
|
+ break;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ return isXss;
|
|
|
+ }
|
|
|
}
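Review bot: `stripXSS` applies the patterns in a single sequential pass, so a later removal can recreate a match for an earlier pattern and the "sanitized" output still carries the payload: for the input `java\tscript:` the `javascript:` pattern (index 7) does not match, then `[\s'"]+` (index 9) deletes the tab, and the method returns `javascript:` — which browsers accept as a script URL because they strip tabs/newlines from scheme names. Re-run the pattern loop until the value stops changing (below), or at minimum move the whitespace/quote pattern ahead of the keyword patterns; `checkIsXSS` is not affected since it only needs one pattern to fire. Two smaller points in the same hunk: `alert(.*?)` degenerates to the literal `alert` because the lazy group matches the empty string, and `patterns` should be `private static final Pattern[] patterns` so the blacklist cannot be reassigned at runtime. The commented-out ESAPI canonicalization is also the only defence against entity/percent-encoded variants, so the blacklist should be documented as best-effort rather than a guarantee.

```java
    public static String stripXSS(String value) {
        if (value != null) {
            // … unchanged: ESAPI note and null-byte removal …

            // Iterate to a fixed point: removing one match (e.g. a tab via [\s'"]+)
            // can expose a match for an earlier pattern (e.g. "javascript:").
            String previous;
            do {
                previous = value;
                for (Pattern scriptPattern : patterns) {
                    value = scriptPattern.matcher(value).replaceAll("");
                }
            } while (!value.equals(previous));
        }
        return value;
    }
```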
|