github
/
RuoYi
mirror of https://gitee.com/y_project/RuoYi.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

优化XSS跨站脚本过滤

pull/274/MERGE
RuoYi 2021-07-28 16:37:56 +08:00
parent 15c7578692
commit 27277b51d7
4 changed files with 127 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ruoyi-common/src/main/java/com/ruoyi/common/constant/Constants.java
View File

@ -17,6 +17,16 @@ public class Constants
*/ */
public static final String GBK = "GBK"; public static final String GBK = "GBK";
/**
* http
*/
public static final String HTTP = "http://";
/**
* https
*/
public static final String HTTPS = "https://";
/** /**
* *
*/ */

108
ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java
View File

@ -1,7 +1,13 @@
package com.ruoyi.common.utils; package com.ruoyi.common.utils;
import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set;
import org.springframework.util.AntPathMatcher;
import com.ruoyi.common.constant.Constants;
import com.ruoyi.common.core.text.StrFormatter; import com.ruoyi.common.core.text.StrFormatter;
/** /**
@ -256,6 +262,68 @@ public class StringUtils extends org.apache.commons.lang3.StringUtils
return StrFormatter.format(template, params); return StrFormatter.format(template, params);
} }
/**
* http(s)://开头
*
* @param link
* @return
*/
public static boolean ishttp(String link)
{
return StringUtils.startsWithAny(link, Constants.HTTP, Constants.HTTPS);
}
/**
* set
*
* @param str
* @param sep
* @return set
*/
public static final Set<String> str2Set(String str, String sep)
{
return new HashSet<String>(str2List(str, sep, true, false));
}
/**
* list
*
* @param str
* @param sep
* @param filterBlank
* @param trim
* @return list
*/
public static final List<String> str2List(String str, String sep, boolean filterBlank, boolean trim)
{
List<String> list = new ArrayList<String>();
if (StringUtils.isEmpty(str))
{
return list;
}
// 过滤空白字符串
if (filterBlank && StringUtils.isBlank(str))
{
return list;
}
String[] split = str.split(sep);
for (String string : split)
{
if (filterBlank && StringUtils.isBlank(string))
{
continue;
}
if (trim)
{
string = string.trim();
}
list.add(string);
}
return list;
}
/** /**
* 线 * 线
*/ */
@ -301,6 +369,7 @@ public class StringUtils extends org.apache.commons.lang3.StringUtils
} }
sb.append(Character.toLowerCase(c)); sb.append(Character.toLowerCase(c));
} }
return sb.toString(); return sb.toString();
} }
@ -400,6 +469,45 @@ public class StringUtils extends org.apache.commons.lang3.StringUtils
return sb.toString(); return sb.toString();
} }
/**
*
*
* @param str
* @param strs
* @return
*/
public static boolean matches(String str, List<String> strs)
{
if (isEmpty(str) || isEmpty(strs))
{
return false;
}
for (String pattern : strs)
{
if (isMatch(pattern, str))
{
return true;
}
}
return false;
}
/**
* url:
* ? ;
* * ;
* ** ;
*
* @param pattern
* @param url url
* @return
*/
public static boolean isMatch(String pattern, String url)
{
AntPathMatcher matcher = new AntPathMatcher();
return matcher.match(pattern, url);
}
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
public static <T> T cast(Object obj) public static <T> T cast(Object obj)
{ {

33
ruoyi-common/src/main/java/com/ruoyi/common/xss/XssFilter.java
View File

@ -3,8 +3,6 @@ package com.ruoyi.common.xss;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter; import javax.servlet.Filter;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.FilterConfig; import javax.servlet.FilterConfig;
@ -27,16 +25,10 @@ public class XssFilter implements Filter
*/ */
public List<String> excludes = new ArrayList<>(); public List<String> excludes = new ArrayList<>();
/**
* xss
*/
public boolean enabled = false;
@Override @Override
public void init(FilterConfig filterConfig) throws ServletException public void init(FilterConfig filterConfig) throws ServletException
{ {
String tempExcludes = filterConfig.getInitParameter("excludes"); String tempExcludes = filterConfig.getInitParameter("excludes");
String tempEnabled = filterConfig.getInitParameter("enabled");
if (StringUtils.isNotEmpty(tempExcludes)) if (StringUtils.isNotEmpty(tempExcludes))
{ {
String[] url = tempExcludes.split(","); String[] url = tempExcludes.split(",");
@ -45,10 +37,6 @@ public class XssFilter implements Filter
excludes.add(url[i]); excludes.add(url[i]);
} }
} }
if (StringUtils.isNotEmpty(tempEnabled))
{
enabled = Boolean.valueOf(tempEnabled);
}
} }
@Override @Override
@ -68,25 +56,14 @@ public class XssFilter implements Filter
private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response)
{ {
if (!enabled) String url = request.getServletPath();
String method = request.getMethod();
// GET DELETE 不过滤
if (method == null || method.matches("GET") || method.matches("DELETE"))
{ {
return true; return true;
} }
if (excludes == null || excludes.isEmpty()) return StringUtils.matches(url, excludes);
{
return false;
}
String url = request.getServletPath();
for (String pattern : excludes)
{
Pattern p = Pattern.compile("^" + pattern);
Matcher m = p.matcher(url);
if (m.find())
{
return true;
}
}
return false;
} }
@Override @Override

8
ruoyi-framework/src/main/java/com/ruoyi/framework/config/FilterConfig.java
View File

@ -4,6 +4,7 @@ import java.util.HashMap;
import java.util.Map; import java.util.Map;
import javax.servlet.DispatcherType; import javax.servlet.DispatcherType;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
@ -16,11 +17,9 @@ import com.ruoyi.common.xss.XssFilter;
* @author ruoyi * @author ruoyi
*/ */
@Configuration @Configuration
@ConditionalOnProperty(value = "xss.enabled", havingValue = "true")
public class FilterConfig public class FilterConfig
{ {
@Value("${xss.enabled}")
private String enabled;
@Value("${xss.excludes}") @Value("${xss.excludes}")
private String excludes; private String excludes;
@ -36,10 +35,9 @@ public class FilterConfig
registration.setFilter(new XssFilter()); registration.setFilter(new XssFilter());
registration.addUrlPatterns(StringUtils.split(urlPatterns, ",")); registration.addUrlPatterns(StringUtils.split(urlPatterns, ","));
registration.setName("xssFilter"); registration.setName("xssFilter");
registration.setOrder(Integer.MAX_VALUE); registration.setOrder(FilterRegistrationBean.HIGHEST_PRECEDENCE);
Map<String, String> initParameters = new HashMap<String, String>(); Map<String, String> initParameters = new HashMap<String, String>();
initParameters.put("excludes", excludes); initParameters.put("excludes", excludes);
initParameters.put("enabled", enabled);
registration.setInitParameters(initParameters); registration.setInitParameters(initParameters);
return registration; return registration;
} }