From f67d7179cd415b83840150072c5c1f688bd21ad8 Mon Sep 17 00:00:00 2001
From: RuoYi
Date: Mon, 13 Aug 2018 21:40:50 +0800
Subject: [PATCH] =?UTF-8?q?xss=E5=8A=A0=E5=85=A5=E9=85=8D=E7=BD=AE?=
 =?UTF-8?q?=E6=96=87=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../ruoyi/common/constant/ShiroConstants.java | 2 +-
 .../java/com/ruoyi/common/xss/XssFilter.java | 20 +++++++++----------
 .../ruoyi/framework/config/FilterConfig.java | 17 +++++++++++++---
 .../ruoyi/framework/config/ShiroConfig.java | 6 +++---
 .../filter/captcha/CaptchaValidateFilter.java | 10 +++++-----
 src/main/resources/application.yml | 11 +++++++++-
 src/main/resources/templates/login.html | 2 +-
 7 files changed, 43 insertions(+), 25 deletions(-)
diff --git a/src/main/java/com/ruoyi/common/constant/ShiroConstants.java b/src/main/java/com/ruoyi/common/constant/ShiroConstants.java
index a0583536d..dfce28d31 100644
--- a/src/main/java/com/ruoyi/common/constant/ShiroConstants.java
+++ b/src/main/java/com/ruoyi/common/constant/ShiroConstants.java
@@ -45,7 +45,7 @@ public interface ShiroConstants
 /**
 * 验证码开关
 */
- public static final String CURRENT_EBABLED = "captchaEbabled";
+ public static final String CURRENT_ENABLED = "captchaEnabled";
 
 /**
 * 验证码开关
diff --git a/src/main/java/com/ruoyi/common/xss/XssFilter.java b/src/main/java/com/ruoyi/common/xss/XssFilter.java
index 50179423c..4495ca491 100644
--- a/src/main/java/com/ruoyi/common/xss/XssFilter.java
+++ b/src/main/java/com/ruoyi/common/xss/XssFilter.java
@@ -11,7 +11,6 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
-import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import com.ruoyi.common.utils.StringUtils;
@@ -21,7 +20,6 @@ import com.ruoyi.common.utils.StringUtils;
 *
 * @author ruoyi
 */
-@WebFilter(filterName = "xssFilter", urlPatterns = "/system/*")
 public class XssFilter implements Filter
 {
 /**
@@ -32,14 +30,14 @@ public class XssFilter implements Filter
 /**
 * xss过滤开关
 */
- public boolean xssEbabled = false;
+ public boolean enabled = false;
 
 @Override
 public void init(FilterConfig filterConfig) throws ServletException
 {
 String tempExcludes = filterConfig.getInitParameter("excludes");
- String tempXssEbabled = filterConfig.getInitParameter("xssEbabled");
- if (tempExcludes != null)
+ String tempEnabled = filterConfig.getInitParameter("enabled");
+ if (StringUtils.isNotEmpty(tempExcludes))
 {
 String[] url = tempExcludes.split(",");
 for (int i = 0; url != null && i < url.length; i++)
@@ -47,9 +45,9 @@ public class XssFilter implements Filter
 excludes.add(url[i]);
 }
 }
- if (StringUtils.isNotEmpty(tempXssEbabled))
+ if (StringUtils.isNotEmpty(tempEnabled))
 {
- xssEbabled = Boolean.valueOf(tempXssEbabled);
+ enabled = Boolean.valueOf(tempEnabled);
 }
 }
 
@@ -70,14 +68,14 @@ public class XssFilter implements Filter
 
 private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response)
 {
+ if (!enabled)
+ {
+ return true;
+ }
 if (excludes == null || excludes.isEmpty())
 {
 return false;
 }
- if (!xssEbabled)
- {
- return true;
- }
 String url = request.getServletPath();
 for (String pattern : excludes)
 {
diff --git a/src/main/java/com/ruoyi/framework/config/FilterConfig.java b/src/main/java/com/ruoyi/framework/config/FilterConfig.java
index 5ef853962..11b619357 100644
--- a/src/main/java/com/ruoyi/framework/config/FilterConfig.java
+++ b/src/main/java/com/ruoyi/framework/config/FilterConfig.java
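Review bot: In `init`, the filter stays disabled unless the `enabled` init parameter is exactly `true` (the field is still initialised to `false` and `Boolean.valueOf` maps any other string to `false`), so a missing parameter or a typo like `ture` silently turns XSS filtering off with no diagnostic. A protection filter should fail closed or at least complain, for example `if (!"true".equalsIgnoreCase(tempEnabled) && !"false".equalsIgnoreCase(tempEnabled)) { throw new ServletException("xssFilter: 'enabled' must be true or false, got: " + tempEnabled); }`, and `enabled` can be made private since nothing in the hunk needs it public. The `excludes` entries are added without `trim()`, so a value like `/a/*, /b/*` yields a pattern with a leading space; whether that ever matches depends on matching code outside this hunk, but `excludes.add(url[i].trim())` removes the ambiguity. The enclosing class continues beyond the hunk.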
@@ -2,10 +2,12 @@ package com.ruoyi.framework.config;
 
 import java.util.Map;
 import javax.servlet.DispatcherType;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import com.google.common.collect.Maps;
+import com.ruoyi.common.utils.StringUtils;
 import com.ruoyi.common.xss.XssFilter;
 
 /**
@@ -16,6 +18,15 @@ import com.ruoyi.common.xss.XssFilter;
 @Configuration
 public class FilterConfig
 {
+ @Value("${xss.enabled}")
+ private String enabled;
+
+ @Value("${xss.excludes}")
+ private String excludes;
+
+ @Value("${xss.urlPatterns}")
+ private String urlPatterns;
+
 @SuppressWarnings({ "rawtypes", "unchecked" })
 @Bean
 public FilterRegistrationBean xssFilterRegistration()
@@ -23,12 +34,12 @@ public class FilterConfig
 FilterRegistrationBean registration = new FilterRegistrationBean();
 registration.setDispatcherTypes(DispatcherType.REQUEST);
 registration.setFilter(new XssFilter());
- registration.addUrlPatterns("/*");
+ registration.addUrlPatterns(StringUtils.split(urlPatterns, ","));
 registration.setName("xssFilter");
 registration.setOrder(Integer.MAX_VALUE);
 Map initParameters = Maps.newHashMap();
- initParameters.put("excludes", "/system/notice/*,/img/*,/css/*,/fonts/*,/js/*,/ajax/*,/ruoyi/*");
- initParameters.put("xssEbabled", "false");
+ initParameters.put("excludes", excludes);
+ initParameters.put("enabled", enabled);
 registration.setInitParameters(initParameters);
 return registration;
 }
diff --git a/src/main/java/com/ruoyi/framework/config/ShiroConfig.java b/src/main/java/com/ruoyi/framework/config/ShiroConfig.java
index 866115bb3..33228e431 100644
--- a/src/main/java/com/ruoyi/framework/config/ShiroConfig.java
+++ b/src/main/java/com/ruoyi/framework/config/ShiroConfig.java
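Review bot: Replacing `addUrlPatterns("/*")` with the configured `xss.urlPatterns` narrows the filter from every request to only the listed prefixes, so any endpoint outside `/system/*`, `/monitor/*` and `/tool/*` (the values this commit puts in application.yml) now receives unfiltered input; if that is intentional it deserves a comment on the `urlPatterns` field, e.g. `// Only paths under xss.urlPatterns are filtered; all other endpoints must rely on output encoding`. `StringUtils.split(urlPatterns, ",")` also does not trim, so a value written as `/system/*, /monitor/*` registers a pattern with a leading space that the container will most likely reject or never match; trimming each entry, `for (String p : StringUtils.split(urlPatterns, ",")) { registration.addUrlPatterns(p.trim()); }`, avoids that. If this project `StringUtils.split` follows commons-lang semantics and returns null for a null input, a missing property would NPE here too, although `@Value` without a default should already fail context startup earlier.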
@@ -46,8 +46,8 @@ public class ShiroConfig
 private int validationInterval;
 
 // 验证码开关
- @Value("${shiro.user.captchaEbabled}")
- private boolean captchaEbabled;
+ @Value("${shiro.user.captchaEnabled}")
+ private boolean captchaEnabled;
 
 // 验证码类型
 @Value("${shiro.user.captchaType}")
@@ -297,7 +297,7 @@ public class ShiroConfig
 public CaptchaValidateFilter captchaValidateFilter()
 {
 CaptchaValidateFilter captchaValidateFilter = new CaptchaValidateFilter();
- captchaValidateFilter.setCaptchaEbabled(captchaEbabled);
+ captchaValidateFilter.setCaptchaEnabled(captchaEnabled);
 captchaValidateFilter.setCaptchaType(captchaType);
 return captchaValidateFilter;
 }
diff --git a/src/main/java/com/ruoyi/framework/shiro/web/filter/captcha/CaptchaValidateFilter.java b/src/main/java/com/ruoyi/framework/shiro/web/filter/captcha/CaptchaValidateFilter.java
index 3235e7d9c..efcfc00c4 100644
--- a/src/main/java/com/ruoyi/framework/shiro/web/filter/captcha/CaptchaValidateFilter.java
+++ b/src/main/java/com/ruoyi/framework/shiro/web/filter/captcha/CaptchaValidateFilter.java
@@ -20,16 +20,16 @@ public class CaptchaValidateFilter extends AccessControlFilter
 /**
 * 是否开启验证码
 */
- private boolean captchaEbabled = true;
+ private boolean captchaEnabled = true;
 
 /**
 * 验证码类型
 */
 private String captchaType = "math";
 
- public void setCaptchaEbabled(boolean captchaEbabled)
+ public void setCaptchaEnabled(boolean captchaEnabled)
 {
- this.captchaEbabled = captchaEbabled;
+ this.captchaEnabled = captchaEnabled;
 }
 
 public void setCaptchaType(String captchaType)
@@ -40,7 +40,7 @@ public class CaptchaValidateFilter extends AccessControlFilter
 @Override
 public boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) throws Exception
 {
- request.setAttribute(ShiroConstants.CURRENT_EBABLED, captchaEbabled);
+ request.setAttribute(ShiroConstants.CURRENT_ENABLED, captchaEnabled);
 request.setAttribute(ShiroConstants.CURRENT_TYPE, captchaType);
 return super.onPreHandle(request, response, mappedValue);
 }
@@ -51,7 +51,7 @@ public class CaptchaValidateFilter extends AccessControlFilter
 {
 HttpServletRequest httpServletRequest = (HttpServletRequest) request;
 // 验证码禁用 或不是表单提交 允许访问
- if (captchaEbabled == false || !"post".equals(httpServletRequest.getMethod().toLowerCase()))
+ if (captchaEnabled == false || !"post".equals(httpServletRequest.getMethod().toLowerCase()))
 {
 return true;
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index f26c27926..a1c0715af 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -40,6 +40,7 @@ spring:
 thymeleaf:
 mode: HTML
 encoding: utf-8
+ # 禁用缓存
 cache: false
 messages:
 #国际化资源文件路径
@@ -82,7 +83,7 @@ shiro:
 # 首页地址
 indexUrl: /index
 # 验证码开关
- captchaEbabled: true
+ captchaEnabled: true
 # 验证码类型 math 数组计算 char 字符
 captchaType: math
 cookie:
@@ -101,6 +102,14 @@ shiro:
 dbSyncPeriod: 1
 # 相隔多久检查一次session的有效性,默认就是10分钟
 validationInterval: 10
+# 防止XSS攻击
+xss:
+ # 过滤开关
+ enabled: true
+ # 排除链接(多个用逗号分隔)
+ excludes: /system/notice/*
+ # 匹配链接
+ urlPatterns: /system/*,/monitor/*,/tool/*
 # 代码生成
 gen:
 # 作者
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index 3856233ab..165843a9a 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -50,7 +50,7 @@
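Review bot: `excludes: /system/notice/*` hands every request under that prefix to the application with no XSS filtering, which only holds up if everything that renders notice content HTML-escapes or sanitizes it on output; that obligation is not stated anywhere in the new `xss:` section and belongs next to the setting, e.g. `# paths listed here receive raw input: the rendering side must HTML-escape or sanitize it`. The static-resource excludes the old FilterConfig hard-coded (`/img/*,/css/*,/fonts/*,/js/*,/ajax/*,/ruoyi/*`) are dropped here, which is safe only because `urlPatterns` no longer covers those paths; a note such as `# widen urlPatterns back to /* only together with excludes for static resources` would keep the two settings from drifting apart. The yml indentation of the `xss:` block is not recoverable from this hunk, so its nesting under the root (rather than under `shiro:`) should be confirmed against the file.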

你若不离不弃,我必生死相依

-
+