代码优化

This commit is contained in:
zhuangqian 2016-09-10 16:00:14 +08:00
parent 6895f3efc1
commit 4842abb1c9
8 changed files with 47 additions and 193 deletions

View File

@ -52,7 +52,7 @@ import com.smallchill.core.toolbox.kit.URLKit;
import com.smallchill.core.toolbox.log.LogManager;
import com.smallchill.core.toolbox.support.BeanInjector;
import com.smallchill.core.toolbox.support.Conver;
import com.smallchill.core.waf.request.WafRequestWrapper;
import com.smallchill.core.toolbox.support.WafRequestWrapper;
/**
* @author James Zhan, Chill Zhuang

View File

@ -20,7 +20,7 @@ import javax.servlet.http.HttpServletRequest;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import com.smallchill.core.waf.request.WafRequestWrapper;
import com.smallchill.core.toolbox.support.WafRequestWrapper;
public class HttpKit {

View File

@ -1,40 +1,42 @@
/**
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.smallchill.core.waf.attack;
package com.smallchill.core.toolbox.kit;
import java.util.regex.Pattern;
import com.smallchill.core.toolbox.kit.StrKit;
/**
* XSS脚本攻击
* Web防火墙工具类
* <p>
* @author hubin
* @Date 2014-5-8
*/
public class XSS implements Istrip {
public class WafKit {
/**
* @Description XSS脚本内容剥离
* @Description 过滤XSS脚本内容
* @param value
* 待处理内容
* @return
*/
public String strip( String value ) {
String rlt = null;
public static String stripXSS(String value) {
String rlt = StrKit.EMPTY;
if ( value != null ) {
if (StrKit.notBlank(value)) {
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
// value = ESAPI.encoder().canonicalize(value);
@ -87,8 +89,28 @@ public class XSS implements Istrip {
| Pattern.MULTILINE | Pattern.DOTALL);
rlt = scriptPattern.matcher(rlt).replaceAll("");
}
return rlt;
}
/**
* @Description 过滤SQL注入内容
* @param value
* 待处理内容
* @return
*/
public static String stripSqlInjection(String value) {
return (StrKit.isBlank(value)) ? StrKit.EMPTY : value.replaceAll("('.+--)|(--)|(\\|)|(%7C)", "");
}
/**
* @Description 过滤SQL/XSS注入内容
* @param value
* 待处理内容
* @return
*/
public static String stripSqlXSS(String value) {
return (StrKit.isBlank(value)) ? StrKit.EMPTY : stripXSS(stripSqlInjection(value));
}
}

View File

@ -13,7 +13,7 @@
* License for the specific language governing permissions and limitations under
* the License.
*/
package com.smallchill.core.waf.request;
package com.smallchill.core.toolbox.support;
import java.util.HashMap;
import java.util.Map;
@ -22,7 +22,8 @@ import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import com.smallchill.core.waf.WafHelper;
import com.smallchill.core.toolbox.kit.StrKit;
import com.smallchill.core.toolbox.kit.WafKit;
/**
* Request请求过滤包装
@ -137,15 +138,15 @@ public class WafRequestWrapper extends HttpServletRequestWrapper {
* @return
*/
protected String filterParamString(String rawValue) {
if (rawValue == null) {
return null;
if (StrKit.isBlank(rawValue)) {
return StrKit.EMPTY;
}
String tmpStr = rawValue;
if (this.filterXSS) {
tmpStr = WafHelper.stripXSS(rawValue);
tmpStr = WafKit.stripXSS(rawValue);
}
if (this.filterSQL) {
tmpStr = WafHelper.stripSqlInjection(tmpStr);
tmpStr = WafKit.stripSqlInjection(tmpStr);
}
return tmpStr;
}

View File

@ -1,69 +0,0 @@
/**
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.smallchill.core.waf;
import com.smallchill.core.toolbox.support.Singleton;
import com.smallchill.core.waf.attack.SqlInjection;
import com.smallchill.core.waf.attack.XSS;
/**
* Web防火墙工具类
* <p>
* @author hubin
* @Date 2014-5-8
*/
public class WafHelper {
/**
* @Description 过滤XSS脚本内容
* @param value
* 待处理内容
* @return
*/
public static String stripXSS(String value) {
if (value == null) {
return null;
}
return Singleton.create(XSS.class).strip(value);
}
/**
* @Description 过滤SQL注入内容
* @param value
* 待处理内容
* @return
*/
public static String stripSqlInjection(String value) {
if (value == null) {
return null;
}
return Singleton.create(SqlInjection.class).strip(value);
}
/**
* @Description 过滤SQL/XSS注入内容
* @param value
* 待处理内容
* @return
*/
public static String stripSqlXSS(String value) {
if (value == null) {
return null;
}
return stripXSS(stripSqlInjection(value));
}
}

View File

@ -1,33 +0,0 @@
/**
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.smallchill.core.waf.attack;
/**
* 攻击过滤父类
* <p>
* @author hubin
* @Date 2014-12-08
*/
public interface Istrip {
/**
* @Description 脚本内容剥离
* @param value
* 待处理内容
* @return
*/
public String strip(String value);
}

View File

@ -1,37 +0,0 @@
/**
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.smallchill.core.waf.attack;
/**
* SQL注入攻击
* <p>
* @author hubin
* @Date 2014-5-8
*/
public class SqlInjection implements Istrip {
/**
* @Description SQL注入内容剥离
* @param value
* 待处理内容
* @return
*/
public String strip(String value) {
//剥离SQL注入部分代码
return value.replaceAll("('.+--)|(--)|(\\|)|(%7C)", "");
}
}

View File

@ -1,30 +0,0 @@
-----------------------------------------------
一些特殊字的ascii码
-----------------------------------------------
%7 = ~
%09 表示 Tab
%20 表示 (1sp) 即一个space键
%22 表示 "
%23 表示 #
%25 表示 %
%26 表示 &
%28 表示 (
%29 表示 )
%2B 表示 +
%2C 表示 ,
%2F 表示 /
%3A 表示 :
%3B 表示 ;
%3C 表示 <
%3D 表示 =
%3E 表示 >
%3F 表示 ?
%40 表示 @
%5B 表示[
%5C 表示
%5D 表示]
%7C 表示 |
%7E 表示 ~
-----------------------------------------------