代码优化
This commit is contained in:
parent
6895f3efc1
commit
4842abb1c9
|
|
@ -52,7 +52,7 @@ import com.smallchill.core.toolbox.kit.URLKit;
|
|||
import com.smallchill.core.toolbox.log.LogManager;
|
||||
import com.smallchill.core.toolbox.support.BeanInjector;
|
||||
import com.smallchill.core.toolbox.support.Conver;
|
||||
import com.smallchill.core.waf.request.WafRequestWrapper;
|
||||
import com.smallchill.core.toolbox.support.WafRequestWrapper;
|
||||
|
||||
/**
|
||||
* @author James Zhan, Chill Zhuang
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ import javax.servlet.http.HttpServletRequest;
|
|||
import org.springframework.web.context.request.RequestContextHolder;
|
||||
import org.springframework.web.context.request.ServletRequestAttributes;
|
||||
|
||||
import com.smallchill.core.waf.request.WafRequestWrapper;
|
||||
import com.smallchill.core.toolbox.support.WafRequestWrapper;
|
||||
|
||||
public class HttpKit {
|
||||
|
||||
|
|
|
|||
|
|
@ -1,40 +1,42 @@
|
|||
/**
|
||||
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
||||
* use this file except in compliance with the License. You may obtain a copy of
|
||||
* the License at
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
* License for the specific language governing permissions and limitations under
|
||||
* the License.
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package com.smallchill.core.waf.attack;
|
||||
package com.smallchill.core.toolbox.kit;
|
||||
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import com.smallchill.core.toolbox.kit.StrKit;
|
||||
|
||||
/**
|
||||
* XSS脚本攻击
|
||||
* Web防火墙工具类
|
||||
* <p>
|
||||
* @author hubin
|
||||
* @Date 2014-5-8
|
||||
*/
|
||||
public class XSS implements Istrip {
|
||||
public class WafKit {
|
||||
|
||||
/**
|
||||
* @Description XSS脚本内容剥离
|
||||
* @Description 过滤XSS脚本内容
|
||||
* @param value
|
||||
* 待处理内容
|
||||
* @return
|
||||
*/
|
||||
public String strip( String value ) {
|
||||
String rlt = null;
|
||||
public static String stripXSS(String value) {
|
||||
String rlt = StrKit.EMPTY;
|
||||
|
||||
if ( value != null ) {
|
||||
if (StrKit.notBlank(value)) {
|
||||
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
|
||||
// avoid encoded attacks.
|
||||
// value = ESAPI.encoder().canonicalize(value);
|
||||
|
|
@ -87,8 +89,28 @@ public class XSS implements Istrip {
|
|||
| Pattern.MULTILINE | Pattern.DOTALL);
|
||||
rlt = scriptPattern.matcher(rlt).replaceAll("");
|
||||
}
|
||||
|
||||
|
||||
return rlt;
|
||||
}
|
||||
|
||||
/**
|
||||
* @Description 过滤SQL注入内容
|
||||
* @param value
|
||||
* 待处理内容
|
||||
* @return
|
||||
*/
|
||||
public static String stripSqlInjection(String value) {
|
||||
return (StrKit.isBlank(value)) ? StrKit.EMPTY : value.replaceAll("('.+--)|(--)|(\\|)|(%7C)", "");
|
||||
}
|
||||
|
||||
/**
|
||||
* @Description 过滤SQL/XSS注入内容
|
||||
* @param value
|
||||
* 待处理内容
|
||||
* @return
|
||||
*/
|
||||
public static String stripSqlXSS(String value) {
|
||||
return (StrKit.isBlank(value)) ? StrKit.EMPTY : stripXSS(stripSqlInjection(value));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -13,7 +13,7 @@
|
|||
* License for the specific language governing permissions and limitations under
|
||||
* the License.
|
||||
*/
|
||||
package com.smallchill.core.waf.request;
|
||||
package com.smallchill.core.toolbox.support;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
|
@ -22,7 +22,8 @@ import javax.servlet.http.Cookie;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletRequestWrapper;
|
||||
|
||||
import com.smallchill.core.waf.WafHelper;
|
||||
import com.smallchill.core.toolbox.kit.StrKit;
|
||||
import com.smallchill.core.toolbox.kit.WafKit;
|
||||
|
||||
/**
|
||||
* Request请求过滤包装
|
||||
|
|
@ -137,15 +138,15 @@ public class WafRequestWrapper extends HttpServletRequestWrapper {
|
|||
* @return
|
||||
*/
|
||||
protected String filterParamString(String rawValue) {
|
||||
if (rawValue == null) {
|
||||
return null;
|
||||
if (StrKit.isBlank(rawValue)) {
|
||||
return StrKit.EMPTY;
|
||||
}
|
||||
String tmpStr = rawValue;
|
||||
if (this.filterXSS) {
|
||||
tmpStr = WafHelper.stripXSS(rawValue);
|
||||
tmpStr = WafKit.stripXSS(rawValue);
|
||||
}
|
||||
if (this.filterSQL) {
|
||||
tmpStr = WafHelper.stripSqlInjection(tmpStr);
|
||||
tmpStr = WafKit.stripSqlInjection(tmpStr);
|
||||
}
|
||||
return tmpStr;
|
||||
}
|
||||
|
|
@ -1,69 +0,0 @@
|
|||
/**
|
||||
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package com.smallchill.core.waf;
|
||||
|
||||
import com.smallchill.core.toolbox.support.Singleton;
|
||||
import com.smallchill.core.waf.attack.SqlInjection;
|
||||
import com.smallchill.core.waf.attack.XSS;
|
||||
|
||||
/**
|
||||
* Web防火墙工具类
|
||||
* <p>
|
||||
* @author hubin
|
||||
* @Date 2014-5-8
|
||||
*/
|
||||
public class WafHelper {
|
||||
|
||||
/**
|
||||
* @Description 过滤XSS脚本内容
|
||||
* @param value
|
||||
* 待处理内容
|
||||
* @return
|
||||
*/
|
||||
public static String stripXSS(String value) {
|
||||
if (value == null) {
|
||||
return null;
|
||||
}
|
||||
return Singleton.create(XSS.class).strip(value);
|
||||
}
|
||||
|
||||
/**
|
||||
* @Description 过滤SQL注入内容
|
||||
* @param value
|
||||
* 待处理内容
|
||||
* @return
|
||||
*/
|
||||
public static String stripSqlInjection(String value) {
|
||||
if (value == null) {
|
||||
return null;
|
||||
}
|
||||
return Singleton.create(SqlInjection.class).strip(value);
|
||||
}
|
||||
|
||||
/**
|
||||
* @Description 过滤SQL/XSS注入内容
|
||||
* @param value
|
||||
* 待处理内容
|
||||
* @return
|
||||
*/
|
||||
public static String stripSqlXSS(String value) {
|
||||
if (value == null) {
|
||||
return null;
|
||||
}
|
||||
return stripXSS(stripSqlInjection(value));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
/**
|
||||
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package com.smallchill.core.waf.attack;
|
||||
|
||||
/**
|
||||
* 攻击过滤父类
|
||||
* <p>
|
||||
* @author hubin
|
||||
* @Date 2014-12-08
|
||||
*/
|
||||
public interface Istrip {
|
||||
|
||||
/**
|
||||
* @Description 脚本内容剥离
|
||||
* @param value
|
||||
* 待处理内容
|
||||
* @return
|
||||
*/
|
||||
public String strip(String value);
|
||||
}
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
/**
|
||||
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package com.smallchill.core.waf.attack;
|
||||
|
||||
/**
|
||||
* SQL注入攻击
|
||||
* <p>
|
||||
* @author hubin
|
||||
* @Date 2014-5-8
|
||||
*/
|
||||
public class SqlInjection implements Istrip {
|
||||
|
||||
/**
|
||||
* @Description SQL注入内容剥离
|
||||
* @param value
|
||||
* 待处理内容
|
||||
* @return
|
||||
*/
|
||||
public String strip(String value) {
|
||||
|
||||
//剥离SQL注入部分代码
|
||||
return value.replaceAll("('.+--)|(--)|(\\|)|(%7C)", "");
|
||||
}
|
||||
}
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
|
||||
-----------------------------------------------
|
||||
一些特殊字的ascii码
|
||||
-----------------------------------------------
|
||||
%7 = ~
|
||||
%09 表示 Tab
|
||||
%20 表示 (1sp) 即一个space键
|
||||
%22 表示 "
|
||||
%23 表示 #
|
||||
%25 表示 %
|
||||
%26 表示 &
|
||||
%28 表示 (
|
||||
%29 表示 )
|
||||
%2B 表示 +
|
||||
%2C 表示 ,
|
||||
%2F 表示 /
|
||||
%3A 表示 :
|
||||
%3B 表示 ;
|
||||
%3C 表示 <
|
||||
%3D 表示 =
|
||||
%3E 表示 >
|
||||
%3F 表示 ?
|
||||
%40 表示 @
|
||||
%5B 表示[
|
||||
%5C 表示
|
||||
%5D 表示]
|
||||
%7C 表示 |
|
||||
%7E 表示 ~
|
||||
-----------------------------------------------
|
||||
|
||||
Loading…
Reference in New Issue
Block a user