代码优化
This commit is contained in:
parent
6895f3efc1
commit
4842abb1c9
|
|
@ -52,7 +52,7 @@ import com.smallchill.core.toolbox.kit.URLKit;
|
||||||
import com.smallchill.core.toolbox.log.LogManager;
|
import com.smallchill.core.toolbox.log.LogManager;
|
||||||
import com.smallchill.core.toolbox.support.BeanInjector;
|
import com.smallchill.core.toolbox.support.BeanInjector;
|
||||||
import com.smallchill.core.toolbox.support.Conver;
|
import com.smallchill.core.toolbox.support.Conver;
|
||||||
import com.smallchill.core.waf.request.WafRequestWrapper;
|
import com.smallchill.core.toolbox.support.WafRequestWrapper;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author James Zhan, Chill Zhuang
|
* @author James Zhan, Chill Zhuang
|
||||||
|
|
|
||||||
|
|
@ -20,7 +20,7 @@ import javax.servlet.http.HttpServletRequest;
|
||||||
import org.springframework.web.context.request.RequestContextHolder;
|
import org.springframework.web.context.request.RequestContextHolder;
|
||||||
import org.springframework.web.context.request.ServletRequestAttributes;
|
import org.springframework.web.context.request.ServletRequestAttributes;
|
||||||
|
|
||||||
import com.smallchill.core.waf.request.WafRequestWrapper;
|
import com.smallchill.core.toolbox.support.WafRequestWrapper;
|
||||||
|
|
||||||
public class HttpKit {
|
public class HttpKit {
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,40 +1,42 @@
|
||||||
/**
|
/**
|
||||||
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
|
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* use this file except in compliance with the License. You may obtain a copy of
|
* you may not use this file except in compliance with the License.
|
||||||
* the License at
|
* You may obtain a copy of the License at
|
||||||
*
|
*
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
*
|
*
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
* License for the specific language governing permissions and limitations under
|
* See the License for the specific language governing permissions and
|
||||||
* the License.
|
* limitations under the License.
|
||||||
*/
|
*/
|
||||||
package com.smallchill.core.waf.attack;
|
package com.smallchill.core.toolbox.kit;
|
||||||
|
|
||||||
import java.util.regex.Pattern;
|
import java.util.regex.Pattern;
|
||||||
|
|
||||||
|
import com.smallchill.core.toolbox.kit.StrKit;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* XSS脚本攻击
|
* Web防火墙工具类
|
||||||
* <p>
|
* <p>
|
||||||
* @author hubin
|
* @author hubin
|
||||||
* @Date 2014-5-8
|
* @Date 2014-5-8
|
||||||
*/
|
*/
|
||||||
public class XSS implements Istrip {
|
public class WafKit {
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @Description XSS脚本内容剥离
|
* @Description 过滤XSS脚本内容
|
||||||
* @param value
|
* @param value
|
||||||
* 待处理内容
|
* 待处理内容
|
||||||
* @return
|
* @return
|
||||||
*/
|
*/
|
||||||
public String strip( String value ) {
|
public static String stripXSS(String value) {
|
||||||
String rlt = null;
|
String rlt = StrKit.EMPTY;
|
||||||
|
|
||||||
if ( value != null ) {
|
if (StrKit.notBlank(value)) {
|
||||||
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
|
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
|
||||||
// avoid encoded attacks.
|
// avoid encoded attacks.
|
||||||
// value = ESAPI.encoder().canonicalize(value);
|
// value = ESAPI.encoder().canonicalize(value);
|
||||||
|
|
@ -87,8 +89,28 @@ public class XSS implements Istrip {
|
||||||
| Pattern.MULTILINE | Pattern.DOTALL);
|
| Pattern.MULTILINE | Pattern.DOTALL);
|
||||||
rlt = scriptPattern.matcher(rlt).replaceAll("");
|
rlt = scriptPattern.matcher(rlt).replaceAll("");
|
||||||
}
|
}
|
||||||
|
|
||||||
return rlt;
|
return rlt;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @Description 过滤SQL注入内容
|
||||||
|
* @param value
|
||||||
|
* 待处理内容
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
public static String stripSqlInjection(String value) {
|
||||||
|
return (StrKit.isBlank(value)) ? StrKit.EMPTY : value.replaceAll("('.+--)|(--)|(\\|)|(%7C)", "");
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @Description 过滤SQL/XSS注入内容
|
||||||
|
* @param value
|
||||||
|
* 待处理内容
|
||||||
|
* @return
|
||||||
|
*/
|
||||||
|
public static String stripSqlXSS(String value) {
|
||||||
|
return (StrKit.isBlank(value)) ? StrKit.EMPTY : stripXSS(stripSqlInjection(value));
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
@ -13,7 +13,7 @@
|
||||||
* License for the specific language governing permissions and limitations under
|
* License for the specific language governing permissions and limitations under
|
||||||
* the License.
|
* the License.
|
||||||
*/
|
*/
|
||||||
package com.smallchill.core.waf.request;
|
package com.smallchill.core.toolbox.support;
|
||||||
|
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
@ -22,7 +22,8 @@ import javax.servlet.http.Cookie;
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import javax.servlet.http.HttpServletRequestWrapper;
|
import javax.servlet.http.HttpServletRequestWrapper;
|
||||||
|
|
||||||
import com.smallchill.core.waf.WafHelper;
|
import com.smallchill.core.toolbox.kit.StrKit;
|
||||||
|
import com.smallchill.core.toolbox.kit.WafKit;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Request请求过滤包装
|
* Request请求过滤包装
|
||||||
|
|
@ -137,15 +138,15 @@ public class WafRequestWrapper extends HttpServletRequestWrapper {
|
||||||
* @return
|
* @return
|
||||||
*/
|
*/
|
||||||
protected String filterParamString(String rawValue) {
|
protected String filterParamString(String rawValue) {
|
||||||
if (rawValue == null) {
|
if (StrKit.isBlank(rawValue)) {
|
||||||
return null;
|
return StrKit.EMPTY;
|
||||||
}
|
}
|
||||||
String tmpStr = rawValue;
|
String tmpStr = rawValue;
|
||||||
if (this.filterXSS) {
|
if (this.filterXSS) {
|
||||||
tmpStr = WafHelper.stripXSS(rawValue);
|
tmpStr = WafKit.stripXSS(rawValue);
|
||||||
}
|
}
|
||||||
if (this.filterSQL) {
|
if (this.filterSQL) {
|
||||||
tmpStr = WafHelper.stripSqlInjection(tmpStr);
|
tmpStr = WafKit.stripSqlInjection(tmpStr);
|
||||||
}
|
}
|
||||||
return tmpStr;
|
return tmpStr;
|
||||||
}
|
}
|
||||||
|
|
@ -1,69 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
package com.smallchill.core.waf;
|
|
||||||
|
|
||||||
import com.smallchill.core.toolbox.support.Singleton;
|
|
||||||
import com.smallchill.core.waf.attack.SqlInjection;
|
|
||||||
import com.smallchill.core.waf.attack.XSS;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Web防火墙工具类
|
|
||||||
* <p>
|
|
||||||
* @author hubin
|
|
||||||
* @Date 2014-5-8
|
|
||||||
*/
|
|
||||||
public class WafHelper {
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @Description 过滤XSS脚本内容
|
|
||||||
* @param value
|
|
||||||
* 待处理内容
|
|
||||||
* @return
|
|
||||||
*/
|
|
||||||
public static String stripXSS(String value) {
|
|
||||||
if (value == null) {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
return Singleton.create(XSS.class).strip(value);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @Description 过滤SQL注入内容
|
|
||||||
* @param value
|
|
||||||
* 待处理内容
|
|
||||||
* @return
|
|
||||||
*/
|
|
||||||
public static String stripSqlInjection(String value) {
|
|
||||||
if (value == null) {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
return Singleton.create(SqlInjection.class).strip(value);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @Description 过滤SQL/XSS注入内容
|
|
||||||
* @param value
|
|
||||||
* 待处理内容
|
|
||||||
* @return
|
|
||||||
*/
|
|
||||||
public static String stripSqlXSS(String value) {
|
|
||||||
if (value == null) {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
return stripXSS(stripSqlInjection(value));
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
@ -1,33 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
package com.smallchill.core.waf.attack;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* 攻击过滤父类
|
|
||||||
* <p>
|
|
||||||
* @author hubin
|
|
||||||
* @Date 2014-12-08
|
|
||||||
*/
|
|
||||||
public interface Istrip {
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @Description 脚本内容剥离
|
|
||||||
* @param value
|
|
||||||
* 待处理内容
|
|
||||||
* @return
|
|
||||||
*/
|
|
||||||
public String strip(String value);
|
|
||||||
}
|
|
||||||
|
|
@ -1,37 +0,0 @@
|
||||||
/**
|
|
||||||
* Copyright (c) 2011-2014, hubin (jobob@qq.com).
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
|
||||||
package com.smallchill.core.waf.attack;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* SQL注入攻击
|
|
||||||
* <p>
|
|
||||||
* @author hubin
|
|
||||||
* @Date 2014-5-8
|
|
||||||
*/
|
|
||||||
public class SqlInjection implements Istrip {
|
|
||||||
|
|
||||||
/**
|
|
||||||
* @Description SQL注入内容剥离
|
|
||||||
* @param value
|
|
||||||
* 待处理内容
|
|
||||||
* @return
|
|
||||||
*/
|
|
||||||
public String strip(String value) {
|
|
||||||
|
|
||||||
//剥离SQL注入部分代码
|
|
||||||
return value.replaceAll("('.+--)|(--)|(\\|)|(%7C)", "");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
@ -1,30 +0,0 @@
|
||||||
|
|
||||||
-----------------------------------------------
|
|
||||||
一些特殊字的ascii码
|
|
||||||
-----------------------------------------------
|
|
||||||
%7 = ~
|
|
||||||
%09 表示 Tab
|
|
||||||
%20 表示 (1sp) 即一个space键
|
|
||||||
%22 表示 "
|
|
||||||
%23 表示 #
|
|
||||||
%25 表示 %
|
|
||||||
%26 表示 &
|
|
||||||
%28 表示 (
|
|
||||||
%29 表示 )
|
|
||||||
%2B 表示 +
|
|
||||||
%2C 表示 ,
|
|
||||||
%2F 表示 /
|
|
||||||
%3A 表示 :
|
|
||||||
%3B 表示 ;
|
|
||||||
%3C 表示 <
|
|
||||||
%3D 表示 =
|
|
||||||
%3E 表示 >
|
|
||||||
%3F 表示 ?
|
|
||||||
%40 表示 @
|
|
||||||
%5B 表示[
|
|
||||||
%5C 表示
|
|
||||||
%5D 表示]
|
|
||||||
%7C 表示 |
|
|
||||||
%7E 表示 ~
|
|
||||||
-----------------------------------------------
|
|
||||||
|
|
||||||
Loading…
Reference in New Issue
Block a user