记一次SpringBoot+Xss过滤
XssFilter过滤器
import org.springframework.stereotype.Component;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import com.jfinal.kit.StrKit;
/**
* @ProjectName: smt
* @ClassName:
* @Description:
* @Author: yue zhenbin
* @Date: 2021/7/7 9:16
*/
@Component
@WebFilter(urlPatterns = "/*", filterName = "xssFilter")
public class XssFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
String contentType = request.getContentType();
if (StrKit.notBlank(contentType) && contentType.contains("multipart/form-data")) {//对图片上传不进行xss过滤
chain.doFilter(request, response);
}else {
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper((HttpServletRequest) request);
chain.doFilter(xssRequest, response);
}
}
@Override
public void destroy() {}
}
XssHttpServletRequestWrapper过滤规则类
主要针对@RequestBody进行的参数过滤
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Document.OutputSettings;
import org.jsoup.safety.Whitelist;
import org.springframework.util.StreamUtils;
import com.alibaba.fastjson.JSONObject;
/**
* XSS过滤处理
*
* @author ruoyi
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
//使用basic()
private static final Whitelist whitelist = createWhitelist();
private static final OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false);
private byte[] requestBody;
private Charset charSet;
private static Whitelist createWhitelist() {
return Whitelist.basic();
}
private static String filter(String value) {
if(value!=null) {
value = Jsoup.clean(value, "", whitelist, outputSettings).trim();
}
return value;
}
/**
*
* @param request
*/
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
//缓存请求body
try {
String requestBodyStr = getRequestPostStr(request);
requestBodyStr=filterBadString(requestBodyStr);
if (StringUtils.isNotBlank(requestBodyStr)) {
requestBodyStr=filter(requestBodyStr);
JSONObject resultJson = JSONObject.parseObject(requestBodyStr);
requestBody = resultJson.toString().getBytes(charSet);
} else {
requestBody = new byte[0];
}
} catch (IOException e) {
e.printStackTrace();
}
}
/**
* 获取POST请求体中数据
* @param request
* @return
* @throws IOException
*/
public String getRequestPostStr(HttpServletRequest request)
throws IOException {
String charSetStr = request.getCharacterEncoding();
if (charSetStr == null) {
charSetStr = "UTF-8";
}
charSet = Charset.forName(charSetStr);
return StreamUtils.copyToString(request.getInputStream(), charSet);
}
@Override
public ServletInputStream getInputStream() {
if (requestBody == null) {
requestBody = new byte[0];
}
final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(requestBody);
return new ServletInputStream() {
@Override
public boolean isFinished() {
return false;
}
@Override
public boolean isReady() {
return false;
}
@Override
public void setReadListener(ReadListener readListener) {
}
@Override
public int read() {
return byteArrayInputStream.read();
}
};
}
/**
* 特殊字符过滤
*
* @param value
* @return
*/
private static String filterBadString(String value) {
String REP_TIPS = "BadParamter";
value = value.replaceAll("select", REP_TIPS);
value = value.replaceAll("SELECT", REP_TIPS);
value = value.replaceAll("insert", REP_TIPS);
value = value.replaceAll("INSERT", REP_TIPS);
value = value.replaceAll("delete", REP_TIPS);
value = value.replaceAll("DELETE", REP_TIPS);
value = value.replaceAll("update", REP_TIPS);
value = value.replaceAll("UPDATE", REP_TIPS);
value = value.replaceAll("script", REP_TIPS);
value = value.replaceAll(">", REP_TIPS);
value = value.replaceAll("<", REP_TIPS);
value = value.replaceAll("=", REP_TIPS);
value = value.replaceAll("@", REP_TIPS);
return value;
}
}
启动类需添加Servlet扫描:@ServletComponentScan("com.xxx.smt.config.XssFilter")
所需要的依赖:
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.10.2</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<!-- jfinal 核心包 -->
<dependency>
<groupId>com.jfinal</groupId>
<artifactId>jfinal</artifactId>
<version>2.2</version>
</dependency>
<dependency>
<groupId>com.jfinal</groupId>
<artifactId>cos</artifactId>
<version>26Dec2008</version>
</dependency>