碼上快樂

相關內容    簡體    繁體

利用RequestBodyAdvice對Http請求非法字符過濾

本文轉載自   查看原文   2020-01-14 16:49   1936    Spring

利用RequestBodyAdvice對HTTP請求參數放入body中的參數進行非法字符過濾。

 

  • 要求:spring 4.2+

額外的pom.xml

<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-io</artifactId>
<version>1.3.2</version>
</dependency>

           <dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version>1.2.44</version>
</dependency>

 

  • 代碼
package com.niugang.controller;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Type;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import org.apache.commons.io.IOUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.MethodParameter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpInputMessage;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.servlet.mvc.method.annotation.RequestBodyAdvice;


import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONArray;
/**
 * RequestBodyAdvice:解釋
 * 允許在將請求的主體讀取和轉換成一個對象之前對請求進行自定義,
 * 並允許在將其傳遞到控制器方法作為一個@RequestBody或HttpEntity方法參數之前處理結果對象。
 * 
 * @author niugang
 *
 */
@ControllerAdvice(basePackages = "com.niugang")
public class MyRequestBodyAdvice implements RequestBodyAdvice {
private final static Logger logger = LoggerFactory.getLogger(MyRequestBodyAdvice.class);


@Override
public boolean supports(MethodParameter methodParameter, Type targetType,
Class<? extends HttpMessageConverter<?>> converterType) {
return true;
}
     @Override
public Object handleEmptyBody(Object body, HttpInputMessage inputMessage, MethodParameter parameter,
Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
return body;
}


@Override
public HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter parameter, Type targetType,
Class<? extends HttpMessageConverter<?>> converterType) throws IOException {


try {
return new MyHttpInputMessage(inputMessage);
} catch (Exception e) {
e.printStackTrace();
return inputMessage;


}
}
@Override
public Object afterBodyRead(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType,
Class<? extends HttpMessageConverter<?>> converterType) {
return body;
}


class MyHttpInputMessage implements HttpInputMessage {
private HttpHeaders headers;
private InputStream body;
              @SuppressWarnings("unchecked")
public MyHttpInputMessage(HttpInputMessage inputMessage) throws Exception {
String string = IOUtils.toString(inputMessage.getBody(), "UTF-8");
Map<String, Object> mapJson = (Map<String, Object>) JSON.parseObject(string, Map.class);
Map<String, Object> map = new HashMap<String, Object>();
Set<Entry<String, Object>> entrySet = mapJson.entrySet();
for (Entry<String, Object> entry : entrySet) {
String key = entry.getKey();
Object objValue = entry.getValue();
                            if (objValue instanceof String) {
String value = objValue.toString();
map.put(key, filterDangerString(value));
} else { // 針對結合的處理
@SuppressWarnings("rawtypes")
List<HashMap> parseArray = JSONArray.parseArray(objValue.toString(), HashMap.class);
List<Map<String, Object>> listMap = new ArrayList<Map<String, Object>>();
for (Map<String, Object> innerMap : parseArray) {
Map<String, Object> childrenMap = new HashMap<String, Object>();
Set<Entry<String, Object>> elseEntrySet = innerMap.entrySet();
for (Entry<String, Object> en : elseEntrySet) {
                                                        String innerKey = en.getKey();
Object innerObj = en.getValue();
if (innerObj instanceof String) {
String value = innerObj.toString();
childrenMap.put(innerKey, filterDangerString(value));
}


}
listMap.add(childrenMap);
}
map.put(key, listMap);
}
}
this.headers = inputMessage.getHeaders();
this.body = IOUtils.toInputStream(JSON.toJSONString(map), "UTF-8");
}

@Override
public InputStream getBody() throws IOException {
return body;
}

@Override
public HttpHeaders getHeaders() {
return headers;
}
}
       private String filterDangerString(String value) {
if (value == null) {
return null;
}
value = value.replaceAll("\\|", "");
value = value.replaceAll("&", "");
value = value.replaceAll(";", "");
value = value.replaceAll("@", "");
value = value.replaceAll("'", "");
value = value.replaceAll("\\'", "");
value = value.replaceAll("<", "");
value = value.replaceAll("-", "");
value = value.replaceAll(">", "");
value = value.replaceAll("\\(", "");
value = value.replaceAll("\\)", "");
value = value.replaceAll("\\+", "");
value = value.replaceAll("\r", "");
value = value.replaceAll("\n", "");
value = value.replaceAll("script", "");
value = value.replaceAll("select", "");
value = value.replaceAll("\"", "");
value = value.replaceAll(">", "");
value = value.replaceAll("<", "");
value = value.replaceAll("=", "");
value = value.replaceAll("/", "");
return value;
}
}

 

對於以上的配置Controller接收參數需要加@RequestBody。

測試

   

 

過濾后的數據

   

 微信公眾號

 

 


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 js 過濾非法字符 Spring Boot過濾非法請求 Python sql注入 過濾字符串的非法字符 SpringMVC 過濾非法字符時 form表單類型 C#創建目錄,文件名過濾特殊字符串,非法字符 IOS 開發之 -- 過濾掉字符串里面所有的非法字符 字典和json之間的互轉 java: 非法字符: '\ufeff' 錯誤:非法字符:“\ufeff” xml中的非法字符 c# 判斷非法字符
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM