Merge remote-tracking branch 'origin/dev' into dev

business/base-service/src/main/java/com/yihu/jw/gateway/dao/GcTokenDao.java

@@ -6,6 +6,7 @@ import org.springframework.data.jpa.repository.Modifying;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.PagingAndSortingRepository;
import java.util.Date;
import java.util.List;
/**
@@ -20,6 +21,9 @@ public interface GcTokenDao extends PagingAndSortingRepository<GcToken, Long>, J
    @Query("from GcToken where accesstoken=?1")
    GcToken findByToken(String token);
    @Query("from GcToken where appid=?1 and outTime >= now()")
    @Query("from GcToken where appid=?1 and outTime >= ?1")
    List<GcToken> findByAppIdByDate(String token,Date date);
    @Query("from GcToken where appid=?1 and outTime >= now () ")
    List<GcToken> findByAppId(String token);
}

business/base-service/src/main/java/com/yihu/jw/gateway/service/GcTokenService.java

@@ -9,13 +9,12 @@ import com.yihu.jw.gateway.dao.GcTokenLogDao;
import com.yihu.jw.util.date.DateUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.StringUtils;
import java.util.Date;
import java.util.List;
import java.util.UUID;
import java.util.*;
/**
 * Created by chenweida on 2017/8/17.
@@ -26,6 +25,8 @@ public class GcTokenService {
    private GcTokenLogDao tokenLogDao;
    @Autowired
    private GcTokenDao tokenDao;
    @Autowired
    private JdbcTemplate jdbcTemplate;
    /**
@@ -95,7 +96,24 @@ public class GcTokenService {
        return tokenDao.findByToken(token);
    }
    public List<GcToken> findByAppId(String appid){
        return tokenDao.findByAppId(appid);
    public List<GcToken> findByAppId(String appid,String wxId){
        if (wxId.equalsIgnoreCase("xm_ykyy_wx")){
            String sql = "select ID AS \"id\",APPID as \"appId\",ACCESSTOKEN as \"accessToken\",CREATE_TIME as \"createTime\",to_char(OUT_TIME,'yyyy-MM-dd hh24:mi:ss') as \"outTime\" from GC_TOKEN where APPID = '"+appid+"' and OUT_TIME >= to_date('"+DateUtil.getStringDate()+"','YYYY-MM-DD HH24:MI:SS')";
            List<Map<String,Object>> mapList = jdbcTemplate.queryForList(sql);
            List<GcToken> gcTokens = new ArrayList<>();
            for (Map<String,Object> map:mapList){
                GcToken gcToken = new GcToken();
                gcToken.setId(Integer.parseInt(map.get("id").toString()));
                gcToken.setAccesstoken(map.get("accessToken").toString());
                gcToken.setAppid(map.get("appId").toString());
                gcToken.setOutTime(DateUtil.strToDate(map.get("outTime").toString()));
                gcTokens.add(gcToken);
                System.out.print("gcToken"+gcToken.getOutTime());
            }
            return gcTokens;
        }else {
            return tokenDao.findByAppId(appid);
        }
    }
}

business/im-service/src/main/java/com/yihu/jw/im/service/ImService.java

@@ -3886,12 +3886,19 @@ public class ImService {
	 * @throws Exception
	 */
	public List<Map<String,Object>>  getDoctorConsultCount(String doctorids) throws Exception{
		String ids[] = doctorids.replace("'","").split(",");
		String dotorIds = "";
		for (int i=0;i<ids.length;i++){
			dotorIds = "'"+ids[i]+"',";
		}
		dotorIds = dotorIds.substring(0,dotorIds.length()-1);
		//医生角色
		String sql = "SELECT " +
				"count(id) AS \"total\"," +
				"doctor as \"doctor\"" +
				"FROM wlyy_consult_team " +
				"WHERE doctor IN ("+doctorids+") AND (type=1 OR type=15 OR type=9 OR type =16) and status = 0 GROUP BY doctor";
				"WHERE doctor IN ("+dotorIds+") AND (type=1 OR type=15 OR type=9 OR type =16) and status = 0 GROUP BY doctor";
		List<Map<String,Object>> list = hibenateUtils.createSQLQuery(sql);
		return list;
	}

common/common-entity/src/main/java/com/yihu/jw/entity/iot/gateway/GcClientDetails.java

@@ -2,12 +2,10 @@ package com.yihu.jw.entity.iot.gateway;
import com.yihu.jw.entity.IntegerIdentityEntity;
import com.yihu.jw.entity.util.StringFStringEncryptConverter;
import javax.persistence.Column;
import javax.persistence.Convert;
import javax.persistence.Entity;
import javax.persistence.Table;
import javax.persistence.*;
import java.sql.Timestamp;
import java.util.Date;
@@ -16,7 +14,8 @@ import java.util.Date;
 */
@Entity
@Table(name = "gc_client_details")
public class GcClientDetails extends IdEntity implements java.io.Serializable {
@SequenceGenerator(name="id_generated", sequenceName="GC_CLIENT_DETAILS_SQU")
public class GcClientDetails extends IntegerIdentityEntity implements java.io.Serializable {
    // Fields

common/common-entity/src/main/java/com/yihu/jw/entity/iot/gateway/GcHttpLog.java

@@ -1,7 +1,10 @@
package com.yihu.jw.entity.iot.gateway;
import com.yihu.jw.entity.IntegerIdentityEntity;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.SequenceGenerator;
import javax.persistence.Table;
import java.sql.Timestamp;
import java.util.Date;
@@ -11,7 +14,8 @@ import java.util.Date;
 */
@Entity
@Table(name = "gc_http_log")
public class GcHttpLog extends IdEntity implements java.io.Serializable {
@SequenceGenerator(name="id_generated", sequenceName="GC_HTTP_LOG_SQU")
public class GcHttpLog extends IntegerIdentityEntity implements java.io.Serializable {
    // Fields

common/common-entity/src/main/java/com/yihu/jw/entity/iot/gateway/GcToken.java

@@ -1,7 +1,10 @@
package com.yihu.jw.entity.iot.gateway;
import com.yihu.jw.entity.IntegerIdentityEntity;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.SequenceGenerator;
import javax.persistence.Table;
import java.util.Date;
@@ -10,7 +13,8 @@ import java.util.Date;
 */
@Entity
@Table(name = "gc_token")
public class GcToken extends IdEntity implements java.io.Serializable {
@SequenceGenerator(name="id_generated", sequenceName="GC_TOKEN_SQU")
public class GcToken extends IntegerIdentityEntity implements java.io.Serializable {
    // Fields

common/common-entity/src/main/java/com/yihu/jw/entity/iot/gateway/GcTokenLog.java

@@ -1,7 +1,10 @@
package com.yihu.jw.entity.iot.gateway;
import com.yihu.jw.entity.IntegerIdentityEntity;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.SequenceGenerator;
import javax.persistence.Table;
import java.sql.Timestamp;
import java.util.Date;
@@ -11,7 +14,8 @@ import java.util.Date;
 */
@Entity
@Table(name = "gc_token_log")
public class GcTokenLog extends IdEntity implements java.io.Serializable {
@SequenceGenerator(name="id_generated", sequenceName="GC_TOKEN_LOG_SQU")
public class GcTokenLog extends IntegerIdentityEntity implements java.io.Serializable {
    // Fields

common/common-request-mapping/src/main/java/com/yihu/jw/rm/hospital/BaseHospitalRequestMapping.java

@@ -1526,7 +1526,7 @@ public class BaseHospitalRequestMapping {
     */
    public static class UpWebTherapySupserviceInfo{
        /*请求前缀*/
        public static final String PREFIX = "/open/gc/regulatory";
        public static final String PREFIX = "/open/gc";
        //保存医师唯一标识
        public static final String SAVEACHNS = "/saveAchns";

gateway/ag-basic/src/main/java/com/yihu/jw/gateway/filter/BasicZuulFilter.java

@@ -105,7 +105,8 @@ public class BasicZuulFilter extends ZuulFilter {
            url.contains("/open/noLogin/sfroutepushservice")||
            url.contains("/open/noLogin/ylzSettleRecord")||
                url.contains("/weixin")||
                url.contains("/excelControl"))){
                url.contains("/excelControl")||
                url.contains("/open/gc"))){
            logger.info("入参"+ctx.getRequestQueryParams());
            try {
                decrypt(ctx,request);

gateway/ag-basic/src/main/java/com/yihu/jw/gateway/filter/PostFilter.java

@@ -54,10 +54,10 @@ public class PostFilter extends ZuulFilter {
    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        BaseExceptionServerDictDao baseExceptionServiceDictDao = BeanUtil.getBean(BaseExceptionServerDictDao.class);
       /* BaseExceptionServerDictDao baseExceptionServiceDictDao = BeanUtil.getBean(BaseExceptionServerDictDao.class);
        BaseExceptionLogDao baseExceptionLogDao = BeanUtil.getBean(BaseExceptionLogDao.class);
        BaseExceptionService baseExceptionService = BeanUtil.getBean(BaseExceptionService.class);
        logger.info("进入post过滤器");
       */ logger.info("进入post过滤器");
        HttpServletRequest request = ctx.getRequest();
        String url = request.getRequestURI();
        if (url.contains("/excelControl")){
@@ -74,7 +74,7 @@ public class PostFilter extends ZuulFilter {
            bytes = StreamUtils.copyToByteArray(stream);
        }
        String body = new String(bytes,"UTF8");
        String serviceId="";
        /*String serviceId="";
        String responseCode="";
        String exceptionType="";
        List<BaseExceptionServerDictDO> baseExceptionServerDictDOS =baseExceptionServiceDictDao.findServiceAll();
@@ -120,8 +120,8 @@ public class PostFilter extends ZuulFilter {
            }
        }catch (Exception e){
            e.printStackTrace();
        }
        }*/
        logger.info("body",body);
        JSONObject object = new JSONObject();
        object.put("status","200");
        object.put("data", AesEncryptUtils.encrypt(body));
@@ -131,7 +131,8 @@ public class PostFilter extends ZuulFilter {
            url.contains("/open/noLogin/getSFExpressInfoNew")||
            url.contains("/open/noLogin/sfroutepushservice")||
            url.contains("/open/noLogin/ylzSettleRecord")||
                url.contains("/weixin")||url.contains("/oauth/getSsoPublicKey"))){
                url.contains("/weixin")||url.contains("/oauth/getSsoPublicKey")||
                url.contains("/open/gc"))){
            RequestContext.getCurrentContext().setResponseBody(object.toJSONString());
        }else {
            RequestContext.getCurrentContext().setResponseBody(body);

svr/svr-internet-hospital/src/main/java/com/yihu/jw/hospital/config/MvcConfig.java

@@ -0,0 +1,47 @@
package com.yihu.jw.hospital.config;
import com.yihu.jw.hospital.interceptor.CrosXssFilter;
import com.yihu.jw.hospital.interceptor.GateWayInterceptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
/**
 * Created by chenweida on 2017/4/6.
 */
@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {
    private Logger logger = LoggerFactory.getLogger(MvcConfig.class);
    @Autowired
    private GateWayInterceptor gateWayInterceptor;
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // 多个拦截器组成一个拦截器链
        // addPathPatterns 用于添加拦截规则
//         excludePathPatterns 用户排除拦截 ,/third/juye/kit/**
        registry.addInterceptor(gateWayInterceptor).addPathPatterns("/open/gc/**").excludePathPatterns(
                "/open/gc/accesstoken",
                "/open/gc/createGcClientDetails");
        super.addInterceptors(registry);
        logger.info("init gateWayInterceptor");
    }
    @Bean
    public FilterRegistrationBean testFilterRegistration() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(new CrosXssFilter());
        registration.addUrlPatterns("/*");
        registration.setName("CrosXssFilter");
        registration.setOrder(1);
        return registration;
    }
}

svr/svr-internet-hospital/src/main/java/com/yihu/jw/hospital/endpoint/gateway/GcTokenController.java

@@ -12,6 +12,7 @@ import com.yihu.jw.hospital.endpoint.gateway.model.BaseResultModel;
import com.yihu.jw.hospital.endpoint.gateway.model.GcClientDetailsModel;
import com.yihu.jw.hospital.endpoint.gateway.model.GcTokenModel;
import com.yihu.jw.hospital.endpoint.gateway.model.ResultOneModel;
import com.yihu.jw.rm.hospital.BaseHospitalRequestMapping;
import com.yihu.jw.rm.iot.IotRequestMapping;
import com.yihu.jw.util.common.IpUtil;
import io.swagger.annotations.Api;
@@ -38,7 +39,7 @@ import java.util.List;
 * 对外的网关
 */
@Controller
@RequestMapping(value = IotRequestMapping.Common.openThird, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
@RequestMapping(value = BaseHospitalRequestMapping.UpWebTherapySupserviceInfo.PREFIX, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
@ResponseBody
@Api(description = "token相关服务")
public class GcTokenController {
@@ -50,6 +51,8 @@ public class GcTokenController {
    private GcHttpLogDao httpLogDao;
    @Value("${interceptor.accesstoken.time}")
    private Integer tokenTime;
    @Value("${wechat.id}")
    private String wxId;
    @ApiOperation("获取accesstoken")
    @RequestMapping(value = "accesstoken", method = RequestMethod.POST, produces = "application/json;charset=UTF-8")
@@ -63,7 +66,7 @@ public class GcTokenController {
            ip = IpUtil.getIpAddress(request);
            //查询appId 的token是否过期
            GcToken gcToken = new GcToken();
            List<GcToken> gcTokenList = gcTokenService.findByAppId(appid);
            List<GcToken> gcTokenList = gcTokenService.findByAppId(appid,wxId);
            if(gcTokenList == null || gcTokenList.size() == 0){
                //得到用户
                GcClientDetails clientDetails = clientDetailsService.findByAppId(appid);
@@ -94,9 +97,11 @@ public class GcTokenController {
            }
            GcTokenModel gcTokenModel = new GcTokenModel();
            BeanUtils.copyProperties(gcToken, gcTokenModel);
            System.out.print("token"+gcToken.getOutTime());
            gcTokenModel.setOutTime(gcToken.getOutTime().getTime());
            return new ResultOneModel(gcTokenModel);
        } catch (Exception e) {
            e.printStackTrace();
            saveHttpLog(ip, new JSONObject(request.getParameterMap()).toString(), "", "", request.getRequestURI(), 0, BaseResultModel.statusEm.login_system_error.getMessage());
            return new ResultOneModel(BaseResultModel.statusEm.login_system_error.getCode(), BaseResultModel.statusEm.login_system_error.getMessage());
        }

svr/svr-internet-hospital/src/main/java/com/yihu/jw/hospital/interceptor/CrosXssFilter.java

@@ -0,0 +1,38 @@
package com.yihu.jw.hospital.interceptor;
import com.alibaba.fastjson.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
/**
 * Created by yeshijie on 2020/9/2.
 */
//@WebFilter(filterName = "CrosXssFilter", urlPatterns = { "/*" })
public class CrosXssFilter implements Filter {
    private static final Logger logger = LoggerFactory.getLogger(CrosXssFilter.class);
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        request.setCharacterEncoding("utf-8");
        response.setContentType("text/html;charset=utf-8");
        //sql,xss过滤
        HttpServletRequest httpServletRequest=(HttpServletRequest)request;
        logger.info("CrosXssFilter.......orignal url:{},ParameterMap:{}",httpServletRequest.getRequestURI(), JSONObject.toJSONString(httpServletRequest.getParameterMap()));
        XssHttpServletRequestWrapper xssHttpServletRequestWrapper=new XssHttpServletRequestWrapper(
                httpServletRequest);
        chain.doFilter(xssHttpServletRequestWrapper, response);
        logger.info("CrosXssFilter..........doFilter url:{},ParameterMap:{}",xssHttpServletRequestWrapper.getRequestURI(), JSONObject.toJSONString(xssHttpServletRequestWrapper.getParameterMap()));
    }
    @Override
    public void destroy() {
    }
}

svr/svr-internet-hospital/src/main/java/com/yihu/jw/hospital/interceptor/GateWayInterceptor.java

@@ -0,0 +1,164 @@
package com.yihu.jw.hospital.interceptor;
/**
 * Created by chenweida on 2017/8/17.
 */
import com.alibaba.fastjson.JSONObject;
import com.yihu.jw.entity.iot.gateway.GcHttpLog;
import com.yihu.jw.entity.iot.gateway.GcToken;
import com.yihu.jw.gateway.dao.GcHttpLogDao;
import com.yihu.jw.gateway.dao.GcTokenDao;
import com.yihu.jw.hospital.endpoint.gateway.model.BaseResultModel;
import com.yihu.jw.util.common.IpUtil;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Date;
/**
 * 对外的请求拦截
 */
@Component
public class GateWayInterceptor implements HandlerInterceptor {
    private Logger logger = LoggerFactory.getLogger(GateWayInterceptor.class);
    @Autowired
    private GcTokenDao gcTokenDaoDao;
    public static String status = "1";
    @Autowired
    private GcHttpLogDao httpLogDao;
    /**
     * preHandle：预处理回调方法
     *
     * @param request
     * @param response
     * @param handler
     * @return
     * @throws Exception
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        boolean flag = true;
        String accesstoken = request.getHeader("accesstoken");
        String ip = IpUtil.getIpAddress(request);
        //********************************判断accesstoken********************************
        try {
            if (org.springframework.util.StringUtils.isEmpty(accesstoken)) {
                saveHttpLog(ip, JSONObject.toJSONString(request.getParameterMap()), null, accesstoken, request.getRequestURI(), GcHttpLog.flagEm.error.getCode(), BaseResultModel.statusEm.token_null.getMessage());
                //没权限
                BaseResultModel baseResultModel = new BaseResultModel(BaseResultModel.statusEm.token_null.getCode(), BaseResultModel.statusEm.token_null.getMessage());
                response.getOutputStream().write(JSONObject.toJSONString(baseResultModel).getBytes());
                flag = false;
            }
            GcToken gcToken = gcTokenDaoDao.findByToken(accesstoken);
            if (gcToken == null) {
                saveHttpLog(ip, JSONObject.toJSONString(request.getParameterMap()), null, accesstoken, request.getRequestURI(), GcHttpLog.flagEm.error.getCode(), BaseResultModel.statusEm.token_no_power.getMessage());
                //没权限
                BaseResultModel baseResultModel = new BaseResultModel(BaseResultModel.statusEm.token_no_power.getCode(), BaseResultModel.statusEm.token_no_power.getMessage());
                response.getOutputStream().write(JSONObject.toJSONString(baseResultModel).getBytes());
                flag = false;
            }
            if (gcToken.getDel() == null || gcToken.getDel() == 0) {
                saveHttpLog(ip, JSONObject.toJSONString(request.getParameterMap()), null, accesstoken, request.getRequestURI(), GcHttpLog.flagEm.error.getCode(), BaseResultModel.statusEm.token_out_effect.getMessage());
                //token无效
                BaseResultModel baseResultModel = new BaseResultModel(BaseResultModel.statusEm.token_out_effect.getCode(), BaseResultModel.statusEm.token_out_effect.getMessage());
                response.getOutputStream().write(JSONObject.toJSONString(baseResultModel).getBytes());
                flag = false;
            }
            if (System.currentTimeMillis() > gcToken.getOutTime().getTime()) {
                saveHttpLog(ip, JSONObject.toJSONString(request.getParameterMap()), null, accesstoken, request.getRequestURI(), GcHttpLog.flagEm.error.getCode(), BaseResultModel.statusEm.token_out_time.getMessage());
                //token过期
                BaseResultModel baseResultModel = new BaseResultModel(BaseResultModel.statusEm.token_out_time.getCode(), BaseResultModel.statusEm.token_out_time.getMessage());
                response.getOutputStream().write(JSONObject.toJSONString(baseResultModel).getBytes());
                flag = false;
            }
        } catch (Exception e) {
            saveHttpLog(ip, JSONObject.toJSONString(request.getParameterMap()), null, accesstoken, request.getRequestURI(), GcHttpLog.flagEm.error.getCode(), e.getMessage());
            return false;
        }
        //********************************判断accesstoken********************************
        return flag;
    }
    /**
     * 后处理回调方法
     *
     * @param request
     * @param response
     * @param handler
     * @param modelAndView
     * @throws Exception
     */
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        String output = "";
        if (modelAndView != null) {
            output = JSONObject.toJSONString(modelAndView.getModelMap());
        } else {
            Object returnObj = request.getAttribute("returnObj");
            if (returnObj != null) {
                output = JSONObject.toJSONString(returnObj);
            }
        }
        HandlerMethod handlerMethod = (HandlerMethod) handler;
//        response.getOutputStream()
        String token = request.getHeader("accesstoken");
        String ip = IpUtil.getIpAddress(request);
        saveHttpLog(ip,
                JSONObject.toJSONString(request.getParameterMap()),
                output,
                token,
                request.getRequestURI(),
                GcHttpLog.flagEm.success.getCode(),
                null);
    }
    /**
     * 整个请求处理完毕回调方法
     *
     * @param request
     * @param response
     * @param handler
     * @param ex
     * @throws Exception
     */
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
    }
    public void saveHttpLog(String ip, String input, String output, String token, String method, Integer flag, String message) {
        GcHttpLog gcHttpLog = new GcHttpLog();
        gcHttpLog.setCreateTime(new Date());
        gcHttpLog.setIp(ip);
        gcHttpLog.setInput(input);
        if(StringUtils.isNotEmpty(output)&&output.length() > 3000) {
            output = output.substring(0, 3000);
        }
        gcHttpLog.setOutput(output);
        gcHttpLog.setToken(token);
        gcHttpLog.setMethod(method);
        gcHttpLog.setFlag(flag);
        gcHttpLog.setMessage(message);
        httpLogDao.save(gcHttpLog);
    }
    public String getStatus() {
        return status;
    }
}

svr/svr-internet-hospital/src/main/java/com/yihu/jw/hospital/interceptor/XssHttpServletRequestWrapper.java

@@ -0,0 +1,120 @@
package com.yihu.jw.hospital.interceptor;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
/**
 * Created by yeshijie on 2020/9/1.
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private final Logger log = LoggerFactory.getLogger(getClass());
    private static String key = "select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|*|%";
    private static Set<String> notAllowedKeyWords = new HashSet<String>(0);
    private static String replacedString="INVALID";
    static {
        String keyStr[] = key.split("\\|");
        for (String str : keyStr) {
            notAllowedKeyWords.add(str);
        }
    }
    private String currentUrl;
    public XssHttpServletRequestWrapper(HttpServletRequest servletRequest) {
        super(servletRequest);
        currentUrl = servletRequest.getRequestURI();
    }
    /**覆盖getParameter方法，将参数名和参数值都做xss过滤。
     * 如果需要获得原始的值，则通过super.getParameterValues(name)来获取
     * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
     */
    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        if (value == null) {
            return null;
        }
        return cleanXSS(value);
    }
    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = cleanXSS(values[i]);
        }
        return encodedValues;
    }
    @Override
    public Map<String, String[]> getParameterMap(){
        Map<String, String[]> values=super.getParameterMap();
        if (values == null) {
            return null;
        }
        Map<String, String[]> result=new HashMap<>();
        for(String key:values.keySet()){
            String encodedKey=cleanXSS(key);
            int count=values.get(key).length;
            String[] encodedValues = new String[count];
            for (int i = 0; i < count; i++){
                encodedValues[i]=cleanXSS(values.get(key)[i]);
            }
            result.put(encodedKey,encodedValues);
        }
        return result;
    }
    /**
     * 覆盖getHeader方法，将参数名和参数值都做xss过滤。
     * 如果需要获得原始的值，则通过super.getHeaders(name)来获取
     * getHeaderNames 也可能需要覆盖
     */
    @Override
    public String getHeader(String name) {
//        String value = super.getHeader(name);
//        if (value == null) {
//            return null;
//        }
//        return cleanXSS(value);
        return super.getHeader(name);
    }
    private String cleanXSS(String valueP) {
        // You'll need to remove the spaces from the html entities below
        String value = valueP.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
        value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
        value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
        value = value.replaceAll("'", "& #39;");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("script", "");
        value = cleanSqlKeyWords(value);
        return value;
    }
    private String cleanSqlKeyWords(String value) {
        String paramValue = value;
        for (String keyword : notAllowedKeyWords) {
            if (paramValue.length() > keyword.length() + 4
                    && (paramValue.contains(" "+keyword)||paramValue.contains(keyword+" ")||paramValue.contains(" "+keyword+" "))) {
                paramValue = StringUtils.replace(paramValue, keyword, replacedString);
                log.error(this.currentUrl + "已被过滤，因为参数中包含不允许sql的关键词(" + keyword
                        + ")"+";参数："+value+";过滤后的参数："+paramValue);
            }
        }
        return paramValue;
    }
}