
中山处方上传加特殊病种

wangzhinan 3 周之前
父節點
當前提交
7eef45b8a6
共有 1 個文件被更改,包括 26 次插入4 次删除
  1. 26 4
      gateway/ag-basic/src/main/java/com/yihu/jw/gateway/filter/BasicZuulFilter.java

+ 26 - 4
gateway/ag-basic/src/main/java/com/yihu/jw/gateway/filter/BasicZuulFilter.java

@ -131,6 +131,11 @@ public class BasicZuulFilter extends ZuulFilter {
            } catch (Exception e) {
                e.printStackTrace();
            }
            //防止SQL注入过滤器
            if(doSqlFilterCtx(ctx)){
                logger.info("1111111111111111");
                return this.forbidden(ctx, ResultStatus.ERROR_PARA, "Illegal parameter");
            }
        }
        //保存操作日志
@ -362,6 +367,20 @@ public class BasicZuulFilter extends ZuulFilter {
        return new RedisTokenStore(jedisConnectionFactory);
    }
    public boolean doSqlFilterCtx(RequestContext ctx){
        Map<String, List<String>> map = ctx.getRequestQueryParams();
        String sql = "";
        if (map!=null&&map.size()!=0){
            for (Map.Entry<String,List<String>> entry:map.entrySet()) {
                sql = sql + entry.getValue();
            }
            if (sqlValidate(sql)) {
                return true;
            }
        }
        return false;
    }
    public boolean doSqlFilter(HttpServletRequest request){
        Enumeration params = request.getParameterNames();
        String sql = "";
@ -370,7 +389,10 @@ public class BasicZuulFilter extends ZuulFilter {
            String name = params.nextElement().toString();
            // 得到参数对应值
            String[] value = request.getParameterValues(name);
            System.out.println("入参"+JSONObject.toJSONString(value));
            System.out.println("11111111111"+name);
            for (int i = 0; i < value.length; i++) {
                sql = sql + value[i];
            }
            if (sqlValidate(sql)) {
@ -419,10 +441,10 @@ public class BasicZuulFilter extends ZuulFilter {
    private static boolean sqlValidate(String str) {
        if (org.apache.commons.lang3.StringUtils.isNoneBlank(str)){
            str = str.toLowerCase();//统一转为小写,比较简单的单词加入右边空格,避免单词中包含字段
            String badStr = "and |exec |execute |insert |select |delete |update |drop |chr |mid |master |truncate |" +
                    "declare | sitename |net user|xp_cmdshell|or |exec |execute |create |" +
                    "table |from |grant |use |group_concat|column_name|" +
                    "information_schema.columns|table_schema|union |where |select |update |order |by |like |" ;//过滤掉的sql关键字,可以手动添加
            String badStr = "and|exec|execute|insert|select|delete|update|drop|chr|mid|master|truncate|" +
                    "declare|sitename|net user|xp_cmdshell|or|exec|execute|create|" +
                    "table|from|grant|use|group_concat|column_name|" +
                    "information_schema.columns|table_schema|union|where|select|update|order|by|like|" ;//过滤掉的sql关键字,可以手动添加
            String[] badStrs = badStr.split("\\|");
            for (int i = 0; i < badStrs.length; i++) {
                if (str.indexOf(badStrs[i]) >= 0) {
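Review bot: The new badStr in sqlValidate drops the trailing spaces that the comment on the preceding line (`比较简单的单词加入右边空格,避免单词中包含字段`) says were added on purpose, so the `indexOf` loop below now flags any request whose parameters contain `and`, `or`, `by`, `use`, `mid` or `from` inside an ordinary word (standard, order, user, ...) and the caller in the first hunk answers with "Illegal parameter"; either keep the word-boundary spaces or match each keyword with a `\b`-delimited `Pattern`, and drop the duplicated `exec|execute|select|update` entries while at it. The same substring match is fed by the new doSqlFilterCtx in the second hunk, which concatenates `entry.getValue()` — a `List<String>`, rendered as `[a, b]` — across every query parameter into one string, so the check runs on list formatting and on text that straddles parameter boundaries rather than on each value. The `System.out.println("入参"+JSONObject.toJSONString(value))` and `System.out.println("11111111111"+name)` lines in the third hunk and `logger.info("1111111111111111")` in the first hunk look like debugging leftovers; the parameter dump in particular writes every request value passing through the gateway, which may include credentials or tokens, to stdout. A keyword blocklist at the gateway is not a substitute for parameterized queries in the downstream services, so it would help to document that intent and the expected false-positive rate in a Javadoc on sqlValidate. sqlValidate's body continues past the end of the hunk.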