|
@ -131,6 +131,11 @@ public class BasicZuulFilter extends ZuulFilter {
|
|
|
} catch (Exception e) {
|
|
} catch (Exception e) {
|
|
|
e.printStackTrace();
|
|
e.printStackTrace();
|
|
|
}
|
|
}
|
|
|
|
|
//防止SQL注入过滤器
|
|
|
|
|
if(doSqlFilterCtx(ctx)){
|
|
|
|
|
logger.info("1111111111111111");
|
|
|
|
|
return this.forbidden(ctx, ResultStatus.ERROR_PARA, "Illegal parameter");
|
|
|
|
|
}
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
//保存操作日志
|
|
//保存操作日志
|
|
@ -362,6 +367,20 @@ public class BasicZuulFilter extends ZuulFilter {
|
|
|
return new RedisTokenStore(jedisConnectionFactory);
|
|
return new RedisTokenStore(jedisConnectionFactory);
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
public boolean doSqlFilterCtx(RequestContext ctx){
|
|
|
|
|
Map<String, List<String>> map = ctx.getRequestQueryParams();
|
|
|
|
|
String sql = "";
|
|
|
|
|
if (map!=null&&map.size()!=0){
|
|
|
|
|
for (Map.Entry<String,List<String>> entry:map.entrySet()) {
|
|
|
|
|
sql = sql + entry.getValue();
|
|
|
|
|
}
|
|
|
|
|
if (sqlValidate(sql)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
public boolean doSqlFilter(HttpServletRequest request){
|
|
public boolean doSqlFilter(HttpServletRequest request){
|
|
|
Enumeration params = request.getParameterNames();
|
|
Enumeration params = request.getParameterNames();
|
|
|
String sql = "";
|
|
String sql = "";
|
|
@ -370,7 +389,10 @@ public class BasicZuulFilter extends ZuulFilter {
|
|
|
String name = params.nextElement().toString();
|
|
String name = params.nextElement().toString();
|
|
|
// 得到参数对应值
|
|
// 得到参数对应值
|
|
|
String[] value = request.getParameterValues(name);
|
|
String[] value = request.getParameterValues(name);
|
|
|
|
|
System.out.println("入参"+JSONObject.toJSONString(value));
|
|
|
|
|
System.out.println("11111111111"+name);
|
|
|
for (int i = 0; i < value.length; i++) {
|
|
for (int i = 0; i < value.length; i++) {
|
|
|
|
|
|
|
|
sql = sql + value[i];
|
|
sql = sql + value[i];
|
|
|
}
|
|
}
|
|
|
if (sqlValidate(sql)) {
|
|
if (sqlValidate(sql)) {
|
|
@ -419,10 +441,10 @@ public class BasicZuulFilter extends ZuulFilter {
|
|
|
private static boolean sqlValidate(String str) {
|
|
private static boolean sqlValidate(String str) {
|
|
|
if (org.apache.commons.lang3.StringUtils.isNoneBlank(str)){
|
|
if (org.apache.commons.lang3.StringUtils.isNoneBlank(str)){
|
|
|
str = str.toLowerCase();//统一转为小写,比较简单的单词加入右边空格,避免单词中包含字段
|
|
str = str.toLowerCase();//统一转为小写,比较简单的单词加入右边空格,避免单词中包含字段
|
|
|
String badStr = "and |exec |execute |insert |select |delete |update |drop |chr |mid |master |truncate |" +
|
|
|
|
|
"declare | sitename |net user|xp_cmdshell|or |exec |execute |create |" +
|
|
|
|
|
"table |from |grant |use |group_concat|column_name|" +
|
|
|
|
|
"information_schema.columns|table_schema|union |where |select |update |order |by |like |" ;//过滤掉的sql关键字,可以手动添加
|
|
|
|
|
|
|
String badStr = "and|exec|execute|insert|select|delete|update|drop|chr|mid|master|truncate|" +
|
|
|
|
|
"declare|sitename|net user|xp_cmdshell|or|exec|execute|create|" +
|
|
|
|
|
"table|from|grant|use|group_concat|column_name|" +
|
|
|
|
|
"information_schema.columns|table_schema|union|where|select|update|order|by|like|" ;//过滤掉的sql关键字,可以手动添加
|
|
|
String[] badStrs = badStr.split("\\|");
|
|
String[] badStrs = badStr.split("\\|");
|
|
|
for (int i = 0; i < badStrs.length; i++) {
|
|
for (int i = 0; i < badStrs.length; i++) {
|
|
|
if (str.indexOf(badStrs[i]) >= 0) {
|
|
if (str.indexOf(badStrs[i]) >= 0) {
|
wangzhinan