
中山处方上传加特殊病种

wangzhinan 2 weeks ago
parent
commit
820128cb26

+ 25 - 25
gateway/ag-basic/src/main/java/com/yihu/jw/gateway/config/MultipartConfig.java

@ -1,7 +1,7 @@
package com.yihu.jw.gateway.config;
import com.yihu.jw.gateway.filter.CORSFilter;
import com.yihu.jw.gateway.filter.CsrfFilter;
//import com.yihu.jw.gateway.filter.CORSFilter;
//import com.yihu.jw.gateway.filter.CsrfFilter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
@ -18,10 +18,10 @@ import java.io.*;
@Configuration
public class MultipartConfig {
    @Autowired
    CsrfFilter csrfFilter;
    @Autowired
    private CORSFilter corsFilter;
//    @Autowired
//    CsrfFilter csrfFilter;
//    @Autowired
//    private CORSFilter corsFilter;
    @Value("${server.tomcat.basedir}")
    String tomcatLocation;
@ -38,24 +38,24 @@ public class MultipartConfig {
        return factory.createMultipartConfig();
    }
    @Bean
    public FilterRegistrationBean testFilterRegistration3() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(corsFilter);
        registration.addUrlPatterns("/*");
        registration.setName("corsFilter");
        registration.setOrder(-1);
        return registration;
    }
    @Bean
    public FilterRegistrationBean testFilterRegistration4() {
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setFilter(csrfFilter);
        registration.addUrlPatterns("/*");
        registration.setName("CsrfFilter");
        registration.setOrder(3);
        return registration;
    }
//    @Bean
//    public FilterRegistrationBean testFilterRegistration3() {
//        FilterRegistrationBean registration = new FilterRegistrationBean();
//        registration.setFilter(corsFilter);
//        registration.addUrlPatterns("/*");
//        registration.setName("corsFilter");
//        registration.setOrder(-1);
//        return registration;
//    }
//
//    @Bean
//    public FilterRegistrationBean testFilterRegistration4() {
//        FilterRegistrationBean registration = new FilterRegistrationBean();
//        registration.setFilter(csrfFilter);
//        registration.addUrlPatterns("/*");
//        registration.setName("CsrfFilter");
//        registration.setOrder(3);
//        return registration;
//    }
}
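Review bot: With both `FilterRegistrationBean`s commented out the gateway registers no CORS filter and no CSRF filter on `/*`, and the print order (old copy, then new) suggests the commented-out copy is the new side; a security-relevant removal like that should be stated in the commit message, which only mentions prescription upload. If the order is the other way round and the filters are being re-enabled, the `csrfFilter` registration at order 3 still admits any request whose `Referer` is absent (the filter's own null check), so it should not be relied on as the only CSRF control. In either case, delete the dead `@Autowired` fields and `@Bean` methods instead of keeping them as comments—commented-out registrations tend to be resurrected later without review, and version control already preserves them.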

+ 21 - 18
gateway/ag-basic/src/main/java/com/yihu/jw/gateway/filter/BasicZuulFilter.java

@ -92,10 +92,10 @@ public class BasicZuulFilter extends ZuulFilter {
            request = ctx.getRequest();
            url = request.getRequestURI();
//            //防止SQL注入过滤器
//            if(doSqlFilter(request)){
//                return this.forbidden(ctx, ResultStatus.ERROR_PARA, "Illegal parameter");
//            }
            //防止SQL注入过滤器
            if(doSqlFilter(request)){
                return this.forbidden(ctx, ResultStatus.ERROR_PARA, "Illegal parameter");
            }
            //文件类型过滤器
            if(doFileFilter(request)){
@ -131,11 +131,11 @@ public class BasicZuulFilter extends ZuulFilter {
            } catch (Exception e) {
                e.printStackTrace();
            }
            //防止SQL注入过滤器
            if(doSqlFilterCtx(ctx)){
                logger.info("1111111111111111");
                return this.forbidden(ctx, ResultStatus.ERROR_PARA, "Illegal parameter");
            }
//            //防止SQL注入过滤器
//            if(doSqlFilterCtx(ctx)){
//                logger.info("1111111111111111");
//                return this.forbidden(ctx, ResultStatus.ERROR_PARA, "Illegal parameter");
//            }
        }
        //保存操作日志
@ -176,9 +176,13 @@ public class BasicZuulFilter extends ZuulFilter {
                for(String str:object.keySet()){
                    List<String> arrayList = new ArrayList<>();
                    String value = object.getString(str);
              /*  if (sqlValidate(value)){
                    throw new Exception("Illegal parameter");
                }*/
                    if (!StringUtils.isEmpty(value)){
                        if (sqlValidate(value)){
                            logger.info("11111111111111111111"+value);
                            throw new Exception("Illegal parameter");
                        }
                    }
                    arrayList.add(value);
                    map.put(str,arrayList);
                }
@ -204,10 +208,10 @@ public class BasicZuulFilter extends ZuulFilter {
                JSONObject jsonObject = JSONObject.parseObject(jsonobject);
                for(String str:jsonObject.keySet()){
                    String value = jsonObject.getString(str);
                    /*if (sqlValidate(value)){
                        throw new Exception("Illegal parameter");
                    }*/
                    if (!StringUtils.isEmpty(value)){
                        if (sqlValidate(value)){
                            throw new Exception("Illegal parameter");
                        }
                        value = URLEncoder.encode(value);
                    }
                    body+=str+"="+ value+"&";
@ -441,13 +445,12 @@ public class BasicZuulFilter extends ZuulFilter {
    private static boolean sqlValidate(String str) {
        if (org.apache.commons.lang3.StringUtils.isNoneBlank(str)){
            str = str.toLowerCase();//统一转为小写,比较简单的单词加入右边空格,避免单词中包含字段
            String badStr = "and|exec|execute|insert|select|delete|update|drop|chr|mid|master|truncate|" +
                    "declare|sitename|net user|xp_cmdshell|or|exec|execute|create|" +
                    "table|from|grant|use|group_concat|column_name|" +
            String badStr = "exec|execute|insert|select|delete|update|drop|chr"+
                    "information_schema.columns|table_schema|union|where|order|like|" ;//过滤掉的sql关键字,可以手动添加
            String[] badStrs = badStr.split("\\|");
            for (int i = 0; i < badStrs.length; i++) {
                if (str.indexOf(badStrs[i]) >= 0) {
                    logger.info("2222222222222222222"+badStrs[i]);
                    return true;
                }
            }
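Review bot: The new `badStr` line ends with `"chr"+` and is concatenated straight onto `"information_schema.columns|table_schema|..."`, so after `split("\\|")` the blacklist contains `chrinformation_schema.columns` and neither `chr` nor `information_schema.columns` can ever match; the intended line is `String badStr = "exec|execute|insert|select|delete|update|drop|chr|" +`. Even with that fixed, `str.indexOf(badStrs[i]) >= 0` is a plain substring test, so legitimate values containing `update`, `order`, `like` or `where` (a drug name, a prescription note) are rejected as "Illegal parameter", while a keyword blacklist at the gateway does not stop injection into a backend that concatenates SQL—parameterized queries there are the real control, and this filter should be documented as a heuristic only. The `logger.info("2222222222222222222"+badStrs[i])` and `logger.info("11111111111111111111"+value)` lines read as leftover debugging and should be removed or demoted to debug with the parameter name rather than its value. The same commit appears to enable `doSqlFilter(request)` while commenting out `doSqlFilterCtx(ctx)`; if only one path is meant to be checked, a short comment saying why would save the next reader from re-enabling it. The body of `sqlValidate` continues past the end of the last hunk.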

+ 58 - 58
gateway/ag-basic/src/main/java/com/yihu/jw/gateway/filter/CORSFilter.java

@ -1,58 +1,58 @@
package com.yihu.jw.gateway.filter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
/**
 * Created by yeshijie on 2024/3/26.
 */
//@Order(-1)
//@WebFilter(filterName = "corsFilter", urlPatterns = {"/*"}) 注解的jar启动不生效要tomcat
@Component
public class CORSFilter implements Filter {
    private Logger logger = LoggerFactory.getLogger(CORSFilter.class);
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        logger.info(">>>>>>>>>>>>>>>>>来了》》》》》》》》》》》》》》》》"+request.getHeader("Origin"));
        //https://yyfbxt.szhz.hangzhou.gov.cn:8068/web/mgop/gov-open/zj/2002347641/reserved/index.html
//        response.setHeader("Access-Control-Allow-Origin", "https://yyfbxt.szhz.hangzhou.gov.cn:8068");
//        response.setHeader("Access-Control-Allow-Origin", "*");
//        response.setHeader("Access-Control-Allow-Headers", "access-control-allow-origin, authority, content-type, version-info, X-Requested-With");
        response.setHeader("Access-Control-Allow-Headers", "*");
//        response.setHeader("Access-Control-Expose-Headers", "*");
        response.setHeader("Access-Control-Allow-Methods", "*");
        response.setHeader("Access-Control-Max-Age", "3600");
        if(request.getRequestURI().contains("dump")){
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            logger.info("SC_FORBIDDEN=======================");
            return;
        }
        //response.setHeader("Access-Control-Allow-Credentials", "true");
        if ("OPTIONS".equals(request.getMethod())) {
            response.setStatus(HttpServletResponse.SC_OK);
            logger.info("OPTIONS=======================");
            return;
        }
        filterChain.doFilter(request, response);
    }
    @Override
    public void destroy() {
    }
}
//package com.yihu.jw.gateway.filter;
//
//import org.slf4j.Logger;
//import org.slf4j.LoggerFactory;
//import org.springframework.stereotype.Component;
//
//import javax.servlet.*;
//import javax.servlet.http.HttpServletRequest;
//import javax.servlet.http.HttpServletResponse;
//import java.io.IOException;
//
///**
// * Created by yeshijie on 2024/3/26.
// */
////@Order(-1)
////@WebFilter(filterName = "corsFilter", urlPatterns = {"/*"}) 注解的jar启动不生效要tomcat
//@Component
//public class CORSFilter implements Filter {
//
//    private Logger logger = LoggerFactory.getLogger(CORSFilter.class);
//
//    @Override
//    public void init(FilterConfig filterConfig) throws ServletException {
//
//    }
//
//    @Override
//    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
//        HttpServletResponse response = (HttpServletResponse) servletResponse;
//        HttpServletRequest request = (HttpServletRequest) servletRequest;
//        logger.info(">>>>>>>>>>>>>>>>>来了》》》》》》》》》》》》》》》》"+request.getHeader("Origin"));
//        //https://yyfbxt.szhz.hangzhou.gov.cn:8068/web/mgop/gov-open/zj/2002347641/reserved/index.html
////        response.setHeader("Access-Control-Allow-Origin", "https://yyfbxt.szhz.hangzhou.gov.cn:8068");
////        response.setHeader("Access-Control-Allow-Origin", "*");
////        response.setHeader("Access-Control-Allow-Headers", "access-control-allow-origin, authority, content-type, version-info, X-Requested-With");
//        response.setHeader("Access-Control-Allow-Headers", "*");
////        response.setHeader("Access-Control-Expose-Headers", "*");
//        response.setHeader("Access-Control-Allow-Methods", "*");
//        response.setHeader("Access-Control-Max-Age", "3600");
//        if(request.getRequestURI().contains("dump")){
//            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
//            logger.info("SC_FORBIDDEN=======================");
//            return;
//        }
//        //response.setHeader("Access-Control-Allow-Credentials", "true");
//        if ("OPTIONS".equals(request.getMethod())) {
//            response.setStatus(HttpServletResponse.SC_OK);
//            logger.info("OPTIONS=======================");
//            return;
//        }
//        filterChain.doFilter(request, response);
//    }
//
//    @Override
//    public void destroy() {
//
//    }
//}
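Review bot: If the fully commented-out copy is the new side, as the print order suggests, this also drops the only visible gateway-level block on request URIs containing `dump` (the `SC_FORBIDDEN` branch) and the `OPTIONS` short-circuit, so any dump-style management endpoint reachable through the gateway now needs protection at the route or in the downstream service. That check was weak regardless—`getRequestURI().contains("dump")` is case-sensitive and blind to percent-encoded or differently normalized paths—so a replacement should match the concrete endpoint paths rather than a substring. Should the active version instead be the one being reinstated, note that it sets `Access-Control-Allow-Headers: *` and `Access-Control-Allow-Methods: *` without any `Access-Control-Allow-Origin`, which browsers treat as no CORS grant at all; an explicit origin allow-list is needed before the `*` headers do anything useful. A file that is entirely commented out should be deleted, not kept.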

+ 122 - 122
gateway/ag-basic/src/main/java/com/yihu/jw/gateway/filter/CsrfFilter.java

@ -1,122 +1,122 @@
package com.yihu.jw.gateway.filter;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
 * Created by yeshijie on 2022/3/15.
 */
@Component
public class CsrfFilter implements Filter {
    @Autowired
    private StringRedisTemplate redisTemplate;
    private Logger log = LoggerFactory.getLogger(CsrfFilter.class);
    /**
     * 过滤器配置对象
     */
    FilterConfig filterConfig = null;
    private boolean getEnable(){
        String strEnable = redisTemplate.opsForValue().get("security:csrf:enable");
        if(StringUtils.isNotBlank(strEnable)){
            return "1".equals(strEnable);
        }
        redisTemplate.opsForValue().set("security:csrf:enable","0");
        return false;
    }
    /**
     * 忽略的URL
     */
    private List<String> excludes = new ArrayList<>();
    public void setExcludes(List<String> excludes) {
        this.excludes = excludes;
    }
    /**
     * 初始化
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }
    /**
     * 拦截
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String referer = request.getHeader("Referer");
        String host = request.getServerName();
        // 不启用或者已忽略的URL不拦截
        if(!getEnable() ||referer == null||referer.indexOf("http://ehr.yihu.com")==0
                ||referer.indexOf("https://zhyzh.gongshu.gov.cn")==0
                ||referer.indexOf("https://yyfbxt.szhz.hangzhou.gov.cn")==0
                ||referer.indexOf("27.154.233.186")>0
                ||referer.indexOf(host)>0){
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        java.net.URL url = null;
        try {
            url = new java.net.URL(referer);
        } catch (MalformedURLException e) {
            // URL解析异常,也置为404
            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 判断是否存在外链请求本站
        if (!host.equals(url.getHost())) {
            log.error("CSRF过滤器 => 服务器:{} => 当前域名:{}", host, referer);
            servletResponse.setContentType("text/html; charset=utf-8");
            servletResponse.getWriter().write("系统不支持当前域名的访问!");
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }
    /**
     * 销毁
     */
    @Override
    public void destroy() {
        this.filterConfig = null;
    }
    /**
     * 判断是否为忽略的URL
     *
     * @param url URL路径
     * @return true-忽略,false-过滤
     */
    private boolean isExcludeUrl(String url) {
        if (excludes == null || excludes.isEmpty()) {
            return false;
        }
        return excludes.stream().map(pattern -> Pattern.compile("^" + pattern)).map(p -> p.matcher(url))
                .anyMatch(Matcher::find);
    }
}
//package com.yihu.jw.gateway.filter;
//
//import org.apache.commons.lang3.StringUtils;
//import org.slf4j.Logger;
//import org.slf4j.LoggerFactory;
//import org.springframework.beans.factory.annotation.Autowired;
//import org.springframework.data.redis.core.StringRedisTemplate;
//import org.springframework.stereotype.Component;
//
//import javax.servlet.*;
//import javax.servlet.http.HttpServletRequest;
//import javax.servlet.http.HttpServletResponse;
//import java.io.IOException;
//import java.net.MalformedURLException;
//import java.util.ArrayList;
//import java.util.List;
//import java.util.regex.Matcher;
//import java.util.regex.Pattern;
//
///**
// * Created by yeshijie on 2022/3/15.
// */
//@Component
//public class CsrfFilter implements Filter {
//
//    @Autowired
//    private StringRedisTemplate redisTemplate;
//
//    private Logger log = LoggerFactory.getLogger(CsrfFilter.class);
//    /**
//     * 过滤器配置对象
//     */
//    FilterConfig filterConfig = null;
//
//    private boolean getEnable(){
//        String strEnable = redisTemplate.opsForValue().get("security:csrf:enable");
//        if(StringUtils.isNotBlank(strEnable)){
//            return "1".equals(strEnable);
//        }
//        redisTemplate.opsForValue().set("security:csrf:enable","0");
//        return false;
//    }
//
//    /**
//     * 忽略的URL
//     */
//    private List<String> excludes = new ArrayList<>();
//
//    public void setExcludes(List<String> excludes) {
//        this.excludes = excludes;
//    }
//
//    /**
//     * 初始化
//     */
//    @Override
//    public void init(FilterConfig filterConfig) throws ServletException {
//        this.filterConfig = filterConfig;
//    }
//
//    /**
//     * 拦截
//     */
//    @Override
//    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
//            throws IOException, ServletException {
//        HttpServletRequest request = (HttpServletRequest) servletRequest;
//        HttpServletResponse response = (HttpServletResponse) servletResponse;
//
//        String referer = request.getHeader("Referer");
//        String host = request.getServerName();
//        // 不启用或者已忽略的URL不拦截
//        if(!getEnable() ||referer == null||referer.indexOf("http://ehr.yihu.com")==0
//                ||referer.indexOf("https://zhyzh.gongshu.gov.cn")==0
//                ||referer.indexOf("https://yyfbxt.szhz.hangzhou.gov.cn")==0
//                ||referer.indexOf("27.154.233.186")>0
//                ||referer.indexOf(host)>0){
//            filterChain.doFilter(servletRequest, servletResponse);
//            return;
//        }
//
//        java.net.URL url = null;
//        try {
//            url = new java.net.URL(referer);
//        } catch (MalformedURLException e) {
//            // URL解析异常,也置为404
//            response.setStatus(HttpServletResponse.SC_NOT_FOUND);
//            return;
//        }
//
//        // 判断是否存在外链请求本站
//        if (!host.equals(url.getHost())) {
//            log.error("CSRF过滤器 => 服务器:{} => 当前域名:{}", host, referer);
//            servletResponse.setContentType("text/html; charset=utf-8");
//            servletResponse.getWriter().write("系统不支持当前域名的访问!");
//        } else {
//            filterChain.doFilter(servletRequest, servletResponse);
//        }
//    }
//
//    /**
//     * 销毁
//     */
//    @Override
//    public void destroy() {
//        this.filterConfig = null;
//    }
//
//    /**
//     * 判断是否为忽略的URL
//     *
//     * @param url URL路径
//     * @return true-忽略,false-过滤
//     */
//    private boolean isExcludeUrl(String url) {
//        if (excludes == null || excludes.isEmpty()) {
//            return false;
//        }
//        return excludes.stream().map(pattern -> Pattern.compile("^" + pattern)).map(p -> p.matcher(url))
//                .anyMatch(Matcher::find);
//    }
//}
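Review bot: Whichever copy is the new side, the Referer check in `doFilter` is bypassable as written: `referer.indexOf(host)>0` and `referer.indexOf("27.154.233.186")>0` match the string anywhere in the header, so `https://attacker.example/?r=<host>` passes, and a missing `Referer` passes outright; if the filter is meant to stay or return, reduce the allow branch to `host.equals(url.getHost())` plus an exact-origin allow-list. The rejection branch writes "系统不支持当前域名的访问!" but never sets a status, so a blocked request is answered with HTTP 200 and a body, which clients and monitoring will read as success; add `response.setStatus(HttpServletResponse.SC_FORBIDDEN);` before the write. `getEnable()` also writes `security:csrf:enable=0` into Redis whenever the key is absent, so a fresh or flushed Redis silently disables the filter—defaulting to enabled, or at least logging the fallback, would be safer. `isExcludeUrl` and `excludes` are defined but never consulted, so either wire them into `doFilter` or remove them.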