fix 修复经过加密的请求无法过滤xss问题将xss实现从gateway移动到common-web解密后过滤

2026-04-25 20:48:35 +08:00 · 2024-10-20 12:26:05 +08:00
parent f64b17b548
commit 503a0efc31
8 changed files with 209 additions and 113 deletions
--- a/ruoyi-gateway/src/main/java/org/dromara/gateway/config/properties/XssProperties.java
+++ b/ruoyi-gateway/src/main/java/org/dromara/gateway/config/properties/XssProperties.java
@@ -1,32 +0,0 @@
-package org.dromara.gateway.config.properties;
-
-import lombok.Data;
-import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.cloud.context.config.annotation.RefreshScope;
-import org.springframework.context.annotation.Configuration;
-
-import java.util.ArrayList;
-import java.util.List;
-
-/**
- * XSS跨站脚本配置
- *
- * @author ruoyi
- */
-@Data
-@Configuration
-@RefreshScope
-@ConfigurationProperties(prefix = "security.xss")
-public class XssProperties {
-
-    /**
-     * Xss开关
-     */
-    private Boolean enabled;
-
-    /**
-     * 排除路径
-     */
-    private List<String> excludeUrls = new ArrayList<>();
-
-}
--- a/ruoyi-gateway/src/main/java/org/dromara/gateway/filter/XssFilter.java
+++ b/ruoyi-gateway/src/main/java/org/dromara/gateway/filter/XssFilter.java
@@ -1,100 +0,0 @@
-package org.dromara.gateway.filter;
-
-import cn.hutool.http.HtmlUtil;
-import org.dromara.common.core.utils.StringUtils;
-import org.dromara.gateway.config.properties.XssProperties;
-import org.dromara.gateway.utils.WebFluxUtils;
-import io.netty.buffer.ByteBufAllocator;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.cloud.gateway.filter.GatewayFilterChain;
-import org.springframework.cloud.gateway.filter.GlobalFilter;
-import org.springframework.core.Ordered;
-import org.springframework.core.io.buffer.*;
-import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpMethod;
-import org.springframework.http.server.reactive.ServerHttpRequest;
-import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
-import org.springframework.stereotype.Component;
-import org.springframework.web.server.ServerWebExchange;
-import reactor.core.publisher.Flux;
-import reactor.core.publisher.Mono;
-
-import java.nio.charset.StandardCharsets;
-
-/**
- * 跨站脚本过滤器
- *
- * @author ruoyi
- */
-@Component
-@ConditionalOnProperty(value = "security.xss.enabled", havingValue = "true")
-public class XssFilter implements GlobalFilter, Ordered {
-    // 跨站脚本的 xss 配置，nacos自行添加
-    @Autowired
-    private XssProperties xss;
-
-    @Override
-    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
-        ServerHttpRequest request = exchange.getRequest();
-        // GET DELETE 不过滤
-        HttpMethod method = request.getMethod();
-        if (method == null || method == HttpMethod.GET || method == HttpMethod.DELETE) {
-            return chain.filter(exchange);
-        }
-        // 非json类型，不过滤
-        if (!WebFluxUtils.isJsonRequest(exchange)) {
-            return chain.filter(exchange);
-        }
-        // excludeUrls 不过滤
-        String url = request.getURI().getPath();
-        if (StringUtils.matches(url, xss.getExcludeUrls())) {
-            return chain.filter(exchange);
-        }
-        ServerHttpRequestDecorator httpRequestDecorator = requestDecorator(exchange);
-        return chain.filter(exchange.mutate().request(httpRequestDecorator).build());
-
-    }
-
-    private ServerHttpRequestDecorator requestDecorator(ServerWebExchange exchange) {
-        ServerHttpRequestDecorator serverHttpRequestDecorator = new ServerHttpRequestDecorator(exchange.getRequest()) {
-            @Override
-            public Flux<DataBuffer> getBody() {
-                Flux<DataBuffer> body = super.getBody();
-                return body.buffer().map(dataBuffers -> {
-                    DataBufferFactory dataBufferFactory = new DefaultDataBufferFactory();
-                    DataBuffer join = dataBufferFactory.join(dataBuffers);
-                    byte[] content = new byte[join.readableByteCount()];
-                    join.read(content);
-                    DataBufferUtils.release(join);
-                    String bodyStr = new String(content, StandardCharsets.UTF_8);
-                    // 防xss攻击过滤
-                    bodyStr = HtmlUtil.cleanHtmlTag(bodyStr);
-                    // 转成字节
-                    byte[] bytes = bodyStr.getBytes();
-                    NettyDataBufferFactory nettyDataBufferFactory = new NettyDataBufferFactory(ByteBufAllocator.DEFAULT);
-                    DataBuffer buffer = nettyDataBufferFactory.allocateBuffer(bytes.length);
-                    buffer.write(bytes);
-                    return buffer;
-                });
-            }
-
-            @Override
-            public HttpHeaders getHeaders() {
-                HttpHeaders httpHeaders = new HttpHeaders();
-                httpHeaders.putAll(super.getHeaders());
-                // 由于修改了请求体的body，导致content-length长度不确定，因此需要删除原先的content-length
-                httpHeaders.remove(HttpHeaders.CONTENT_LENGTH);
-                httpHeaders.set(HttpHeaders.TRANSFER_ENCODING, "chunked");
-                return httpHeaders;
-            }
-
-        };
-        return serverHttpRequestDecorator;
-    }
-
-    @Override
-    public int getOrder() {
-        return Ordered.HIGHEST_PRECEDENCE;
-    }
-}