From 7fb330f390daff9d05ea8625cbfd5aebf1049bb6 Mon Sep 17 00:00:00 2001
From: fit2cloud-chenyw
Date: Wed, 4 Aug 2021 17:35:06 +0800
Subject: [PATCH] =?UTF-8?q?Revert=20"fix:=20sql=E6=B3=A8=E5=85=A5=E5=92=8C?=
 =?UTF-8?q?xss=E6=94=BB=E5=87=BB"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 5e34d52d6de65b8eb54092764219bb4637b12dda.
---
 .../io/dataease/commons/filter/SqlFilter.java | 78 ----
 .../holder/ThreadLocalContextHolder.java | 24 --
 .../XssAndSqlHttpServletRequestWrapper.java | 370 ------------------
 .../java/io/dataease/config/FilterConfig.java | 21 -
 4 files changed, 493 deletions(-)
 delete mode 100644 backend/src/main/java/io/dataease/commons/filter/SqlFilter.java
 delete mode 100644 backend/src/main/java/io/dataease/commons/holder/ThreadLocalContextHolder.java
 delete mode 100644 backend/src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java
 delete mode 100644 backend/src/main/java/io/dataease/config/FilterConfig.java

diff --git a/backend/src/main/java/io/dataease/commons/filter/SqlFilter.java b/backend/src/main/java/io/dataease/commons/filter/SqlFilter.java
deleted file mode 100644
index 3a913cb270..0000000000
--- a/backend/src/main/java/io/dataease/commons/filter/SqlFilter.java
+++ /dev/null
@@ -1,78 +0,0 @@
-package io.dataease.commons.filter;
-
-import io.dataease.commons.holder.ThreadLocalContextHolder;
-import io.dataease.commons.wrapper.XssAndSqlHttpServletRequestWrapper;
-import org.apache.commons.lang3.StringUtils;
-import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
-import java.io.*;
-
-
-public class SqlFilter implements Filter {
-
-
-
-
- @Override
- public void destroy() {
- // TODO Auto-generated method stub
-
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-
- String method = "GET";
- String param = "";
- XssAndSqlHttpServletRequestWrapper xssRequest = null;
- if (request instanceof HttpServletRequest) {
- method = ((HttpServletRequest) request).getMethod();
- xssRequest = new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request);
- }
- if ("POST".equalsIgnoreCase(method)) {
- param = this.getBodyString(xssRequest.getReader());
- if(StringUtils.isNotBlank(param)){
- if(xssRequest.checkXSSAndSql(param)){
- response.setCharacterEncoding("UTF-8");
- response.setContentType("application/json;charset=UTF-8");
- PrintWriter out = response.getWriter();
- String msg = ThreadLocalContextHolder.getData().toString();
- out.write(msg);
- return;
- }
- }
- }
- if (xssRequest.checkParameter()) {
- response.setCharacterEncoding("UTF-8");
- response.setContentType("application/json;charset=UTF-8");
- PrintWriter out = response.getWriter();
- String msg = ThreadLocalContextHolder.getData().toString();
- out.write(msg);
- return;
- }
- chain.doFilter(xssRequest, response);
- }
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
-
- }
-
- // 获取request请求body中参数
- public static String getBodyString(BufferedReader br) {
- String inputLine;
- String str = "";
- try {
- while ((inputLine = br.readLine()) != null) {
- str += inputLine;
- }
- br.close();
- } catch (IOException e) {
- System.out.println("IOException: " + e);
- }
- return str;
-
- }
-
-
-}
diff --git a/backend/src/main/java/io/dataease/commons/holder/ThreadLocalContextHolder.java b/backend/src/main/java/io/dataease/commons/holder/ThreadLocalContextHolder.java
deleted file mode 100644
index 6aad695532..0000000000
--- a/backend/src/main/java/io/dataease/commons/holder/ThreadLocalContextHolder.java
+++ /dev/null
@@ -1,24 +0,0 @@
-package io.dataease.commons.holder;
-
-public class ThreadLocalContextHolder {
-
-
- private static ThreadLocal sceneThreadLocal = new ThreadLocal<>();
-
-
- public static Object getData() {
- return sceneThreadLocal.get();
- }
-
- public static void setData(Object data) {
- if (ThreadLocalContextHolder.sceneThreadLocal == null) {
- ThreadLocalContextHolder.sceneThreadLocal = new ThreadLocal<>();
- }
- ThreadLocalContextHolder.sceneThreadLocal.set(data);
- }
-
- public static void clearScene() {
- setData(null);
- }
-
-}
diff --git a/backend/src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java b/backend/src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java
deleted file mode 100644
index 34fff33383..0000000000
--- a/backend/src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java
+++ /dev/null
@@ -1,370 +0,0 @@
-package io.dataease.commons.wrapper;
-
-
-import java.io.BufferedReader;
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Set;
-import java.util.Vector;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-import javax.servlet.ReadListener;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-
-import io.dataease.commons.holder.ThreadLocalContextHolder;
-import org.springframework.util.StreamUtils;
-
-
-public class XssAndSqlHttpServletRequestWrapper extends HttpServletRequestWrapper {
-
-
- HttpServletRequest orgRequest = null;
- private Map parameterMap;
- private final byte[] body; //用于保存读取body中数据
-
- public XssAndSqlHttpServletRequestWrapper(HttpServletRequest request) throws IOException{
- super(request);
- orgRequest = request;
- parameterMap = request.getParameterMap();
- body = StreamUtils.copyToByteArray(request.getInputStream());
- }
-
- // 重写几个HttpServletRequestWrapper中的方法
- /**
- * 获取所有参数名
- *
- * @return 返回所有参数名
- */
- @Override
- public Enumeration getParameterNames() {
- Vector vector = new Vector(parameterMap.keySet());
- return vector.elements();
- }
-
- /**
- * 覆盖getParameter方法,将参数名和参数值都做xss & sql过滤。&#13;
- * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取&#13;
- * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
- */
- @Override
- public String getParameter(String name) {
- String[] results = parameterMap.get(name);
- if (results == null || results.length <= 0)
- return null;
- else {
- String value = results[0];
- if (value != null) {
- value = xssEncode(value);
- }
- return value;
- }
- }
-
- /**
- * 获取指定参数名的所有值的数组,如:checkbox的所有数据 接收数组变量 ,如checkobx类型
- */
- @Override
- public String[] getParameterValues(String name) {
- String[] results = parameterMap.get(name);
- if (results == null || results.length <= 0)
- return null;
- else {
- int length = results.length;
- for (int i = 0; i < length; i++) {
- results[i] = xssEncode(results[i]);
- }
- return results;
- }
- }
-
- /**
- * 覆盖getHeader方法,将参数名和参数值都做xss & sql过滤。&#13;
- * 如果需要获得原始的值,则通过super.getHeaders(name)来获取&#13;
- * getHeaderNames 也可能需要覆盖
- */
- @Override
- public String getHeader(String name) {
-
- String value = super.getHeader(xssEncode(name));
- if (value != null) {
- value = xssEncode(value);
- }
- return value;
- }
-
- /**
- * 将容易引起xss & sql漏洞的半角字符直接替换成全角字符
- *
- * @param s
- * @return
- */
- private static String xssEncode(String s) {
- if (s == null || s.isEmpty()) {
- return s;
- } else {
- s = stripXSSAndSql(s);
- }
- StringBuilder sb = new StringBuilder(s.length() + 16);
- for (int i = 0; i < s.length(); i++) {
- char c = s.charAt(i);
- switch (c) {
- case '>':
- sb.append(">");// 转义大于号
- break;
- case '<':
- sb.append("<");// 转义小于号
- break;
- // case '\'':
- // sb.append("'");// 转义单引号
- // break;
- // case '\"':
- // sb.append(""");// 转义双引号
- // break;
- case '&':
- sb.append("&");// 转义&
- break;
- case '#':
- sb.append("#");// 转义#
- break;
- default:
- sb.append(c);
- break;
- }
- }
- return sb.toString();
- }
-
- /**
- * 获取最原始的request
- *
- * @return
- */
- public HttpServletRequest getOrgRequest() {
- return orgRequest;
- }
-
- /**
- * 获取最原始的request的静态方法
- *
- * @return
- */
- public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
- if (req instanceof XssAndSqlHttpServletRequestWrapper) {
- return ((XssAndSqlHttpServletRequestWrapper) req).getOrgRequest();
- }
-
- return req;
- }
-
- /**
- *
- * 防止xss跨脚本攻击(替换,根据实际情况调整)
- */
-
- public static String stripXSSAndSql(String value) {
- if (value != null) {
- // NOTE: It's highly recommended to use the ESAPI library and
- // uncomment the following line to
- // avoid encoded attacks.
- // value = ESAPI.encoder().canonicalize(value);
- // Avoid null characters
- /** value = value.replaceAll("", ""); ***/
- // Avoid anything between script tags
- Pattern scriptPattern = Pattern.compile(
- "<[\r\n| | ]*script[\r\n| | ]*>(.*?)", Pattern.CASE_INSENSITIVE);
- value = scriptPattern.matcher(value).replaceAll("");
- // Avoid anything in a
- // src="http://www.yihaomen.com/article/java/..." type of
- // e-xpression
- scriptPattern = Pattern.compile("src[\r\n| | ]*=[\r\n| | ]*[\\\"|\\\'](.*?)[\\\"|\\\']",
- Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
- value = scriptPattern.matcher(value).replaceAll("");
- // Remove any lonesome tag
- scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE);
- value = scriptPattern.matcher(value).replaceAll("");
- // Remove any lonesome tag
- scriptPattern = Pattern.compile("", Pattern.CASE_INSENSITIVE);
- flag = scriptPattern.matcher(value).find();
- if (flag) {
- ThreadLocalContextHolder.setData("包含XSS攻击脚本,请检查参数!");
- return flag;
- }
- // Remove any lonesome