diff --git a/sa-token-core/src/main/java/cn/dev33/satoken/strategy/SaFirewallStrategy.java b/sa-token-core/src/main/java/cn/dev33/satoken/strategy/SaFirewallStrategy.java index d81f2912..49935b5d 100644 --- a/sa-token-core/src/main/java/cn/dev33/satoken/strategy/SaFirewallStrategy.java +++ b/sa-token-core/src/main/java/cn/dev33/satoken/strategy/SaFirewallStrategy.java @@ -18,10 +18,7 @@ package cn.dev33.satoken.strategy; import cn.dev33.satoken.SaManager; import cn.dev33.satoken.fun.strategy.SaFirewallCheckFailHandleFunction; import cn.dev33.satoken.fun.strategy.SaFirewallCheckFunction; -import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHook; -import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForBlackList; -import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForDangerCharacter; -import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForWhiteList; +import cn.dev33.satoken.strategy.hooks.*; import java.util.ArrayList; import java.util.List; @@ -48,6 +45,7 @@ public final class SaFirewallStrategy { checkHooks.add(SaFirewallCheckHookForWhiteList.instance); checkHooks.add(SaFirewallCheckHookForBlackList.instance); checkHooks.add(SaFirewallCheckHookForDangerCharacter.instance); + checkHooks.add(SaFirewallCheckHookForDirectoryTraversal.instance); } // 注册一个防火墙校验 hook diff --git a/sa-token-core/src/main/java/cn/dev33/satoken/strategy/hooks/SaFirewallCheckHookForDangerCharacter.java b/sa-token-core/src/main/java/cn/dev33/satoken/strategy/hooks/SaFirewallCheckHookForDangerCharacter.java index d2fbac3e..e4579438 100644 --- a/sa-token-core/src/main/java/cn/dev33/satoken/strategy/hooks/SaFirewallCheckHookForDangerCharacter.java +++ b/sa-token-core/src/main/java/cn/dev33/satoken/strategy/hooks/SaFirewallCheckHookForDangerCharacter.java 
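Review bot: The first hunk replaces four explicit `cn.dev33.satoken.strategy.hooks` imports with `import cn.dev33.satoken.strategy.hooks.*;`, while the SaBeanInject hunk later in this same commit does the opposite and expands `org.noear.solon.annotation.*` into four explicit imports; the two hunks should follow one convention. Explicit imports are the better choice here, because the hooks package now gains a new public class and the wildcard hides which hook types SaFirewallStrategy actually depends on. Concretely, keep the four removed lines and add `import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForDirectoryTraversal;` next to them. The second hunk's registration of the new hook after `SaFirewallCheckHookForDangerCharacter.instance` looks fine as far as this diff shows.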
@@ -42,8 +42,7 @@ public class SaFirewallCheckHookForDangerCharacter implements SaFirewallCheckHoo "%2f", "%2F", // / "%5c", "%5C", // \ ";", "%3b", "%3B", // ; // 参考资料:https://mp.weixin.qq.com/s/77CIDZbgBwRunJeluofPTA - "%25", // 空格 - "/.", "\\.", // /. \. 目录遍历符 + "%25" // 空格 }; /** diff --git a/sa-token-core/src/main/java/cn/dev33/satoken/strategy/hooks/SaFirewallCheckHookForDirectoryTraversal.java b/sa-token-core/src/main/java/cn/dev33/satoken/strategy/hooks/SaFirewallCheckHookForDirectoryTraversal.java new file mode 100644 index 00000000..1825be19 --- /dev/null +++ b/sa-token-core/src/main/java/cn/dev33/satoken/strategy/hooks/SaFirewallCheckHookForDirectoryTraversal.java 
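Review bot: Dropping `"/.", "\\."` from this array moves the traversal check into the new `SaFirewallCheckHookForDirectoryTraversal` hook, which, as far as this diff shows, is only active through the default hook list built in SaFirewallStrategy; an application that assembles its own hook list or has copied this array would lose the check on upgrade with no compile-time signal. Leave a pointer at the removal site, `// "/." and "\\." are now checked by SaFirewallCheckHookForDirectoryTraversal`, and mention the move in the release notes so integrators know to register the new hook. The array declaration this hunk edits starts outside the hunk.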
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2020-2099 sa-token.cc
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package cn.dev33.satoken.strategy.hooks;
+
+import cn.dev33.satoken.context.model.SaRequest;
+import cn.dev33.satoken.context.model.SaResponse;
+import cn.dev33.satoken.exception.RequestPathInvalidException;
+
+/**
+ * 防火墙策略校验钩子函数:目录遍历符检测
+ *
+ * @author click33
+ * @since 1.41.0
+ */
+public class SaFirewallCheckHookForDirectoryTraversal implements SaFirewallCheckHook {
+
+ /**
+ * 默认实例
+ */
+ public static SaFirewallCheckHookForDirectoryTraversal instance = new SaFirewallCheckHookForDirectoryTraversal();
+
+ /**
+ * 执行的方法
+ *
+ * @param req 请求对象
+ * @param res 响应对象
+ * @param extArg 预留扩展参数
+ */
+ @Override
+ public void execute(SaRequest req, SaResponse res, Object extArg) {
+ String requestPath = req.getRequestPath();
+ if(requestPath.contains("/.") || requestPath.contains("\\.")) {
+ throw new RequestPathInvalidException("非法请求:" + requestPath, requestPath);
+ }
+ }
+
+}
diff --git a/sa-token-starter/sa-token-solon-plugin/src/main/java/cn/dev33/satoken/solon/SaBeanInject.java b/sa-token-starter/sa-token-solon-plugin/src/main/java/cn/dev33/satoken/solon/SaBeanInject.java
index 5c8247df..c21c6ff6 100644
--- a/sa-token-starter/sa-token-solon-plugin/src/main/java/cn/dev33/satoken/solon/SaBeanInject.java
+++ b/sa-token-starter/sa-token-solon-plugin/src/main/java/cn/dev33/satoken/solon/SaBeanInject.java
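Review bot: The test in `execute`, `requestPath.contains("/.") || requestPath.contains("\\.")`, rejects every path segment that starts with a dot, so a legitimate route such as `/.well-known/...` is refused together with `/../`; if that breadth is intended, state it in the class Javadoc, otherwise narrow the match deliberately and add a unit test for both the accepted and the rejected forms. The comparison is plain substring matching on whatever `getRequestPath()` returns, and this diff does not show whether that value is already URL-decoded and normalized or whether it can be null, so either document that precondition on `execute` or canonicalize the path before comparing. `execute` throws `RequestPathInvalidException` but its Javadoc does not say so; add `@throws RequestPathInvalidException if the request path contains a directory-traversal token`. If `public static ... instance` is left non-final on purpose so integrators can swap the hook, say so in its Javadoc; otherwise make it `final`.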
@@ -38,7 +38,10 @@ import cn.dev33.satoken.stp.StpLogic; import cn.dev33.satoken.stp.StpUtil; import cn.dev33.satoken.strategy.SaAnnotationStrategy; import cn.dev33.satoken.temp.SaTempInterface; -import org.noear.solon.annotation.*; +import org.noear.solon.annotation.Bean; +import org.noear.solon.annotation.Condition; +import org.noear.solon.annotation.Configuration; +import org.noear.solon.annotation.Inject; import java.util.List; @@ -232,4 +235,5 @@ public class SaBeanInject { public void setStpLogic(StpLogic stpLogic) { StpUtil.setStpLogic(stpLogic); } + } diff --git a/sa-token-starter/sa-token-solon-plugin/src/main/java/cn/dev33/satoken/solon/SaBeanRegister.java b/sa-token-starter/sa-token-solon-plugin/src/main/java/cn/dev33/satoken/solon/SaBeanRegister.java index bb2e6a2f..206dcdcd 100644 --- a/sa-token-starter/sa-token-solon-plugin/src/main/java/cn/dev33/satoken/solon/SaBeanRegister.java +++ b/sa-token-starter/sa-token-solon-plugin/src/main/java/cn/dev33/satoken/solon/SaBeanRegister.java @@ -16,9 +16,12 @@ package cn.dev33.satoken.solon; import cn.dev33.satoken.config.SaTokenConfig; +import cn.dev33.satoken.solon.integration.SaFirewallCheckFilterForSolon; +import cn.dev33.satoken.util.SaTokenConsts; import org.noear.solon.annotation.Bean; import org.noear.solon.annotation.Configuration; import org.noear.solon.annotation.Inject; +import org.noear.solon.core.handle.Filter; /** * 注册Sa-Token所需要的Bean @@ -28,6 +31,7 @@ import org.noear.solon.annotation.Inject; */ @Configuration public class SaBeanRegister { + /** * 获取配置Bean * @@ -41,4 +45,15 @@ public class SaBeanRegister { return config; } } + + /** + * 防火墙校验过滤器 + * + * @return / + */ + @Bean(index = SaTokenConsts.FIREWALL_CHECK_FILTER_ORDER) + public Filter saFirewallCheckFilterForSolon() { + return new SaFirewallCheckFilterForSolon(); + } + }
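Review bot: The Javadoc on the new `saFirewallCheckFilterForSolon` bean in SaBeanRegister's last hunk carries a placeholder return tag, `@return /`; replace it with `@return the firewall check filter, ordered by SaTokenConsts.FIREWALL_CHECK_FILTER_ORDER`. The bean is registered unconditionally, so every Solon application using this starter runs the firewall filter with no visible way to opt out in this diff; if a configuration switch for the firewall exists, consider gating the bean on it, and if not, a one-line comment stating that the filter is always active would spare the next reader the search. The SaBeanInject hunks (import expansion and a trailing blank line) need no change.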