manager/my-worker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加参数 web.xssFilterExcludeUri

Browse Source
This commit is contained in:
thinkgem
2023-06-28 19:05:55 +08:00
parent e658f9e6f6
commit 0d24b71fe3
5 changed files with 62 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
common/src/main/java/com/jeesite/common/codec/EncodeUtils.java
View File

@@ -207,7 +207,7 @@ public class EncodeUtils {
Pattern.compile("\\s*on[a-z]+\\s*=\\s*(\"[^\"]+\"|'[^']+'|[^\\s]+)\\s*(?=>)", Pattern.CASE_INSENSITIVE), Pattern.compile("\\s*on[a-z]+\\s*=\\s*(\"[^\"]+\"|'[^']+'|[^\\s]+)\\s*(?=>)", Pattern.CASE_INSENSITIVE),
Pattern.compile("(eval\\((.*?)\\)|xpression\\((.*?)\\))", Pattern.CASE_INSENSITIVE), Pattern.compile("(eval\\((.*?)\\)|xpression\\((.*?)\\))", Pattern.CASE_INSENSITIVE),
Pattern.compile("^(javascript:|vbscript:)", Pattern.CASE_INSENSITIVE) Pattern.compile("^(javascript:|vbscript:)", Pattern.CASE_INSENSITIVE)
); );
/** /**
* XSS 非法字符过滤,内容以<!--HTML-->开头的用以下规则(保留标签) * XSS 非法字符过滤,内容以<!--HTML-->开头的用以下规则(保留标签)
@@ -222,6 +222,10 @@ public class EncodeUtils {
* @author ThinkGem * @author ThinkGem
*/ */
public static String xssFilter(String text, HttpServletRequest request) { public static String xssFilter(String text, HttpServletRequest request) {
request = (request != null ? request : ServletUtils.getRequest());
if (request != null && StringUtils.containsAny(request.getRequestURI(), ServletUtils.XSS_FILE_EXCLUDE_URI)) {
return text;
}
String oriValue = StringUtils.trim(text); String oriValue = StringUtils.trim(text);
if (text != null){ if (text != null){
String value = oriValue; String value = oriValue;
@@ -232,39 +236,37 @@ public class EncodeUtils {
} }
} }
// 如果开始不是HTMLXMLJOSN格式则再进行HTML的 "、<、> 转码。 // 如果开始不是HTMLXMLJOSN格式则再进行HTML的 "、<、> 转码。
if (!StringUtils.startsWithIgnoreCase(value, "<!--HTML-->") // HTML if (!StringUtils.startsWithIgnoreCase(value, "<!--HTML-->") // HTML
&& !StringUtils.startsWithIgnoreCase(value, "<?xml ") // XML && !StringUtils.startsWithIgnoreCase(value, "<?xml ") // XML
&& !StringUtils.contains(value, "id=\"FormHtml\"") // JFlow && !StringUtils.contains(value, "id=\"FormHtml\"") // JFlow
&& !(StringUtils.startsWith(value, "{") && StringUtils.endsWith(value, "}")) // JSON Object && !(StringUtils.startsWith(value, "{") && StringUtils.endsWith(value, "}")) // JSON Object
&& !(StringUtils.startsWith(value, "[") && StringUtils.endsWith(value, "]")) // JSON Array && !(StringUtils.startsWith(value, "[") && StringUtils.endsWith(value, "]")) // JSON Array
&& !(StringUtils.containsAny((request != null ? request : ServletUtils.getRequest()) ){
.getRequestURI(), "/ureport/", "/visual/")) // UReport、Visual
){
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
for (int i = 0; i < value.length(); i++) { for (int i = 0; i < value.length(); i++) {
char c = value.charAt(i); char c = value.charAt(i);
switch (c) { switch (c) {
case '>': case '>':
sb.append(""); sb.append("");
break; break;
case '<': case '<':
sb.append(""); sb.append("");
break; break;
case '\'': case '\'':
sb.append(""); sb.append("");
break; break;
case '\"': case '\"':
sb.append(""); sb.append("");
break; break;
// case '&': // case '&':
// sb.append(""); // sb.append("");
// break; // break;
// case '#': // case '#':
// sb.append(""); // sb.append("");
// break; // break;
default: default:
sb.append(c); sb.append(c);
break; break;
} }
} }
value = sb.toString(); value = sb.toString();
@@ -281,8 +283,8 @@ public class EncodeUtils {
// 预编译SQL过滤正则表达式 // 预编译SQL过滤正则表达式
private static Pattern sqlPattern = Pattern.compile( private static Pattern sqlPattern = Pattern.compile(
"(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|((extractvalue|updatexml|if|mid|database|rand|user)([\\s]*?)\\()|" "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|((extractvalue|updatexml|if|mid|database|rand|user)([\\s]*?)\\()|"
+ "(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|" + "(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|"
+ "drop|execute|case when|sleep|union|load_file)\\b)", + "drop|execute|case when|sleep|union|load_file)\\b)",
Pattern.CASE_INSENSITIVE); Pattern.CASE_INSENSITIVE);
private static Pattern orderByPattern = Pattern.compile("[a-z0-9_\\.\\, ]*", Pattern.CASE_INSENSITIVE); private static Pattern orderByPattern = Pattern.compile("[a-z0-9_\\.\\, ]*", Pattern.CASE_INSENSITIVE);
@@ -293,6 +295,7 @@ public class EncodeUtils {
public static String sqlFilter(String text){ public static String sqlFilter(String text){
return sqlFilter(text, "common"); return sqlFilter(text, "common");
} }
/** /**
* SQL过滤防止注入传入参数输入有select相关代码替换空。 * SQL过滤防止注入传入参数输入有select相关代码替换空。
* @author ThinkGem * @author ThinkGem

11
common/src/main/java/com/jeesite/common/web/http/ServletUtils.java
View File

@@ -38,6 +38,9 @@ public class ServletUtils {
private static final String[] STATIC_FILE = StringUtils.splitComma(PROPS.getProperty("web.staticFile")); private static final String[] STATIC_FILE = StringUtils.splitComma(PROPS.getProperty("web.staticFile"));
private static final String[] STATIC_FILE_EXCLUDE_URI = StringUtils.splitComma(PROPS.getProperty("web.staticFileExcludeUri")); private static final String[] STATIC_FILE_EXCLUDE_URI = StringUtils.splitComma(PROPS.getProperty("web.staticFileExcludeUri"));
// XSS 过滤器要排除的URI地址
public static final String[] XSS_FILE_EXCLUDE_URI = StringUtils.splitComma(PROPS.getProperty("web.xssFilterExcludeUri"));
// AJAX 请求参数和请求头名 // AJAX 请求参数和请求头名
public static final String AJAX_PARAM_NAME = PROPS.getProperty("web.ajaxParamName", "__ajax"); public static final String AJAX_PARAM_NAME = PROPS.getProperty("web.ajaxParamName", "__ajax");
public static final String AJAX_HEADER_NAME = PROPS.getProperty("web.ajaxHeaderName", "x-ajax"); public static final String AJAX_HEADER_NAME = PROPS.getProperty("web.ajaxHeaderName", "x-ajax");
@@ -125,12 +128,8 @@ public class ServletUtils {
e.printStackTrace(); e.printStackTrace();
} }
} }
if (STATIC_FILE_EXCLUDE_URI != null){ if (StringUtils.containsAny(uri, STATIC_FILE_EXCLUDE_URI)) {
for (String s : STATIC_FILE_EXCLUDE_URI){ return false;
if (StringUtils.contains(uri, s)){
return false;
}
}
} }
if (StringUtils.endsWithAny(uri, STATIC_FILE)){ if (StringUtils.endsWithAny(uri, STATIC_FILE)){
return true; return true;

3
modules/core/src/main/resources/config/jeesite-core.yml
View File

@@ -646,6 +646,9 @@ web:
# 严格模式(更严格的数据安全验证) # 严格模式(更严格的数据安全验证)
strictMode: false strictMode: false
# 所有请求信息将进行xss过滤这里列出不被xss过滤的地址
xssFilterExcludeUri: /ureport/,/visual/
# 自定义正则表达式验证(主键、登录名) # 自定义正则表达式验证(主键、登录名)
validator: validator:
id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}' id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'

3
web-api/src/main/resources/config/application.yml
View File

@@ -787,6 +787,9 @@ web:
# # 严格模式(更严格的数据安全验证) # # 严格模式(更严格的数据安全验证)
# strictMode: false # strictMode: false
# #
# # 所有请求信息将进行xss过滤这里列出不被xss过滤的地址
# xssFilterExcludeUri: /ureport/,/visual/
#
# # 自定义正则表达式验证(主键、登录名) # # 自定义正则表达式验证(主键、登录名)
# validator: # validator:
# id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}' # id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'

3
web/src/main/resources/config/application.yml
View File

@@ -787,6 +787,9 @@ web:
# # 严格模式(更严格的数据安全验证) # # 严格模式(更严格的数据安全验证)
# strictMode: false # strictMode: false
# #
# # 所有请求信息将进行xss过滤这里列出不被xss过滤的地址
# xssFilterExcludeUri: /ureport/,/visual/
#
# # 自定义正则表达式验证(主键、登录名) # # 自定义正则表达式验证(主键、登录名)
# validator: # validator:
# id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}' # id: '[a-zA-Z0-9_\-/#\u4e00-\u9fa5]{0,64}'