场景:后端的SQL使用的是字符串拼接,容易引起SQL注入
解决方案:
1. 添加全局过滤,处理这类问题
2. 排查所有代码,拼接方式改为参数化查询
具体代码:
继承HttpServletRequestWrapper
@Slf4j
public class BodyReaderRequestWrapper extends HttpServletRequestWrapper {
HttpServletRequest orgRequest = null;
private Map<String, String[]> parameterMap;
private final byte[] body; // 用于保存读取body中数据
public BodyReaderRequestWrapper(HttpServletRequest request) throws IOException {
super(request);
orgRequest = request;
parameterMap = request.getParameterMap();
body = StreamUtils.copyToByteArray(request.getInputStream());
}
// 重写几个HttpServletRequestWrapper中的方法
/**
* 获取所有参数名
*
* @return 返回所有参数名
*/
@Override
public Enumeration<String> getParameterNames() {
Vector<String> vector = new Vector<String>(parameterMap.keySet());
return vector.elements();
}
/**
* 覆盖getParameter方法,将参数名和参数值都做xss & sql过滤。<br/>
* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>
* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
*/
@Override
public String getParameter(String name) {
String[] results = parameterMap.get(name);
if (results == null || results.length <= 0)
return null;
else {
String value = results[0];
if (value != null) {
value = sqlFilter(value);
}
return value;
}
}
/**
* 获取指定参数名的所有值的数组,如:checkbox的所有数据 接收数组变量 ,如checkobx类型
*/
@Override
public String[] getParameterValues(String name) {
String[] results = parameterMap.get(name);
if (results == null || results.length <= 0)
return null;
else {
int length = results.length;
for (int i = 0; i < length; i++) {
results[i] = sqlFilter(results[i]);
}
return results;
}
}
/**
* 覆盖getHeader方法,将参数名和参数值都做xss & sql过滤。<br/>
* 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>
* getHeaderNames 也可能需要覆盖
*/
@Override
public String getHeader(String name) {
String value = super.getHeader(name);
if (value == null || "".equals(value)) {
return value;
}
return sqlFilter(value);
}
/**
* 获取最原始的request
*
* @return
*/
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
/**
* 预编译SQL过滤正则表达式
*/
private static final Pattern sqlPattern = Pattern.compile(
"(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute)\\b)",
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
/**
* SQL过滤
*
* @param v 参数值
* @return
*/
private String sqlFilter(String v) {
if (v != null) {
String resultVal = v;
Matcher matcher = sqlPattern.matcher(resultVal);
if (matcher.find()) {
resultVal = matcher.replaceAll("");
}
if (!resultVal.equals(v)) {
return "";
}
return resultVal;
}
return null;
}
/**
* 预编译SQL过滤正则表达式
* @param value
* @return
*/
public static boolean checkParameterPattern(String value) {
boolean flag = false;
if (value != null) {
flag = sqlPattern.matcher(value).find();
if (flag) {
return flag;
}
}
return flag;
}
/**
* 检查参数方法
* @return
*/
public final boolean checkParameter() {
Map<String, String[]> submitParams = new HashMap(parameterMap);
Set<String> submitNames = submitParams.keySet();
for (String submitName : submitNames) {
Object submitValues = submitParams.get(submitName);
if ((submitValues instanceof String)) {
if (checkParameterPattern((String) submitValues)) {
return true;
}
} else if ((submitValues instanceof String[])) {
for (String submitValue : (String[])submitValues){
if (checkParameterPattern(submitValue)) {
return true;
}
}
}
}
return false;
}
/**
* 获取最原始的request的静态方法
*
* @return
*/
public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
if (req instanceof BodyReaderRequestWrapper) {
return ((BodyReaderRequestWrapper) req).getOrgRequest();
}
return req;
}
/**
* Servlet API规范中对该类型的请求内容提供了request.getParameter()方法来获取请求参数值。
* 但当请求内容不是该类型时,需要调用request.getInputStream()或request.getReader()方法来获取请求内容值。
*/
/**
* 获取请求内容
* @return
* @throws IOException
*/
@Override
public BufferedReader getReader() throws IOException {
return new BufferedReader(new InputStreamReader(getInputStream()));
}
/**
* 返回请求内容字节流,多用于文件上传,
* request.getReader()是对前者返回内容的封装,可以让调用者更方便字符内容的处理(不用自己先获取字节流再做字符流的转换操作)
* @return
* @throws IOException
*/
@Override
public ServletInputStream getInputStream() throws IOException {
final ByteArrayInputStream bais = new ByteArrayInputStream(body);
return new ServletInputStream() {
@Override
public int read() throws IOException {
return bais.read();
}
@Override
public boolean isFinished() {
// TODO Auto-generated method stub
return false;
}
@Override
public boolean isReady() {
// TODO Auto-generated method stub
return false;
}
@Override
public void setReadListener(ReadListener arg0) {
// TODO Auto-generated method stub
}
};
}
}
SqlFilter其中ResultModel换成自己的后端返回类即可
@Component
@WebFilter(value = "/*")
public class SqlFilter implements Filter {
// 需要过滤的URI,逗号拼接
private String filterURLS = "/login/login";
/**
* 初始化
*/
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
String method = "GET";//设置初始值
String param = "";
HttpServletRequest req = (HttpServletRequest) request;
BodyReaderRequestWrapper xssRequest = null;
if (request instanceof HttpServletRequest) {//判断左边的对象是否是它右边对象的实例
method = ((HttpServletRequest) request).getMethod();//得到请求URL地址时使用的方法
xssRequest = new BodyReaderRequestWrapper((HttpServletRequest) request);//创建对象
}
// 过滤放行的URL
if(isExcludeUrl(req.getServletPath())) {
chain.doFilter(xssRequest, response);
return;
}
if ("POST".equalsIgnoreCase(method)) {//判断是否为post
param = this.getBodyString(xssRequest.getReader());//获取参数
if(StringUtils.isNotBlank(param)){//等价于 str != null && str.length > 0 && str.trim().length > 0
if(xssRequest.checkParameterPattern(param)){//进行参数审查
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json;charset=UTF-8");
PrintWriter out = response.getWriter();
out.write(JSONObject.toJSONString(ResultModel.error_400("携带非法字符!")));
return;
}
}
}
/**
* 检查参数的时候 同时检查请求的方法
* 只检查get请求方法和post请求方法的的参数的数据是否合法
* 并不是所有参数都要检查,首先必须是一个get或者post,再去校验参数
* 因为PUT方法在进行参数审查的时候没办法通过所以直接过滤掉
*/
if (xssRequest.checkParameter()&&(method.equals("POST") || method.equals("GET"))){
response.setCharacterEncoding("UTF-8");
response.setContentType("application/json;charset=UTF-8");
PrintWriter out = response.getWriter();
out.write(JSONObject.toJSONString(ResultModel.error_400("携带非法字符!")));
return;
}
chain.doFilter(xssRequest, response);
}
// 获取request请求body中参数
public static String getBodyString(BufferedReader br) {
String inputLine;
String str = "";
try {
while ((inputLine = br.readLine()) != null) {
str += inputLine;
}
br.close();
} catch (IOException e) {
System.out.println("IOException: " + e);
}
return str;
}
/**
* 销毁
*/
@Override
public void destroy() {
}
/**
* 判断是否为忽略的URL
*
* @param url URL路径
* @return true-忽略,false-过滤
*/
private boolean isExcludeUrl(String url) {
if (StringUtils.isEmpty(filterURLS)) {
return false;
}
return Arrays.asList(filterURLS.split(","))
.stream().anyMatch(str -> str.equals(url));
}
}