OpenResty预防SQL注入

一、环境准备

基于 Nginx 整合 lua-module；
直接使用 OpenResty（1.19.9.1）

二、配置内容

1. server层处理 RequestParam 入参

server {
    listen 7777;
    # 过滤requestParam 中的 非法参数，返回403
    if ($query_string ~* ".*('|--|union|insert|drop|truncate|update|from|grant|exec|where|select|and|chr|mid|like|iframe|script|alert|webscan|dbappsecurity|style|WAITFOR|confirm|innerhtml|innertext|class).*")
    { return 403; }
    location / {
        # 过滤 requestBody中的非法参数
        rewrite_by_lua_file conf/conf/checkSqlInject.lua;
        proxy_pass <http://localhost:8001>;
    }
}

2. location层处理 RequestBody 入参

-- rewrite_by_lua_file Your_conf_pos/checkSqlInject.lua;
-- 声明读取body内容
ngx.req.read_body()
-- 获取body内容
local body = ngx.req.get_body_data()
-- 判定请求类型(只处理post请求)
if ngx.var.request_method == "POST" and body ~= nil then
    -- 声明正则
    local regex = "(.*?((union)|(insert)|(drop)|(truncate)|(update)|(from)|(grant)|(exec)|(where)|(select)|(chr)|(mid)|(like)|(iframe)|(script)|(alert)|(webscan)|(dbappsecurity)|(style)|(WAITFOR)|(confirm)|(innerhtml)|(innertext)|(class)).*?){1,}"
    -- 使用body进行正则匹配
    local m = ngx.re.match(body, regex)

    if m then
        -- 匹配成功，说明请求体中包含敏感内容，返回403
        ngx.log(ngx.ERR,"this request body contain the sql inject，this is dangerous! body = " .. body)
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end
end

三、测试结果

1. 测试脚本

#!/bin/sh
export CURL_HOME=/usr/bin

# GET - requestParam - Right
get_right(){
    $CURL_HOME/curl -X GET 'localhost:7777/provider/testRight?name=eric&age=23'
    # $CURL_HOME/curl -X GET 'www.baidu.com'
    exit 1
}

# GET - requestParam - Wrong
get_wrong(){
    $CURL_HOME/curl -X GET 'localhost:7777/provider/testRight?name=eric&age=23%illegal=fdaas ; drop assd; fdsa'
}

# POST - requestBody - Right
post_right(){
    $CURL_HOME/curl -X POST -d '{"name":"eric","age":89}' -H 'content-type:application/json;charset:utf-8' 'localhost:7777/provider/testPostRight'
}

post_wrong(){
    $CURL_HOME/curl -X POST -d '{"name":"eric","age":89,"illegal":"asdf; drop asdf; ert"}' -H 'content-type:application/json;charset:utf-8' 'localhost:7777/provider/testPostRight'
}

usage(){
    echo "Usage: \\n sh curlX.sh [get_right|get_wrong|post_right|post_wrong]"
    exit 1
}

# 根据入参内容，调用不同的执行函数，输入不对（执行说明函数）
case "$1" in
    "get_right")
        get_right
        ;;
    "get_wrong")
        get_wrong
        ;;
    "post_right")
        post_right
        ;;
    "post_wrong")
        post_wrong
        ;;
    *)
        usage
        ;;
esac
exit 0

2. HTTP-GET-RIGHT

./curlX.sh get_right

port: 8001, this is test-provider, OK.

3. HTTP-GET-WRONG

./curlX.sh get_wrong

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>openresty/1.19.9.1</center>
</body>
</html>

4. HTTP-POST-RIGHT

./curlX.sh post_right
port: 8001, this is test-provider, OK.

5. HTTP-POST-WRONG

./curlX.sh post_wrong

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>openresty/1.19.9.1</center>
</body>
</html>

四、扩展：OpenResty-Lua执行节点

注意：lua脚本的执行时机 & nginx原生指令的执行时机！
可能导致lua脚本失去执行机会

这里附上一个OpenResty的文档和学习地址：https://moonbingbing.gitbooks.io/openresty-best-practices/content/index.html