WebMvcConfig.java
// Register the interceptor on every path ("/**"); SqlInjectInterceptor.preHandle itself
// decides per logged-in user whether a given request is actually filtered.
registry.addInterceptor(new SqlInjectInterceptor()).addPathPatterns("/**");
SqlInjectInterceptor.java
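/**
 * Spring MVC interceptor that rejects a request when any of its parameters contains a
 * fragment from {@link #BLOCKED_FRAGMENTS}, but only for the accounts listed in
 * {@link #MONITORED_USER_IDS}; every other request (including anonymous ones) passes
 * through untouched, i.e. the filter fails open by design.
 *
 * <p>The check is a plain substring blacklist, not a parser, so it both misses encoded
 * payloads and rejects legitimate values (any value containing a space, "%", "(" or the
 * letters "and"). It is a defence-in-depth measure only; the actual protection against
 * SQL injection has to be parameterised queries in the data-access layer, and against
 * XSS it has to be output encoding in the view.
 */
@Component
public class SqlInjectInterceptor implements HandlerInterceptor {

    /**
     * Fragments whose presence (matched case-insensitively with {@code contains}) causes a
     * parameter value to be rejected. Kept identical to the original "|"-separated list;
     * note that "//" is subsumed by "/" and "%20" by "%", so they never fire on their own.
     */
    private static final String[] BLOCKED_FRAGMENTS = {
            "and", "select", "update", "delete", "drop", "truncate",
            "%20", "=", "--", ";", "'", "%", "#", "+", "//", "/", " ", "\\", "!=", "(", ")"
    };

    /** Only requests made by these user ids are filtered; everyone else is let through. */
    private static final int[] MONITORED_USER_IDS = {3410, 3533};

    /** No-op: nothing to clean up after the handler ran. */
    @Override
    public void afterCompletion(HttpServletRequest arg0, HttpServletResponse arg1, Object arg2, Exception arg3)
            throws Exception {
        // intentionally empty
    }

    /** No-op: the view is not modified. */
    @Override
    public void postHandle(HttpServletRequest arg0, HttpServletResponse arg1, Object arg2, ModelAndView arg3)
            throws Exception {
        // intentionally empty
    }

    /**
     * Scans every request parameter of a monitored user for blocked fragments.
     *
     * @param request  incoming request whose parameters are inspected
     * @param response used to write the JSON rejection body when a parameter is blocked
     * @param arg2     the handler (unused)
     * @return {@code true} to continue with the handler; {@code false} after a rejection
     *         response has been written and committed
     * @throws Exception if the response writer cannot be obtained
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object arg2) throws Exception {
        // The filter is enabled per logged-in account (staged rollout); the session
        // attribute is assumed to hold a User, as the original cast did.
        Session session = SecurityUtils.getSubject().getSession();
        User user = (User) session.getAttribute(Constant.LOGIN_USER);
        if (!isMonitoredUser(user)) {
            return true;
        }
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String[] values = request.getParameterValues(name);
            if (values == null) {
                // getParameterValues may return null for an absent parameter; nothing to scan.
                continue;
            }
            for (String value : values) {
                // judgeSQLInject lower-cases and null-checks the value itself.
                if (judgeSQLInject(value)) {
                    writeRejection(request, response);
                    return false;
                }
                // Request parameters are read-only, so the escaped copy returned here is
                // discarded and the handler still sees the raw value; output encoding in
                // the view is what actually prevents XSS.
                clearXss(value);
            }
        }
        return true;
    }

    /**
     * Returns whether the filter applies to the given user.
     *
     * @param user the logged-in user, or {@code null} when nobody is logged in
     * @return {@code true} only for a non-null user whose id is in {@link #MONITORED_USER_IDS}
     */
    private boolean isMonitoredUser(User user) {
        if (user == null) {
            return false;
        }
        for (int id : MONITORED_USER_IDS) {
            if (user.getId() == id) {
                return true;
            }
        }
        return false;
    }

    /**
     * Writes the fixed JSON rejection body ({@code status: 0} plus a global message) and
     * commits the response so the handler is never reached.
     *
     * @param request  source of the Origin header echoed back to the caller
     * @param response response to reset and write into
     * @throws java.io.IOException if the writer cannot be obtained
     */
    private void writeRejection(HttpServletRequest request, HttpServletResponse response)
            throws java.io.IOException {
        response.reset();
        response.setContentType("application/json;charset=UTF-8");
        // NOTE(review): echoing the request's Origin together with
        // Access-Control-Allow-Credentials=true lets any origin read this response with
        // credentials. The body is a fixed message today; if it ever carries more, replace
        // the echo with an explicit origin allow-list.
        response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
        response.setHeader("Access-Control-Allow-Credentials", "true");
        Map<String, Object> statusInfo = new HashMap<>();
        statusInfo.put("global", "参数含有非法攻击字符,已禁止继续访问!");
        Map<String, Object> errorMap = new HashMap<>();
        errorMap.put("status", 0);
        errorMap.put("statusInfo", statusInfo);
        // Closing the writer commits the response.
        try (PrintWriter pw = response.getWriter()) {
            pw.write(JSON.toJSONString(errorMap));
            pw.flush();
        }
    }

    /**
     * Tells whether a parameter value contains any fragment from {@link #BLOCKED_FRAGMENTS}.
     * The comparison is case-insensitive (the value is lower-cased with the root locale
     * before matching) and is a plain substring test, so expect false positives such as
     * "brand" (contains "and") or any value with a space.
     *
     * @param value the raw parameter value; {@code null} or empty is never flagged
     * @return {@code true} if at least one blocked fragment occurs in the value
     */
    public boolean judgeSQLInject(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        String needle = value.toLowerCase(java.util.Locale.ROOT);
        for (String fragment : BLOCKED_FRAGMENTS) {
            if (needle.contains(fragment)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Escapes characters commonly used in cross-site-scripting payloads and strips
     * {@code eval(...)}, quoted {@code javascript:} URLs and the token {@code script}.
     *
     * <p>NOTE(review): as written, the first three replacements map each character to itself
     * ("<" to "<", "(" to "(", "'" to "'"), so they are no-ops, and {@code replace("\\)", ")")}
     * is a literal (non-regex) replacement of the two characters {@code \)}. The intended
     * replacement targets appear to have been lost (presumably HTML entities); confirm them
     * against the original source before relying on this method. Its result is currently
     * discarded by {@link #preHandle}.
     *
     * @param value parameter value to escape; {@code null} or empty is returned as-is
     * @return the escaped copy (the input itself when it is {@code null} or empty)
     */
    private String clearXss(String value) {
        if (value == null || "".equals(value)) {
            return value;
        }
        value = value.replaceAll("<", "<").replaceAll(">", ">");
        value = value.replaceAll("\\(", "(").replace("\\)", ")");
        value = value.replaceAll("'", "'");
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']",
                "\"\"");
        value = value.replace("script", "");
        return value;
    }
}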