疯狂的狮子Li
2024-09-13 fc72b670908bc0d9b00a8e9aa7e36499055e792d
update 优化 全局开启xss过滤 提高安全性 与cloud版本保持一致
已修改4个文件
45 ■■■■■ 文件已修改
ruoyi-admin/src/main/resources/application.yml 7 ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史
ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/config/FilterConfig.java 11 ●●●● 补丁 | 查看 | 原始文档 | blame | 历史
ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/config/properties/XssProperties.java 16 ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史
ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssFilter.java 11 ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史
ruoyi-admin/src/main/resources/application.yml
@@ -223,9 +223,10 @@
  # 过滤开关
  enabled: true
  # 排除链接(多个用逗号分隔)
  excludes: /system/notice
  # 匹配链接
  urlPatterns: /system/*,/monitor/*,/tool/*
  excludeUrls:
    - /system/notice
    - /workflow/model/save
    - /workflow/model/editModelXml
# 全局线程池相关配置
# 如使用JDK21请直接使用虚拟线程 不要开启此配置
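Review bot: The comment `# 排除链接(多个用逗号分隔)` above the new `excludeUrls` block no longer describes the value, which is now a YAML list rather than a comma-separated string; if that line survives in the new file (its side is not marked on this page), replace it with `# 排除路径(列表形式，命中的请求不经过 XSS 过滤)` or an English equivalent. Because the filter now runs on every path, the three listed endpoints are the only ones where unsanitised markup reaches the backend, so the comment should also say that content stored through them must be escaped at render time instead of relying on this filter. The rest of the `xss` block lies outside the hunk.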
ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/config/FilterConfig.java
@@ -1,18 +1,14 @@
package org.dromara.common.web.config;
import org.dromara.common.core.utils.StringUtils;
import jakarta.servlet.DispatcherType;
import org.dromara.common.web.config.properties.XssProperties;
import org.dromara.common.web.filter.RepeatableFilter;
import org.dromara.common.web.filter.XssFilter;
import jakarta.servlet.DispatcherType;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import java.util.HashMap;
import java.util.Map;
/**
 * Filter配置
@@ -30,12 +26,9 @@
        FilterRegistrationBean registration = new FilterRegistrationBean();
        registration.setDispatcherTypes(DispatcherType.REQUEST);
        registration.setFilter(new XssFilter());
        registration.addUrlPatterns(StringUtils.split(xssProperties.getUrlPatterns(), StringUtils.SEPARATOR));
        registration.addUrlPatterns("/*");
        registration.setName("xssFilter");
        registration.setOrder(FilterRegistrationBean.HIGHEST_PRECEDENCE);
        Map<String, String> initParameters = new HashMap<>();
        initParameters.put("excludes", xssProperties.getExcludes());
        registration.setInitParameters(initParameters);
        return registration;
    }
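Review bot: `FilterRegistrationBean registration = new FilterRegistrationBean();` is a raw type; now that the bean wraps one known filter, write `FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();` so `setFilter` is type-checked. The switch to `addUrlPatterns("/*")` makes `xss.excludeUrls` the only escape hatch, which deserves a comment on that line, e.g. `// global: every path is filtered unless listed in xss.excludeUrls`. The registration still limits itself to `DispatcherType.REQUEST`, so a handler reached through a FORWARD or ERROR dispatch does not see the wrapped request; that was already the case, but it matters more now that the filter is presented as global, so either document it or add the dispatcher types you intend to cover. The method signature, and whichever condition gates the bean, are outside the hunk.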
ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/config/properties/XssProperties.java
@@ -3,6 +3,9 @@
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import java.util.ArrayList;
import java.util.List;
/**
 * xss过滤 配置属性
 *
@@ -13,18 +16,13 @@
public class XssProperties {
    /**
     * 过滤开关
     * Xss开关
     */
    private String enabled;
    private Boolean enabled;
    /**
     * 排除链接(多个用逗号分隔)
     * 排除路径
     */
    private String excludes;
    /**
     * 匹配链接
     */
    private String urlPatterns;
    private List<String> excludeUrls = new ArrayList<>();
}
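Review bot: `private Boolean enabled;` uses the boxed type, so an absent `xss.enabled` property leaves it `null` and any caller that unboxes it throws; unless a tri-state is intended, declare it `private boolean enabled;` so absence reads as off. The Javadoc on both fields is a two-word label; state the contract instead, e.g. `/** Register the global XSS filter (bound from xss.enabled). */` and `/** Request paths that bypass the filter; how entries are matched is decided in XssFilter. */`. The `new ArrayList<>()` default is what keeps the list non-null when the property is missing, and XssFilter's `addAll` depends on that, so it is worth a sentence in the Javadoc too.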
ruoyi-common/ruoyi-common-web/src/main/java/org/dromara/common/web/filter/XssFilter.java
@@ -1,6 +1,8 @@
package org.dromara.common.web.filter;
import org.dromara.common.core.utils.SpringUtils;
import org.dromara.common.core.utils.StringUtils;
import org.dromara.common.web.config.properties.XssProperties;
import org.springframework.http.HttpMethod;
import jakarta.servlet.*;
@@ -23,13 +25,8 @@
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String tempExcludes = filterConfig.getInitParameter("excludes");
        if (StringUtils.isNotEmpty(tempExcludes)) {
            String[] url = tempExcludes.split(StringUtils.SEPARATOR);
            for (int i = 0; url != null && i < url.length; i++) {
                excludes.add(url[i]);
            }
        }
        XssProperties properties = SpringUtils.getBean(XssProperties.class);
        excludes.addAll(properties.getExcludeUrls());
    }
    @Override
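Review bot: `init` now resolves its configuration through the static `SpringUtils.getBean(XssProperties.class)` locator because FilterConfig creates the filter with `new XssFilter()`; that hides a dependency on a fully initialised application context at servlet-container start and makes the filter untestable without one. Passing the list in through a constructor (`new XssFilter(xssProperties.getExcludeUrls())` in FilterConfig, `this.excludes.addAll(excludeUrls)` here) gives the same behaviour without the service locator, at the cost of touching both files. If the lookup stays, `excludes.addAll(properties.getExcludeUrls())` throws NullPointerException should the property ever be bound to null through the Lombok setter, so a `if (properties.getExcludeUrls() != null)` guard is cheap insurance. The `excludes` field and `doFilter`, where the entries are actually matched, are outside the hunk.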