From 6b5dd4d2be69759a8a2452195d0fb0b0ef52e72a Mon Sep 17 00:00:00 2001
From: RuoYi <yzz_ivy@163.com>
Date: 星期三, 28 七月 2021 16:04:59 +0800
Subject: [PATCH] 优化XSS跨站脚本过滤
---
ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java | 40 ++++++++++++++++++++
ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java | 2
ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java | 33 ++--------------
ruoyi-framework/src/main/java/com/ruoyi/framework/config/FilterConfig.java | 6 +--
ruoyi-admin/src/main/resources/application.yml | 2
5 files changed, 49 insertions(+), 34 deletions(-)
diff --git a/ruoyi-admin/src/main/resources/application.yml b/ruoyi-admin/src/main/resources/application.yml
index 918d354..088a28e 100644
--- a/ruoyi-admin/src/main/resources/application.yml
+++ b/ruoyi-admin/src/main/resources/application.yml
@@ -115,6 +115,6 @@
# 杩囨护寮�鍏�
enabled: true
# 鎺掗櫎閾炬帴锛堝涓敤閫楀彿鍒嗛殧锛�
- excludes: /system/notice/*
+ excludes: /system/notice
# 鍖归厤閾炬帴
urlPatterns: /system/*,/monitor/*,/tool/*
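Review bot: The new value `excludes: /system/notice` is evaluated by `StringUtils.matches` through an `AntPathMatcher` (StringUtils.java hunk of this same patch), where it matches only that exact servlet path, whereas the removed regex `^/system/notice/*` excluded every path beginning with `/system/notice`. If the sub-paths under that module are still meant to bypass the filter, the Ant form is `excludes: /system/notice/**`; if narrowing the exclusion was intended, the behaviour change deserves a line in the commit message. Since every entry in this list switches XSS filtering off for the matched paths, the narrower reading is the safer one if it was deliberate.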
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java b/ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java
index 7504f02..08cf151 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/core/domain/entity/SysUser.java
@@ -201,7 +201,7 @@
this.avatar = avatar;
}
- @JsonIgnore
+ @JsonIgnore
@JsonProperty
public String getPassword()
{
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java b/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java
index 1495412..703ce9a 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/filter/XssFilter.java
@@ -3,8 +3,6 @@
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
@@ -27,16 +25,10 @@
*/
public List<String> excludes = new ArrayList<>();
- /**
- * xss杩囨护寮�鍏�
- */
- public boolean enabled = false;
-
@Override
public void init(FilterConfig filterConfig) throws ServletException
{
String tempExcludes = filterConfig.getInitParameter("excludes");
- String tempEnabled = filterConfig.getInitParameter("enabled");
if (StringUtils.isNotEmpty(tempExcludes))
{
String[] url = tempExcludes.split(",");
@@ -44,10 +36,6 @@
{
excludes.add(url[i]);
}
- }
- if (StringUtils.isNotEmpty(tempEnabled))
- {
- enabled = Boolean.valueOf(tempEnabled);
}
}
@@ -68,25 +56,14 @@
private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response)
{
- if (!enabled)
+ String url = request.getServletPath();
+ String method = request.getMethod();
+ // GET DELETE 涓嶈繃婊�
+ if (method == null || method.matches("GET") || method.matches("DELETE"))
{
return true;
}
- if (excludes == null || excludes.isEmpty())
- {
- return false;
- }
- String url = request.getServletPath();
- for (String pattern : excludes)
- {
- Pattern p = Pattern.compile("^" + pattern);
- Matcher m = p.matcher(url);
- if (m.find())
- {
- return true;
- }
- }
- return false;
+ return StringUtils.matches(url, excludes);
}
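Review bot: `method.matches("GET") || method.matches("DELETE")` in the new condition runs a regex match where a plain string comparison is meant; `"GET".equals(method) || "DELETE".equals(method)` is cheaper, clearer, and makes the `method == null` guard unnecessary. Separately, that early `return true` now bypasses the XSS wrapper for every GET request regardless of `excludes`, so query-string parameters are no longer filtered, where the removed code applied the filter to all methods and only consulted `excludes`. If that is intentional, a method comment such as `// Only request bodies of writing methods are filtered; GET/DELETE parameters pass through unchanged` would document the new contract for whoever tunes `urlPatterns` later.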
@Override
diff --git a/ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java b/ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java
index 72ddb56..ca12798 100644
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/StringUtils.java
@@ -6,6 +6,7 @@
import java.util.List;
import java.util.Map;
import java.util.Set;
+import org.springframework.util.AntPathMatcher;
import com.ruoyi.common.constant.Constants;
import com.ruoyi.common.core.text.StrFormatter;
@@ -463,6 +464,45 @@
return sb.toString();
}
+ /**
+ * 鏌ユ壘鎸囧畾瀛楃涓叉槸鍚﹀尮閰嶆寚瀹氬瓧绗︿覆鍒楄〃涓殑浠绘剰涓�涓瓧绗︿覆
+ *
+ * @param str 鎸囧畾瀛楃涓�
+ * @param strs 闇�瑕佹鏌ョ殑瀛楃涓叉暟缁�
+ * @return 鏄惁鍖归厤
+ */
+ public static boolean matches(String str, List<String> strs)
+ {
+ if (isEmpty(str) || isEmpty(strs))
+ {
+ return false;
+ }
+ for (String pattern : strs)
+ {
+ if (isMatch(pattern, str))
+ {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
+ * 鍒ゆ柇url鏄惁涓庤鍒欓厤缃�:
+ * ? 琛ㄧず鍗曚釜瀛楃;
+ * * 琛ㄧず涓�灞傝矾寰勫唴鐨勪换鎰忓瓧绗︿覆锛屼笉鍙法灞傜骇;
+ * ** 琛ㄧず浠绘剰灞傝矾寰�;
+ *
+ * @param pattern 鍖归厤瑙勫垯
+ * @param url 闇�瑕佸尮閰嶇殑url
+ * @return
+ */
+ public static boolean isMatch(String pattern, String url)
+ {
+ AntPathMatcher matcher = new AntPathMatcher();
+ return matcher.match(pattern, url);
+ }
+
@SuppressWarnings("unchecked")
public static <T> T cast(Object obj)
{
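Review bot: `isMatch` constructs a fresh `AntPathMatcher` on every call, which is the per-request hot path via `matches` and discards the matcher's per-instance pattern cache; the class is built to be shared, so `private static final AntPathMatcher MATCHER = new AntPathMatcher();` with `return MATCHER.match(pattern, url);` is the usual form. The Javadoc `@return` on `isMatch` is empty; `@return true if {@code url} matches the Ant-style {@code pattern}` would complete it. `matches` guards against an empty list but `isMatch` passes a null or empty `pattern` straight to the matcher, so direct callers get an exception where the list form returns false; an `if (isEmpty(pattern) || isEmpty(url)) return false;` guard would make the two consistent.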
diff --git a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/FilterConfig.java b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/FilterConfig.java
index 8b17834..ab12e41 100644
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/FilterConfig.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/FilterConfig.java
@@ -4,6 +4,7 @@
import java.util.Map;
import javax.servlet.DispatcherType;
import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
@@ -17,11 +18,9 @@
* @author ruoyi
*/
@Configuration
+@ConditionalOnProperty(value = "xss.enabled", havingValue = "true")
public class FilterConfig
{
- @Value("${xss.enabled}")
- private String enabled;
-
@Value("${xss.excludes}")
private String excludes;
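Review bot: `@ConditionalOnProperty(value = "xss.enabled", havingValue = "true")` without `matchIfMissing` means an absent `xss.enabled` key now silently skips the whole filter registration, whereas the removed `@Value("${xss.enabled}")` would have refused to start on the unresolved placeholder. For a security filter the safer default is to register unless explicitly disabled: `@ConditionalOnProperty(value = "xss.enabled", havingValue = "true", matchIfMissing = true)`. If opt-in really is intended, a comment on the annotation saying that a missing key disables XSS filtering would make that visible to operators. The FilterConfig class body continues outside this hunk.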
@@ -40,7 +39,6 @@
registration.setOrder(FilterRegistrationBean.HIGHEST_PRECEDENCE);
Map<String, String> initParameters = new HashMap<String, String>();
initParameters.put("excludes", excludes);
- initParameters.put("enabled", enabled);
registration.setInitParameters(initParameters);
return registration;
}
--
Gitblit v1.9.3