package org.demo.monitor;
import com.ctrip.framework.apollo.model.ConfigChangeEvent;
import com.ctrip.framework.apollo.spring.annotation.ApolloConfigChangeListener;
import lombok.extern.slf4j.Slf4j;
import org.springframework.context.EnvironmentAware;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
@WebFilter(filterName = "xssAndSqlFilter", urlPatterns = {"/*"})
@Slf4j
@Component
public class XssAndSqlFilter implements Filter, EnvironmentAware {
private Pattern paramPattern;
private Pattern urlPattern;
protected Environment environment;
//filter是否启用的总开关(ON/OFF)
protected String flag;
protected String nameListType;
// 白名单
protected List<String> whiteList;
// 黑名单
protected List<String> blackList;
public XssAndSqlFilter() {
}
public void init(FilterConfig filterConfig) {
}
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
boolean directFlag = this.safeProtectFilter(request, response);
if (directFlag) {
try {
((HttpServletResponse) response).sendError(500, "illegal request parameter from smy filter");
return;
} catch (Exception var6) {
log.error("sendError fail, e:{}.", var6.getMessage(), var6);
}
}
chain.doFilter(request, response);
}
public boolean safeProtectFilter(ServletRequest request, ServletResponse response) throws IOException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
String uri = httpRequest.getRequestURI();
if (this.supports(uri)) {
if (this.urlPattern != null) {
uri = URLDecoder.decode(uri, "utf-8");
if (this.urlPattern.matcher(uri).find()) {
return true;
}
}
if (this.paramPattern != null) {
Enumeration allParam = request.getParameterNames();
while (allParam.hasMoreElements()) {
String pName = (String) allParam.nextElement();
String pValue = request.getParameter(pName);
if (pValue != null) {
pValue = pValue.toLowerCase();
if (this.paramPattern.matcher(pValue).find()) {
return true;
}
}
}
}
}
return false;
}
public boolean supports(String uri) {
if (!"ON".equalsIgnoreCase(this.flag)) {
return false;
} else if ("white".equalsIgnoreCase(this.nameListType)) {
return !this.matchList(this.whiteList, uri);
} else {
return "black".equalsIgnoreCase(this.nameListType) ? this.matchList(this.blackList, uri) : false;
}
}
private boolean matchList(List<String> list, String uri) {
Iterator var3 = list.iterator();
String item;
do {
if (!var3.hasNext()) {
return false;
}
item = (String) var3.next();
} while (item == null || item.length() <= 0 || !uri.contains(item));
return true;
}
public void setEnvironment(Environment environment) {
this.environment = environment;
this.refreshProp();
}
// 监听apollo配置变化
@ApolloConfigChangeListener
private void onChange(ConfigChangeEvent changeEvent) {
this.refreshProp();
}
private void refreshProp() {
try {
this.refreshPropInternal();
} catch (Exception var2) {
log.error("refreshProp error, e:{}.", var2.getMessage(), var2);
this.flag = "OFF";
}
}
void refreshPropInternal() {
this.flag = this.environment.getProperty("xss.sql.filter.flag", "OFF");
this.nameListType = this.environment.getProperty("xss.sql.filter.name.list.type", "white");
this.whiteList = Arrays.asList(this.environment.getProperty("xss.sql.filter.white.list", "").split(","));
this.blackList = Arrays.asList(this.environment.getProperty("xss.sql.filter.black.list", "").split(","));
// 检查requestParam的正则
String paramReg = this.environment.getProperty("xss.sql.filter.request.param.reg", "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|(\\b(select|update|union|and|or|delete|insert|truncate|char|into|substr|ascii|declare|exec|count|master|drop|execute)\\b)");
this.paramPattern = Pattern.compile(paramReg, 2);
String urlReg = this.environment.getProperty("xss.sql.filter.request.url.reg", "<[\\s\\x00]*script|<textarea|<applet|<object|<embed|<noscript|<style|alert[\\s\\x00]*\\(");
this.urlPattern = Pattern.compile(urlReg, 2);
}
}
开关,白名单等参数使用apollo动态配置
依赖:
<!-- https://mvnrepository.com/artifact/com.ctrip.framework.apollo/apollo-client -->
<dependency>
<groupId>com.ctrip.framework.apollo</groupId>
<artifactId>apollo-client</artifactId>
<version>1.8.0</version>
</dependency>