Tabla de contenido
Objetivo
Cree un interceptor en Springboot para interceptar todas las solicitudes de tipo GET, obtenga parámetros de solicitud para verificar la legalidad del contenido y evitar la inyección de SQL (este método solo es adecuado para interceptar solicitudes de tipo GET, los parámetros de solicitud de tipo POST están en el cuerpo, por lo que lo siguiente método no es aplicable).
metodo central
1. Interceptar http://127.0.0.1:8088/api/checkTechCertInfoCancel?name=ljh tipo:
Map<String, String[]> parameterMap = request.getParameterMap();2. Interceptar http://127.0.0.1:8088/api/checkTechCertInfoCancel/ljh tipo:
Map<String, String> pathVariables = (Map<String, String>) request.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);código completo
crear interceptor
import com.alibaba.fastjson.JSON;
import com.boc.ljh.utils.Result;
import com.boc.ljh.utils.status.AppErrorCode;
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.HandlerMapping;
import org.springframework.web.servlet.ModelAndView;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Map;
/**
* @Author: ljh
* @ClassName SqlInterceptor
* @Description 拦截器 用于拦截GET请求校验参数内容
* @date 2023/8/9 10:12
* @Version 1.0
*/
@Component
public class SqlInterceptor implements HandlerInterceptor {
/**
* @Author: ljh
* @Description: 在controller前拦截请求
* @DateTime: 10:38 2023/8/9
* @Params:
* @Return
*/
@Override
public boolean preHandle(HttpServletRequest request,
HttpServletResponse response, Object handler) throws Exception {
System.err.println(request.getMethod());
if (request.getMethod().equals("GET") && request.getRequestURI().contains("?")) {
//获取EGT请求中的参数,例如http://127.0.0.1:8088/api/checkTechCertInfoCancel?name=ljh 请求中的参数ljh
Map<String, String[]> parameterMap = request.getParameterMap();
for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
String[] value = entry.getValue();
for (String s : value) {
//校验参数值是否合法
if (verifySql(s)) {
response.setContentType("application/json;charset=utf-8");
Result result = new Result();
result.setMessage("请求参数中含有非法字符!请检查重新输入");
result.setStatus(500);
response.getWriter().write(JSON.toJSONString(result));
return false;
}
}
}
} else {
//获取EGT请求中的参数,例如http://127.0.0.1:8088/api/checkTechCertInfoCancel/ljh 请求中的参数ljh
Map<String, String> pathVariables = (Map<String, String>) request.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);
for (String key : pathVariables.keySet()) {
//校验参数值是否合法
if (verifySql(pathVariables.get(key))) {
//返回错误提示
response.setContentType("application/json;charset=utf-8");
Result result = new Result();
result.setMessage("请求参数中含有非法字符!请检查重新输入");
result.setStatus(500);
response.getWriter().write(JSON.toJSONString(result));
return false;
}
}
}
return true;
}
//处理请求完成后视图渲染之前的处理操作
@Override
public void postHandle(HttpServletRequest request,
HttpServletResponse response, Object handler,
ModelAndView modelAndView) throws Exception {
// TODO Auto-generated method stub
}
//视图渲染之后的操作
@Override
public void afterCompletion(HttpServletRequest request,
HttpServletResponse response, Object handler, Exception ex)
throws Exception {
// TODO Auto-generated method stub
}
/**
* @Author: ljh
* @Description: 校验非法字符
* @DateTime: 11:15 2023/8/9
* @Params:
* @Return
*/
public boolean verifySql(String parameter) {
String s = parameter.toLowerCase();
// 过滤掉的sql关键字,特殊字符前面需要加\\进行转义
String badStr =
"select|update|and|or|delete|insert|truncate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|table|" +
"char|declare|sitename|xp_cmdshell|like|from|grant|use|group_concat|column_name|" +
"information_schema.columns|table_schema|union|where|order|by|" +
"'\\*|\\;|\\-|\\--|\\+|\\,|\\//|\\/|\\%|\\#";
//使用正则表达式进行匹配
boolean matches = s.matches(badStr);
return matches;
}interceptor de registro
/**
* @Author: ljh
* @ClassName MvcInterceptorConfig
* @Description 注册SqlInterceptor拦截器到容器中
* @date 2023/8/9 10:21
* @Version 1.0
*/
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
public class MvcInterceptorConfig implements WebMvcConfigurer {
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new SqlInterceptor()) //需要注册到容器中的拦截器
.addPathPatterns("/**"); //所有请求都被拦截,静态资源也被拦截
// .excludePathPatterns("/", "/login", "/css/**", "/fonts/**", "/images/**", "/js/**"); // 放行的请求
}
}efecto de prueba
El contenido de la solicitud es legal:
El contenido de la solicitud es ilegal:
Springboot usa filtros para verificar el contenido del parámetro de solicitud de tipo PSOT
https://blog.csdn.net/weixin_45151960/article/details/132187495?spm=1001.2014.3001.5501