I would like to ask a question: can @Filter filter out illegal SQL injection and front-end code injection sent from the front end?
16 replies
@wendal Could you give me a link? Thanks, 兽总.

@wendal I saw it, but it does not seem to be enabled in the project. Where does it need to be configured?

@wendal How is it invoked? My project has this Java file now, but I do not know how yours is called; it does not seem to be a filter, does it?
@wendal I annotated the main module with @ChainBy(args = "config/chain/nutzwk-mvc-chain.json"):

```js
var chain={
    "default" : {
        "ps" : [
            "cn.wizzer.app.web.commons.processor.LogTimeProcessor",
            "cn.wizzer.app.web.commons.processor.GlobalsSettingProcessor",
            "org.nutz.mvc.impl.processor.UpdateRequestAttributesProcessor",
            "org.nutz.mvc.impl.processor.EncodingProcessor",
            "org.nutz.mvc.impl.processor.ModuleProcessor",
            "cn.wizzer.app.web.commons.processor.NutShiroProcessor",
            "cn.wizzer.app.web.commons.processor.XssSqlFilterProcessor",
            "org.nutz.mvc.impl.processor.ActionFiltersProcessor",
            "org.nutz.mvc.impl.processor.AdaptorProcessor",
            "org.nutz.mvc.impl.processor.MethodInvokeProcessor",
            "org.nutz.mvc.impl.processor.ViewProcessor"
        ],
        "error" : 'org.nutz.mvc.impl.processor.FailProcessor'
    }
};
```

But when adding a new role, the SQL keywords I enter are not blocked. Do I also have to put @ChainBy or @Chain on SysRoleController?
@wendal It does get entered; after typing SQL keywords, isError ends up false. Is that normal?
@Wizzercn There is a bug at this spot in the code; it should be (" " + inj_stra[j] + " ").contains(value), otherwise the isError flag will not be set to true.

```java
// Imports assumed for the enclosing processor class (not shown in the post):
// import java.util.Iterator;
// import javax.servlet.http.HttpServletRequest;
// import org.apache.commons.lang3.StringUtils;
// import org.nutz.mvc.ActionContext;
protected boolean checkParams(ActionContext ac) {
    HttpServletRequest req = ac.getRequest();
    Iterator<String[]> values = req.getParameterMap().values().iterator();  // all form parameters
    Iterator<String[]> values2 = req.getParameterMap().values().iterator(); // second iterator, because the first one is consumed
    boolean isError = false;
    String regEx_sql = "select|update|and|or|delete|insert|trancate|char|chr|into|substr|ascii|declare|exec|count|master|drop|execute";
    String regEx_xss = "script|iframe";
    // SQL filtering
    while (values.hasNext()) {
        String[] valueArray = (String[]) values.next();
        for (int i = 0; i < valueArray.length; i++) {
            String value = valueArray[i].toLowerCase();
            // split the keyword list
            String[] inj_stra = StringUtils.split(regEx_sql, "|");
            for (int j = 0; j < inj_stra.length; j++) {
                // if a parameter value contains a keyword, flag it and stop looping
                if ("and".equals(inj_stra[j]) || "or".equals(inj_stra[j]) || "into".equals(inj_stra[j])) {
                    // short words are only matched when surrounded by spaces
                    if (value.contains(" " + inj_stra[j] + " ")) {
                        isError = true;
                        log.debugf("[%-4s]URI=%s %s", req.getMethod(), req.getRequestURI(), "SQL关键字过滤:" + value);
                        break;
                    }
                } else {
                    // "" + inj_stra[j] + "" is just inj_stra[j], so this is a plain substring test
                    if (value.contains("" + inj_stra[j] + "") || value.contains(inj_stra[j] + " ")) {
                        isError = true;
                        log.debugf("[%-4s]URI=%s %s", req.getMethod(), req.getRequestURI(), "SQL关键字过滤:" + value);
                        break;
                    }
                }
            }
            if (isError) {
                break;
            }
        }
        if (isError) {
            break;
        }
    }
    if (!isError) {
        // XSS filtering
        while (values2.hasNext()) {
            String[] valueArray = (String[]) values2.next();
            for (int i = 0; i < valueArray.length; i++) {
                String value = valueArray[i].toLowerCase();
                // split the keyword list
                String[] inj_stra = StringUtils.split(regEx_xss, "|");
                for (int j = 0; j < inj_stra.length; j++) {
                    // if a parameter value contains a keyword, flag it and stop looping
                    if (value.contains("<" + inj_stra[j] + ">")
                            || value.contains("<" + inj_stra[j])
                            || value.contains(inj_stra[j] + ">")) {
                        log.debugf("[%-4s]URI=%s %s", req.getMethod(), req.getRequestURI(), "XSS关键字过滤:" + value);
                        isError = true;
                        break;
                    }
                }
                if (isError) {
                    break;
                }
            }
            if (isError) {
                break;
            }
        }
    }
    return isError;
}
```
@wendal The code in the XssSqlFilterProcessor class.
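An added example (not code from nutzwk or the Nutz project) that ports the keyword check from the posted checkParams method to Python so it can be run against constructed inputs. It shows three things a practitioner would want to verify: the substring test in the SQL branch rejects ordinary values such as "discount" or "executive" (false positives), so a keyword blacklist is not a reliable gate for form input; the reversed test suggested in the thread, `(" " + inj_stra[j] + " ").contains(value)`, only fires when the whole value is itself a substring of the padded keyword; and the mitigation that does not depend on filtering at all, binding the value as a query parameter, demonstrated with Python's built-in sqlite3 as a stand-in for whatever data-access layer the application uses, where a role name containing SQL keywords is stored verbatim as data and the schema is untouched. The function names `sql_keyword_hit`, `proposed_fix_hit`, `xss_keyword_hit`, `flagged` and `store_role_parameterized`, and all sample values, are constructed for this example.

```python
import sqlite3

# Keyword lists copied from the posted checkParams method
SQL_KEYWORDS = ("select|update|and|or|delete|insert|trancate|char|chr|into|"
                "substr|ascii|declare|exec|count|master|drop|execute").split("|")
XSS_KEYWORDS = "script|iframe".split("|")
# Words the original only matches when surrounded by spaces
SPACE_BOUNDED = {"and", "or", "into"}


def sql_keyword_hit(value):
    """Port of the SQL branch of checkParams.

    Returns the first keyword that flags `value`, or None. The original's
    contains("" + kw + "") is a plain substring test, which is what produces
    the false positives shown in the test below.
    """
    v = value.lower()
    for kw in SQL_KEYWORDS:
        if kw in SPACE_BOUNDED:
            if f" {kw} " in v:
                return kw
        elif kw in v or f"{kw} " in v:
            return kw
    return None


def proposed_fix_hit(value):
    """The reversed test suggested in the thread: (" " + kw + " ").contains(value).

    It fires only when the whole value is a substring of the padded keyword,
    so a value that merely contains a keyword is never flagged.
    """
    v = value.lower()
    for kw in SQL_KEYWORDS:
        if v in f" {kw} ":
            return kw
    return None


def xss_keyword_hit(value):
    """Port of the XSS branch: matches <kw>, <kw or kw> as substrings."""
    v = value.lower()
    for kw in XSS_KEYWORDS:
        if f"<{kw}>" in v or f"<{kw}" in v or f"{kw}>" in v:
            return kw
    return None


def flagged(values, check=sql_keyword_hit):
    """Map each value the given check rejects to the keyword that rejected it."""
    return {v: check(v) for v in values if check(v) is not None}


def store_role_parameterized(role_name):
    """Insert a role name with a bound parameter instead of string concatenation.

    Uses an in-memory sqlite3 database as a stand-in for the application's
    data-access layer. Returns (stored names, table names) so the caller can
    confirm the value was stored verbatim and no table was altered.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_role (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # The ? placeholder binds role_name as data; the driver never parses it as SQL
    conn.execute("INSERT INTO sys_role (name) VALUES (?)", (role_name,))
    names = [row[0] for row in conn.execute("SELECT name FROM sys_role ORDER BY id")]
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    conn.close()
    return names, tables


if __name__ == "__main__":
    # Constructed form values: four ordinary words plus one that contains a keyword
    samples = ["chrome", "discount", "executive", "Florida", "drop table sys_role"]
    print("blacklist hits:", flagged(samples))
    print("reversed-test hits:", flagged(samples, proposed_fix_hit))
    print("parameterized insert:", store_role_parameterized("drop table sys_role"))
```

Running it shows "chrome", "discount" and "executive" rejected by the blacklist while "Florida" passes, the reversed test rejecting none of them, and the parameterized insert storing "drop table sys_role" as an ordinary row with the sys_role table still present. This is the reason the usual recommendation is to rely on parameter binding (and output encoding for HTML) rather than on a request-level keyword filter.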