SpringBootFilter

关于 SpringBoot 中 Filter 的使用，此处以添加 XSS 注入、SQL 注入过滤为 demo。

可能需要的lib



<!-- Servlet API: supplies the Filter, FilterConfig, FilterChain, HttpServletRequest and
     HttpServletRequestWrapper types used by XssFilter / XssServletRequest below. -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
</dependency>


1. 创建一个过滤类实现 Filter 接口，如下：



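/**
 * Servlet filter that wraps each incoming HTTP request in {@link XssServletRequest},
 * so that downstream code reads HTML-escaped parameter and header values.
 */
public class XssFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No init-params are read; nothing to set up.
    }

    /**
     * Wraps the request and continues the chain.
     *
     * <p>The wrapper needs an {@link HttpServletRequest}. The original code cast
     * unconditionally, which surfaced as a bare {@link ClassCastException} for any
     * other request type; the precondition is now checked explicitly and reported as a
     * {@link ServletException}, so the filter still fails closed but with a clear message.
     *
     * @param request  the incoming request; must be an {@link HttpServletRequest}
     * @param response the response, passed on untouched
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException if the request is not an HTTP request, or propagated
     *                          from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            throw new ServletException("XssFilter only supports HTTP requests, got "
                    + request.getClass().getName());
        }
        chain.doFilter(new XssServletRequest((HttpServletRequest) request), response);
    }

    @Override
    public void destroy() {
        // No resources are held.
    }

}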


2. 创建 XssServletRequest 类用来处理相关的 XSS 和 SQL 注入过滤处理



public class XssServletRequest extends HttpServletRequestWrapper {

/**
 * Wraps {@code request} so that parameter and header reads go through {@link #escape}.
 *
 * @param request the request to wrap; handed straight to the superclass constructor
 */
XssServletRequest(HttpServletRequest request) {
super(request);
}

/**
 * Returns the single value of {@code name}, HTML-escaped and with script patterns removed.
 *
 * <p>{@code null} and blank values are returned untouched: there is nothing to escape,
 * and {@link #escape} is not null-safe.
 *
 * @param name parameter name
 * @return the escaped value, or the original {@code null}/blank value
 */
@Override
public String getParameter(String name) {
    final String raw = super.getParameter(name);
    if (!StringUtils.isNotBlank(raw)) {
        return raw;
    }
    return escape(raw);
}

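/**
 * Returns all values of {@code name} with each element escaped.
 *
 * <p>Spring's {@code @RequestParam} binding obtains parameter values through this method.
 *
 * <p>Escaped values are written into a fresh array. The original code escaped the array
 * returned by the wrapped request in place; if that array is the container's own copy,
 * a second read of the same parameter within the request would see already-escaped text
 * and escape it again.
 *
 * @param name parameter name
 * @return an escaped copy of the values, or {@code null} / the empty array exactly as
 *         returned by the wrapped request
 */
@Override
public String[] getParameterValues(String name) {
    String[] raw = super.getParameterValues(name);
    if (raw == null || raw.length == 0) {
        return raw;
    }
    String[] escaped = new String[raw.length];
    for (int i = 0; i < raw.length; i++) {
        // escape() is not null-safe (it ends in Pattern.matcher), so keep null elements as-is.
        escaped[i] = raw[i] == null ? null : escape(raw[i]);
    }
    return escaped;
}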

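/**
 * Returns a copy of the parameter map with every value escaped.
 *
 * <p>Each value array is copied before escaping. The original code overwrote the arrays
 * held by {@code super.getParameterMap()} in place; if the wrapped request caches that
 * map, a second call during the same request would escape the already-escaped text again.
 *
 * @return a new, insertion-ordered map whose values are escaped copies
 */
@Override
public Map<String, String[]> getParameterMap() {
    Map<String, String[]> source = super.getParameterMap();
    Map<String, String[]> result = new LinkedHashMap<>(source.size());
    for (Map.Entry<String, String[]> entry : source.entrySet()) {
        String[] values = entry.getValue();
        if (values == null) {
            // The original dereferenced values.length and would have thrown here.
            result.put(entry.getKey(), null);
            continue;
        }
        String[] escaped = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            // escape() is not null-safe (it ends in Pattern.matcher), so keep null elements as-is.
            escaped[i] = values[i] == null ? null : escape(values[i]);
        }
        result.put(entry.getKey(), escaped);
    }
    return result;
}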

/**
 * Returns the header {@code name}, HTML-escaped and with script patterns removed.
 *
 * <p>Every header read through this wrapper is rewritten, not just ones that are later
 * rendered into HTML; downstream code therefore sees the escaped form of any header
 * value. {@code null} and blank values are returned untouched.
 *
 * @param name header name
 * @return the escaped header value, or the original {@code null}/blank value
 */
@Override
public String getHeader(String name) {
    final String raw = super.getHeader(name);
    if (!StringUtils.isNotBlank(raw)) {
        return raw;
    }
    return escape(raw);
}

/**
 * HTML-escapes {@code str} with Spring's {@link HtmlUtils}, then strips the script
 * patterns handled by {@link #scriptXSS}.
 *
 * <p>This is the whole of the filtering this class performs. There is no SQL-specific
 * handling here, so database access must still rely on parameterised queries rather
 * than on this request wrapper.
 *
 * @param str the raw value; must not be {@code null} (the pattern step dereferences it)
 * @return the escaped value
 */
private static String escape(final String str) {
    return scriptXSS(HtmlUtils.htmlEscape(str));
}

/** Flags shared by the multi-line patterns: case-insensitive, {@code .} also matches newlines. */
private static final int SCRIPT_FLAGS =
        Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;

/** {@code eval(...)} calls; the shortest match up to the first {@code )} is removed by {@link #scriptXSS}. */
private static final Pattern P_EL = Pattern.compile("eval\\((.*?)\\)", SCRIPT_FLAGS);
/** CSS {@code expression(...)}; removed by {@link #scriptXSS}. */
private static final Pattern P_EXP = Pattern.compile("expression\\((.*?)\\)", SCRIPT_FLAGS);
/** {@code javascript:} URI scheme in any letter case. */
private static final Pattern P_JS = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
/** {@code vbscript:} URI scheme in any letter case. */
private static final Pattern P_VB = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
/** {@code onload...=} up to the first {@code =}; removed by {@link #scriptXSS}. */
private static final Pattern P_OL = Pattern.compile("onload(.*?)=", SCRIPT_FLAGS);

/**
 * Removes or normalises the script constructs matched by this class's patterns.
 *
 * <p>{@code eval(...)}, {@code expression(...)} and {@code onload...=} are deleted.
 * {@code javascript:} and {@code vbscript:} are replaced with the same literal, so for
 * those two the only effect is to lower-case the scheme name; the scheme itself stays
 * in the returned value.
 *
 * <p>The replacements run in a fixed order because later patterns can match text that
 * an earlier removal exposes; the order is the same as the original implementation.
 *
 * @param str the value to clean (called after HTML escaping); must not be {@code null}
 * @return the value with the patterns above applied
 */
private static String scriptXSS(final String str) {
    String out = regexReplace(P_EL, "", str);
    out = regexReplace(P_EXP, "", out);
    out = regexReplace(P_JS, "javascript:", out);
    out = regexReplace(P_VB, "vbscript:", out);
    return regexReplace(P_OL, "", out);
}

/**
 * Replaces every match of {@code pattern} in {@code s} with {@code replace}.
 *
 * @param pattern compiled pattern to search for
 * @param replace replacement text, interpreted by {@link Matcher#replaceAll}
 *                (so {@code $} and {@code \} have special meaning)
 * @param s       input text; must not be {@code null}
 * @return the rewritten string
 */
private static String regexReplace(final Pattern pattern, final String replace,
        final String s) {
    return pattern.matcher(s).replaceAll(replace);
}


3.注册XssFilter并配置过滤规则



/**
 * Registers {@link XssFilter} with the servlet container.
 */
@Configuration
public class WebMvcConfig {

    /**
     * Filter registration: the XSS filter is mapped to every URL ({@code /*}).
     *
     * <p>No explicit order is set on the registration, so the filter's position relative
     * to any other registered filters is left to the default.
     *
     * @return the registration bean Spring Boot uses to install the filter
     */
    @Bean
    public FilterRegistrationBean<XssFilter> xssFilterRegistration() {
        XssFilter filter = new XssFilter();
        FilterRegistrationBean<XssFilter> bean = new FilterRegistrationBean<>(filter);
        bean.addUrlPatterns("/*");
        return bean;
    }

}


此时 Filter 配置完成。