main
黄海 10 months ago
parent 00a3782ead
commit fd7acc90c1

@ -1,4 +1,4 @@
package com.dsideal.gw.Const;
package com.dsideal.gw.Bean;
import com.alibaba.fastjson.JSONObject;
import lombok.Getter;

@ -1,7 +1,7 @@
package com.dsideal.gw.Handler;
import com.alibaba.fastjson.JSONObject;
import com.dsideal.gw.Const.RetBean;
import com.dsideal.gw.Bean.RetBean;
import com.dsideal.gw.GwApplication;
import com.dsideal.gw.Util.CommonUtil;
import com.dsideal.gw.Util.JwtUtil;

@ -1,12 +1,11 @@
_______ ______ __ __
/ \ / \ / | _ / |
$$$$$$$ | _______ /$$$$$$ |$$ | / \ $$ |
$$ | $$ | / |$$ | _$$/ $$ |/$ \$$ |
$$ | $$ |/$$$$$$$/ $$ |/ |$$ /$$$ $$ |
$$ | $$ |$$ \ $$ |$$$$ |$$ $$/$$ $$ |
$$ |__$$ | $$$$$$ |$$ \__$$ |$$$$/ $$$$ |
$$ $$/ / $$/ $$ $$/ $$$/ $$$ |
$$$$$$$/ $$$$$$$/ $$$$$$/ $$/ $$/
$$\ $$$$$$\
$$ | $$ __$$\
$$$$$$$ | $$$$$$$\ $$ / \__|$$\ $$\ $$\
$$ __$$ |$$ _____|$$ |$$$$\ $$ | $$ | $$ |
$$ / $$ |\$$$$$$\ $$ |\_$$ |$$ | $$ | $$ |
$$ | $$ | \____$$\ $$ | $$ |$$ | $$ | $$ |
\$$$$$$$ |$$$$$$$ |\$$$$$$ |\$$$$$\$$$$ |
\_______|\_______/ \______/ \_____\____/
power by http://patorjk.com/software/taag/

@ -1,9 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<module version="4">
<component name="AdditionalModuleElements">
<content url="file://$MODULE_DIR$/dsRes" dumb="true">
<sourceFolder url="file://$MODULE_DIR$/dsRes/src/main/java" isTestSource="false" />
<sourceFolder url="file://$MODULE_DIR$/dsRes/src/main/resource" type="java-resource" />
</content>
</component>
</module>

@ -1,36 +0,0 @@
package com.dsideal.resource.Handler;
import com.dsideal.resource.Handler.XssHttpServletRequestWrapper;
import com.jfinal.handler.Handler;
import org.jsoup.internal.StringUtil;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.regex.Pattern;
public class XssHandler extends Handler {
// 排除的url使用的target.startsWith匹配的
private final String excludePattern;
/**
* 使
*/
public XssHandler(String excludePattern) {
// System.out.println("进入xss拦截------------------------------" + new Date());
this.excludePattern = excludePattern;
}
@Override
public void handle(String target, HttpServletRequest request, HttpServletResponse response, boolean[] isHandled) {
Pattern pattern = Pattern.compile(excludePattern);
//带.表示非action请求忽略其实不太严谨如果是伪静态比如.html会被错误地排除匹配excludePattern的忽略
if (!target.contains(".") && !(!StringUtil.isBlank(excludePattern) && pattern.matcher(target).find())
&& !target.contains("addGlobal") && !target.contains("updateGlobalById")) {
request = new XssHttpServletRequestWrapper(request);
}
//别忘了
next.handle(target, request, response, isHandled);
}
}

@ -1,85 +0,0 @@
package com.dsideal.resource.Handler;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;
import javax.servlet.http.HttpServletRequest;
import java.util.HashMap;
import java.util.Map;
/**
* HttpServletRequestWrapperXssHandler
*
* @author ren
* @date 2017518 1:49:26
*/
public class XssHttpServletRequestWrapper extends javax.servlet.http.HttpServletRequestWrapper {
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
/**
* getParameter
*/
@Override
public String getParameter(String name) {
return getBasicHtmlandimage(super.getParameter(name));
}
/**
* getParameterValues
*/
@Override
public String[] getParameterValues(String name) {
String[] values = super.getParameterValues(name);
if (null == values) {
return null;
}
for (int i = 0; i < values.length; i++) {
values[i] = getBasicHtmlandimage(values[i]);
}
return values;
}
/**
* getParameterMap
*/
@Override
public Map<String, String[]> getParameterMap() {
@SuppressWarnings("unchecked")
Map<String, String[]> paraMap = super.getParameterMap();
// 对于paraMap为空的直接return
if (null == paraMap || paraMap.isEmpty()) {
return paraMap;
}
//super.getParameterMap()不允许任何修改,所以只能做深拷贝
Map<String, String[]> paraMapCopy = new HashMap<String, String[]>();
//实际上putAll只对基本类型深拷贝有效如果是自定义类型则要找其他办法
paraMapCopy.putAll(paraMap);
for (Map.Entry<String, String[]> entry : paraMapCopy.entrySet()) {
String[] values = entry.getValue();
if (null == values) {
continue;
}
String[] newValues = new String[values.length];
for (int i = 0; i < values.length; i++) {
newValues[i] = getBasicHtmlandimage(values[i]);
}
entry.setValue(newValues);
}
return paraMapCopy;
}
private static String getBasicHtmlandimage(String html) {
if (html == null)
return null;
html = Jsoup.clean(html, Safelist.basicWithImages());
//再次过滤
return html;
}
}

@ -1,78 +0,0 @@
package com.dsideal.resource.Plugin;
import com.jfinal.log.Log;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
public class Slf4jLog extends Log {
private Logger log;
Slf4jLog(Class<?> clazz) {
log = LoggerFactory.getLogger(clazz);
}
Slf4jLog(String name) {
log = LoggerFactory.getLogger(name);
}
public void info(String message) {
log.info(message);
}
public void info(String message, Throwable t) {
log.info(message, t);
}
public void debug(String message) {
log.debug(message);
}
public void debug(String message, Throwable t) {
log.debug(message, t);
}
public void warn(String message) {
log.warn(message);
}
public void warn(String message, Throwable t) {
log.warn(message, t);
}
public void error(String message) {
log.error(message);
}
public void error(String message, Throwable t) {
log.error(message, t);
}
public void fatal(String message) {
log.error(message);
}
public void fatal(String message, Throwable t) {
log.error(message, t);
}
public boolean isDebugEnabled() {
return log.isDebugEnabled();
}
public boolean isInfoEnabled() {
return log.isInfoEnabled();
}
public boolean isWarnEnabled() {
return log.isWarnEnabled();
}
public boolean isErrorEnabled() {
return log.isErrorEnabled();
}
public boolean isFatalEnabled() {
return log.isErrorEnabled();
}
}

@ -1,17 +0,0 @@
package com.dsideal.resource.Plugin;
import com.jfinal.log.ILogFactory;
import com.jfinal.log.Log;
public class Slf4jLogFactory implements ILogFactory {
@Override
public Log getLog(Class<?> aClass) {
return new Slf4jLog(aClass);
}
@Override
public Log getLog(String name) {
return new Slf4jLog(name);
}
}

@ -1,7 +1,6 @@
package com.dsideal.resource;
import com.dsideal.resource.Controller.IndexController;
import com.dsideal.resource.Handler.XssHandler;
import com.dsideal.resource.Interceptor.*;
import com.dsideal.resource.Plugin.YamlProp;
import com.dsideal.resource.Util.FileUtil;
@ -155,9 +154,6 @@ public class ResApplication extends JFinalConfig {
*/
@Override
public void configHandler(Handlers me) {
//加入统一的XSS处理器
//添加xss 过滤(正则表达式:"/((\\%3C)|<)((\\%2F)|\\/)*[a-z0-9\\%]+((\\%3E)|>)/ix"
me.add(new XssHandler("/((\\%3C)|<)((\\%2F)|\\/)*[a-z0-9\\%]+((\\%3E)|>)/ix"));
}
/**
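Review bot: On the new side `configHandler(Handlers me)` is left as an empty override once the `XssHandler` registration is removed, and no replacement for request-parameter sanitization is visible anywhere in this commit (the `XssHandler` and `XssHttpServletRequestWrapper` classes are deleted in the same commit rather than relocated). If the mitigation now lives elsewhere, say in the `com.dsideal.gw` gateway module or in output encoding at the view layer, that should be stated at the call site so the empty method does not read as an oversight, e.g. `// XSS request sanitization intentionally removed here; handled by <LOCATION-PLACEHOLDER> instead`. If it has not moved, either re-register a sanitizing handler or drop the now-empty override entirely rather than keeping a no-op. The enclosing `ResApplication` class and the Javadoc that precedes this method start outside the hunk.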
