SQL注入是常见的系统安全问题之一,用户通过特定方式向系统发送SQL脚本,可直接自定义操作系统数据库,如果系统没有对SQL注入进行拦截,那么用户甚至可以直接对数据库进行增删改查等操作。
XSS全称为Cross Site Script跨站点脚本攻击,和SQL注入类似,都是通过特定方式向系统发送攻击脚本,对系统进行控制和侵害。SQL注入主要以攻击数据库来达到攻击系统的目的,而XSS则是以恶意执行前端脚本来攻击系统。
项目框架中使用mybatis/mybatis-plus数据持久层框架,在使用过程中,已有规避SQL注入的规则和使用方法。但是在实际开发过程中,由于各种原因,开发人员对持久层框架的掌握水平不同,有些特殊业务情况必须从前台传入SQL脚本。这时就需要对系统进行加固,防止特殊情况下引起的系统风险。
在微服务架构下,我们考虑如何实现SQL注入/XSS攻击拦截时,肯定不会在每个微服务都实现一遍SQL注入/XSS攻击拦截。根据我们微服务系统的设计,所有的请求都会经过Gateway网关,所以在实现时就可以参照前面的日志拦截器来实现。在接收到一个请求时,通过拦截器解析请求参数,判断是否有SQL注入/XSS攻击参数,如果有,那么返回异常即可。
我们前面在对微服务Gateway进行自定义扩展时,增加了Gateway插件功能。我们会根据系统需求开发各种Gateway功能扩展插件,并且可以根据系统配置文件来启用/禁用这些插件。下面我们就将防止SQL注入/XSS攻击拦截器作为一个Gateway插件来开发和配置。
判断SQL注入的拦截器
/**
* 防sql注入
* @author GitEgg
*/
@Log4j2
@AllArgsConstructor
public class SqlInjectionFilter implements GlobalFilter, Ordered {
......
// 当返回参数为true时,解析请求参数和返回参数
if (shouldSqlInjection(exchange))
{
MultiValueMap<String, String> queryParams = request.getQueryParams();
boolean chkRetGetParams = SqlInjectionRuleUtils.mapRequestSqlKeyWordsCheck(queryParams);
boolean chkRetJson = false;
boolean chkRetFormData = false;
HttpHeaders headers = request.getHeaders();
MediaType contentType = headers.getContentType();
long length = headers.getContentLength();
if(length > 0 && null != contentType && (contentType.includes(MediaType.APPLICATION_JSON)
||contentType.includes(MediaType.APPLICATION_JSON_UTF8))){
chkRetJson = SqlInjectionRuleUtils.jsonRequestSqlKeyWordsCheck(gatewayContext.getRequestBody());
}
if(length > 0 && null != contentType && contentType.includes(MediaType.APPLICATION_FORM_URLENCODED)){
log.debug("[RequestLogFilter](Request)FormData:{}",gatewayContext.getFormData());
chkRetFormData = SqlInjectionRuleUtils.mapRequestSqlKeyWordsCheck(gatewayContext.getFormData());
}
if (chkRetGetParams || chkRetJson || chkRetFormData)
{
return WebfluxResponseUtils.responseWrite(exchange, "参数中不允许存在sql关键字");
}
return chain.filter(exchange);
}
else {
return chain.filter(exchange);
}
}
......
}- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
- 46.
- 47.
- 判断XSS攻击的拦截器
/**
* 防xss注入
* @author GitEgg
*/
@Log4j2
@AllArgsConstructor
public class XssInjectionFilter implements GlobalFilter, Ordered {
......
// 当返回参数为true时,记录请求参数和返回参数
if (shouldXssInjection(exchange))
{
MultiValueMap<String, String> queryParams = request.getQueryParams();
boolean chkRetGetParams = XssInjectionRuleUtils.mapRequestSqlKeyWordsCheck(queryParams);
boolean chkRetJson = false;
boolean chkRetFormData = false;
HttpHeaders headers = request.getHeaders();
MediaType contentType = headers.getContentType();
long length = headers.getContentLength();
if(length > 0 && null != contentType && (contentType.includes(MediaType.APPLICATION_JSON)
||contentType.includes(MediaType.APPLICATION_JSON_UTF8))){
chkRetJson = XssInjectionRuleUtils.jsonRequestSqlKeyWordsCheck(gatewayContext.getRequestBody());
}
if(length > 0 && null != contentType && contentType.includes(MediaType.APPLICATION_FORM_URLENCODED)){
log.debug("[RequestLogFilter](Request)FormData:{}",gatewayContext.getFormData());
chkRetFormData = XssInjectionRuleUtils.mapRequestSqlKeyWordsCheck(gatewayContext.getFormData());
}
if (chkRetGetParams || chkRetJson || chkRetFormData)
{
return WebfluxResponseUtils.responseWrite(exchange, "参数中不允许存在XSS注入关键字");
}
return chain.filter(exchange);
}
else {
return chain.filter(exchange);
}
}
......
}- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
- 46.
- 47.
2、新增SqlInjectionRuleUtils工具类和XssInjectionRuleUtils工具类,通过正则表达式,用于判断参数是否属于SQL注入/XSS攻击脚本。
- 通过正则表达式对参数进行是否有SQL注入风险的判断
/**
* 防sql注入工具类
* @author GitEgg
*/
@Slf4j
public class SqlInjectionRuleUtils {
/**
* SQL的正则表达式
*/
private static String badStrReg = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
/**
* SQL的正则表达式
*/
private static Pattern sqlPattern = Pattern.compile(badStrReg, Pattern.CASE_INSENSITIVE);
/**
* sql注入校验 map
*
* @param map
* @return
*/
public static boolean mapRequestSqlKeyWordsCheck(MultiValueMap<String, String> map) {
//对post请求参数值进行sql注入检验
return map.entrySet().stream().parallel().anyMatch(entry -> {
//这里需要将参数转换为小写来处理
String lowerValue = Optional.ofNullable(entry.getValue())
.map(Object::toString)
.map(String::toLowerCase)
.orElse("");
if (sqlPattern.matcher(lowerValue).find()) {
log.error("参数[{}]中包含不允许sql的关键词", lowerValue);
return true;
}
return false;
});
}
/**
* sql注入校验 json
*
* @param value
* @return
*/
public static boolean jsonRequestSqlKeyWordsCheck(String value) {
if (JSONUtil.isJsonObj(value)) {
JSONObject json = JSONUtil.parseObj(value);
Map<String, Object> map = json;
//对post请求参数值进行sql注入检验
return map.entrySet().stream().parallel().anyMatch(entry -> {
//这里需要将参数转换为小写来处理
String lowerValue = Optional.ofNullable(entry.getValue())
.map(Object::toString)
.map(String::toLowerCase)
.orElse("");
if (sqlPattern.matcher(lowerValue).find()) {
log.error("参数[{}]中包含不允许sql的关键词", lowerValue);
return true;
}
return false;
});
} else {
JSONArray json = JSONUtil.parseArray(value);
List<Object> list = json;
//对post请求参数值进行sql注入检验
return list.stream().parallel().anyMatch(obj -> {
//这里需要将参数转换为小写来处理
String lowerValue = Optional.ofNullable(obj)
.map(Object::toString)
.map(String::toLowerCase)
.orElse("");
if (sqlPattern.matcher(lowerValue).find()) {
log.error("参数[{}]中包含不允许sql的关键词", lowerValue);
return true;
}
return false;
});
}
}
}- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
- 46.
- 47.
- 48.
- 49.
- 50.
- 51.
- 52.
- 53.
- 54.
- 55.
- 56.
- 57.
- 58.
- 59.
- 60.
- 61.
- 62.
- 63.
- 64.
- 65.
- 66.
- 67.
- 68.
- 69.
- 70.
- 71.
- 72.
- 73.
- 74.
- 75.
- 76.
- 77.
- 78.
- 79.
- 80.
- 81.
- 82.
- 83.
- 通过正则表达式对参数进行是否有XSS攻击风险的判断
/**
* XSS注入过滤工具类
* @author GitEgg
*/
public class XssInjectionRuleUtils {
private static final Pattern[] PATTERNS = {
// Avoid anything in a <script> type of expression
Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
// Avoid anything in a src='...' type of expression
Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// Remove any lonesome </script> tag
Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
// Avoid anything in a <iframe> type of expression
Pattern.compile("<iframe>(.*?)</iframe>", Pattern.CASE_INSENSITIVE),
// Remove any lonesome <script ...> tag
Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// Remove any lonesome <img ...> tag
Pattern.compile("<img(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// Avoid eval(...) expressions
Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// Avoid expression(...) expressions
Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
// Avoid javascript:... expressions
Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
// Avoid vbscript:... expressions
Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
// Avoid onload= expressions
Pattern.compile("on(load|error|mouseover|submit|reset|focus|click)(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)
};
public static String stripXSS(String value) {
if (StringUtils.isEmpty(value)) {
return value;
}
for (Pattern scriptPattern : PATTERNS) {
value = scriptPattern.matcher(value).replaceAll("");
}
return value;
}
public static boolean hasStripXSS(String value) {
if (!StringUtils.isEmpty(value)) {
for (Pattern scriptPattern : PATTERNS) {
if (scriptPattern.matcher(value).find() == true)
{
return true;
}
}
}
return false;
}
/**
* xss注入校验 map
*
* @param map
* @return
*/
public static boolean mapRequestSqlKeyWordsCheck(MultiValueMap<String, String> map) {
//对post请求参数值进行sql注入检验
return map.entrySet().stream().parallel().anyMatch(entry -> {
//这里需要将参数转换为小写来处理
String lowerValue = Optional.ofNullable(entry.getValue())
.map(Object::toString)
.map(String::toLowerCase)
.orElse("");
if (hasStripXSS(lowerValue)) {
return true;
}
return false;
});
}
/**
* xss注入校验 json
*
* @param value
* @return
*/
public static boolean jsonRequestSqlKeyWordsCheck(String value) {
if (JSONUtil.isJsonObj(value)) {
JSONObject json = JSONUtil.parseObj(value);
Map<String, Object> map = json;
//对post请求参数值进行sql注入检验
return map.entrySet().stream().parallel().anyMatch(entry -> {
//这里需要将参数转换为小写来处理
String lowerValue = Optional.ofNullable(entry.getValue())
.map(Object::toString)
.map(String::toLowerCase)
.orElse("");
if (hasStripXSS(lowerValue)) {
return true;
}
return false;
});
} else {
JSONArray json = JSONUtil.parseArray(value);
List<Object> list = json;
//对post请求参数值进行sql注入检验
return list.stream().parallel().anyMatch(obj -> {
//这里需要将参数转换为小写来处理
String lowerValue = Optional.ofNullable(obj)
.map(Object::toString)
.map(String::toLowerCase)
.orElse("");
if (hasStripXSS(lowerValue)) {
return true;
}
return false;
});
}
}
}- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
- 46.
- 47.
- 48.
- 49.
- 50.
- 51.
- 52.
- 53.
- 54.
- 55.
- 56.
- 57.
- 58.
- 59.
- 60.
- 61.
- 62.
- 63.
- 64.
- 65.
- 66.
- 67.
- 68.
- 69.
- 70.
- 71.
- 72.
- 73.
- 74.
- 75.
- 76.
- 77.
- 78.
- 79.
- 80.
- 81.
- 82.
- 83.
- 84.
- 85.
- 86.
- 87.
- 88.
- 89.
- 90.
- 91.
- 92.
- 93.
- 94.
- 95.
- 96.
- 97.
- 98.
- 99.
- 100.
- 101.
- 102.
- 103.
- 104.
- 105.
- 106.
- 107.
- 108.
- 109.
- 110.
- 111.
- 112.
- 113.
- 114.
- 115.
- 116.
- 117.
- 118.
3、在GatewayRequestContextFilter 中新增判断那些请求需要解析参数。因为出于性能等方面的考虑,网关并不是对所有的参数都进行解析,只有在需要记录日志、防止SQL注入/XSS攻击时才会进行解析。
/**
* check should read request data whether or not
* @return boolean
*/
private boolean shouldReadRequestData(ServerWebExchange exchange){
if(gatewayPluginProperties.getLogRequest().getRequestLog()
&& GatewayLogTypeEnum.ALL.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())){
log.debug("[GatewayContext]Properties Set Read All Request Data");
return true;
}
boolean serviceFlag = false;
boolean pathFlag = false;
boolean lbFlag = false;
List<String> readRequestDataServiceIdList = gatewayPluginProperties.getLogRequest().getServiceIdList();
List<String> readRequestDataPathList = gatewayPluginProperties.getLogRequest().getPathList();
if(!CollectionUtils.isEmpty(readRequestDataPathList)
&& (GatewayLogTypeEnum.PATH.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())
|| GatewayLogTypeEnum.CONFIGURE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()))){
String requestPath = exchange.getRequest().getPath().pathWithinApplication().value();
for(String path : readRequestDataPathList){
if(ANT_PATH_MATCHER.match(path,requestPath)){
log.debug("[GatewayContext]Properties Set Read Specific Request Data With Request Path:{},Math Pattern:{}", requestPath, path);
pathFlag = true;
break;
}
}
}
Route route = exchange.getAttribute(ServerWebExchangeUtils.GATEWAY_ROUTE_ATTR);
URI routeUri = route.getUri();
if(!"lb".equalsIgnoreCase(routeUri.getScheme())){
lbFlag = true;
}
String routeServiceId = routeUri.getHost().toLowerCase();
if(!CollectionUtils.isEmpty(readRequestDataServiceIdList)
&& (GatewayLogTypeEnum.SERVICE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())
|| GatewayLogTypeEnum.CONFIGURE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()))){
if(readRequestDataServiceIdList.contains(routeServiceId)){
log.debug("[GatewayContext]Properties Set Read Specific Request Data With ServiceId:{}",routeServiceId);
serviceFlag = true;
}
}
if (GatewayLogTypeEnum.CONFIGURE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())
&& serviceFlag && pathFlag && !lbFlag)
{
return true;
}
else if (GatewayLogTypeEnum.SERVICE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())
&& serviceFlag && !lbFlag)
{
return true;
}
else if (GatewayLogTypeEnum.PATH.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())
&& pathFlag)
{
return true;
}
return false;
}- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
- 46.
- 47.
- 48.
- 49.
- 50.
- 51.
- 52.
- 53.
- 54.
- 55.
- 56.
- 57.
- 58.
- 59.
- 60.
- 61.
- 62.
- 63.
- 64.
- 65.
- 66.
4、在GatewayPluginProperties中新增配置,用于读取Gateway过滤器的系统配置,判断开启新增的防止SQL注入/XSS攻击插件。
@Slf4j
@Getter
@Setter
@ToString
public class GatewayPluginProperties implements InitializingBean {
public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX = "spring.cloud.gateway.plugin.config";
public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX_LOG_REQUEST = GATEWAY_PLUGIN_PROPERTIES_PREFIX + ".logRequest";
public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX_SQL_INJECTION = GATEWAY_PLUGIN_PROPERTIES_PREFIX + ".sqlInjection";
public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX_XSS_INJECTION = GATEWAY_PLUGIN_PROPERTIES_PREFIX + ".xssInjection";
/**
* Enable Or Disable
*/
private Boolean enable = false;
/**
* LogProperties
*/
private LogProperties logRequest;
/**
* SqlInjectionProperties
*/
private SqlInjectionProperties sqlInjection;
/**
* XssInjectionProperties
*/
private XssInjectionProperties xssInjection;
@Override
public void afterPropertiesSet() {
log.info("Gateway plugin logRequest enable:", logRequest.enable);
log.info("Gateway plugin sqlInjection enable:", sqlInjection.enable);
log.info("Gateway plugin xssInjection enable:", xssInjection.enable);
}
/**
* 日志记录相关配置
*/
@Getter
@Setter
@ToString
public static class LogProperties implements InitializingBean{
/**
* Enable Or Disable Log Request Detail
*/
private Boolean enable = false;
/**
* Enable Or Disable Read Request Data
*/
private Boolean requestLog = false;
/**
* Enable Or Disable Read Response Data
*/
private Boolean responseLog = false;
/**
* logType
* all: 所有日志
* configure:serviceId和pathList交集
* serviceId: 只记录serviceId配置列表
* pathList:只记录pathList配置列表
*/
private String logType = "all";
/**
* Enable Read Request Data When use discover route by serviceId
*/
private List<String> serviceIdList = Collections.emptyList();
/**
* Enable Read Request Data by specific path
*/
private List<String> pathList = Collections.emptyList();
@Override
public void afterPropertiesSet() throws Exception {
if(!CollectionUtils.isEmpty(serviceIdList)){
serviceIdList = serviceIdList.stream().map(String::toLowerCase).collect(Collectors.toList());
}
if(!CollectionUtils.isEmpty(pathList)){
pathList = pathList.stream().map(String::toLowerCase).collect(Collectors.toList());
}
}
}
/**
* sql注入拦截相关配置
*/
@Getter
@Setter
@ToString
public static class SqlInjectionProperties implements InitializingBean{
/**
* Enable Or Disable
*/
private Boolean enable = false;
/**
* Enable Read Request Data When use discover route by serviceId
*/
private List<String> serviceIdList = Collections.emptyList();
/**
* Enable Read Request Data by specific path
*/
private List<String> pathList = Collections.emptyList();
@Override
public void afterPropertiesSet() {
if(!CollectionUtils.isEmpty(serviceIdList)){
serviceIdList = serviceIdList.stream().map(String::toLowerCase).collect(Collectors.toList());
}
if(!CollectionUtils.isEmpty(pathList)){
pathList = pathList.stream().map(String::toLowerCase).collect(Collectors.toList());
}
}
}
/**
* xss注入拦截相关配置
*/
@Getter
@Setter
@ToString
public static class XssInjectionProperties implements InitializingBean{
/**
* Enable Or Disable
*/
private Boolean enable = false;
/**
* Enable Read Request Data When use discover route by serviceId
*/
private List<String> serviceIdList = Collections.emptyList();
/**
* Enable Read Request Data by specific path
*/
private List<String> pathList = Collections.emptyList();
@Override
public void afterPropertiesSet() {
if(!CollectionUtils.isEmpty(serviceIdList)){
serviceIdList = serviceIdList.stream().map(String::toLowerCase).collect(Collectors.toList());
}
if(!CollectionUtils.isEmpty(pathList)){
pathList = pathList.stream().map(String::toLowerCase).collect(Collectors.toList());
}
}
}
}- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
- 46.
- 47.
- 48.
- 49.
- 50.
- 51.
- 52.
- 53.
- 54.
- 55.
- 56.
- 57.
- 58.
- 59.
- 60.
- 61.
- 62.
- 63.
- 64.
- 65.
- 66.
- 67.
- 68.
- 69.
- 70.
- 71.
- 72.
- 73.
- 74.
- 75.
- 76.
- 77.
- 78.
- 79.
- 80.
- 81.
- 82.
- 83.
- 84.
- 85.
- 86.
- 87.
- 88.
- 89.
- 90.
- 91.
- 92.
- 93.
- 94.
- 95.
- 96.
- 97.
- 98.
- 99.
- 100.
- 101.
- 102.
- 103.
- 104.
- 105.
- 106.
- 107.
- 108.
- 109.
- 110.
- 111.
- 112.
- 113.
- 114.
- 115.
- 116.
- 117.
- 118.
- 119.
- 120.
- 121.
- 122.
- 123.
- 124.
- 125.
- 126.
- 127.
- 128.
- 129.
- 130.
- 131.
- 132.
- 133.
- 134.
- 135.
- 136.
- 137.
- 138.
- 139.
- 140.
- 141.
- 142.
- 143.
- 144.
- 145.
- 146.
- 147.
- 148.
- 149.
- 150.
- 151.
- 152.
- 153.
- 154.
- 155.
- 156.
- 157.
- 158.
- 159.
- 160.
- 161.
- 162.
5、GatewayPluginConfig 配置过滤器在启动时动态判断是否启用某些Gateway插件。在这里我们将新增的SQL注入拦截插件和XSS攻击拦截插件配置进来,可以根据配置文件动态判断是否启用SQL注入拦截插件和XSS攻击拦截插件。
@Slf4j
@Configuration
@ConditionalOnProperty(prefix = GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX, value = { "enable"}, havingValue = "true")
public class GatewayPluginConfig {
/**
* Gateway插件是否生效
* @return
*/
@Bean
@ConditionalOnMissingBean(GatewayPluginProperties.class)
@ConfigurationProperties(GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX)
public GatewayPluginProperties gatewayPluginProperties(){
return new GatewayPluginProperties();
}
......
/**
* sql注入拦截插件
* @return
*/
@Bean
@ConditionalOnMissingBean(SqlInjectionFilter.class)
@ConditionalOnProperty(prefix = GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX, value = { "sqlInjection.enable" },havingValue = "true")
public SqlInjectionFilter sqlInjectionFilter(@Autowired GatewayPluginProperties gatewayPluginProperties){
SqlInjectionFilter sqlInjectionFilter = new SqlInjectionFilter(gatewayPluginProperties);
log.debug("Load SQL Injection Filter Config Bean");
return sqlInjectionFilter;
}
/**
* xss注入拦截插件
* @return
*/
@Bean
@ConditionalOnMissingBean(XssInjectionFilter.class)
@ConditionalOnProperty(prefix = GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX, value = { "xssInjection.enable" },havingValue = "true")
public XssInjectionFilter xssInjectionFilter(@Autowired GatewayPluginProperties gatewayPluginProperties){
XssInjectionFilter xssInjectionFilter = new XssInjectionFilter(gatewayPluginProperties);
log.debug("Load XSS Injection Filter Config Bean");
return xssInjectionFilter;
}
......
}- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29.
- 30.
- 31.
- 32.
- 33.
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
- 42.
- 43.
- 44.
- 45.
在日常开发过程中很多业务需求都不会从前端传入SQL脚本和XSS脚本,所以很多的开发框架都不去识别前端参数是否有安全风险,然后直接禁止掉所有前端传入的的脚本,这样就强制规避了SQL注入和XSS攻击的风险。但是在某些特殊业务情况下,尤其是传统行业系统,需要通过前端配置执行脚本,然后由业务系统去执行这些配置的脚本,这个时候就需要通过配置来进行识别和判断,然后对容易引起安全性风险的脚本进转换和配置,在保证业务正常运行的情况下完成脚本配置。
源码地址:
Gitee:
https://gitee.com/wmz1930/GitEgg
GitHub:
https://github.com/wmz1930/GitEgg
