SpringBoot 之SpringMVC 常用配置SQL注入分析

不点 阅读:343 2021-03-31 17:01:04 评论:0

应用场景:作者的本意是在 SpringMVC 的 GET 请求到达 Controller 之前,对请求参数做 SQL 注入/XSS 特征的清理;按原文说法,POST 请求方式下这段代码无法正常使用(准确地说:application/x-www-form-urlencoded 的 POST 参数同样能通过 getParameterNames() 读到,读不到的是 JSON 等请求体)。更需要注意的是:HttpServletRequest 的参数是只读的,拦截器里 `value = clearXss(value)` 只改写了循环内的局部变量,Controller 拿到的仍是原始值,所以原文代码对 GET 请求同样没有实际效果。防 SQL 注入的正确做法是使用 PreparedStatement / MyBatis `#{}` 等参数化查询,黑名单式的拦截器至多只能作为纵深防御中的检测层,并且会误伤正常输入(例如任何含有 "script" 的值,如 "description")。

拦截器作用:
        拦截器 Interceptor 可以在每一个请求被 Controller 处理前后执行相关的业务处理,类似于 Servlet 的 Filter。与 Filter 的一个关键区别是:拦截器拿到的 HttpServletRequest 不能被包装或替换,因此无法修改请求参数;如果确实需要改写参数,应当使用 Filter + HttpServletRequestWrapper,拦截器能做到的是检查并拒绝请求。
第一种方式:可以让普通的bean实现HandlerInterceptor接口或者继承HandlerInterceptorAdapter类来实现自定义拦截器。
①继承HandlerInterceptorAdapter类来实现自定义拦截器
重写 preHandle:在 Controller 处理请求之前执行,返回 false 即中断后续处理(这也是拦截器真正能落实的防御手段——拒绝请求而不是修改参数);postHandle 在 Controller 执行完、视图渲染之前执行;afterCompletion 在整个请求完成后执行。
 

SQL拦截器源码:

package com.digipower.ucas.interceptor; 
 
import org.springframework.web.servlet.HandlerInterceptor; 
import org.springframework.web.servlet.ModelAndView; 
 
import javax.servlet.http.HttpServletRequest; 
import javax.servlet.http.HttpServletResponse; 
import java.util.Enumeration; 
 
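/**
 * Interceptor that inspects every request parameter for the crude script/XSS
 * patterns handled by {@link #clearXss(String)} and rejects the request with
 * HTTP 400 when any value would be altered by them.
 *
 * <p>Why reject instead of "clean": {@link HttpServletRequest} exposes its
 * parameters read-only, so an interceptor cannot rewrite them. The previous
 * version assigned {@code value = clearXss(value)} inside the loop, which only
 * overwrote a local variable -- the handler still received the raw value and
 * the interceptor was effectively a no-op for GET and POST alike.
 *
 * <p>NOTE(review): a pattern blacklist is not a SQL-injection defence. The
 * reliable fix is to never build SQL from request data: use
 * {@code PreparedStatement} placeholders, JPA parameters or MyBatis
 * {@code #{}} binding. Treat this interceptor as defence in depth only, and
 * expect false positives: any value containing the substring "script" (for
 * example "description") is flagged.
 *
 * @author tyee.noprom@qq.com
 * @time 2/13/16 8:22 PM.
 */
public class SqlInjectInterceptor implements HandlerInterceptor {

    /**
     * Checks every parameter value before the handler runs.
     *
     * @param request  the incoming request; only its parameters are read
     * @param response used to send a 400 when a blocked pattern is found
     * @param o        the handler (unused)
     * @return {@code true} to continue the chain; {@code false} after a
     *         400 has been written because a parameter matched a pattern
     * @throws Exception if writing the error response fails
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object o) throws Exception {
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (isSuspicious(value)) {
                    // Deliberately do not echo the parameter name or value
                    // back: the error page must not become a reflection vector.
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return false;
                }
            }
        }
        return true;
    }

    /** No-op; present to satisfy {@link HandlerInterceptor}. */
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object o, ModelAndView modelAndView) throws Exception {

    }

    /** No-op; present to satisfy {@link HandlerInterceptor}. */
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object o, Exception e) throws Exception {

    }

    /**
     * Returns {@code true} when {@link #clearXss(String)} would change the
     * value, i.e. the value contains one of the blocked patterns.
     * Package-private and static so it can be unit-tested without a servlet
     * container.
     *
     * @param value a raw parameter value, may be {@code null}
     * @return whether the value should cause the request to be rejected
     */
    static boolean isSuspicious(String value) {
        return value != null && !value.equals(clearXss(value));
    }

    /**
     * Applies the author's replacement rules to a parameter value.
     *
     * <p>NOTE(review): as printed on this page the {@code <}, {@code >},
     * {@code (}, {@code )} and {@code '} rules map each character to itself
     * and therefore never change the value -- presumably the original source
     * escaped them to HTML entities and the entities were lost in
     * publication; confirm against the original. Until that is restored,
     * only the {@code eval(...)}, {@code javascript:} and {@code script}
     * rules can actually trigger a rejection.
     *
     * @param value a raw parameter value, may be {@code null} or empty
     * @return the value with the rules applied (unchanged if null/empty)
     */
    private static String clearXss(String value) {
        if (value == null || "".equals(value)) {
            return value;
        }
        // Identity replacements as published (see class-level note).
        value = value.replaceAll("<", "<").replaceAll(">", ">");
        // The first call is a regex, the second is a literal replace of the
        // two-character sequence backslash + ')'.
        value = value.replaceAll("\\(", "(").replace("\\)", ")");
        value = value.replaceAll("'", "'");
        // Greedy: drops everything from "eval(" through the LAST ')'.
        value = value.replaceAll("eval\\((.*)\\)", "");
        // Quoted javascript: URLs become an empty quoted string.
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']",
                "\"\"");
        // Substring match, so ordinary words such as "description" are hit too.
        value = value.replace("script", "");
        return value;
    }
}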

SpringBoot 配置SpringMVC的拦截器

package com.digipower.ucas.config; 
 
import java.util.ArrayList; 
import java.util.List; 
 
import org.springframework.context.annotation.Bean; 
import org.springframework.context.annotation.Configuration; 
import org.springframework.http.converter.HttpMessageConverter; 
import org.springframework.web.servlet.config.annotation.EnableWebMvc; 
import org.springframework.web.servlet.config.annotation.InterceptorRegistry; 
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry; 
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter; 
 
import io.swagger.annotations.ApiOperation; 
import springfox.documentation.builders.ApiInfoBuilder; 
import springfox.documentation.builders.ParameterBuilder; 
import springfox.documentation.builders.PathSelectors; 
import springfox.documentation.builders.RequestHandlerSelectors; 
import springfox.documentation.schema.ModelRef; 
import springfox.documentation.service.ApiInfo; 
import springfox.documentation.service.Contact; 
import springfox.documentation.service.Parameter; 
import springfox.documentation.spi.DocumentationType; 
import springfox.documentation.spring.web.plugins.Docket; 
import springfox.documentation.swagger2.annotations.EnableSwagger2; 

import com.digipower.ucas.interceptor.SqlInjectInterceptor; 
 
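@Configuration
@EnableSwagger2
@EnableWebMvc
public class SwaggerConfig extends WebMvcConfigurerAdapter {
    // NOTE(review): SqlInjectInterceptor lives in com.digipower.ucas.interceptor,
    // but this file's import list has no import for it, so the listing as
    // published does not compile; add
    // `import com.digipower.ucas.interceptor.SqlInjectInterceptor;`.
    //
    // NOTE(review): in Spring Boot, @EnableWebMvc takes MVC configuration over
    // from the auto-configuration (WebMvcAutoConfiguration backs off) -- confirm
    // this is intended rather than copied from a plain Spring MVC setup.
    //
    // The auto-generated configureMessageConverters stub, which only delegated
    // to super, was removed; behaviour is unchanged.

    /**
     * Serves the Swagger UI page and its webjars from the classpath.
     *
     * <p>NOTE(review): nothing here restricts who can load swagger-ui.html; if
     * this configuration is active in production, the UI (and the API-docs JSON
     * it reads) enumerate every {@code @ApiOperation} endpoint to anonymous
     * users. Guard it behind a profile or authentication.
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("swagger-ui.html").addResourceLocations("classpath:/META-INF/resources/");
        registry.addResourceHandler("/webjars/**").addResourceLocations("classpath:/META-INF/resources/webjars/");
    }

    /**
     * Builds the Swagger 2 Docket: documents every handler method annotated
     * with {@link ApiOperation}, on any path, and adds an optional
     * {@code X-CSRF-TOKEN} header parameter to every operation.
     *
     * <p>This is documentation only: {@code required(false)} here does not
     * enforce anything; CSRF protection has to be enforced by the security
     * layer, not by the API description.
     *
     * @return the configured Docket bean
     */
    @Bean
    public Docket buildDocket() {
        // The original called build() twice and discarded the first result;
        // a single call is equivalent.
        Parameter csrfHeader = new ParameterBuilder()
                .name("X-CSRF-TOKEN")
                .description("令牌")
                .modelRef(new ModelRef("string"))
                .parameterType("header")
                .required(false)
                .build();
        List<Parameter> globalParams = new ArrayList<Parameter>();
        globalParams.add(csrfHeader);

        return new Docket(DocumentationType.SWAGGER_2).select()
                .apis(RequestHandlerSelectors.withMethodAnnotation(ApiOperation.class)).paths(PathSelectors.any())
                .build().globalOperationParameters(globalParams).apiInfo(buildApiInf());
    }

    /** Static API metadata shown in the Swagger UI header. */
    private ApiInfo buildApiInf() {
        return new ApiInfoBuilder().title("深圳市世纪伟图科技开发有限公司 - 城建档案系统").termsOfServiceUrl("http://www.digipower.cn/")
                .description("API接口")
                .contact(new Contact("digipower", "http://www.digipower.cn/", "digiservices@digipower.com"))
                .version("2.0").build();
    }

    /** Exposes the interceptor as a bean so it can also be injected elsewhere. */
    @Bean
    public SqlInjectInterceptor sqlInjectInterceptor() {
        return new SqlInjectInterceptor();
    }

    /**
     * Registers the interceptor without path patterns, i.e. for every
     * handler mapping -- including the Swagger resources above.
     */
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(sqlInjectInterceptor());
    }
}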

 
