Commit 75b1f225
Authored Nov 06, 2020 by qinxiaodong@pannk.com
Parent: 86c78781
Showing 14 changed files with 944 additions and 8 deletions (+944 -8)

mms-font/src/api/user.js (+3 -4)
mms-font/src/store/modules/user.js (+4 -2)
mms-font/src/views/dashboard/index.vue (+1 -0)
mms-font/src/views/login/index.vue (+2 -2)
mms/pom.xml (+10 -0)
mms/src/main/java/com/pannk/mms/common/config/FilterConfig.java (+38 -0)
mms/src/main/java/com/pannk/mms/common/config/ShiroConfig.java (+66 -0)
mms/src/main/java/com/pannk/mms/common/filters/HTMLFilter.java (+530 -0)
mms/src/main/java/com/pannk/mms/common/filters/SQLFilter.java (+36 -0)
mms/src/main/java/com/pannk/mms/common/filters/XssFilter.java (+26 -0)
mms/src/main/java/com/pannk/mms/common/filters/XssHttpServletRequestWrapper.java (+131 -0)
mms/src/main/java/com/pannk/mms/common/oauth2/OAuth2Filter.java (+46 -0)
mms/src/main/java/com/pannk/mms/common/oauth2/OAuth2Realm.java (+25 -0)
mms/src/main/java/com/pannk/mms/common/oauth2/OAuth2Token.java (+26 -0)
mms-font/src/api/user.js
@@ -8,11 +8,10 @@ export function login(data) {
})
}
export
function
getInfo
(
token
)
{
export
function
getInfo
()
{
return
request
({
url
:
'
/vue-element-admin/user/info
'
,
method
:
'
get
'
,
params
:
{
token
}
url
:
'
/sys/user/info/
'
,
method
:
'
get
'
})
}
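Review bot: the token is dropped from the query string (`params: { token }` is removed) but nothing in this hunk shows it being attached elsewhere; the new `/sys/user/info/` endpoint sits behind `OAuth2Filter` from the same commit, which reads the `X-Token` header, so confirm the shared `request` instance adds that header in its interceptor, otherwise this call is rejected. Moving the token out of the URL is the right direction, since query strings end up in access logs and browser history.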
mms-font/src/store/modules/user.js
@@ -35,8 +35,9 @@ const actions = {
return
new
Promise
((
resolve
,
reject
)
=>
{
login
({
userName
:
userName
.
trim
(),
password
:
password
}).
then
(
response
=>
{
const
{
data
}
=
response
commit
(
'
SET_TOKEN
'
,
data
.
token
)
setToken
(
data
.
token
)
commit
(
'
SET_TOKEN
'
,
data
)
console
.
log
(
data
)
setToken
(
data
)
resolve
()
}).
catch
(
error
=>
{
reject
(
error
)
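Review bot: `console.log(data)` writes the freshly issued session token to the browser console; drop it before merging, since console output is retained in devtools and picked up by some error-reporting tools. Note also that the action now stores the whole `data` value as the token (`commit('SET_TOKEN', data)` and `setToken(data)`) instead of `data.token`; that is only correct if the login endpoint now returns the token string directly as `data`, so confirm the backend response shape.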
@@ -46,6 +47,7 @@ const actions = {
// get user info
getInfo
({
commit
,
state
})
{
console
.
log
(
state
)
return
new
Promise
((
resolve
,
reject
)
=>
{
getInfo
(
state
.
token
).
then
(
response
=>
{
const
{
data
}
=
response
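Review bot: `console.log(state)` dumps the entire user state, token included, to the console on every `getInfo` call; remove it. The call `getInfo(state.token)` also still passes the token although the API function in `mms-font/src/api/user.js` now takes no parameters (see the earlier hunk in this commit), so that argument is dead and can go as well.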
mms-font/src/views/dashboard/index.vue
@@ -3,6 +3,7 @@
</
template
>
<
script
>
export
default
{
name
:
'
Dashboard
'
,
components
:
{
},
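Review bot: the added `components: {}` is an empty object and has no effect; either register the components the dashboard actually uses or leave the option out.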
mms-font/src/views/login/index.vue
@@ -88,8 +88,8 @@ export default {
}
return
{
loginForm
:
{
userName
:
'
admin
'
,
password
:
'
1
11111
'
userName
:
'
qxd
'
,
password
:
'
1
23456
'
},
loginRules
:
{
password
:
[
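Review bot: the login form ships with a real-looking username and password (`qxd` / `123456`) as its default state; because this is bundled front-end code, anyone loading the page can read it, and the previous `admin` default had the same problem. Default both fields to empty strings and, if prefilled development credentials are wanted, gate them behind a build-time flag that is false in production builds.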
mms/pom.xml
@@ -105,6 +105,16 @@
<artifactId>
shiro-spring
</artifactId>
<version>
${shiro.version}
</version>
</dependency>
<dependency>
<groupId>
commons-io
</groupId>
<artifactId>
commons-io
</artifactId>
<version>
${commons.io.version}
</version>
</dependency>
<dependency>
<groupId>
commons-lang
</groupId>
<artifactId>
commons-lang
</artifactId>
<version>
${commons.lang.version}
</version>
</dependency>
<dependency>
<groupId>
com.alibaba
</groupId>
<artifactId>
druid-spring-boot-starter
</artifactId>
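Review bot: `commons-lang` is the end-of-life 2.x line; the code added in this commit only uses `StringUtils` and `StringEscapeUtils`, both available in `org.apache.commons:commons-lang3`, so prefer that artifact. The hunk references `${commons.io.version}` and `${commons.lang.version}` without defining them; make sure both properties exist in the `<properties>` section or dependency resolution fails.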
mms/src/main/java/com/pannk/mms/common/config/FilterConfig.java
0 → 100644
package
com.pannk.mms.common.config
;
import
com.pannk.mms.common.filters.XssFilter
;
import
org.springframework.boot.web.servlet.FilterRegistrationBean
;
import
org.springframework.context.annotation.Bean
;
import
org.springframework.context.annotation.Configuration
;
import
org.springframework.web.filter.DelegatingFilterProxy
;
import
javax.servlet.DispatcherType
;
/**
* Created by wolf on 20-11-6.
*/
@Configuration
public
class
FilterConfig
{
@Bean
public
FilterRegistrationBean
shiroFilterRegistration
(){
FilterRegistrationBean
registration
=
new
FilterRegistrationBean
();
registration
.
setFilter
(
new
DelegatingFilterProxy
(
"shiroFilter"
));
registration
.
addInitParameter
(
"targetFilterLifecycle"
,
"true"
);
registration
.
setEnabled
(
true
);
registration
.
setOrder
(
Integer
.
MAX_VALUE
-
1
);
registration
.
addUrlPatterns
(
"/*"
);
return
registration
;
}
@Bean
public
FilterRegistrationBean
xssFilterRegistration
(){
FilterRegistrationBean
registrationBean
=
new
FilterRegistrationBean
();
registrationBean
.
setDispatcherTypes
(
DispatcherType
.
REQUEST
);
registrationBean
.
setFilter
(
new
XssFilter
());
registrationBean
.
addUrlPatterns
(
"/*"
);
registrationBean
.
setName
(
"xssFilter"
);
registrationBean
.
setOrder
(
Integer
.
MAX_VALUE
);
return
registrationBean
;
}
}
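Review bot: both beans use the raw `FilterRegistrationBean` type; declare them as `FilterRegistrationBean<DelegatingFilterProxy>` and `FilterRegistrationBean<XssFilter>` to avoid unchecked warnings. The ordering deserves a comment: Shiro is registered at `Integer.MAX_VALUE - 1` and the XSS wrapper at `Integer.MAX_VALUE`, so Shiro sees the unwrapped request (acceptable, `OAuth2Filter` only reads the `X-Token` header), and the XSS filter is limited to `DispatcherType.REQUEST`, so forwarded and error dispatches bypass it; state whether that is intended.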
mms/src/main/java/com/pannk/mms/common/config/ShiroConfig.java
0 → 100644
package
com.pannk.mms.common.config
;
import
com.pannk.mms.common.oauth2.OAuth2Filter
;
import
com.pannk.mms.common.oauth2.OAuth2Realm
;
import
org.apache.shiro.mgt.SecurityManager
;
import
org.apache.shiro.spring.LifecycleBeanPostProcessor
;
import
org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor
;
import
org.apache.shiro.spring.web.ShiroFilterFactoryBean
;
import
org.apache.shiro.web.mgt.DefaultWebSecurityManager
;
import
org.springframework.context.annotation.Bean
;
import
org.springframework.context.annotation.Configuration
;
import
javax.servlet.Filter
;
import
java.util.HashMap
;
import
java.util.LinkedHashMap
;
import
java.util.Map
;
/**
* Created by wolf on 20-11-6.
*/
@Configuration
public
class
ShiroConfig
{
@Bean
public
SecurityManager
securityManager
(
OAuth2Realm
oAuth2Realm
){
DefaultWebSecurityManager
securityManager
=
new
DefaultWebSecurityManager
();
securityManager
.
setRealm
(
oAuth2Realm
);
securityManager
.
setRememberMeManager
(
null
);
return
securityManager
;
}
@Bean
public
AuthorizationAttributeSourceAdvisor
authorizationAttributeSourceAdvisor
(
SecurityManager
securityManager
){
AuthorizationAttributeSourceAdvisor
advisor
=
new
AuthorizationAttributeSourceAdvisor
();
advisor
.
setSecurityManager
(
securityManager
);
return
advisor
;
}
@Bean
(
"shiroFilter"
)
public
ShiroFilterFactoryBean
shiroFilter
(
SecurityManager
securityManager
){
ShiroFilterFactoryBean
shiroFilterFactoryBean
=
new
ShiroFilterFactoryBean
();
shiroFilterFactoryBean
.
setSecurityManager
(
securityManager
);
Map
<
String
,
Filter
>
filters
=
new
HashMap
<>();
filters
.
put
(
"oauth2"
,
new
OAuth2Filter
());
shiroFilterFactoryBean
.
setFilters
(
filters
);
Map
<
String
,
String
>
filterMap
=
new
LinkedHashMap
<>();
filterMap
.
put
(
"/webjars/**"
,
"anon"
);
filterMap
.
put
(
"/durid/**"
,
"anon"
);
filterMap
.
put
(
"/sys/log"
,
"anon"
);
filterMap
.
put
(
"/swagger/**"
,
"anon"
);
filterMap
.
put
(
"v2/api-docs"
,
"anon"
);
filterMap
.
put
(
"/swagger-ui.html"
,
"anon"
);
filterMap
.
put
(
"/swagger-resources/**"
,
"anon"
);
shiroFilterFactoryBean
.
setFilterChainDefinitionMap
(
filterMap
);
return
shiroFilterFactoryBean
;
}
@Bean
(
"lifecycleBeanPostProcessor"
)
public
LifecycleBeanPostProcessor
lifecycleBeanPostProcessor
(){
return
new
LifecycleBeanPostProcessor
();
}
}
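Review bot: the filter chain map only contains `anon` entries and never maps any path to the `oauth2` filter registered in `filters`, so `OAuth2Filter` is never applied and every endpoint stays anonymous; add a catch-all such as `filterMap.put("/**", "oauth2");` as the last entry (order matters, which is why the map is a `LinkedHashMap`). Two of the `anon` paths also look wrong: `/durid/**` is presumably `/druid/**` (the pom pulls in `druid-spring-boot-starter`), and `v2/api-docs` lacks the leading slash, so neither exemption would match.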
mms/src/main/java/com/pannk/mms/common/filters/HTMLFilter.java
0 → 100644
package
com.pannk.mms.common.filters
;
import
java.util.*
;
import
java.util.concurrent.ConcurrentHashMap
;
import
java.util.concurrent.ConcurrentMap
;
import
java.util.logging.Logger
;
import
java.util.regex.Matcher
;
import
java.util.regex.Pattern
;
/**
*
* HTML filtering utility for protecting against XSS (Cross Site Scripting).
*
* This code is licensed LGPLv3
*
* This code is a Java port of the original work in PHP by Cal Hendersen.
* http://code.iamcal.com/php/lib_filter/
*
* The trickiest part of the translation was handling the differences in regex handling
* between PHP and Java. These resources were helpful in the process:
*
* http://java.sun.com/j2se/1.4.2/docs/api/java/util/regex/Pattern.html
* http://us2.php.net/manual/en/reference.pcre.pattern.modifiers.php
* http://www.regular-expressions.info/modifiers.html
*
* A note on naming conventions: instance variables are prefixed with a "v"; global
* constants are in all caps.
*
* Sample use:
* String input = ...
* String clean = new HTMLFilter().filter( input );
*
* The class is not thread safe. Create a new instance if in doubt.
*
* If you find bugs or have suggestions on improvement (especially regarding
* performance), please contact us. The latest version of this
* source, and our contact details, can be found at http://xss-html-filter.sf.net
*
* @author Joseph O'Connell
* @author Cal Hendersen
* @author Michael Semb Wever
*/
public
final
class
HTMLFilter
{
/** regex flag union representing /si modifiers in php **/
private
static
final
int
REGEX_FLAGS_SI
=
Pattern
.
CASE_INSENSITIVE
|
Pattern
.
DOTALL
;
private
static
final
Pattern
P_COMMENTS
=
Pattern
.
compile
(
"<!--(.*?)-->"
,
Pattern
.
DOTALL
);
private
static
final
Pattern
P_COMMENT
=
Pattern
.
compile
(
"^!--(.*)--$"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_TAGS
=
Pattern
.
compile
(
"<(.*?)>"
,
Pattern
.
DOTALL
);
private
static
final
Pattern
P_END_TAG
=
Pattern
.
compile
(
"^/([a-z0-9]+)"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_START_TAG
=
Pattern
.
compile
(
"^([a-z0-9]+)(.*?)(/?)$"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_QUOTED_ATTRIBUTES
=
Pattern
.
compile
(
"([a-z0-9]+)=([\"'])(.*?)\\2"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_UNQUOTED_ATTRIBUTES
=
Pattern
.
compile
(
"([a-z0-9]+)(=)([^\"\\s']+)"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_PROTOCOL
=
Pattern
.
compile
(
"^([^:]+):"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_ENTITY
=
Pattern
.
compile
(
"&#(\\d+);?"
);
private
static
final
Pattern
P_ENTITY_UNICODE
=
Pattern
.
compile
(
"&#x([0-9a-f]+);?"
);
private
static
final
Pattern
P_ENCODE
=
Pattern
.
compile
(
"%([0-9a-f]{2});?"
);
private
static
final
Pattern
P_VALID_ENTITIES
=
Pattern
.
compile
(
"&([^&;]*)(?=(;|&|$))"
);
private
static
final
Pattern
P_VALID_QUOTES
=
Pattern
.
compile
(
"(>|^)([^<]+?)(<|$)"
,
Pattern
.
DOTALL
);
private
static
final
Pattern
P_END_ARROW
=
Pattern
.
compile
(
"^>"
);
private
static
final
Pattern
P_BODY_TO_END
=
Pattern
.
compile
(
"<([^>]*?)(?=<|$)"
);
private
static
final
Pattern
P_XML_CONTENT
=
Pattern
.
compile
(
"(^|>)([^<]*?)(?=>)"
);
private
static
final
Pattern
P_STRAY_LEFT_ARROW
=
Pattern
.
compile
(
"<([^>]*?)(?=<|$)"
);
private
static
final
Pattern
P_STRAY_RIGHT_ARROW
=
Pattern
.
compile
(
"(^|>)([^<]*?)(?=>)"
);
private
static
final
Pattern
P_AMP
=
Pattern
.
compile
(
"&"
);
private
static
final
Pattern
P_QUOTE
=
Pattern
.
compile
(
"<"
);
private
static
final
Pattern
P_LEFT_ARROW
=
Pattern
.
compile
(
"<"
);
private
static
final
Pattern
P_RIGHT_ARROW
=
Pattern
.
compile
(
">"
);
private
static
final
Pattern
P_BOTH_ARROWS
=
Pattern
.
compile
(
"<>"
);
// @xxx could grow large... maybe use sesat's ReferenceMap
private
static
final
ConcurrentMap
<
String
,
Pattern
>
P_REMOVE_PAIR_BLANKS
=
new
ConcurrentHashMap
<
String
,
Pattern
>();
private
static
final
ConcurrentMap
<
String
,
Pattern
>
P_REMOVE_SELF_BLANKS
=
new
ConcurrentHashMap
<
String
,
Pattern
>();
/** set of allowed html elements, along with allowed attributes for each element **/
private
final
Map
<
String
,
List
<
String
>>
vAllowed
;
/** counts of open tags for each (allowable) html element **/
private
final
Map
<
String
,
Integer
>
vTagCounts
=
new
HashMap
<>();
/** html elements which must always be self-closing (e.g. "<img />") **/
private
final
String
[]
vSelfClosingTags
;
/** html elements which must always have separate opening and closing tags (e.g. "<b></b>") **/
private
final
String
[]
vNeedClosingTags
;
/** set of disallowed html elements **/
private
final
String
[]
vDisallowed
;
/** attributes which should be checked for valid protocols **/
private
final
String
[]
vProtocolAtts
;
/** allowed protocols **/
private
final
String
[]
vAllowedProtocols
;
/** tags which should be removed if they contain no content (e.g. "<b></b>" or "<b />") **/
private
final
String
[]
vRemoveBlanks
;
/** entities allowed within html markup **/
private
final
String
[]
vAllowedEntities
;
/** flag determining whether comments are allowed in input String. */
private
final
boolean
stripComment
;
private
final
boolean
encodeQuotes
;
private
boolean
vDebug
=
false
;
/**
* flag determining whether to try to make tags when presented with "unbalanced"
* angle brackets (e.g. "<b text </b>" becomes "<b> text </b>"). If set to false,
* unbalanced angle brackets will be html escaped.
*/
private
final
boolean
alwaysMakeTags
;
/** Default constructor.
*
*/
public
HTMLFilter
()
{
vAllowed
=
new
HashMap
<>();
final
ArrayList
<
String
>
a_atts
=
new
ArrayList
<>();
a_atts
.
add
(
"href"
);
a_atts
.
add
(
"target"
);
vAllowed
.
put
(
"a"
,
a_atts
);
final
ArrayList
<
String
>
img_atts
=
new
ArrayList
<>();
img_atts
.
add
(
"src"
);
img_atts
.
add
(
"width"
);
img_atts
.
add
(
"height"
);
img_atts
.
add
(
"alt"
);
vAllowed
.
put
(
"img"
,
img_atts
);
final
ArrayList
<
String
>
no_atts
=
new
ArrayList
<>();
vAllowed
.
put
(
"b"
,
no_atts
);
vAllowed
.
put
(
"strong"
,
no_atts
);
vAllowed
.
put
(
"i"
,
no_atts
);
vAllowed
.
put
(
"em"
,
no_atts
);
vSelfClosingTags
=
new
String
[]{
"img"
};
vNeedClosingTags
=
new
String
[]{
"a"
,
"b"
,
"strong"
,
"i"
,
"em"
};
vDisallowed
=
new
String
[]{};
vAllowedProtocols
=
new
String
[]{
"http"
,
"mailto"
,
"https"
};
// no ftp.
vProtocolAtts
=
new
String
[]{
"src"
,
"href"
};
vRemoveBlanks
=
new
String
[]{
"a"
,
"b"
,
"strong"
,
"i"
,
"em"
};
vAllowedEntities
=
new
String
[]{
"amp"
,
"gt"
,
"lt"
,
"quot"
};
stripComment
=
true
;
encodeQuotes
=
true
;
alwaysMakeTags
=
true
;
}
/** Set debug flag to true. Otherwise use default settings. See the default constructor.
*
* @param debug turn debug on with a true argument
*/
public
HTMLFilter
(
final
boolean
debug
)
{
this
();
vDebug
=
debug
;
}
/** Map-parameter configurable constructor.
*
* @param conf map containing configuration. keys match field names.
*/
@SuppressWarnings
(
"unchecked"
)
public
HTMLFilter
(
final
Map
<
String
,
Object
>
conf
)
{
assert
conf
.
containsKey
(
"vAllowed"
)
:
"configuration requires vAllowed"
;
assert
conf
.
containsKey
(
"vSelfClosingTags"
)
:
"configuration requires vSelfClosingTags"
;
assert
conf
.
containsKey
(
"vNeedClosingTags"
)
:
"configuration requires vNeedClosingTags"
;
assert
conf
.
containsKey
(
"vDisallowed"
)
:
"configuration requires vDisallowed"
;
assert
conf
.
containsKey
(
"vAllowedProtocols"
)
:
"configuration requires vAllowedProtocols"
;
assert
conf
.
containsKey
(
"vProtocolAtts"
)
:
"configuration requires vProtocolAtts"
;
assert
conf
.
containsKey
(
"vRemoveBlanks"
)
:
"configuration requires vRemoveBlanks"
;
assert
conf
.
containsKey
(
"vAllowedEntities"
)
:
"configuration requires vAllowedEntities"
;
vAllowed
=
Collections
.
unmodifiableMap
((
HashMap
<
String
,
List
<
String
>>)
conf
.
get
(
"vAllowed"
));
vSelfClosingTags
=
(
String
[])
conf
.
get
(
"vSelfClosingTags"
);
vNeedClosingTags
=
(
String
[])
conf
.
get
(
"vNeedClosingTags"
);
vDisallowed
=
(
String
[])
conf
.
get
(
"vDisallowed"
);
vAllowedProtocols
=
(
String
[])
conf
.
get
(
"vAllowedProtocols"
);
vProtocolAtts
=
(
String
[])
conf
.
get
(
"vProtocolAtts"
);
vRemoveBlanks
=
(
String
[])
conf
.
get
(
"vRemoveBlanks"
);
vAllowedEntities
=
(
String
[])
conf
.
get
(
"vAllowedEntities"
);
stripComment
=
conf
.
containsKey
(
"stripComment"
)
?
(
Boolean
)
conf
.
get
(
"stripComment"
)
:
true
;
encodeQuotes
=
conf
.
containsKey
(
"encodeQuotes"
)
?
(
Boolean
)
conf
.
get
(
"encodeQuotes"
)
:
true
;
alwaysMakeTags
=
conf
.
containsKey
(
"alwaysMakeTags"
)
?
(
Boolean
)
conf
.
get
(
"alwaysMakeTags"
)
:
true
;
}
private
void
reset
()
{
vTagCounts
.
clear
();
}
private
void
debug
(
final
String
msg
)
{
if
(
vDebug
)
{
Logger
.
getAnonymousLogger
().
info
(
msg
);
}
}
//---------------------------------------------------------------
// my versions of some PHP library functions
public
static
String
chr
(
final
int
decimal
)
{
return
String
.
valueOf
((
char
)
decimal
);
}
public
static
String
htmlSpecialChars
(
final
String
s
)
{
String
result
=
s
;
result
=
regexReplace
(
P_AMP
,
"&"
,
result
);
result
=
regexReplace
(
P_QUOTE
,
"""
,
result
);
result
=
regexReplace
(
P_LEFT_ARROW
,
"<"
,
result
);
result
=
regexReplace
(
P_RIGHT_ARROW
,
">"
,
result
);
return
result
;
}
//---------------------------------------------------------------
/**
* given a user submitted input String, filter out any invalid or restricted
* html.
*
* @param input text (i.e. submitted by a user) than may contain html
* @return "clean" version of input, with only valid, whitelisted html elements allowed
*/
public
String
filter
(
final
String
input
)
{
reset
();
String
s
=
input
;
debug
(
"************************************************"
);
debug
(
" INPUT: "
+
input
);
s
=
escapeComments
(
s
);
debug
(
" escapeComments: "
+
s
);
s
=
balanceHTML
(
s
);
debug
(
" balanceHTML: "
+
s
);
s
=
checkTags
(
s
);
debug
(
" checkTags: "
+
s
);
s
=
processRemoveBlanks
(
s
);
debug
(
"processRemoveBlanks: "
+
s
);
s
=
validateEntities
(
s
);
debug
(
" validateEntites: "
+
s
);
debug
(
"************************************************\n\n"
);
return
s
;
}
public
boolean
isAlwaysMakeTags
(){
return
alwaysMakeTags
;
}
public
boolean
isStripComments
(){
return
stripComment
;
}
private
String
escapeComments
(
final
String
s
)
{
final
Matcher
m
=
P_COMMENTS
.
matcher
(
s
);
final
StringBuffer
buf
=
new
StringBuffer
();
if
(
m
.
find
())
{
final
String
match
=
m
.
group
(
1
);
//(.*?)
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
"<!--"
+
htmlSpecialChars
(
match
)
+
"-->"
));
}
m
.
appendTail
(
buf
);
return
buf
.
toString
();
}
private
String
balanceHTML
(
String
s
)
{
if
(
alwaysMakeTags
)
{
//
// try and form html
//
s
=
regexReplace
(
P_END_ARROW
,
""
,
s
);
s
=
regexReplace
(
P_BODY_TO_END
,
"<$1>"
,
s
);
s
=
regexReplace
(
P_XML_CONTENT
,
"$1<$2"
,
s
);
}
else
{
//
// escape stray brackets
//
s
=
regexReplace
(
P_STRAY_LEFT_ARROW
,
"<$1"
,
s
);
s
=
regexReplace
(
P_STRAY_RIGHT_ARROW
,
"$1$2><"
,
s
);
//
// the last regexp causes '<>' entities to appear
// (we need to do a lookahead assertion so that the last bracket can
// be used in the next pass of the regexp)
//
s
=
regexReplace
(
P_BOTH_ARROWS
,
""
,
s
);
}
return
s
;
}
private
String
checkTags
(
String
s
)
{
Matcher
m
=
P_TAGS
.
matcher
(
s
);
final
StringBuffer
buf
=
new
StringBuffer
();
while
(
m
.
find
())
{
String
replaceStr
=
m
.
group
(
1
);
replaceStr
=
processTag
(
replaceStr
);
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
replaceStr
));
}
m
.
appendTail
(
buf
);
s
=
buf
.
toString
();
// these get tallied in processTag
// (remember to reset before subsequent calls to filter method)
for
(
String
key
:
vTagCounts
.
keySet
())
{
for
(
int
ii
=
0
;
ii
<
vTagCounts
.
get
(
key
);
ii
++)
{
s
+=
"</"
+
key
+
">"
;
}
}
return
s
;
}
private
String
processRemoveBlanks
(
final
String
s
)
{
String
result
=
s
;
for
(
String
tag
:
vRemoveBlanks
)
{
if
(!
P_REMOVE_PAIR_BLANKS
.
containsKey
(
tag
)){
P_REMOVE_PAIR_BLANKS
.
putIfAbsent
(
tag
,
Pattern
.
compile
(
"<"
+
tag
+
"(\\s[^>]*)?></"
+
tag
+
">"
));
}
result
=
regexReplace
(
P_REMOVE_PAIR_BLANKS
.
get
(
tag
),
""
,
result
);
if
(!
P_REMOVE_SELF_BLANKS
.
containsKey
(
tag
)){
P_REMOVE_SELF_BLANKS
.
putIfAbsent
(
tag
,
Pattern
.
compile
(
"<"
+
tag
+
"(\\s[^>]*)?/>"
));
}
result
=
regexReplace
(
P_REMOVE_SELF_BLANKS
.
get
(
tag
),
""
,
result
);
}
return
result
;
}
private
static
String
regexReplace
(
final
Pattern
regex_pattern
,
final
String
replacement
,
final
String
s
)
{
Matcher
m
=
regex_pattern
.
matcher
(
s
);
return
m
.
replaceAll
(
replacement
);
}
private
String
processTag
(
final
String
s
)
{
// ending tags
Matcher
m
=
P_END_TAG
.
matcher
(
s
);
if
(
m
.
find
())
{
final
String
name
=
m
.
group
(
1
).
toLowerCase
();
if
(
allowed
(
name
))
{
if
(!
inArray
(
name
,
vSelfClosingTags
))
{
if
(
vTagCounts
.
containsKey
(
name
))
{
vTagCounts
.
put
(
name
,
vTagCounts
.
get
(
name
)
-
1
);
return
"</"
+
name
+
">"
;
}
}
}
}
// starting tags
m
=
P_START_TAG
.
matcher
(
s
);
if
(
m
.
find
())
{
final
String
name
=
m
.
group
(
1
).
toLowerCase
();
final
String
body
=
m
.
group
(
2
);
String
ending
=
m
.
group
(
3
);
//debug( "in a starting tag, name='" + name + "'; body='" + body + "'; ending='" + ending + "'" );
if
(
allowed
(
name
))
{
String
params
=
""
;
final
Matcher
m2
=
P_QUOTED_ATTRIBUTES
.
matcher
(
body
);
final
Matcher
m3
=
P_UNQUOTED_ATTRIBUTES
.
matcher
(
body
);
final
List
<
String
>
paramNames
=
new
ArrayList
<>();
final
List
<
String
>
paramValues
=
new
ArrayList
<>();
while
(
m2
.
find
())
{
paramNames
.
add
(
m2
.
group
(
1
));
//([a-z0-9]+)
paramValues
.
add
(
m2
.
group
(
3
));
//(.*?)
}
while
(
m3
.
find
())
{
paramNames
.
add
(
m3
.
group
(
1
));
//([a-z0-9]+)
paramValues
.
add
(
m3
.
group
(
3
));
//([^\"\\s']+)
}
String
paramName
,
paramValue
;
for
(
int
ii
=
0
;
ii
<
paramNames
.
size
();
ii
++)
{
paramName
=
paramNames
.
get
(
ii
).
toLowerCase
();
paramValue
=
paramValues
.
get
(
ii
);
// debug( "paramName='" + paramName + "'" );
// debug( "paramValue='" + paramValue + "'" );
// debug( "allowed? " + vAllowed.get( name ).contains( paramName ) );
if
(
allowedAttribute
(
name
,
paramName
))
{
if
(
inArray
(
paramName
,
vProtocolAtts
))
{
paramValue
=
processParamProtocol
(
paramValue
);
}
params
+=
" "
+
paramName
+
"=\""
+
paramValue
+
"\""
;
}
}
if
(
inArray
(
name
,
vSelfClosingTags
))
{
ending
=
" /"
;
}
if
(
inArray
(
name
,
vNeedClosingTags
))
{
ending
=
""
;
}
if
(
ending
==
null
||
ending
.
length
()
<
1
)
{
if
(
vTagCounts
.
containsKey
(
name
))
{
vTagCounts
.
put
(
name
,
vTagCounts
.
get
(
name
)
+
1
);
}
else
{
vTagCounts
.
put
(
name
,
1
);
}
}
else
{
ending
=
" /"
;
}
return
"<"
+
name
+
params
+
ending
+
">"
;
}
else
{
return
""
;
}
}
// comments
m
=
P_COMMENT
.
matcher
(
s
);
if
(!
stripComment
&&
m
.
find
())
{
return
"<"
+
m
.
group
()
+
">"
;
}
return
""
;
}
private
String
processParamProtocol
(
String
s
)
{
s
=
decodeEntities
(
s
);
final
Matcher
m
=
P_PROTOCOL
.
matcher
(
s
);
if
(
m
.
find
())
{
final
String
protocol
=
m
.
group
(
1
);
if
(!
inArray
(
protocol
,
vAllowedProtocols
))
{
// bad protocol, turn into local anchor link instead
s
=
"#"
+
s
.
substring
(
protocol
.
length
()
+
1
,
s
.
length
());
if
(
s
.
startsWith
(
"#//"
))
{
s
=
"#"
+
s
.
substring
(
3
,
s
.
length
());
}
}
}
return
s
;
}
private
String
decodeEntities
(
String
s
)
{
StringBuffer
buf
=
new
StringBuffer
();
Matcher
m
=
P_ENTITY
.
matcher
(
s
);
while
(
m
.
find
())
{
final
String
match
=
m
.
group
(
1
);
final
int
decimal
=
Integer
.
decode
(
match
).
intValue
();
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
chr
(
decimal
)));
}
m
.
appendTail
(
buf
);
s
=
buf
.
toString
();
buf
=
new
StringBuffer
();
m
=
P_ENTITY_UNICODE
.
matcher
(
s
);
while
(
m
.
find
())
{
final
String
match
=
m
.
group
(
1
);
final
int
decimal
=
Integer
.
valueOf
(
match
,
16
).
intValue
();
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
chr
(
decimal
)));
}
m
.
appendTail
(
buf
);
s
=
buf
.
toString
();
buf
=
new
StringBuffer
();
m
=
P_ENCODE
.
matcher
(
s
);
while
(
m
.
find
())
{
final
String
match
=
m
.
group
(
1
);
final
int
decimal
=
Integer
.
valueOf
(
match
,
16
).
intValue
();
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
chr
(
decimal
)));
}
m
.
appendTail
(
buf
);
s
=
buf
.
toString
();
s
=
validateEntities
(
s
);
return
s
;
}
private
String
validateEntities
(
final
String
s
)
{
StringBuffer
buf
=
new
StringBuffer
();
// validate entities throughout the string
Matcher
m
=
P_VALID_ENTITIES
.
matcher
(
s
);
while
(
m
.
find
())
{
final
String
one
=
m
.
group
(
1
);
//([^&;]*)
final
String
two
=
m
.
group
(
2
);
//(?=(;|&|$))
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
checkEntity
(
one
,
two
)));
}
m
.
appendTail
(
buf
);
return
encodeQuotes
(
buf
.
toString
());
}
private
String
encodeQuotes
(
final
String
s
){
if
(
encodeQuotes
){
StringBuffer
buf
=
new
StringBuffer
();
Matcher
m
=
P_VALID_QUOTES
.
matcher
(
s
);
while
(
m
.
find
())
{
final
String
one
=
m
.
group
(
1
);
//(>|^)
final
String
two
=
m
.
group
(
2
);
//([^<]+?)
final
String
three
=
m
.
group
(
3
);
//(<|$)
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
one
+
regexReplace
(
P_QUOTE
,
"""
,
two
)
+
three
));
}
m
.
appendTail
(
buf
);
return
buf
.
toString
();
}
else
{
return
s
;
}
}
private
String
checkEntity
(
final
String
preamble
,
final
String
term
)
{
return
";"
.
equals
(
term
)
&&
isValidEntity
(
preamble
)
?
'&'
+
preamble
:
"&"
+
preamble
;
}
private
boolean
isValidEntity
(
final
String
entity
)
{
return
inArray
(
entity
,
vAllowedEntities
);
}
private
static
boolean
inArray
(
final
String
s
,
final
String
[]
array
)
{
for
(
String
item
:
array
)
{
if
(
item
!=
null
&&
item
.
equals
(
s
))
{
return
true
;
}
}
return
false
;
}
private
boolean
allowed
(
final
String
name
)
{
return
(
vAllowed
.
isEmpty
()
||
vAllowed
.
containsKey
(
name
))
&&
!
inArray
(
name
,
vDisallowed
);
}
private
boolean
allowedAttribute
(
final
String
name
,
final
String
paramName
)
{
return
allowed
(
name
)
&&
(
vAllowed
.
isEmpty
()
||
vAllowed
.
get
(
name
).
contains
(
paramName
));
}
}
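Review bot: as committed here, `htmlSpecialChars` is a no-op: `regexReplace(P_AMP, "&", ...)` replaces `&` with `&`, `P_LEFT_ARROW` and `P_RIGHT_ARROW` replace `<` and `>` with themselves, `P_QUOTE` is compiled from `"<"` rather than a double quote, and the `"""` literal used as the `P_QUOTE` replacement (here and again in `encodeQuotes`) is not valid Java; the fallback branch of `checkEntity` (`"&" + preamble`) has the same problem. Compare against the upstream xss-html-filter source, which uses `&amp;`, `&quot;`, `&lt;` and `&gt;` as the replacement strings; without them nothing is escaped and the class does not compile. Keep the class comment in mind as well: the instance is not thread-safe (`vTagCounts` is a plain `HashMap` cleared on every `filter` call), which matters for how `XssHttpServletRequestWrapper` uses it.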
mms/src/main/java/com/pannk/mms/common/filters/SQLFilter.java
0 → 100644
package
com.pannk.mms.common.filters
;
import
com.pannk.mms.common.exception.BaseException
;
import
org.apache.commons.lang.StringUtils
;
/**
* Created by wolf on 20-11-6.
*/
public
class
SQLFilter
{
public
static
String
sqlInject
(
String
str
){
if
(
StringUtils
.
isBlank
(
str
)){
return
null
;
}
//去掉'|"|;|\字符
str
=
StringUtils
.
replace
(
str
,
"'"
,
""
);
str
=
StringUtils
.
replace
(
str
,
"\""
,
""
);
str
=
StringUtils
.
replace
(
str
,
";"
,
""
);
str
=
StringUtils
.
replace
(
str
,
"\\"
,
""
);
//转换为小写
str
=
str
.
toLowerCase
();
//非法字符
String
[]
keywords
=
{
"master"
,
"truncate"
,
"insert"
,
"select"
,
"delete"
,
"update"
,
"declare"
,
"alter"
,
"drop"
};
//判断是否包含非法字符
for
(
String
keyword
:
keywords
)
{
if
(
str
.
indexOf
(
keyword
)
!=
-
1
)
{
throw
new
BaseException
(
"包含非法字符"
);
}
}
return
str
;
}
}
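Review bot: `sqlInject` is a substring blacklist on lower-cased input, so any legitimate value containing `master`, `update`, `select`, `insert` or `delete` inside a word (a surname, a free-text note, a JSON field) throws `BaseException` and fails the request, while it does nothing to make a query safe. It also silently rewrites data by deleting `'`, `"`, `;` and `\`, and returns `null` for blank input, which callers then pass on. The robust defence is parameterised queries (MyBatis-Plus is already on the classpath, as the `com.baomidou.mybatisplus` import in the wrapper shows); if a filter is kept at all, restrict it to identifiers such as sort columns, validate against an allow-list and reject rather than rewrite.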
mms/src/main/java/com/pannk/mms/common/filters/XssFilter.java
0 → 100644
package
com.pannk.mms.common.filters
;
import
javax.servlet.*
;
import
javax.servlet.http.HttpServletRequest
;
import
java.io.IOException
;
/**
* Created by wolf on 20-11-6.
*/
public
class
XssFilter
implements
Filter
{
@Override
public
void
init
(
FilterConfig
filterConfig
)
throws
ServletException
{
}
@Override
public
void
doFilter
(
ServletRequest
servletRequest
,
ServletResponse
servletResponse
,
FilterChain
filterChain
)
throws
IOException
,
ServletException
{
XssHttpServletRequestWrapper
xssHttpServletRequestWrapper
=
new
XssHttpServletRequestWrapper
((
HttpServletRequest
)
servletRequest
);
filterChain
.
doFilter
(
xssHttpServletRequestWrapper
,
servletResponse
);
}
@Override
public
void
destroy
()
{
}
}
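Review bot: `doFilter` casts `servletRequest` to `HttpServletRequest` unconditionally; guard with `instanceof` and pass non-HTTP requests through unchanged so a misconfigured registration cannot surface as `ClassCastException`. The empty `init` and `destroy` bodies can be dropped by relying on the `Filter` default methods (Servlet 4.0 and later) or kept with a comment saying they are intentionally empty.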
mms/src/main/java/com/pannk/mms/common/filters/XssHttpServletRequestWrapper.java
0 → 100644
package
com.pannk.mms.common.filters
;
import
com.baomidou.mybatisplus.core.toolkit.StringUtils
;
import
org.apache.commons.io.IOUtils
;
import
org.apache.commons.lang.StringEscapeUtils
;
import
org.springframework.http.HttpHeaders
;
import
org.springframework.http.MediaType
;
import
javax.servlet.ReadListener
;
import
javax.servlet.ServletInputStream
;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletRequestWrapper
;
import
java.io.ByteArrayInputStream
;
import
java.io.IOException
;
import
java.util.LinkedHashMap
;
import
java.util.Map
;
/**
* Created by wolf on 20-11-6.
*/
public
class
XssHttpServletRequestWrapper
extends
HttpServletRequestWrapper
{
HttpServletRequest
oriRequest
;
private
final
static
HTMLFilter
HTML_FILTER
=
new
HTMLFilter
();
public
XssHttpServletRequestWrapper
(
HttpServletRequest
request
)
{
super
(
request
);
this
.
oriRequest
=
request
;
}
@Override
public
ServletInputStream
getInputStream
()
throws
IOException
{
if
(!
MediaType
.
APPLICATION_JSON_VALUE
.
equalsIgnoreCase
(
super
.
getHeader
(
HttpHeaders
.
CONTENT_TYPE
))){
return
super
.
getInputStream
();
}
String
json
=
IOUtils
.
toString
(
super
.
getInputStream
(),
"UTF-8"
);
if
(
StringUtils
.
isBlank
(
json
)){
return
super
.
getInputStream
();
}
json
=
xssEncode
(
json
);
final
ByteArrayInputStream
bis
=
new
ByteArrayInputStream
(
json
.
getBytes
(
"UTF-8"
));
return
new
ServletInputStream
()
{
@Override
public
boolean
isFinished
()
{
return
true
;
}
@Override
public
boolean
isReady
()
{
return
true
;
}
@Override
public
void
setReadListener
(
ReadListener
listener
)
{
}
@Override
public
int
read
()
throws
IOException
{
return
bis
.
read
();
}
};
}
@Override
public
String
getParameter
(
String
name
)
{
String
value
=
super
.
getParameter
(
xssEncode
(
name
));
if
(
StringUtils
.
isNotBlank
(
value
)){
value
=
xssEncode
(
value
);
}
value
=
SQLFilter
.
sqlInject
(
value
);
return
StringEscapeUtils
.
unescapeHtml
(
value
);
}
@Override
public
String
[]
getParameterValues
(
String
name
)
{
String
[]
parameters
=
super
.
getParameterValues
(
name
);
if
(
parameters
==
null
||
parameters
.
length
==
0
){
return
null
;
}
for
(
int
i
=
0
;
i
<
parameters
.
length
;
i
++)
{
parameters
[
i
]
=
xssEncode
(
parameters
[
i
]);
parameters
[
i
]
=
SQLFilter
.
sqlInject
(
parameters
[
i
]);
parameters
[
i
]
=
StringEscapeUtils
.
unescapeHtml
(
parameters
[
i
]);
}
return
parameters
;
}
@Override
public
Map
<
String
,
String
[]>
getParameterMap
()
{
Map
<
String
,
String
[]>
map
=
new
LinkedHashMap
<>();
Map
<
String
,
String
[]>
parameters
=
super
.
getParameterMap
();
for
(
String
key:
parameters
.
keySet
()){
String
[]
values
=
parameters
.
get
(
key
);
for
(
int
i
=
0
;
i
<
values
.
length
;
i
++)
{
values
[
i
]
=
xssEncode
(
values
[
i
]);
values
[
i
]
=
SQLFilter
.
sqlInject
(
values
[
i
]);
values
[
i
]
=
StringEscapeUtils
.
unescapeHtml
(
values
[
i
]);
}
map
.
put
(
key
,
values
);
}
return
map
;
}
@Override
public
String
getHeader
(
String
name
)
{
String
value
=
super
.
getHeader
(
xssEncode
(
name
));
if
(
StringUtils
.
isNotBlank
(
value
)){
value
=
xssEncode
(
value
);
}
value
=
SQLFilter
.
sqlInject
(
value
);
return
StringEscapeUtils
.
unescapeHtml
(
value
);
}
private
String
xssEncode
(
String
json
)
{
return
HTML_FILTER
.
filter
(
json
);
}
public
HttpServletRequest
getOriRequest
()
{
return
oriRequest
;
}
public
static
HttpServletRequest
getOriRequest
(
HttpServletRequest
request
){
if
(
request
instanceof
XssHttpServletRequestWrapper
){
return
((
XssHttpServletRequestWrapper
)
request
).
getOriRequest
();
}
return
request
;
}
}
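Review bot: `HTML_FILTER` is a single `static` `HTMLFilter` shared by every request, but `HTMLFilter` documents itself as not thread-safe and mutates `vTagCounts` on each `filter` call, so concurrent requests corrupt each other's tag counts (closing tags appended to the wrong request, or `ConcurrentModificationException` in `checkTags`); construct the filter per wrapper or per call. Three further points: `getParameter`, `getParameterValues`, `getParameterMap` and `getHeader` all finish with `StringEscapeUtils.unescapeHtml`, which decodes entities again and undoes whatever encoding `HTMLFilter` produced; `getInputStream` runs the raw JSON body through an HTML filter, so a legitimate `<`, `>` or `&` inside a string field is rewritten before the JSON is parsed, and the returned stream reports `isFinished()` as true before anything has been read; and the loops in `getParameterValues` and `getParameterMap` write filtered values back into the arrays obtained from `super`, which may mutate the container's own parameter map, so copy the arrays before editing.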
mms/src/main/java/com/pannk/mms/common/oauth2/OAuth2Filter.java
0 → 100644
package
com.pannk.mms.common.oauth2
;
import
com.alibaba.fastjson.JSON
;
import
com.pannk.mms.common.base.Result
;
import
org.apache.shiro.authc.AuthenticationToken
;
import
org.apache.shiro.web.filter.authc.AuthenticatingFilter
;
import
org.junit.platform.commons.util.StringUtils
;
import
org.springframework.http.HttpStatus
;
import
javax.servlet.ServletRequest
;
import
javax.servlet.ServletResponse
;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletResponse
;
/**
* Created by wolf on 20-11-6.
*/
public
class
OAuth2Filter
extends
AuthenticatingFilter
{
@Override
protected
AuthenticationToken
createToken
(
ServletRequest
servletRequest
,
ServletResponse
servletResponse
)
throws
Exception
{
String
token
=
getToken
(
servletRequest
);
if
(
StringUtils
.
isBlank
(
token
))
{
return
null
;
}
return
new
OAuth2Token
(
token
);
}
@Override
protected
boolean
onAccessDenied
(
ServletRequest
servletRequest
,
ServletResponse
servletResponse
)
throws
Exception
{
String
token
=
getToken
(
servletRequest
);
if
(
StringUtils
.
isBlank
(
token
))
{
HttpServletResponse
httpServletResponse
=
(
HttpServletResponse
)
servletResponse
;
httpServletResponse
.
setHeader
(
"Access-Control-Allow-Credentials"
,
"true"
);
httpServletResponse
.
setHeader
(
"Access-Control-Allow-Origin"
,
((
HttpServletRequest
)
servletRequest
).
getHeader
(
"Origin"
));
String
responJson
=
JSON
.
toJSONString
(
Result
.
error
(
HttpStatus
.
FORBIDDEN
.
value
(),
HttpStatus
.
FORBIDDEN
.
getReasonPhrase
()));
httpServletResponse
.
getWriter
().
print
(
responJson
);
return
false
;
}
return
executeLogin
(
servletRequest
,
servletResponse
);
}
private
String
getToken
(
ServletRequest
request
)
{
return
((
HttpServletRequest
)
request
).
getHeader
(
"X-Token"
);
}
}
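Review bot: `org.junit.platform.commons.util.StringUtils` is a JUnit internal utility that normally lives only on the test classpath, so this import either breaks the production build or drags JUnit into the runtime; use `org.apache.commons.lang.StringUtils`, which this commit already adds to the pom. In `onAccessDenied`, `Access-Control-Allow-Origin` is set to whatever `Origin` header the client sent together with `Access-Control-Allow-Credentials: true`, which lets any site make credentialed cross-origin calls; check the origin against an allow-list instead. The JSON error body is also written without `setStatus`, so the client receives HTTP 200 with a 403-shaped payload; call `httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value())` (a missing token is an authentication failure, not an authorisation one) and set the content type to `application/json` before printing.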
mms/src/main/java/com/pannk/mms/common/oauth2/OAuth2Realm.java
0 → 100644
package
com.pannk.mms.common.oauth2
;
import
org.apache.shiro.authc.AuthenticationException
;
import
org.apache.shiro.authc.AuthenticationInfo
;
import
org.apache.shiro.authc.AuthenticationToken
;
import
org.apache.shiro.authz.AuthorizationInfo
;
import
org.apache.shiro.realm.AuthorizingRealm
;
import
org.apache.shiro.subject.PrincipalCollection
;
import
org.springframework.stereotype.Component
;
/**
* Created by wolf on 20-11-6.
*/
@Component
public
class
OAuth2Realm
extends
AuthorizingRealm
{
@Override
protected
AuthorizationInfo
doGetAuthorizationInfo
(
PrincipalCollection
principalCollection
)
{
return
null
;
}
@Override
protected
AuthenticationInfo
doGetAuthenticationInfo
(
AuthenticationToken
authenticationToken
)
throws
AuthenticationException
{
return
null
;
}
}
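Review bot: `doGetAuthenticationInfo` returns `null`, which Shiro's `AuthenticatingRealm` treats as "unknown account", so every `executeLogin` from `OAuth2Filter` fails until the token lookup is implemented, and the `null` from `doGetAuthorizationInfo` grants no roles or permissions. The realm also needs `supports(AuthenticationToken token)` overridden to return `token instanceof OAuth2Token`; the default only supports `UsernamePasswordToken`, so the `OAuth2Token` created by the filter would be rejected before this realm is consulted.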
mms/src/main/java/com/pannk/mms/common/oauth2/OAuth2Token.java
0 → 100644
package
com.pannk.mms.common.oauth2
;
import
org.apache.shiro.authc.AuthenticationToken
;
/**
* Created by wolf on 20-11-6.
*/
public
class
OAuth2Token
implements
AuthenticationToken
{
private
String
token
;
public
OAuth2Token
(
String
token
){
this
.
token
=
token
;
}
@Override
public
Object
getPrincipal
()
{
return
token
;
}
@Override
public
Object
getCredentials
()
{
return
token
;
}
}
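Review bot: `AuthenticationToken` extends `Serializable`, so add a `serialVersionUID` and make the `token` field `final`. Returning the raw token string from `getPrincipal` means the bearer token itself becomes the subject's principal and can leak into anything that logs or serialises the session; once the realm resolves the token to a user, the user identifier should be the principal and the token only the credential.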