wjsqjg / EasyAdmin (fork of lakernote / EasyAdmin)
Commit d7790090
Authored on Sep 03, 2021 by lakernote
(bugfix)[whole project](add WAF firewall)
Parent: e8f2548f
Showing 37 changed files with 1013 additions and 50 deletions (+1013 -50)
- README.md (+25, -4)
- src/main/java/com/laker/admin/config/LakerConfig.java (+35, -0)
- src/main/java/com/laker/admin/config/WafConfig.java (+39, -0)
- src/main/java/com/laker/admin/framework/ext/DefaultUncaughtErrorControllor.java (+2, -2)
- src/main/java/com/laker/admin/framework/ext/mybatis/LakerDataPermissionHandler.java (+1, -1)
- src/main/java/com/laker/admin/framework/ext/satoken/SaTokenExtActionImpl.java (+1, -1)
- src/main/java/com/laker/admin/framework/ext/stomp/EasyPrincipalHandshakeHandler.java (+1, -1)
- src/main/java/com/laker/admin/framework/handler/GlobalExceptionHandler.java (+1, -1)
- src/main/java/com/laker/admin/framework/model/PageResponse.java (+1, -1)
- src/main/java/com/laker/admin/framework/model/Response.java (+1, -1)
- src/main/java/com/laker/admin/framework/model/ResultTable.java (+1, -1)
- src/main/java/com/laker/admin/framework/model/ResultTree.java (+1, -1)
- src/main/java/com/laker/admin/framework/utils/EasyAdminSecurityUtils.java (+2, -1)
- src/main/java/com/laker/admin/framework/utils/PageDtoUtil.java (+1, -1)
- src/main/java/com/laker/admin/framework/utils/SpringUtils.java (+1, -1)
- src/main/java/com/laker/admin/framework/waf/WafFilter.java (+92, -0)
- src/main/java/com/laker/admin/framework/waf/WafRequestWrapper.java (+192, -0)
- src/main/java/com/laker/admin/framework/waf/attack/HTMLFilter.java (+570, -0)
- src/main/java/com/laker/admin/framework/waf/attack/SqlFilter.java (+10, -0)
- src/main/java/com/laker/admin/module/ext/controller/ExtLeaveController.java (+3, -3)
- src/main/java/com/laker/admin/module/ext/controller/ExtLogController.java (+2, -2)
- src/main/java/com/laker/admin/module/flow/SnakerflowFacetsController.java (+2, -2)
- src/main/java/com/laker/admin/module/sys/controller/IndexController.java (+1, -2)
- src/main/java/com/laker/admin/module/sys/controller/LoginController.java (+3, -3)
- src/main/java/com/laker/admin/module/sys/controller/NginxController.java (+1, -1)
- src/main/java/com/laker/admin/module/sys/controller/StatisticsController.java (+1, -1)
- src/main/java/com/laker/admin/module/sys/controller/SysDeptController.java (+3, -3)
- src/main/java/com/laker/admin/module/sys/controller/SysDictController.java (+2, -2)
- src/main/java/com/laker/admin/module/sys/controller/SysMenuController.java (+1, -1)
- src/main/java/com/laker/admin/module/sys/controller/SysRoleController.java (+3, -3)
- src/main/java/com/laker/admin/module/sys/controller/SysUserController.java (+2, -2)
- src/main/java/com/laker/admin/module/task/TaskManagerController.java (+2, -2)
- src/main/java/com/laker/admin/module/task/TaskManagerMonitorController.java (+1, -1)
- src/main/java/com/laker/admin/module/task/controller/SysTasklogController.java (+1, -1)
- src/main/java/com/laker/admin/module/task/core/CoreProcessor.java (+1, -1)
- src/main/resources/application.yaml (+5, -1)
- src/main/resources/templates/controller.java.ftl (+2, -2)
README.md
...
...
@@ -140,7 +140,7 @@ admin:
2.
在
`web/admin/index.html`
处,如下图示例操作,点击图标就可以在浏览器访问了
![
输入图片说明
](
https://images.gitee.com/uploads/images/2021/0816/001751_ef56d4c9_709188.png
"屏幕截图.png"
)
![
](
https://img-blog.csdnimg.cn/6cd054be980542ff87399212d0b06a1a.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbGFrZXJub3Rl,size_20,color_FFFFFF,t_70,g_se,x_16
)
#### 代码生成
...
...
@@ -191,7 +191,7 @@ ext_log // 影响前端代码生成路径D:\JT\easy-admin/web/admin/view/ext/
</td>
</tr>
<tr>
<td
style=
"font-size: 12px;font-weight: bolder;"
>
<td
style=
"font-size: 12px;font-weight: bolder;"
>
<center>
已办任务
<img
src=
"https://img-blog.csdnimg.cn/cd77ef0d500844dc914a32670e4e32d0.png"
></center>
</td>
<td
style=
"font-size: 12px;font-weight: bolder;"
>
...
...
@@ -256,6 +256,7 @@ ext_log // 影响前端代码生成路径D:\JT\easy-admin/web/admin/view/ext/
</tr>
</table>
#### 部署教程
**整体部署规划结构如下:**
...
...
@@ -263,7 +264,7 @@ ext_log // 影响前端代码生成路径D:\JT\easy-admin/web/admin/view/ext/
![](
https://im
ages.gitee.com/uploads/images/2021/0812/141324_9e6528a0_709188.png
"屏幕截图.png"
)
![](
https://im
g-blog.csdnimg.cn/b60db081da7b400daa5fc9c307098c19.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbGFrZXJub3Rl,size_20,color_FFFFFF,t_70,g_se,x_16
)
##### 服务端
...
...
@@ -289,13 +290,24 @@ spring:
nohup
java
-jar
easy-admin-1.0.0.jar &
```
> 由于验证码涉及到java安全协议,建议使用脚本启动 `sh run.sh start`
##### 前端
**首先修改配置**
`web/admin/config/pear.config.yml`
,填写你自己服务器实际ip、port
```
javascript
##
配置服务端地址
admin
:
server
:
http
:
//localhost:8080
```
**按照相对位置放即可**
(或者自己弄个nginx丢进去)
```
easy-admin.jar
application.yml
run.sh
web
--admin
----admin
...
...
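Review bot: the fenced block holding the `admin: server: http://localhost:8080` snippet is tagged `javascript`, but its content is the YAML of `web/admin/config/pear.config.yml`; tag it `yaml` so it renders and highlights correctly. The sentence right above it ("since the captcha involves the Java security protocol, it is recommended to start with `sh run.sh start`") also leaves the reader without the actual reason: the hunk shows the bare `nohup java -jar easy-admin-1.0.0.jar &` command just before it, so state which JVM options or system properties `run.sh` adds that the bare command lacks, otherwise operators with their own start scripts cannot tell what they need to replicate.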
@@ -312,6 +324,15 @@ web
### ☎️联系方式☎️
**微信公众号**
:
**Java大厂面试官**
,
**个人微信: lakernote**
**个人微信: lakernote**
(进群加我拉你)
![](
https://img-blog.csdnimg.cn/cf8ed2c013614143b346a453a9082232.jpg?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAbGFrZXJub3Rl,size_10,color_FFFFFF,t_70,g_se,x_16#pic_center
)
------------------------------------------------
**微信公众号**
:
**Java大厂面试官**
![
img
](
https://img-blog.csdnimg.cn/2020110915544650.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2FidTkzNTAwOTA2Ng==,size_16,color_FFFFFF,t_70#pic_center
)
src/main/java/com/laker/admin/config/LakerConfig.java
...
...
@@ -23,4 +23,39 @@ public class LakerConfig {
*/
private
String
defaultPwd
=
"lakernote"
;
/**
* 防火墙
*/
private
Waf
waf
=
new
Waf
();
public
static
class
Waf
{
private
boolean
xssEnabled
=
true
;
private
boolean
sqlEnabled
=
true
;
private
String
excludes
=
""
;
public
boolean
isXssEnabled
()
{
return
xssEnabled
;
}
public
void
setXssEnabled
(
boolean
xssEnabled
)
{
this
.
xssEnabled
=
xssEnabled
;
}
public
boolean
isSqlEnabled
()
{
return
sqlEnabled
;
}
public
void
setSqlEnabled
(
boolean
sqlEnabled
)
{
this
.
sqlEnabled
=
sqlEnabled
;
}
public
String
getExcludes
()
{
return
excludes
;
}
public
void
setExcludes
(
String
excludes
)
{
this
.
excludes
=
excludes
;
}
}
}
\ No newline at end of file
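Review bot: `excludes` is a bare comma-separated `String` with no Javadoc, yet its consumer (`WafFilter.init`) splits it on `','` and compiles every piece as a regular expression anchored with `^` against the servlet path; document that on the field, because a value such as `/api/v1` is silently treated as a regex prefix where `.` matches any character, and a trailing comma yields an empty pattern that matches every path. A `List<String>` bound by Spring would remove the split entirely. The nested `Waf` class also hand-writes six getters and setters; `lombok.Data` is already imported elsewhere in this patch, so `@Data` would do the same with less to review.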
src/main/java/com/laker/admin/config/WafConfig.java
0 → 100644
package
com.laker.admin.config
;
import
com.laker.admin.framework.waf.WafFilter
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.boot.web.servlet.FilterRegistrationBean
;
import
org.springframework.context.annotation.Bean
;
import
org.springframework.context.annotation.Configuration
;
import
org.springframework.core.Ordered
;
import
javax.servlet.DispatcherType
;
import
java.util.HashMap
;
import
java.util.Map
;
@Configuration
public
class
WafConfig
{
@Autowired
LakerConfig
lakerConfig
;
/**
* 要在 cachefilter后边
*
* @return
*/
@Bean
public
FilterRegistrationBean
xssFilterRegistration
()
{
FilterRegistrationBean
registration
=
new
FilterRegistrationBean
();
registration
.
setDispatcherTypes
(
DispatcherType
.
REQUEST
);
registration
.
setFilter
(
new
WafFilter
());
registration
.
addUrlPatterns
(
"/*"
);
registration
.
setName
(
"wafFilter"
);
registration
.
setOrder
(
Ordered
.
HIGHEST_PRECEDENCE
+
1
);
Map
<
String
,
String
>
initParameters
=
new
HashMap
<
String
,
String
>();
initParameters
.
put
(
"excludes"
,
lakerConfig
.
getWaf
().
getExcludes
());
initParameters
.
put
(
"xssEnabled"
,
lakerConfig
.
getWaf
().
isXssEnabled
()
+
""
);
initParameters
.
put
(
"sqlEnabled"
,
lakerConfig
.
getWaf
().
isSqlEnabled
()
+
""
);
registration
.
setInitParameters
(
initParameters
);
return
registration
;
}
}
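Review bot: `Ordered.HIGHEST_PRECEDENCE + 1` only honours the Javadoc promise "must come after the cache filter" if that filter is registered at exactly `HIGHEST_PRECEDENCE`; reference the other registration's order constant rather than a magic `+ 1`, or the two can silently swap when someone touches either. Two smaller points in the same method: the `LakerConfig.Waf` booleans are stringified (`isXssEnabled() + ""`) into init parameters only for `WafFilter.init` to parse them back with `new Boolean(...)`, when passing the `Waf` object (or the two booleans and the list) to a `WafFilter` constructor keeps them typed; and the bean is named `xssFilterRegistration` although the filter it registers also performs the SQL filtering, which will confuse anyone grepping for where `sqlEnabled` takes effect.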
src/main/java/com/laker/admin/framework/DefaultUncaughtErrorControllor.java → src/main/java/com/laker/admin/framework/ext/DefaultUncaughtErrorControllor.java
package
com.laker.admin.framework
;
package
com.laker.admin.framework
.ext
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
Response
;
import
lombok.extern.slf4j.Slf4j
;
import
org.springframework.boot.web.servlet.error.ErrorController
;
import
org.springframework.http.HttpStatus
;
...
...
src/main/java/com/laker/admin/framework/ext/mybatis/LakerDataPermissionHandler.java
...
...
@@ -2,7 +2,7 @@ package com.laker.admin.framework.ext.mybatis;
import
cn.hutool.core.util.StrUtil
;
import
com.baomidou.mybatisplus.extension.plugins.handler.DataPermissionHandler
;
import
com.laker.admin.framework.EasyAdminSecurityUtils
;
import
com.laker.admin.framework.
utils.
EasyAdminSecurityUtils
;
import
lombok.SneakyThrows
;
import
lombok.extern.slf4j.Slf4j
;
import
net.sf.jsqlparser.expression.Expression
;
...
...
src/main/java/com/laker/admin/framework/ext/satoken/SaTokenExtActionImpl.java
...
...
@@ -3,7 +3,7 @@ package com.laker.admin.framework.ext.satoken;
import
cn.dev33.satoken.action.SaTokenActionDefaultImpl
;
import
cn.dev33.satoken.annotation.SaCheckLogin
;
import
cn.dev33.satoken.stp.StpUtil
;
import
com.laker.admin.framework.EasyAdminSecurityUtils
;
import
com.laker.admin.framework.
utils.
EasyAdminSecurityUtils
;
import
com.laker.admin.framework.ext.mybatis.UserInfoAndPowers
;
import
com.laker.admin.module.enums.DataFilterTypeEnum
;
import
org.springframework.stereotype.Component
;
...
...
src/main/java/com/laker/admin/framework/ext/stomp/EasyPrincipalHandshakeHandler.java
...
...
@@ -2,7 +2,7 @@ package com.laker.admin.framework.ext.stomp;
import
cn.dev33.satoken.stp.StpUtil
;
import
cn.hutool.core.util.StrUtil
;
import
com.laker.admin.framework.EasyAdminSecurityUtils
;
import
com.laker.admin.framework.
utils.
EasyAdminSecurityUtils
;
import
com.laker.admin.utils.IP2CityUtil
;
import
com.laker.admin.utils.http.HttpServletRequestUtil
;
import
lombok.extern.slf4j.Slf4j
;
...
...
src/main/java/com/laker/admin/framework/handler/GlobalExceptionHandler.java
...
...
@@ -4,7 +4,7 @@ package com.laker.admin.framework.handler;
import
cn.dev33.satoken.exception.NotLoginException
;
import
cn.dev33.satoken.exception.SaTokenException
;
import
cn.hutool.core.lang.Dict
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.exception.BusinessException
;
import
com.laker.admin.utils.http.HttpServletRequestUtil
;
import
lombok.extern.slf4j.Slf4j
;
...
...
src/main/java/com/laker/admin/framework/PageResponse.java → src/main/java/com/laker/admin/framework/model/PageResponse.java
package
com.laker.admin.framework
;
package
com.laker.admin.framework
.model
;
import
io.swagger.annotations.ApiModel
;
import
io.swagger.annotations.ApiModelProperty
;
...
...
src/main/java/com/laker/admin/framework/Response.java → src/main/java/com/laker/admin/framework/model/Response.java
package
com.laker.admin.framework
;
package
com.laker.admin.framework
.model
;
import
cn.hutool.core.util.StrUtil
;
import
io.swagger.annotations.ApiModel
;
...
...
src/main/java/com/laker/admin/framework/ResultTable.java → src/main/java/com/laker/admin/framework/model/ResultTable.java
package
com.laker.admin.framework
;
package
com.laker.admin.framework
.model
;
import
lombok.Data
;
...
...
src/main/java/com/laker/admin/framework/ResultTree.java → src/main/java/com/laker/admin/framework/model/ResultTree.java
package
com.laker.admin.framework
;
package
com.laker.admin.framework
.model
;
import
lombok.Data
;
...
...
src/main/java/com/laker/admin/framework/EasyAdminSecurityUtils.java → src/main/java/com/laker/admin/framework/utils/EasyAdminSecurityUtils.java
package
com.laker.admin.framework
;
package
com.laker.admin.framework
.utils
;
import
cn.dev33.satoken.stp.StpUtil
;
import
com.laker.admin.framework.EasyAdminConstants
;
import
com.laker.admin.framework.ext.mybatis.UserInfoAndPowers
;
/**
...
...
src/main/java/com/laker/admin/framework/PageDtoUtil.java → src/main/java/com/laker/admin/framework/utils/PageDtoUtil.java
package
com.laker.admin.framework
;
package
com.laker.admin.framework
.utils
;
import
cn.hutool.core.util.PageUtil
;
import
lombok.Data
;
...
...
src/main/java/com/laker/admin/framework/SpringUtils.java → src/main/java/com/laker/admin/framework/utils/SpringUtils.java
package
com.laker.admin.framework
;
package
com.laker.admin.framework
.utils
;
import
cn.hutool.core.lang.TypeReference
;
import
cn.hutool.core.util.ArrayUtil
;
...
...
src/main/java/com/laker/admin/framework/waf/WafFilter.java
0 → 100644
package
com.laker.admin.framework.waf
;
import
cn.hutool.core.util.StrUtil
;
import
lombok.extern.slf4j.Slf4j
;
import
javax.servlet.*
;
import
javax.servlet.http.HttpServletRequest
;
import
java.io.IOException
;
import
java.util.ArrayList
;
import
java.util.List
;
import
java.util.regex.Matcher
;
import
java.util.regex.Pattern
;
/**
* web防火墙
*/
@Slf4j
public
class
WafFilter
implements
Filter
{
/**
* 排除链接
*/
public
List
<
String
>
excludes
=
new
ArrayList
<>();
/**
* 开启XSS脚本过滤
*/
private
static
boolean
xssEnabled
=
true
;
/**
* 开启SQL注入过滤
*/
private
static
boolean
sqlEnabled
=
true
;
@Override
public
void
init
(
FilterConfig
config
)
throws
ServletException
{
String
excludesUrls
=
config
.
getInitParameter
(
"excludes"
);
excludes
=
StrUtil
.
split
(
excludesUrls
,
','
);
xssEnabled
=
getParamConfig
(
config
.
getInitParameter
(
"xssEnabled"
));
sqlEnabled
=
getParamConfig
(
config
.
getInitParameter
(
"sqlEnabled"
));
}
@Override
public
void
doFilter
(
ServletRequest
request
,
ServletResponse
response
,
FilterChain
chain
)
throws
IOException
,
ServletException
{
HttpServletRequest
req
=
(
HttpServletRequest
)
request
;
// HttpServletResponse res = (HttpServletResponse) response;
if
(
handle
(
req
))
{
try
{
//Request请求过滤
chain
.
doFilter
(
new
WafRequestWrapper
(
req
,
xssEnabled
,
sqlEnabled
),
response
);
}
catch
(
Exception
e
)
{
log
.
error
(
" WafFilter exception , requestURL: "
+
req
.
getRequestURL
());
}
return
;
}
chain
.
doFilter
(
request
,
response
);
}
@Override
public
void
destroy
()
{
log
.
warn
(
" WafFilter destroy ."
);
}
private
boolean
handle
(
HttpServletRequest
request
)
{
if
(!
xssEnabled
&&
!
sqlEnabled
)
{
return
false
;
}
if
(
excludes
==
null
||
excludes
.
isEmpty
())
{
return
true
;
}
String
url
=
request
.
getServletPath
();
for
(
String
pattern
:
excludes
)
{
Pattern
p
=
Pattern
.
compile
(
"^"
+
pattern
);
Matcher
m
=
p
.
matcher
(
url
);
if
(
m
.
find
())
{
return
true
;
}
}
return
false
;
}
private
boolean
getParamConfig
(
String
value
)
{
if
(
value
==
null
||
""
.
equals
(
value
.
trim
()))
{
//未配置默认 True
return
true
;
}
return
new
Boolean
(
value
);
}
}
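Review bot: the exclude logic in `handle` is inverted. Once `excludes` is non-empty, the loop returns `true` (meaning "filter this request") for a servlet path that matches an exclude pattern and falls through to `return false` for every other path, so configuring any exclusion switches the WAF off for the whole application except the URLs that were meant to be exempt; the loop should `return false` on a match and `return true` after it. In `doFilter`, the `catch (Exception e)` around the wrapped `chain.doFilter` logs only the request URL (not `e`) and then returns without touching the response, so a downstream failure is swallowed and the client gets whatever was already committed; rethrow it, or at minimum log the exception and send an error status. Smaller points: `Pattern.compile("^" + pattern)` runs for every pattern on every request and belongs in `init`; `new Boolean(value)` is the deprecated boxing constructor, `Boolean.parseBoolean(value)` does the same without allocation; and `xssEnabled`/`sqlEnabled` are `static` fields assigned from an instance method while `excludes` is a `public` mutable list, both of which invite accidental sharing or mutation from outside the filter.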
src/main/java/com/laker/admin/framework/waf/WafRequestWrapper.java
0 → 100644
package
com.laker.admin.framework.waf
;
import
cn.hutool.core.io.IoUtil
;
import
cn.hutool.core.util.StrUtil
;
import
com.laker.admin.framework.waf.attack.HTMLFilter
;
import
com.laker.admin.framework.waf.attack.SqlFilter
;
import
org.springframework.http.HttpHeaders
;
import
org.springframework.http.MediaType
;
import
javax.servlet.ReadListener
;
import
javax.servlet.ServletInputStream
;
import
javax.servlet.http.Cookie
;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletRequestWrapper
;
import
java.io.ByteArrayInputStream
;
import
java.io.IOException
;
import
java.util.HashMap
;
import
java.util.Map
;
/**
* Request请求过滤包装
* <p>
*
* @author hubin
* @since 2014-5-8
*/
public
class
WafRequestWrapper
extends
HttpServletRequestWrapper
{
private
boolean
filterXSS
=
true
;
private
boolean
filterSQL
=
true
;
public
WafRequestWrapper
(
HttpServletRequest
request
,
boolean
filterXSS
,
boolean
filterSQL
)
{
super
(
request
);
this
.
filterXSS
=
filterXSS
;
this
.
filterSQL
=
filterSQL
;
}
public
WafRequestWrapper
(
HttpServletRequest
request
)
{
this
(
request
,
true
,
true
);
}
/**
* @param parameter 过滤参数
* @return
* @since 数组参数过滤
*/
@Override
public
String
[]
getParameterValues
(
String
parameter
)
{
String
[]
values
=
super
.
getParameterValues
(
parameter
);
if
(
values
==
null
)
{
return
null
;
}
int
count
=
values
.
length
;
String
[]
encodedValues
=
new
String
[
count
];
for
(
int
i
=
0
;
i
<
count
;
i
++)
{
encodedValues
[
i
]
=
filterParamString
(
values
[
i
]);
}
return
encodedValues
;
}
@Override
public
Map
getParameterMap
()
{
Map
<
String
,
String
[]>
primary
=
super
.
getParameterMap
();
Map
<
String
,
String
[]>
result
=
new
HashMap
<
String
,
String
[]>(
primary
.
size
());
for
(
Map
.
Entry
<
String
,
String
[]>
entry
:
primary
.
entrySet
())
{
result
.
put
(
entry
.
getKey
(),
filterEntryString
(
entry
.
getValue
()));
}
return
result
;
}
/**
* @param parameter 过滤参数
* @return
* @since 参数过滤
*/
@Override
public
String
getParameter
(
String
parameter
)
{
return
filterParamString
(
super
.
getParameter
(
parameter
));
}
@Override
public
ServletInputStream
getInputStream
()
throws
IOException
{
// 非json类型,直接返回
if
(!
isJsonRequest
())
{
return
super
.
getInputStream
();
}
// 为空,直接返回
String
json
=
IoUtil
.
read
(
super
.
getInputStream
(),
"utf-8"
);
if
(
StrUtil
.
isBlank
(
json
))
{
return
super
.
getInputStream
();
}
// xss过滤
json
=
filterParamString
(
json
).
trim
();
System
.
out
.
println
(
"web防火墙处理后的结果如下:"
);
System
.
out
.
println
(
json
);
final
ByteArrayInputStream
bis
=
new
ByteArrayInputStream
(
json
.
getBytes
(
"utf-8"
));
return
new
ServletInputStream
()
{
@Override
public
boolean
isFinished
()
{
return
true
;
}
@Override
public
boolean
isReady
()
{
return
true
;
}
@Override
public
void
setReadListener
(
ReadListener
readListener
)
{
}
@Override
public
int
read
()
throws
IOException
{
return
bis
.
read
();
}
};
}
/**
* 是否是Json请求
*/
private
boolean
isJsonRequest
()
{
String
header
=
super
.
getHeader
(
HttpHeaders
.
CONTENT_TYPE
);
return
MediaType
.
APPLICATION_JSON_VALUE
.
equalsIgnoreCase
(
header
)
||
MediaType
.
APPLICATION_JSON_UTF8_VALUE
.
equalsIgnoreCase
(
header
);
}
/**
* @param name 过滤内容
* @return
* @since 请求头过滤
*/
@Override
public
String
getHeader
(
String
name
)
{
return
filterParamString
(
super
.
getHeader
(
name
));
}
/**
* @return
* @since Cookie内容过滤
*/
@Override
public
Cookie
[]
getCookies
()
{
Cookie
[]
existingCookies
=
super
.
getCookies
();
if
(
existingCookies
!=
null
)
{
for
(
int
i
=
0
;
i
<
existingCookies
.
length
;
++
i
)
{
Cookie
cookie
=
existingCookies
[
i
];
cookie
.
setValue
(
filterParamString
(
cookie
.
getValue
()));
}
}
return
existingCookies
;
}
protected
String
[]
filterEntryString
(
String
[]
rawValue
)
{
for
(
int
i
=
0
;
i
<
rawValue
.
length
;
i
++)
{
rawValue
[
i
]
=
filterParamString
(
rawValue
[
i
]);
}
return
rawValue
;
}
/**
* @param rawValue 待处理内容
* @return
* @since 过滤字符串内容
*/
protected
String
filterParamString
(
String
rawValue
)
{
if
(
rawValue
==
null
)
{
return
null
;
}
String
tmpStr
=
rawValue
;
if
(
this
.
filterXSS
)
{
tmpStr
=
SqlFilter
.
strip
(
rawValue
);
}
if
(
this
.
filterSQL
)
{
tmpStr
=
HTMLFilter
.
htmlSpecialChars
(
tmpStr
);
}
return
tmpStr
;
}
}
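Review bot: the two flags in `filterParamString` are crossed: `if (this.filterXSS)` runs `SqlFilter.strip`, and `if (this.filterSQL)` runs `HTMLFilter.htmlSpecialChars`, so setting `xssEnabled=false` actually disables the SQL check and vice versa; swap the two bodies. Second, `getInputStream` prints every filtered JSON request body to stdout (`System.out.println("web防火墙处理后的结果如下:")` followed by the body itself), which writes whatever the client posted, credentials included, into the process log; remove it or put it behind a debug-level logger that does not echo the body. Third, the wrapper only covers the accessors it overrides: `getReader()` is not overridden, so any code reading the body through it gets the raw bytes; `getHeaders(name)`, `getQueryString()` and `getRequestURI()` are likewise untouched; and `isJsonRequest` compares the whole Content-Type header against two exact strings, so `application/json; charset=utf-8` (with a space) or any `+json` media type bypasses body filtering entirely. Two behaviours to decide on deliberately rather than inherit: running `htmlSpecialChars` over the raw JSON text (instead of over decoded string values) rewrites any legitimate `<`, `>` or `&` inside data fields before Jackson sees them, and `getCookies` calls `setValue` on the container's own `Cookie` objects instead of on copies.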
src/main/java/com/laker/admin/framework/waf/attack/HTMLFilter.java
0 → 100644
package
com.laker.admin.framework.waf.attack
;
import
java.util.ArrayList
;
import
java.util.Collections
;
import
java.util.HashMap
;
import
java.util.List
;
import
java.util.Map
;
import
java.util.concurrent.ConcurrentHashMap
;
import
java.util.concurrent.ConcurrentMap
;
import
java.util.regex.Matcher
;
import
java.util.regex.Pattern
;
/**
* HTML过滤器,用于去除XSS漏洞隐患。
*
* @author ruoyi
*/
public
final
class
HTMLFilter
{
/**
* regex flag union representing /si modifiers in php
**/
private
static
final
int
REGEX_FLAGS_SI
=
Pattern
.
CASE_INSENSITIVE
|
Pattern
.
DOTALL
;
private
static
final
Pattern
P_COMMENTS
=
Pattern
.
compile
(
"<!--(.*?)-->"
,
Pattern
.
DOTALL
);
private
static
final
Pattern
P_COMMENT
=
Pattern
.
compile
(
"^!--(.*)--$"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_TAGS
=
Pattern
.
compile
(
"<(.*?)>"
,
Pattern
.
DOTALL
);
private
static
final
Pattern
P_END_TAG
=
Pattern
.
compile
(
"^/([a-z0-9]+)"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_START_TAG
=
Pattern
.
compile
(
"^([a-z0-9]+)(.*?)(/?)$"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_QUOTED_ATTRIBUTES
=
Pattern
.
compile
(
"([a-z0-9]+)=([\"'])(.*?)\\2"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_UNQUOTED_ATTRIBUTES
=
Pattern
.
compile
(
"([a-z0-9]+)(=)([^\"\\s']+)"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_PROTOCOL
=
Pattern
.
compile
(
"^([^:]+):"
,
REGEX_FLAGS_SI
);
private
static
final
Pattern
P_ENTITY
=
Pattern
.
compile
(
"&#(\\d+);?"
);
private
static
final
Pattern
P_ENTITY_UNICODE
=
Pattern
.
compile
(
"&#x([0-9a-f]+);?"
);
private
static
final
Pattern
P_ENCODE
=
Pattern
.
compile
(
"%([0-9a-f]{2});?"
);
private
static
final
Pattern
P_VALID_ENTITIES
=
Pattern
.
compile
(
"&([^&;]*)(?=(;|&|$))"
);
private
static
final
Pattern
P_VALID_QUOTES
=
Pattern
.
compile
(
"(>|^)([^<]+?)(<|$)"
,
Pattern
.
DOTALL
);
private
static
final
Pattern
P_END_ARROW
=
Pattern
.
compile
(
"^>"
);
private
static
final
Pattern
P_BODY_TO_END
=
Pattern
.
compile
(
"<([^>]*?)(?=<|$)"
);
private
static
final
Pattern
P_XML_CONTENT
=
Pattern
.
compile
(
"(^|>)([^<]*?)(?=>)"
);
private
static
final
Pattern
P_STRAY_LEFT_ARROW
=
Pattern
.
compile
(
"<([^>]*?)(?=<|$)"
);
private
static
final
Pattern
P_STRAY_RIGHT_ARROW
=
Pattern
.
compile
(
"(^|>)([^<]*?)(?=>)"
);
private
static
final
Pattern
P_AMP
=
Pattern
.
compile
(
"&"
);
private
static
final
Pattern
P_QUOTE
=
Pattern
.
compile
(
"\""
);
private
static
final
Pattern
P_LEFT_ARROW
=
Pattern
.
compile
(
"<"
);
private
static
final
Pattern
P_RIGHT_ARROW
=
Pattern
.
compile
(
">"
);
private
static
final
Pattern
P_BOTH_ARROWS
=
Pattern
.
compile
(
"<>"
);
// @xxx could grow large... maybe use sesat's ReferenceMap
private
static
final
ConcurrentMap
<
String
,
Pattern
>
P_REMOVE_PAIR_BLANKS
=
new
ConcurrentHashMap
<>();
private
static
final
ConcurrentMap
<
String
,
Pattern
>
P_REMOVE_SELF_BLANKS
=
new
ConcurrentHashMap
<>();
/**
* set of allowed html elements, along with allowed attributes for each element
**/
private
final
Map
<
String
,
List
<
String
>>
vAllowed
;
/**
* counts of open tags for each (allowable) html element
**/
private
final
Map
<
String
,
Integer
>
vTagCounts
=
new
HashMap
<>();
/**
* html elements which must always be self-closing (e.g. "<img />")
**/
private
final
String
[]
vSelfClosingTags
;
/**
* html elements which must always have separate opening and closing tags (e.g. "<b></b>")
**/
private
final
String
[]
vNeedClosingTags
;
/**
* set of disallowed html elements
**/
private
final
String
[]
vDisallowed
;
/**
* attributes which should be checked for valid protocols
**/
private
final
String
[]
vProtocolAtts
;
/**
* allowed protocols
**/
private
final
String
[]
vAllowedProtocols
;
/**
* tags which should be removed if they contain no content (e.g. "<b></b>" or "<b />")
**/
private
final
String
[]
vRemoveBlanks
;
/**
* entities allowed within html markup
**/
private
final
String
[]
vAllowedEntities
;
/**
* flag determining whether comments are allowed in input String.
*/
private
final
boolean
stripComment
;
private
final
boolean
encodeQuotes
;
/**
* flag determining whether to try to make tags when presented with "unbalanced" angle brackets (e.g. "<b text </b>"
* becomes "<b> text </b>"). If set to false, unbalanced angle brackets will be html escaped.
*/
private
final
boolean
alwaysMakeTags
;
/**
* Default constructor.
*/
public
HTMLFilter
()
{
vAllowed
=
new
HashMap
<>();
final
ArrayList
<
String
>
a_atts
=
new
ArrayList
<>();
a_atts
.
add
(
"href"
);
a_atts
.
add
(
"target"
);
vAllowed
.
put
(
"a"
,
a_atts
);
final
ArrayList
<
String
>
img_atts
=
new
ArrayList
<>();
img_atts
.
add
(
"src"
);
img_atts
.
add
(
"width"
);
img_atts
.
add
(
"height"
);
img_atts
.
add
(
"alt"
);
vAllowed
.
put
(
"img"
,
img_atts
);
final
ArrayList
<
String
>
no_atts
=
new
ArrayList
<>();
vAllowed
.
put
(
"b"
,
no_atts
);
vAllowed
.
put
(
"strong"
,
no_atts
);
vAllowed
.
put
(
"i"
,
no_atts
);
vAllowed
.
put
(
"em"
,
no_atts
);
vSelfClosingTags
=
new
String
[]
{
"img"
};
vNeedClosingTags
=
new
String
[]
{
"a"
,
"b"
,
"strong"
,
"i"
,
"em"
};
vDisallowed
=
new
String
[]
{};
vAllowedProtocols
=
new
String
[]
{
"http"
,
"mailto"
,
"https"
};
// no ftp.
vProtocolAtts
=
new
String
[]
{
"src"
,
"href"
};
vRemoveBlanks
=
new
String
[]
{
"a"
,
"b"
,
"strong"
,
"i"
,
"em"
};
vAllowedEntities
=
new
String
[]
{
"amp"
,
"gt"
,
"lt"
,
"quot"
};
stripComment
=
true
;
encodeQuotes
=
true
;
alwaysMakeTags
=
false
;
}
/**
* Map-parameter configurable constructor.
*
* @param conf map containing configuration. keys match field names.
*/
@SuppressWarnings
(
"unchecked"
)
public
HTMLFilter
(
final
Map
<
String
,
Object
>
conf
)
{
assert
conf
.
containsKey
(
"vAllowed"
)
:
"configuration requires vAllowed"
;
assert
conf
.
containsKey
(
"vSelfClosingTags"
)
:
"configuration requires vSelfClosingTags"
;
assert
conf
.
containsKey
(
"vNeedClosingTags"
)
:
"configuration requires vNeedClosingTags"
;
assert
conf
.
containsKey
(
"vDisallowed"
)
:
"configuration requires vDisallowed"
;
assert
conf
.
containsKey
(
"vAllowedProtocols"
)
:
"configuration requires vAllowedProtocols"
;
assert
conf
.
containsKey
(
"vProtocolAtts"
)
:
"configuration requires vProtocolAtts"
;
assert
conf
.
containsKey
(
"vRemoveBlanks"
)
:
"configuration requires vRemoveBlanks"
;
assert
conf
.
containsKey
(
"vAllowedEntities"
)
:
"configuration requires vAllowedEntities"
;
vAllowed
=
Collections
.
unmodifiableMap
((
HashMap
<
String
,
List
<
String
>>)
conf
.
get
(
"vAllowed"
));
vSelfClosingTags
=
(
String
[])
conf
.
get
(
"vSelfClosingTags"
);
vNeedClosingTags
=
(
String
[])
conf
.
get
(
"vNeedClosingTags"
);
vDisallowed
=
(
String
[])
conf
.
get
(
"vDisallowed"
);
vAllowedProtocols
=
(
String
[])
conf
.
get
(
"vAllowedProtocols"
);
vProtocolAtts
=
(
String
[])
conf
.
get
(
"vProtocolAtts"
);
vRemoveBlanks
=
(
String
[])
conf
.
get
(
"vRemoveBlanks"
);
vAllowedEntities
=
(
String
[])
conf
.
get
(
"vAllowedEntities"
);
stripComment
=
conf
.
containsKey
(
"stripComment"
)
?
(
Boolean
)
conf
.
get
(
"stripComment"
)
:
true
;
encodeQuotes
=
conf
.
containsKey
(
"encodeQuotes"
)
?
(
Boolean
)
conf
.
get
(
"encodeQuotes"
)
:
true
;
alwaysMakeTags
=
conf
.
containsKey
(
"alwaysMakeTags"
)
?
(
Boolean
)
conf
.
get
(
"alwaysMakeTags"
)
:
true
;
}
private
void
reset
()
{
vTagCounts
.
clear
();
}
// ---------------------------------------------------------------
// my versions of some PHP library functions
public
static
String
chr
(
final
int
decimal
)
{
return
String
.
valueOf
((
char
)
decimal
);
}
public
static
String
htmlSpecialChars
(
final
String
s
)
{
String
result
=
s
;
result
=
regexReplace
(
P_AMP
,
"&"
,
result
);
// result = regexReplace(P_QUOTE, """, result);
result
=
regexReplace
(
P_LEFT_ARROW
,
"<"
,
result
);
result
=
regexReplace
(
P_RIGHT_ARROW
,
">"
,
result
);
return
result
;
}
// ---------------------------------------------------------------
/**
* given a user submitted input String, filter out any invalid or restricted html.
*
* @param input text (i.e. submitted by a user) than may contain html
* @return "clean" version of input, with only valid, whitelisted html elements allowed
*/
public
String
filter
(
final
String
input
)
{
reset
();
String
s
=
input
;
s
=
escapeComments
(
s
);
s
=
balanceHTML
(
s
);
s
=
checkTags
(
s
);
s
=
processRemoveBlanks
(
s
);
// s = validateEntities(s);
return
s
;
}
public
boolean
isAlwaysMakeTags
()
{
return
alwaysMakeTags
;
}
public
boolean
isStripComments
()
{
return
stripComment
;
}
private
String
escapeComments
(
final
String
s
)
{
final
Matcher
m
=
P_COMMENTS
.
matcher
(
s
);
final
StringBuffer
buf
=
new
StringBuffer
();
if
(
m
.
find
())
{
final
String
match
=
m
.
group
(
1
);
// (.*?)
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
"<!--"
+
htmlSpecialChars
(
match
)
+
"-->"
));
}
m
.
appendTail
(
buf
);
return
buf
.
toString
();
}
private
String
balanceHTML
(
String
s
)
{
if
(
alwaysMakeTags
)
{
//
// try and form html
//
s
=
regexReplace
(
P_END_ARROW
,
""
,
s
);
// 不追加结束标签
s
=
regexReplace
(
P_BODY_TO_END
,
"<$1>"
,
s
);
s
=
regexReplace
(
P_XML_CONTENT
,
"$1<$2"
,
s
);
}
else
{
//
// escape stray brackets
//
s
=
regexReplace
(
P_STRAY_LEFT_ARROW
,
"<$1"
,
s
);
s
=
regexReplace
(
P_STRAY_RIGHT_ARROW
,
"$1$2><"
,
s
);
//
// the last regexp causes '<>' entities to appear
// (we need to do a lookahead assertion so that the last bracket can
// be used in the next pass of the regexp)
//
s
=
regexReplace
(
P_BOTH_ARROWS
,
""
,
s
);
}
return
s
;
}
private
String
checkTags
(
String
s
)
{
Matcher
m
=
P_TAGS
.
matcher
(
s
);
final
StringBuffer
buf
=
new
StringBuffer
();
while
(
m
.
find
())
{
String
replaceStr
=
m
.
group
(
1
);
replaceStr
=
processTag
(
replaceStr
);
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
replaceStr
));
}
m
.
appendTail
(
buf
);
// these get tallied in processTag
// (remember to reset before subsequent calls to filter method)
final
StringBuilder
sBuilder
=
new
StringBuilder
(
buf
.
toString
());
for
(
String
key
:
vTagCounts
.
keySet
())
{
for
(
int
ii
=
0
;
ii
<
vTagCounts
.
get
(
key
);
ii
++)
{
sBuilder
.
append
(
"</"
).
append
(
key
).
append
(
">"
);
}
}
s
=
sBuilder
.
toString
();
return
s
;
}
private
String
processRemoveBlanks
(
final
String
s
)
{
String
result
=
s
;
for
(
String
tag
:
vRemoveBlanks
)
{
if
(!
P_REMOVE_PAIR_BLANKS
.
containsKey
(
tag
))
{
P_REMOVE_PAIR_BLANKS
.
putIfAbsent
(
tag
,
Pattern
.
compile
(
"<"
+
tag
+
"(\\s[^>]*)?></"
+
tag
+
">"
));
}
result
=
regexReplace
(
P_REMOVE_PAIR_BLANKS
.
get
(
tag
),
""
,
result
);
if
(!
P_REMOVE_SELF_BLANKS
.
containsKey
(
tag
))
{
P_REMOVE_SELF_BLANKS
.
putIfAbsent
(
tag
,
Pattern
.
compile
(
"<"
+
tag
+
"(\\s[^>]*)?/>"
));
}
result
=
regexReplace
(
P_REMOVE_SELF_BLANKS
.
get
(
tag
),
""
,
result
);
}
return
result
;
}
private
static
String
regexReplace
(
final
Pattern
regex_pattern
,
final
String
replacement
,
final
String
s
)
{
Matcher
m
=
regex_pattern
.
matcher
(
s
);
return
m
.
replaceAll
(
replacement
);
}
private
String
processTag
(
final
String
s
)
{
// ending tags
Matcher
m
=
P_END_TAG
.
matcher
(
s
);
if
(
m
.
find
())
{
final
String
name
=
m
.
group
(
1
).
toLowerCase
();
if
(
allowed
(
name
))
{
if
(
false
==
inArray
(
name
,
vSelfClosingTags
))
{
if
(
vTagCounts
.
containsKey
(
name
))
{
vTagCounts
.
put
(
name
,
vTagCounts
.
get
(
name
)
-
1
);
return
"</"
+
name
+
">"
;
}
}
}
}
// starting tags
m
=
P_START_TAG
.
matcher
(
s
);
if
(
m
.
find
())
{
final
String
name
=
m
.
group
(
1
).
toLowerCase
();
final
String
body
=
m
.
group
(
2
);
String
ending
=
m
.
group
(
3
);
// debug( "in a starting tag, name='" + name + "'; body='" + body + "'; ending='" + ending + "'" );
if
(
allowed
(
name
))
{
final
StringBuilder
params
=
new
StringBuilder
();
final
Matcher
m2
=
P_QUOTED_ATTRIBUTES
.
matcher
(
body
);
final
Matcher
m3
=
P_UNQUOTED_ATTRIBUTES
.
matcher
(
body
);
final
List
<
String
>
paramNames
=
new
ArrayList
<>();
final
List
<
String
>
paramValues
=
new
ArrayList
<>();
while
(
m2
.
find
())
{
paramNames
.
add
(
m2
.
group
(
1
));
// ([a-z0-9]+)
paramValues
.
add
(
m2
.
group
(
3
));
// (.*?)
}
while
(
m3
.
find
())
{
paramNames
.
add
(
m3
.
group
(
1
));
// ([a-z0-9]+)
paramValues
.
add
(
m3
.
group
(
3
));
// ([^\"\\s']+)
}
String
paramName
,
paramValue
;
for
(
int
ii
=
0
;
ii
<
paramNames
.
size
();
ii
++)
{
paramName
=
paramNames
.
get
(
ii
).
toLowerCase
();
paramValue
=
paramValues
.
get
(
ii
);
// debug( "paramName='" + paramName + "'" );
// debug( "paramValue='" + paramValue + "'" );
// debug( "allowed? " + vAllowed.get( name ).contains( paramName ) );
if
(
allowedAttribute
(
name
,
paramName
))
{
if
(
inArray
(
paramName
,
vProtocolAtts
))
{
paramValue
=
processParamProtocol
(
paramValue
);
}
params
.
append
(
' '
).
append
(
paramName
).
append
(
"=\""
).
append
(
paramValue
).
append
(
"\""
);
}
}
if
(
inArray
(
name
,
vSelfClosingTags
))
{
ending
=
" /"
;
}
if
(
inArray
(
name
,
vNeedClosingTags
))
{
ending
=
""
;
}
if
(
ending
==
null
||
ending
.
length
()
<
1
)
{
if
(
vTagCounts
.
containsKey
(
name
))
{
vTagCounts
.
put
(
name
,
vTagCounts
.
get
(
name
)
+
1
);
}
else
{
vTagCounts
.
put
(
name
,
1
);
}
}
else
{
ending
=
" /"
;
}
return
"<"
+
name
+
params
+
ending
+
">"
;
}
else
{
return
""
;
}
}
// comments
m
=
P_COMMENT
.
matcher
(
s
);
if
(!
stripComment
&&
m
.
find
())
{
return
"<"
+
m
.
group
()
+
">"
;
}
return
""
;
}
private
String
processParamProtocol
(
String
s
)
{
s
=
decodeEntities
(
s
);
final
Matcher
m
=
P_PROTOCOL
.
matcher
(
s
);
if
(
m
.
find
())
{
final
String
protocol
=
m
.
group
(
1
);
if
(!
inArray
(
protocol
,
vAllowedProtocols
))
{
// bad protocol, turn into local anchor link instead
s
=
"#"
+
s
.
substring
(
protocol
.
length
()
+
1
);
if
(
s
.
startsWith
(
"#//"
))
{
s
=
"#"
+
s
.
substring
(
3
);
}
}
}
return
s
;
}
private
String
decodeEntities
(
String
s
)
{
StringBuffer
buf
=
new
StringBuffer
();
Matcher
m
=
P_ENTITY
.
matcher
(
s
);
while
(
m
.
find
())
{
final
String
match
=
m
.
group
(
1
);
final
int
decimal
=
Integer
.
decode
(
match
).
intValue
();
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
chr
(
decimal
)));
}
m
.
appendTail
(
buf
);
s
=
buf
.
toString
();
buf
=
new
StringBuffer
();
m
=
P_ENTITY_UNICODE
.
matcher
(
s
);
while
(
m
.
find
())
{
final
String
match
=
m
.
group
(
1
);
final
int
decimal
=
Integer
.
valueOf
(
match
,
16
).
intValue
();
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
chr
(
decimal
)));
}
m
.
appendTail
(
buf
);
s
=
buf
.
toString
();
buf
=
new
StringBuffer
();
m
=
P_ENCODE
.
matcher
(
s
);
while
(
m
.
find
())
{
final
String
match
=
m
.
group
(
1
);
final
int
decimal
=
Integer
.
valueOf
(
match
,
16
).
intValue
();
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
chr
(
decimal
)));
}
m
.
appendTail
(
buf
);
s
=
buf
.
toString
();
s
=
validateEntities
(
s
);
return
s
;
}
private
String
validateEntities
(
final
String
s
)
{
StringBuffer
buf
=
new
StringBuffer
();
// validate entities throughout the string
Matcher
m
=
P_VALID_ENTITIES
.
matcher
(
s
);
while
(
m
.
find
())
{
final
String
one
=
m
.
group
(
1
);
// ([^&;]*)
final
String
two
=
m
.
group
(
2
);
// (?=(;|&|$))
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
checkEntity
(
one
,
two
)));
}
m
.
appendTail
(
buf
);
return
encodeQuotes
(
buf
.
toString
());
}
private
String
encodeQuotes
(
final
String
s
)
{
if
(
encodeQuotes
)
{
StringBuffer
buf
=
new
StringBuffer
();
Matcher
m
=
P_VALID_QUOTES
.
matcher
(
s
);
while
(
m
.
find
())
{
final
String
one
=
m
.
group
(
1
);
// (>|^)
final
String
two
=
m
.
group
(
2
);
// ([^<]+?)
final
String
three
=
m
.
group
(
3
);
// (<|$)
// 不替换双引号为",防止json格式无效 regexReplace(P_QUOTE, """, two)
m
.
appendReplacement
(
buf
,
Matcher
.
quoteReplacement
(
one
+
two
+
three
));
}
m
.
appendTail
(
buf
);
return
buf
.
toString
();
}
else
{
return
s
;
}
}
private
String
checkEntity
(
final
String
preamble
,
final
String
term
)
{
return
";"
.
equals
(
term
)
&&
isValidEntity
(
preamble
)
?
'&'
+
preamble
:
"&"
+
preamble
;
}
private
boolean
isValidEntity
(
final
String
entity
)
{
return
inArray
(
entity
,
vAllowedEntities
);
}
private
static
boolean
inArray
(
final
String
s
,
final
String
[]
array
)
{
for
(
String
item
:
array
)
{
if
(
item
!=
null
&&
item
.
equals
(
s
))
{
return
true
;
}
}
return
false
;
}
private
boolean
allowed
(
final
String
name
)
{
return
(
vAllowed
.
isEmpty
()
||
vAllowed
.
containsKey
(
name
))
&&
!
inArray
(
name
,
vDisallowed
);
}
private
boolean
allowedAttribute
(
final
String
name
,
final
String
paramName
)
{
return
allowed
(
name
)
&&
(
vAllowed
.
isEmpty
()
||
vAllowed
.
get
(
name
).
contains
(
paramName
));
}
}
\ No newline at end of file
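Review bot: decodeEntities parses the decimal numeric-entity group with `Integer.decode(match).intValue()`, which is the wrong parser for a decimal character reference: `decode` treats a leading zero as an octal prefix, so a zero-padded reference is mis-decoded, and a digit 8 or 9 after that zero, or any value outside the int range, throws NumberFormatException; the same unhandled exception comes out of `Integer.valueOf(match, 16)` in the P_ENTITY_UNICODE branch for an over-long hex reference, so one malformed entity in a request aborts the filter. Use `Integer.parseInt(match)` for the decimal branch and wrap all three conversions so that a failed parse leaves the entity text unchanged or drops it. Further points in the same file: checkTags appends closing tags from vTagCounts but never clears the map, and the comment `// (remember to reset before subsequent calls to filter method)` leaves that to the caller; vTagCounts is instance state, so an instance shared between concurrently filtered requests mixes counts across requests, and the map should be cleared at the start of checkTags with the instance either created per call or synchronized. escapeComments uses `if (m.find())` where a `while` is needed, so only the first comment is escaped; later comments fall through to checkTags, and processTag's comment branch re-emits them as `"<" + m.group() + ">"` without htmlSpecialChars. allowed() returns true for every tag not in vDisallowed when vAllowed is empty, which silently turns the filter into a denylist, so the WAF configuration must populate vAllowed and that requirement belongs in the class Javadoc. checkEntity as shown returns `'&' + preamble` in both branches of the ternary, so an invalid entity is never escaped; if the source really has `"&amp;" + preamble` in the else branch (the rendering decodes entities, as the commented-out `regexReplace(P_QUOTE, """, two)` in encodeQuotes shows), the logic is fine, but verify it. Finally, the loop in encodeQuotes now appends `one + two + three` unchanged, so the method is an identity; either remove the regex pass or document why the encodeQuotes option is kept.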
src/main/java/com/laker/admin/framework/waf/attack/SqlFilter.java
0 → 100644
浏览文件 @
d7790090
package
com.laker.admin.framework.waf.attack
;
public
class
SqlFilter
{
public
static
String
strip
(
String
value
)
{
//剥离SQL注入部分代码
return
value
.
replaceAll
(
"('.+--)|(--)|(\\|)|(%7C)"
,
""
);
}
}
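Review bot: SqlFilter.strip silently rewrites request values with a character denylist, `value.replaceAll("('.+--)|(--)|(\\|)|(%7C)", "")`, and that cannot be relied on as the SQL injection control: it reacts only to a comment marker and a pipe, a query that concatenates the value into SQL stays just as exposed, and it corrupts legitimate input (the greedy `'.+--` alternative deletes everything from the first apostrophe to the last `--` in the value, and `--` or `|` inside ordinary text such as names, addresses or markdown is removed with no signal to the client). Keep parameterized queries (the MyBatis-Plus `QueryWrapper`/`LambdaQueryWrapper` imported elsewhere in this commit) as the primary control and have this filter reject or log suspicious input rather than modify it. The `%7C` alternative implies the filter sees URL-encoded data, but the servlet container has already decoded request parameters by the time a filter reads them, so pick one normalization point and apply it consistently. Also, `value` is dereferenced without a null check, and the class needs Javadoc stating which request values it is applied to.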
src/main/java/com/laker/admin/module/ext/controller/ExtLeaveController.java
...
...
@@ -6,9 +6,9 @@ import cn.hutool.core.date.DateUtil;
import
com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper
;
import
com.baomidou.mybatisplus.core.conditions.query.QueryWrapper
;
import
com.baomidou.mybatisplus.extension.plugins.pagination.Page
;
import
com.laker.admin.framework.EasyAdminSecurityUtils
;
import
com.laker.admin.framework.PageResponse
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
utils.
EasyAdminSecurityUtils
;
import
com.laker.admin.framework.
model.
PageResponse
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.aop.Metrics
;
import
com.laker.admin.module.ext.entity.ExtLeave
;
import
com.laker.admin.module.ext.service.IExtLeaveService
;
...
...
src/main/java/com/laker/admin/module/ext/controller/ExtLogController.java
...
...
@@ -5,8 +5,8 @@ import cn.hutool.core.util.StrUtil;
import
com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper
;
import
com.baomidou.mybatisplus.core.conditions.query.QueryWrapper
;
import
com.baomidou.mybatisplus.extension.plugins.pagination.Page
;
import
com.laker.admin.framework.PageResponse
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
PageResponse
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.aop.Metrics
;
import
com.laker.admin.module.ext.entity.ExtLog
;
import
com.laker.admin.module.ext.mapper.ExtLogMapper
;
...
...
src/main/java/com/laker/admin/module/flow/SnakerflowFacetsController.java
...
...
@@ -6,8 +6,8 @@ import cn.hutool.core.collection.CollUtil;
import
cn.hutool.core.lang.Dict
;
import
cn.hutool.core.util.StrUtil
;
import
cn.hutool.json.JSONUtil
;
import
com.laker.admin.framework.PageResponse
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
PageResponse
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.aop.Metrics
;
import
com.laker.admin.module.flow.process.SnakerEngineFacets
;
import
com.laker.admin.module.flow.process.SnakerHelper
;
...
...
src/main/java/com/laker/admin/module/sys/controller/IndexController.java
...
...
@@ -2,10 +2,9 @@ package com.laker.admin.module.sys.controller;
import
cn.hutool.core.lang.Dict
;
import
cn.hutool.core.util.IdUtil
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.cache.ICache
;
import
com.wf.captcha.ArithmeticCaptcha
;
import
com.wf.captcha.ChineseGifCaptcha
;
import
lombok.extern.slf4j.Slf4j
;
import
org.springframework.beans.factory.annotation.Autowired
;
import
org.springframework.stereotype.Controller
;
...
...
src/main/java/com/laker/admin/module/sys/controller/LoginController.java
...
...
@@ -12,9 +12,9 @@ import com.baomidou.mybatisplus.core.toolkit.Wrappers;
import
com.github.xiaoymin.knife4j.annotations.ApiOperationSupport
;
import
com.github.xiaoymin.knife4j.annotations.ApiSupport
;
import
com.laker.admin.framework.EasyAdminConstants
;
import
com.laker.admin.framework.PageDtoUtil
;
import
com.laker.admin.framework.PageResponse
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
utils.
PageDtoUtil
;
import
com.laker.admin.framework.
model.
PageResponse
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.aop.Metrics
;
import
com.laker.admin.framework.cache.ICache
;
import
com.laker.admin.framework.ext.mybatis.UserInfoAndPowers
;
...
...
src/main/java/com/laker/admin/module/sys/controller/NginxController.java
...
...
@@ -5,7 +5,7 @@ import cn.hutool.core.io.FileUtil;
import
cn.hutool.core.util.StrUtil
;
import
com.github.odiszapc.nginxparser.NgxConfig
;
import
com.github.odiszapc.nginxparser.NgxDumper
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.module.sys.pojo.NginxQo
;
import
com.laker.admin.module.sys.service.ISysDeptService
;
import
org.springframework.beans.factory.annotation.Autowired
;
...
...
src/main/java/com/laker/admin/module/sys/controller/StatisticsController.java
...
...
@@ -2,7 +2,7 @@ package com.laker.admin.module.sys.controller;
import
cn.dev33.satoken.stp.StpUtil
;
import
cn.hutool.core.lang.Dict
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.module.ext.mapper.ExtLogMapper
;
import
com.laker.admin.module.flow.process.SnakerEngineFacets
;
import
org.snaker.engine.access.QueryFilter
;
...
...
src/main/java/com/laker/admin/module/sys/controller/SysDeptController.java
...
...
@@ -5,9 +5,9 @@ import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import
com.baomidou.mybatisplus.core.conditions.query.QueryWrapper
;
import
com.baomidou.mybatisplus.core.toolkit.Wrappers
;
import
com.baomidou.mybatisplus.extension.plugins.pagination.Page
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.ResultTable
;
import
com.laker.admin.framework.ResultTree
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.
model.
ResultTable
;
import
com.laker.admin.framework.
model.
ResultTree
;
import
com.laker.admin.framework.aop.Metrics
;
import
com.laker.admin.module.sys.entity.SysDept
;
import
com.laker.admin.module.sys.service.ISysDeptService
;
...
...
src/main/java/com/laker/admin/module/sys/controller/SysDictController.java
...
...
@@ -5,8 +5,8 @@ import cn.hutool.core.collection.CollUtil;
import
com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper
;
import
com.baomidou.mybatisplus.core.conditions.query.QueryWrapper
;
import
com.baomidou.mybatisplus.extension.plugins.pagination.Page
;
import
com.laker.admin.framework.PageResponse
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
PageResponse
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.aop.Metrics
;
import
com.laker.admin.module.sys.entity.SysDict
;
import
com.laker.admin.module.sys.service.ISysDictService
;
...
...
src/main/java/com/laker/admin/module/sys/controller/SysMenuController.java
...
...
@@ -5,7 +5,7 @@ import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import
com.baomidou.mybatisplus.core.conditions.query.QueryWrapper
;
import
com.baomidou.mybatisplus.core.toolkit.Wrappers
;
import
com.baomidou.mybatisplus.extension.plugins.pagination.Page
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.aop.Metrics
;
import
com.laker.admin.module.sys.entity.SysMenu
;
import
com.laker.admin.module.sys.pojo.MenuVo
;
...
...
src/main/java/com/laker/admin/module/sys/controller/SysRoleController.java
...
...
@@ -5,9 +5,9 @@ import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import
com.baomidou.mybatisplus.core.conditions.query.QueryWrapper
;
import
com.baomidou.mybatisplus.core.toolkit.Wrappers
;
import
com.baomidou.mybatisplus.extension.plugins.pagination.Page
;
import
com.laker.admin.framework.PageResponse
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.ResultTree
;
import
com.laker.admin.framework.
model.
PageResponse
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.
model.
ResultTree
;
import
com.laker.admin.framework.aop.Metrics
;
import
com.laker.admin.module.sys.entity.SysMenu
;
import
com.laker.admin.module.sys.entity.SysRole
;
...
...
src/main/java/com/laker/admin/module/sys/controller/SysUserController.java
...
...
@@ -10,8 +10,8 @@ import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import
com.baomidou.mybatisplus.core.toolkit.Wrappers
;
import
com.baomidou.mybatisplus.extension.plugins.pagination.Page
;
import
com.laker.admin.config.LakerConfig
;
import
com.laker.admin.framework.PageResponse
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
PageResponse
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.framework.aop.Metrics
;
import
com.laker.admin.module.sys.entity.SysRole
;
import
com.laker.admin.module.sys.entity.SysUser
;
...
...
src/main/java/com/laker/admin/module/task/TaskManagerController.java
...
...
@@ -5,8 +5,8 @@ import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import
com.baomidou.mybatisplus.core.conditions.query.QueryWrapper
;
import
com.baomidou.mybatisplus.extension.plugins.pagination.Page
;
import
com.github.xiaoymin.knife4j.annotations.ApiSupport
;
import
com.laker.admin.framework.PageResponse
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
PageResponse
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.module.task.core.CoreProcessor
;
import
com.laker.admin.module.task.entity.SysTask
;
import
com.laker.admin.module.task.service.ISysTaskService
;
...
...
src/main/java/com/laker/admin/module/task/TaskManagerMonitorController.java
package
com.laker.admin.module.task
;
import
com.github.xiaoymin.knife4j.annotations.ApiSupport
;
import
com.laker.admin.framework.Response
;
import
com.laker.admin.framework.
model.
Response
;
import
com.laker.admin.module.task.core.CoreProcessor
;
import
io.swagger.annotations.Api
;
import
io.swagger.annotations.ApiOperation
;
...
...
src/main/java/com/laker/admin/module/task/controller/SysTasklogController.java
...
...
@@ -3,7 +3,7 @@ package com.laker.admin.module.task.controller;
import
com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper
;
import
com.baomidou.mybatisplus.core.conditions.query.QueryWrapper
;
import
com.baomidou.mybatisplus.extension.plugins.pagination.Page
;
import
com.laker.admin.framework.PageResponse
;
import
com.laker.admin.framework.
model.
PageResponse
;
import
com.laker.admin.module.task.entity.SysTasklog
;
import
com.laker.admin.module.task.service.ISysTasklogService
;
import
io.swagger.annotations.ApiOperation
;
...
...
src/main/java/com/laker/admin/module/task/core/CoreProcessor.java
...
...
@@ -6,7 +6,7 @@ import cn.hutool.cache.impl.LFUCache;
import
cn.hutool.core.map.MapUtil
;
import
cn.hutool.core.util.StrUtil
;
import
com.baomidou.mybatisplus.core.toolkit.Wrappers
;
import
com.laker.admin.framework.SpringUtils
;
import
com.laker.admin.framework.
utils.
SpringUtils
;
import
com.laker.admin.module.enums.TaskStateEnum
;
import
com.laker.admin.module.task.entity.SysTask
;
import
com.laker.admin.module.task.service.ISysTaskService
;
...
...
src/main/resources/application.yaml
...
...
@@ -52,4 +52,8 @@ sa-token:
token-style
:
simple-uuid
# 是否打印操作日志
is-log
:
false
is-print
:
false
\ No newline at end of file
is-print
:
false
laker
:
waf
:
sql-enabled
:
true
xss-enabled
:
true
\ No newline at end of file
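Review bot: the new `laker.waf` block enables both filters by default (`sql-enabled: true`, `xss-enabled: true`) without any comment, while the neighbouring sa-token keys carry notes in the `# 是否打印操作日志` style; document that `sql-enabled` causes request values to be rewritten (strings containing `--` or `|` are altered before the controller sees them) so operators understand the functional impact, and consider defaulting it to false until the filter only reports rather than modifies input. The file also still ends without a trailing newline (`\ No newline at end of file` after the last added line); add one so the next change here does not show a spurious diff on `xss-enabled`.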
src/main/resources/templates/controller.java.ftl
...
...
@@ -9,8 +9,8 @@ import ${package.Service}.${table.serviceName};
<#
else
>
import
org
.
springframework
.
stereotype
.
Controller
;
</#
if
>
import
com
.
laker
.
admin
.
framework
.
Response
;
import
com
.
laker
.
admin
.
framework
.
PageResponse
;
import
com
.
laker
.
admin
.
framework
.
model
.
Response
;
import
com
.
laker
.
admin
.
framework
.
model
.
PageResponse
;
import
com
.
baomidou
.
mybatisplus
.
core
.
conditions
.
query
.
LambdaQueryWrapper
;
import
com
.
baomidou
.
mybatisplus
.
core
.
conditions
.
query
.
QueryWrapper
;
import
com
.
baomidou
.
mybatisplus
.
extension
.
plugins
.
pagination
.
Page
;
...
...