Merge remote-tracking branch 'origin/master'

bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java

@@ -15,24 +15,17 @@ public class SafeUtil {
      * 安全SQL模式，用于检测SQL注入的正则表达式
      * 包含常见的SQL注入关键字和注释符号
      */
-    public final static String SAFE_SQL_PATTERN = "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|"
-            + "(\\b(select|update|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute)\\b)";
+    public final static String SAFE_SQL_PATTERN =
+            "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|" +
+                    "(\\b(select|update|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|union|from|where|and|or|alter|create|truncate|sys|information_schema|concat|substring|xp_cmdshell)\\b)|" +
+                    "(?:#)|(?:\")|(\\bsp_\\w+\\b)";
 
-    /**
-     * 安全脚本模式，用于检测脚本注入的正则表达式
-     * 由于平台中setfilter中使用多个参数时用到&符号，因此未包含&符号
-     */
-    /*public final static String SAFE_SCRIPT_PATTERN =
-            "(\\||;|\\$|'|\\'|0x0d|0x0a|\\%27|\\%3B" +
-                    "|<>|\\[\\]|\\(\\)|/|\"" +
-                    "|script|alert|svg|confirm|prompt|onload" +
-                    "|%3c|%3e|%2b|@|!|img|src" +
-                    "|%)";*/
     // 危险字符和编码
     public final static String DANGEROUS_CHARS =
-            "(\\||;|\\$|'|\\'|0x0d|0x0a|\\%27|\\%3B" +
-                    "|<>|\\[\\]|\\(\\)|/|\"" +
-                    "|%3c|%3e|%2b|@|!|%)";
+            "(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@|%|!|\\$|;|\\||/)" +
+                    "|(%3[cdef]|%2[bf2789]|%5[bd]|%3b|%28|%29)" +
+                    "|(\\\\x3[cdef]|\\\\x2[bf27])" +
+                    "|(data:text/html|base64|document\\.|window\\.|location\\.|cookie)";
 
     // JavaScript危险函数（带括号）
     public final static String DANGEROUS_FUNCTIONS =

bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java

@@ -72,6 +72,7 @@ public class XssCheck {
         // 其他特殊字符
         XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
         XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
+        XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
 
         // 十六进制编码
         XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
@@ -87,6 +88,52 @@ public class XssCheck {
         XSS_PATTERNS.add(Pattern.compile("window\\.", Pattern.CASE_INSENSITIVE));
         XSS_PATTERNS.add(Pattern.compile("location\\.", Pattern.CASE_INSENSITIVE));
         XSS_PATTERNS.add(Pattern.compile("cookie", Pattern.CASE_INSENSITIVE));
+
+        // 1. SQL注释模式
+        XSS_PATTERNS.add(Pattern.compile("--", Pattern.CASE_INSENSITIVE)); // 单行注释
+        XSS_PATTERNS.add(Pattern.compile("/\\*.*?\\*/", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); // 多行注释
+        XSS_PATTERNS.add(Pattern.compile("#", Pattern.CASE_INSENSITIVE)); // MySQL注释
+
+        // 2. 字符串分隔符
+        XSS_PATTERNS.add(Pattern.compile("'", Pattern.CASE_INSENSITIVE)); // 单引号
+        XSS_PATTERNS.add(Pattern.compile("\"", Pattern.CASE_INSENSITIVE)); // 双引号
+
+        // 3. DML操作关键字
+        XSS_PATTERNS.add(Pattern.compile("\\bselect\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\binsert\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bupdate\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bdelete\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bdrop\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\btruncate\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\balter\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bcreate\\b", Pattern.CASE_INSENSITIVE));
+
+        // 4. 系统函数和过程
+        XSS_PATTERNS.add(Pattern.compile("\\bexec\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bexecute\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bdeclare\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bxp_cmdshell\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bsp_\\w+\\b", Pattern.CASE_INSENSITIVE)); // 存储过程
+
+        // 5. 字符串和编码函数
+        XSS_PATTERNS.add(Pattern.compile("\\bchar\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bascii\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bsubstr\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bsubstring\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bconcat\\b", Pattern.CASE_INSENSITIVE));
+
+        // 6. 系统表和信息
+        XSS_PATTERNS.add(Pattern.compile("\\bmaster\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bsys\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\binformation_schema\\b", Pattern.CASE_INSENSITIVE));
+
+        // 7. 联合查询和其他操作
+        XSS_PATTERNS.add(Pattern.compile("\\bunion\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\binto\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bfrom\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bwhere\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\band\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bor\\b", Pattern.CASE_INSENSITIVE));
     }
 
     /**

bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java

@@ -76,6 +76,7 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
         // 其他特殊字符
         XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
         XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
+        XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
 
         // 十六进制编码
         XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
@@ -91,6 +92,52 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
         XSS_PATTERNS.add(Pattern.compile("window\\.", Pattern.CASE_INSENSITIVE));
         XSS_PATTERNS.add(Pattern.compile("location\\.", Pattern.CASE_INSENSITIVE));
         XSS_PATTERNS.add(Pattern.compile("cookie", Pattern.CASE_INSENSITIVE));
+
+        // 1. SQL注释模式
+        XSS_PATTERNS.add(Pattern.compile("--", Pattern.CASE_INSENSITIVE)); // 单行注释
+        XSS_PATTERNS.add(Pattern.compile("/\\*.*?\\*/", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); // 多行注释
+        XSS_PATTERNS.add(Pattern.compile("#", Pattern.CASE_INSENSITIVE)); // MySQL注释
+
+        // 2. 字符串分隔符
+        XSS_PATTERNS.add(Pattern.compile("'", Pattern.CASE_INSENSITIVE)); // 单引号
+        XSS_PATTERNS.add(Pattern.compile("\"", Pattern.CASE_INSENSITIVE)); // 双引号
+
+        // 3. DML操作关键字
+        XSS_PATTERNS.add(Pattern.compile("\\bselect\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\binsert\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bupdate\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bdelete\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bdrop\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\btruncate\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\balter\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bcreate\\b", Pattern.CASE_INSENSITIVE));
+
+        // 4. 系统函数和过程
+        XSS_PATTERNS.add(Pattern.compile("\\bexec\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bexecute\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bdeclare\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bxp_cmdshell\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bsp_\\w+\\b", Pattern.CASE_INSENSITIVE)); // 存储过程
+
+        // 5. 字符串和编码函数
+        XSS_PATTERNS.add(Pattern.compile("\\bchar\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bascii\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bsubstr\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bsubstring\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bconcat\\b", Pattern.CASE_INSENSITIVE));
+
+        // 6. 系统表和信息
+        XSS_PATTERNS.add(Pattern.compile("\\bmaster\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bsys\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\binformation_schema\\b", Pattern.CASE_INSENSITIVE));
+
+        // 7. 联合查询和其他操作
+        XSS_PATTERNS.add(Pattern.compile("\\bunion\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\binto\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bfrom\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bwhere\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\band\\b", Pattern.CASE_INSENSITIVE));
+        XSS_PATTERNS.add(Pattern.compile("\\bor\\b", Pattern.CASE_INSENSITIVE));
     }
 
     public XssRequestWrapper(HttpServletRequest request) {