diff --git a/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java b/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
index 8cb21ef..a73d3f7 100644
--- a/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
+++ b/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
@@ -15,24 +15,17 @@ public class SafeUtil {
 * 安全SQL模式,用于检测SQL注入的正则表达式
 * 包含常见的SQL注入关键字和注释符号
 */
- public final static String SAFE_SQL_PATTERN = "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|"
- + "(\\b(select|update|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute)\\b)";
+ public final static String SAFE_SQL_PATTERN =
+ "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|"
+ + "(\\b(select|update|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|union|from|where|and|or|alter|create|truncate|sys|information_schema|concat|substring|xp_cmdshell)\\b)|"
+ + "(?:#)|(?:\")|(\\bsp_\\w+\\b)";
- /**
- * 安全脚本模式,用于检测脚本注入的正则表达式
- * 由于平台中setfilter中使用多个参数时用到&符号,因此未包含&符号
- */
- /*public final static String SAFE_SCRIPT_PATTERN =
- "(\\||;|\\$|'|\\'|0x0d|0x0a|\\%27|\\%3B" +
- "|<>|\\[\\]|\\(\\)|/|\"" +
- "|script|alert|svg|confirm|prompt|onload" +
- "|%3c|%3e|%2b|@|!|img|src" +
- "|%)";*/
 // 危险字符和编码
 public final static String DANGEROUS_CHARS =
- "(\\||;|\\$|'|\\'|0x0d|0x0a|\\%27|\\%3B" +
- "|<>|\\[\\]|\\(\\)|/|\"" +
- "|%3c|%3e|%2b|@|!|%)";
+ "(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@|%|!|\\$|;|\\||/)" +
+ "|(%3[cdef]|%2[bf2789]|%5[bd]|%3b|%28|%29)" +
+ "|(\\\\x3[cdef]|\\\\x2[bf27])" +
+ "|(data:text/html|base64|document\\.|window\\.|location\\.|cookie)";
 // JavaScript危险函数(带括号)
 public final static String DANGEROUS_FUNCTIONS =
diff --git a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
index 4b25ae2..4738902 100644
--- a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
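Review bot: The keyword alternation in the new SAFE_SQL_PATTERN now rejects ordinary text, because `and`, `or`, `from`, `where`, `into`, `char` and `sys` are matched as standalone words and `(?:#)` / `(?:\")` reject every `#` and double quote, so any free-text or JSON-bearing field validated against it will fail. The misspelled `trancate` alternative is kept next to the newly added `truncate`, so it is dead and should be dropped, and a comment such as `// Heuristic screen only: parameterized queries remain the actual SQL-injection control; keep common English words out of this list` above the constant would document the intent now that the list is too long to read. In DANGEROUS_CHARS, `%3[cdef]` also matches `%3d` (URL-encoded `=`) and the bare substrings `base64` and `cookie` will hit harmless values, which deserves a false-positive test before this ships. Whether the pattern is compiled with CASE_INSENSITIVE is not visible in this hunk; if it is not, upper-case keywords pass while lower-case prose is blocked, so confirm at the compile site.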
+++ b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
@@ -72,6 +72,7 @@ public class XssCheck {
 // 其他特殊字符
 XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
 XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
+ XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
 // 十六进制编码
 XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
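Review bot: The added `Pattern.compile("%", Pattern.CASE_INSENSITIVE)` rejects every value containing a percent sign (`50%`, a discount field), and since the servlet container has normally URL-decoded parameters before they reach this class, a lone `%` is not an XSS indicator on its own; the CASE_INSENSITIVE flag is also a no-op on a literal with no letters. If the goal is encoded angle brackets that survived decoding, match those specifically (the old DANGEROUS_CHARS in SafeUtil used `%3c|%3e`) rather than every `%`, or drop the line. The identical line is added in the first XssRequestWrapper hunk below and should be treated the same way. The static initializer these lines belong to starts before the hunk.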
@@ -87,6 +88,52 @@ public class XssCheck {
 XSS_PATTERNS.add(Pattern.compile("window\\.", Pattern.CASE_INSENSITIVE));
 XSS_PATTERNS.add(Pattern.compile("location\\.", Pattern.CASE_INSENSITIVE));
 XSS_PATTERNS.add(Pattern.compile("cookie", Pattern.CASE_INSENSITIVE));
+
+ // 1. SQL注释模式
+ XSS_PATTERNS.add(Pattern.compile("--", Pattern.CASE_INSENSITIVE)); // 单行注释
+ XSS_PATTERNS.add(Pattern.compile("/\\*.*?\\*/", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); // 多行注释
+ XSS_PATTERNS.add(Pattern.compile("#", Pattern.CASE_INSENSITIVE)); // MySQL注释
+
+ // 2. 字符串分隔符
+ XSS_PATTERNS.add(Pattern.compile("'", Pattern.CASE_INSENSITIVE)); // 单引号
+ XSS_PATTERNS.add(Pattern.compile("\"", Pattern.CASE_INSENSITIVE)); // 双引号
+
+ // 3. DML操作关键字
+ XSS_PATTERNS.add(Pattern.compile("\\bselect\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\binsert\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bupdate\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bdelete\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bdrop\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\btruncate\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\balter\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bcreate\\b", Pattern.CASE_INSENSITIVE));
+
+ // 4. 系统函数和过程
+ XSS_PATTERNS.add(Pattern.compile("\\bexec\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bexecute\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bdeclare\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bxp_cmdshell\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bsp_\\w+\\b", Pattern.CASE_INSENSITIVE)); // 存储过程
+
+ // 5. 
字符串和编码函数
+ XSS_PATTERNS.add(Pattern.compile("\\bchar\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bascii\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bsubstr\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bsubstring\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bconcat\\b", Pattern.CASE_INSENSITIVE));
+
+ // 6. 系统表和信息
+ XSS_PATTERNS.add(Pattern.compile("\\bmaster\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bsys\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\binformation_schema\\b", Pattern.CASE_INSENSITIVE));
+
+ // 7. 联合查询和其他操作
+ XSS_PATTERNS.add(Pattern.compile("\\bunion\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\binto\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bfrom\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bwhere\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\band\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bor\\b", Pattern.CASE_INSENSITIVE));
 }
 /**
diff --git a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
index 45f9f78..d206694 100644
--- a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
+++ b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
@@ -76,6 +76,7 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
 // 其他特殊字符
 XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
 XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
+ XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
 // 十六进制编码
 XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
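Review bot: The new `\\bor\\b`, `\\band\\b`, `\\bfrom\\b`, `\\bwhere\\b`, `'`, `\"`, `#` and `--` patterns reject nearly any natural-language or JSON value (`Rock and Roll`, `O'Brien`, `#fff`, a double dash in prose), and none of them is an XSS indicator, so adding them to XSS_PATTERNS breaks legitimate input without providing a SQL-injection control, which belongs to PreparedStatement at the data layer. The same 46 lines are added verbatim to XssRequestWrapper in the second hunk of the next file and largely duplicate SafeUtil.SAFE_SQL_PATTERN, leaving three keyword lists to keep in sync; if a request-layer SQL screen is wanted at all, keep one shared list that excludes common English words and reference it from both classes, or at minimum mark this section `// TODO(review): SQL keyword screen, not an XSS control; revisit false positives on ordinary text`. `Pattern.MULTILINE` on `/\\*.*?\\*/` is a no-op because the pattern has no anchors, so `Pattern.CASE_INSENSITIVE | Pattern.DOTALL` is enough. The static initializer these lines sit in starts before the hunk, so how XSS_PATTERNS is applied (reject versus strip) is not visible here.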
@@ -91,6 +92,52 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
 XSS_PATTERNS.add(Pattern.compile("window\\.", Pattern.CASE_INSENSITIVE));
 XSS_PATTERNS.add(Pattern.compile("location\\.", Pattern.CASE_INSENSITIVE));
 XSS_PATTERNS.add(Pattern.compile("cookie", Pattern.CASE_INSENSITIVE));
+
+ // 1. SQL注释模式
+ XSS_PATTERNS.add(Pattern.compile("--", Pattern.CASE_INSENSITIVE)); // 单行注释
+ XSS_PATTERNS.add(Pattern.compile("/\\*.*?\\*/", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)); // 多行注释
+ XSS_PATTERNS.add(Pattern.compile("#", Pattern.CASE_INSENSITIVE)); // MySQL注释
+
+ // 2. 字符串分隔符
+ XSS_PATTERNS.add(Pattern.compile("'", Pattern.CASE_INSENSITIVE)); // 单引号
+ XSS_PATTERNS.add(Pattern.compile("\"", Pattern.CASE_INSENSITIVE)); // 双引号
+
+ // 3. DML操作关键字
+ XSS_PATTERNS.add(Pattern.compile("\\bselect\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\binsert\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bupdate\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bdelete\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bdrop\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\btruncate\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\balter\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bcreate\\b", Pattern.CASE_INSENSITIVE));
+
+ // 4. 系统函数和过程
+ XSS_PATTERNS.add(Pattern.compile("\\bexec\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bexecute\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bdeclare\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bxp_cmdshell\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bsp_\\w+\\b", Pattern.CASE_INSENSITIVE)); // 存储过程
+
+ // 5. 
字符串和编码函数
+ XSS_PATTERNS.add(Pattern.compile("\\bchar\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bascii\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bsubstr\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bsubstring\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bconcat\\b", Pattern.CASE_INSENSITIVE));
+
+ // 6. 系统表和信息
+ XSS_PATTERNS.add(Pattern.compile("\\bmaster\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bsys\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\binformation_schema\\b", Pattern.CASE_INSENSITIVE));
+
+ // 7. 联合查询和其他操作
+ XSS_PATTERNS.add(Pattern.compile("\\bunion\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\binto\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bfrom\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bwhere\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\band\\b", Pattern.CASE_INSENSITIVE));
+ XSS_PATTERNS.add(Pattern.compile("\\bor\\b", Pattern.CASE_INSENSITIVE));
 }
 public XssRequestWrapper(HttpServletRequest request) {
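Review bot: Because this list lives in a request wrapper, what happens on a match matters more than in XssCheck: if the wrapper sanitizes by removing or replacing matched text instead of rejecting the request, the new word-level patterns silently corrupt stored data (`Rock and Roll` loses `and`, a hex colour loses its `#`) with no error shown to the user and nothing logged for the operator. The matching code is outside this hunk, so confirm which behaviour it has and, if it strips, log and reject on these patterns rather than rewrite the value. The static initializer holding these lines begins before the hunk; the constructor `public XssRequestWrapper(HttpServletRequest request)` that follows is unchanged.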