非法值校验修改

This commit is contained in:
cwchen 2025-10-09 09:12:06 +08:00
parent db6f3c7cb2
commit 6ae48554ca
3 changed files with 8 additions and 4 deletions


@ -22,7 +22,7 @@ public class SafeUtil {
// 危险字符和编码
public final static String DANGEROUS_CHARS =
"(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@|%|!|\\$|;|\\||/)" +
"(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@.*|%.*|!.*|\\$|;|\\||/)" +
"|(%3[cdef]|%2[bf2789]|%5[bd]|%3b|%28|%29)" +
"|(\\\\x3[cdef]|\\\\x2[bf27])" +
"|(data:text/html|base64|document\\.|window\\.|location\\.|cookie)";
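Review bot: The new DANGEROUS_CHARS alternation still treats every `%` as dangerous via `%.*`, while the same commit relaxes the `%` check in XssCheck and XssRequestWrapper to exclude well-formed URL-encoded sequences, so a value with a legitimate percent-encoded parameter passes the wrapper but still trips SafeUtil. Unless SafeUtil is deliberately the stricter layer, the same exclusion belongs here, e.g. `"(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@.*|%(?![0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}).*|!.*|\\$|;|\\||/)" +`. Appending `.*` to `@`, `%` and `!` does not change where `find()` first matches, only how much it consumes, so whether this change alters behaviour depends on whether the constant is used with `find()`, `matches()` or `replaceAll()`, which is outside the hunk; a one-line comment stating why the extension was made would help the next reader. The rest of the SafeUtil class is outside the hunk.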


@ -56,6 +56,9 @@ public class XssCheck {
XSS_PATTERNS.add(Pattern.compile("'.*'", Pattern.CASE_INSENSITIVE)); // 单引号
XSS_PATTERNS.add(Pattern.compile("\".*\"", Pattern.CASE_INSENSITIVE)); // 双引号
// 更完善的% 校验 URL编码排除
XSS_PATTERNS.add(Pattern.compile("%(?!(?:[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))", Pattern.CASE_INSENSITIVE));
// URL编码模式
XSS_PATTERNS.add(Pattern.compile("%3c", Pattern.CASE_INSENSITIVE)); // < 的URL编码
XSS_PATTERNS.add(Pattern.compile("%3e", Pattern.CASE_INSENSITIVE)); // > 的URL编码
@ -72,7 +75,7 @@ public class XssCheck {
// 其他特殊字符
XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
// XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
// 十六进制编码
XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
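Review bot: The negative lookahead in the new `%` pattern is wider than the comment "URL编码排除" states: the alternatives `25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?` look like IPv4-octet fragments, and the last of them accepts a single digit, so a malformed `%` followed by one digit is no longer flagged even though it is not a valid percent-encoding. The two-hex-digit and `%uXXXX` alternatives already cover every well-formed encoding, so the line should be reduced to `XSS_PATTERNS.add(Pattern.compile("%(?![0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4})", Pattern.CASE_INSENSITIVE));` and `CASE_INSENSITIVE` is then redundant with the explicit `[A-Fa-f]` ranges. The identical pattern is added in the XssRequestWrapper section of this commit and needs the same change. In the second hunk the old `%` entry is commented out rather than deleted; version control keeps the history, so the commented-out line should be removed. Both hunks sit inside a static initializer or constructor whose start and end are outside the hunks.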


@ -50,7 +50,6 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
// 初始化需要忽略的特殊字符模式
IGNORE_SPECIAL_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
IGNORE_SPECIAL_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
IGNORE_SPECIAL_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
// 初始化所有XSS模式
XSS_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE));
@ -75,6 +74,8 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
XSS_PATTERNS.add(Pattern.compile("\\(.*\\)", Pattern.CASE_INSENSITIVE)); // 圆括号
XSS_PATTERNS.add(Pattern.compile("'.*'", Pattern.CASE_INSENSITIVE)); // 单引号
XSS_PATTERNS.add(Pattern.compile("\".*\"", Pattern.CASE_INSENSITIVE)); // 双引号
// 更完善的% 校验 URL编码排除
XSS_PATTERNS.add(Pattern.compile("%(?!(?:[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))", Pattern.CASE_INSENSITIVE));
// URL编码模式
XSS_PATTERNS.add(Pattern.compile("%3c", Pattern.CASE_INSENSITIVE)); // < 的URL编码
@ -89,7 +90,7 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
XSS_PATTERNS.add(Pattern.compile("%5b", Pattern.CASE_INSENSITIVE)); // [ 的URL编码
XSS_PATTERNS.add(Pattern.compile("%5d", Pattern.CASE_INSENSITIVE)); // ] 的URL编码
// 注意@!% 这三个模式被移到 IGNORE_SPECIAL_PATTERNS 不在 XSS_PATTERNS
// 注意@! 这三个模式被移到 IGNORE_SPECIAL_PATTERNS 不在 XSS_PATTERNS
// 十六进制编码
XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
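Review bot: The rewritten comment in the last hunk still says "这三个模式" although only `@` and `!` remain in IGNORE_SPECIAL_PATTERNS after the first hunk removed `%`, and it no longer tells the reader where the `%` check went. Since the second hunk adds `%` back to XSS_PATTERNS with a URL-encoding exclusion, the comment should describe the new split, e.g. `// NOTE: @ and ! live in IGNORE_SPECIAL_PATTERNS, not XSS_PATTERNS; % stays in XSS_PATTERNS with the URL-encoding exclusion above`. The `%` lookahead added in the second hunk carries the same over-wide digit alternative raised on the XssCheck section and should get the same fix. The initializer these hunks belong to starts and ends outside the hunks.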