From 6ae48554ca6354e30c9a0b5320beaace4a332822 Mon Sep 17 00:00:00 2001
From: cwchen <1048842385@qq.com>
Date: Thu, 9 Oct 2025 09:12:06 +0800
Subject: [PATCH] =?UTF-8?q?=E9=9D=9E=E6=B3=95=E5=80=BC=E6=A0=A1=E9=AA=8C?= =?UTF-8?q?=E4=BF=AE=E6=94=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../src/main/java/com/bonus/common/utils/SafeUtil.java | 2 +-
 .../main/java/com/bonus/framework/interceptor/XssCheck.java | 5 ++++-
 .../com/bonus/framework/interceptor/XssRequestWrapper.java | 5 +++--
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java b/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
index a73d3f7..7e66935 100644
--- a/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
+++ b/bonus-common/src/main/java/com/bonus/common/utils/SafeUtil.java
@@ -22,7 +22,7 @@ public class SafeUtil {
     // 危险字符和编码
     public final static String DANGEROUS_CHARS =
-            "(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@|%|!|\\$|;|\\||/)" +
+            "(<.*>|\\[.*\\]|\\(.*\\)|\".*\"|'.*'|@.*|%.*|!.*|\\$|;|\\||/)" +
             "|(%3[cdef]|%2[bf2789]|%5[bd]|%3b|%28|%29)" +
             "|(\\\\x3[cdef]|\\\\x2[bf27])" +
             "|(data:text/html|base64|document\\.|window\\.|location\\.|cookie)";
diff --git a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
index 4738902..8c44601 100644
--- a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
+++ b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssCheck.java
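Review bot: The `%.*` alternative in DANGEROUS_CHARS still rejects every `%`, including well-formed `%XX` escapes, while the XssCheck and XssRequestWrapper hunks in this same commit start exempting those via a negative lookahead, so the three checks now disagree about percent-encoded input. Appending `.*` to `@`, `%` and `!` does not change whether a match is found when the regex is used with `find()`, but if it feeds a `replaceAll` it will now strip everything from the first `@`/`%`/`!` to the end of the line — the call site is not in this hunk, so please confirm which it is. If the intent is to align with the other two files, `'.*'|@.*|%(?![0-9A-Fa-f]{2}).*|!.*|\\$|;|\\||/)" +` mirrors their exemption; better still, keep the `%` rule in one shared constant so the three copies cannot drift again.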
@@ -56,6 +56,9 @@ public class XssCheck {
         XSS_PATTERNS.add(Pattern.compile("'.*'", Pattern.CASE_INSENSITIVE)); // 单引号
         XSS_PATTERNS.add(Pattern.compile("\".*\"", Pattern.CASE_INSENSITIVE)); // 双引号
+        // 更完善的% 校验 URL编码排除
+        XSS_PATTERNS.add(Pattern.compile("%(?!(?:[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))", Pattern.CASE_INSENSITIVE));
+
         // URL编码模式
         XSS_PATTERNS.add(Pattern.compile("%3c", Pattern.CASE_INSENSITIVE)); // < 的URL编码
         XSS_PATTERNS.add(Pattern.compile("%3e", Pattern.CASE_INSENSITIVE)); // > 的URL编码
@@ -72,7 +75,7 @@ public class XssCheck {
         // 其他特殊字符
         XSS_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
         XSS_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
-        XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
+//        XSS_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
         // 十六进制编码
         XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
diff --git a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
index 61c6083..638e39b 100644
--- a/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
+++ b/bonus-framework/src/main/java/com/bonus/framework/interceptor/XssRequestWrapper.java
@@ -50,7 +50,6 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
         // 初始化需要忽略的特殊字符模式
         IGNORE_SPECIAL_PATTERNS.add(Pattern.compile("@.*", Pattern.CASE_INSENSITIVE)); // @符号
         IGNORE_SPECIAL_PATTERNS.add(Pattern.compile("!.*", Pattern.CASE_INSENSITIVE)); // 感叹号
-        IGNORE_SPECIAL_PATTERNS.add(Pattern.compile("%", Pattern.CASE_INSENSITIVE)); // %
         // 初始化所有XSS模式
         XSS_PATTERNS.add(Pattern.compile("", Pattern.CASE_INSENSITIVE));
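Review bot: The lookahead in the new `%` pattern exempts more than valid URL escapes: `25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?` are IPv4-octet alternatives, and because `[0-9A-Fa-f]{2}` already succeeds on any two-digit prefix their only net effect is that a `%` followed by a single decimal digit and then a non-hex character (e.g. `%5 `) is never flagged. The `u[0-9A-Fa-f]{4}` alternative exempts the non-standard `%uXXXX` form, which none of the `%3c`/`%3e`-style rules below inspect, so it should only stay if the request is actually decoded with that scheme; `Pattern.CASE_INSENSITIVE` is redundant since both cases are listed. Unless the single-digit exemption is intended, `XSS_PATTERNS.add(Pattern.compile("%(?![0-9A-Fa-f]{2})")); // bare % is flagged; well-formed %XX escapes are left to the explicit %3c/%3e rules below` does what the added comment `// 更完善的% 校验 URL编码排除` describes. The identical pattern is added in the XssRequestWrapper hunk `@@ -75,6 +74,8 @@`, where the same applies; the enclosing initializer block starts and ends outside both hunks.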
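Review bot: The old bare `%` rule at the `-`/`+` pair in `@@ -72,7 +75,7 @@` is kept as commented-out code at column 0 instead of being deleted, which a reviewer will flag as dead code — the lookahead pattern added earlier in the same file supersedes it and version control keeps the history. Delete the `+//        XSS_PATTERNS.add(Pattern.compile("%", ...))` line outright; if a pointer is wanted for readers expecting a `%` rule here, a one-line comment such as `// bare "%" rule replaced by the lookahead pattern in the URL-encoding section above` is clearer than disabled code. The enclosing initializer block starts and ends outside the hunk.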
@@ -75,6 +74,8 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
         XSS_PATTERNS.add(Pattern.compile("\\(.*\\)", Pattern.CASE_INSENSITIVE)); // 圆括号
         XSS_PATTERNS.add(Pattern.compile("'.*'", Pattern.CASE_INSENSITIVE)); // 单引号
         XSS_PATTERNS.add(Pattern.compile("\".*\"", Pattern.CASE_INSENSITIVE)); // 双引号
+        // 更完善的% 校验 URL编码排除
+        XSS_PATTERNS.add(Pattern.compile("%(?!(?:[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))", Pattern.CASE_INSENSITIVE));
         // URL编码模式
         XSS_PATTERNS.add(Pattern.compile("%3c", Pattern.CASE_INSENSITIVE)); // < 的URL编码
@@ -89,7 +90,7 @@ public class XssRequestWrapper extends HttpServletRequestWrapper {
         XSS_PATTERNS.add(Pattern.compile("%5b", Pattern.CASE_INSENSITIVE)); // [ 的URL编码
         XSS_PATTERNS.add(Pattern.compile("%5d", Pattern.CASE_INSENSITIVE)); // ] 的URL编码
-        // 注意:@、!、% 这三个模式被移到 IGNORE_SPECIAL_PATTERNS 中,不在 XSS_PATTERNS 中
+        // 注意:@、! 这三个模式被移到 IGNORE_SPECIAL_PATTERNS 中,不在 XSS_PATTERNS 中
         // 十六进制编码
         XSS_PATTERNS.add(Pattern.compile("\\\\x3c", Pattern.CASE_INSENSITIVE)); // < 的十六进制
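Review bot: The rewritten comment in `@@ -89,7 +90,7 @@` still says `这三个模式` ("these three patterns") while listing only `@、!`, so the count is now wrong. Change it to `// 注意:@、! 这两个模式被移到 IGNORE_SPECIAL_PATTERNS 中,不在 XSS_PATTERNS 中`, and since `%` was dropped from IGNORE_SPECIAL_PATTERNS in the `@@ -50,7 +50,6 @@` hunk above, it is worth one more clause saying that `%` is now checked by the lookahead pattern in XSS_PATTERNS, otherwise a reader of this note will go looking for a `%` entry in the ignore list that no longer exists. The enclosing initializer block starts and ends outside the hunk.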