refactor: 重构防火墙路径遍历符校验,抽离出单独的 hook

This commit is contained in:
click33
2025-02-27 07:39:29 +08:00
parent cce77fbd49
commit 80789607fd
5 changed files with 73 additions and 7 deletions

View File

@@ -18,10 +18,7 @@ package cn.dev33.satoken.strategy;
import cn.dev33.satoken.SaManager;
import cn.dev33.satoken.fun.strategy.SaFirewallCheckFailHandleFunction;
import cn.dev33.satoken.fun.strategy.SaFirewallCheckFunction;
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHook;
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForBlackList;
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForDangerCharacter;
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForWhiteList;
import cn.dev33.satoken.strategy.hooks.*;
import java.util.ArrayList;
import java.util.List;
@@ -48,6 +45,7 @@ public final class SaFirewallStrategy {
checkHooks.add(SaFirewallCheckHookForWhiteList.instance);
checkHooks.add(SaFirewallCheckHookForBlackList.instance);
checkHooks.add(SaFirewallCheckHookForDangerCharacter.instance);
checkHooks.add(SaFirewallCheckHookForDirectoryTraversal.instance);
}
// 注册一个防火墙校验 hook

View File

@@ -42,8 +42,7 @@ public class SaFirewallCheckHookForDangerCharacter implements SaFirewallCheckHoo
"%2f", "%2F", // /
"%5c", "%5C", // \
";", "%3b", "%3B", // ; // 参考资料https://mp.weixin.qq.com/s/77CIDZbgBwRunJeluofPTA
"%25", // 空格
"/.", "\\.", // /. \. 目录遍历符
"%25" // 空格
};
/**

View File

@@ -0,0 +1,50 @@
/*
* Copyright 2020-2099 sa-token.cc
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package cn.dev33.satoken.strategy.hooks;
import cn.dev33.satoken.context.model.SaRequest;
import cn.dev33.satoken.context.model.SaResponse;
import cn.dev33.satoken.exception.RequestPathInvalidException;
/**
* 防火墙策略校验钩子函数:目录遍历符检测
*
* @author click33
* @since 1.41.0
*/
public class SaFirewallCheckHookForDirectoryTraversal implements SaFirewallCheckHook {
/**
* 默认实例
*/
public static SaFirewallCheckHookForDirectoryTraversal instance = new SaFirewallCheckHookForDirectoryTraversal();
/**
* 执行的方法
*
* @param req 请求对象
* @param res 响应对象
* @param extArg 预留扩展参数
*/
@Override
public void execute(SaRequest req, SaResponse res, Object extArg) {
String requestPath = req.getRequestPath();
if(requestPath.contains("/.") || requestPath.contains("\\.")) {
throw new RequestPathInvalidException("非法请求:" + requestPath, requestPath);
}
}
}

View File

@@ -38,7 +38,10 @@ import cn.dev33.satoken.stp.StpLogic;
import cn.dev33.satoken.stp.StpUtil;
import cn.dev33.satoken.strategy.SaAnnotationStrategy;
import cn.dev33.satoken.temp.SaTempInterface;
import org.noear.solon.annotation.*;
import org.noear.solon.annotation.Bean;
import org.noear.solon.annotation.Condition;
import org.noear.solon.annotation.Configuration;
import org.noear.solon.annotation.Inject;
import java.util.List;
@@ -232,4 +235,5 @@ public class SaBeanInject {
public void setStpLogic(StpLogic stpLogic) {
StpUtil.setStpLogic(stpLogic);
}
}

View File

@@ -16,9 +16,12 @@
package cn.dev33.satoken.solon;
import cn.dev33.satoken.config.SaTokenConfig;
import cn.dev33.satoken.solon.integration.SaFirewallCheckFilterForSolon;
import cn.dev33.satoken.util.SaTokenConsts;
import org.noear.solon.annotation.Bean;
import org.noear.solon.annotation.Configuration;
import org.noear.solon.annotation.Inject;
import org.noear.solon.core.handle.Filter;
/**
* 注册Sa-Token所需要的Bean
@@ -28,6 +31,7 @@ import org.noear.solon.annotation.Inject;
*/
@Configuration
public class SaBeanRegister {
/**
* 获取配置Bean
*
@@ -41,4 +45,15 @@ public class SaBeanRegister {
return config;
}
}
/**
* 防火墙校验过滤器
*
* @return /
*/
@Bean(index = SaTokenConsts.FIREWALL_CHECK_FILTER_ORDER)
public Filter saFirewallCheckFilterForSolon() {
return new SaFirewallCheckFilterForSolon();
}
}