refactor: 重构防火墙路径遍历符校验,抽离出单独的 hook
@@ -18,10 +18,7 @@ package cn.dev33.satoken.strategy;
|
||||
import cn.dev33.satoken.SaManager;
|
||||
import cn.dev33.satoken.fun.strategy.SaFirewallCheckFailHandleFunction;
|
||||
import cn.dev33.satoken.fun.strategy.SaFirewallCheckFunction;
|
||||
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHook;
|
||||
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForBlackList;
|
||||
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForDangerCharacter;
|
||||
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForWhiteList;
|
||||
import cn.dev33.satoken.strategy.hooks.*;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
@@ -48,6 +45,7 @@ public final class SaFirewallStrategy {
|
||||
checkHooks.add(SaFirewallCheckHookForWhiteList.instance);
|
||||
checkHooks.add(SaFirewallCheckHookForBlackList.instance);
|
||||
checkHooks.add(SaFirewallCheckHookForDangerCharacter.instance);
|
||||
checkHooks.add(SaFirewallCheckHookForDirectoryTraversal.instance);
|
||||
}
|
||||
|
||||
// 注册一个防火墙校验 hook
|
||||
|
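Review bot: Replacing four explicit imports with `import cn.dev33.satoken.strategy.hooks.*;` in the first hunk moves in the opposite direction from the SaBeanInject hunk of this same commit, where `org.noear.solon.annotation.*` is expanded into explicit imports; one convention across the commit would be cleaner. Explicit imports also keep the full set of registered hook classes visible at the top of SaFirewallStrategy, which is useful for a security-relevant check list. Suggest keeping the existing four and adding `import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForDirectoryTraversal;`. The method that fills `checkHooks` in the second hunk begins outside the hunk.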
@@ -42,8 +42,7 @@ public class SaFirewallCheckHookForDangerCharacter implements SaFirewallCheckHoo
|
||||
"%2f", "%2F", // /
|
||||
"%5c", "%5C", // \
|
||||
";", "%3b", "%3B", // ; // 参考资料:https://mp.weixin.qq.com/s/77CIDZbgBwRunJeluofPTA
|
||||
"%25", // 空格
|
||||
"/.", "\\.", // /. \. 目录遍历符
|
||||
"%25" // 空格
|
||||
};
|
||||
|
||||
/**
|
||||
|
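Review bot: The comment on the re-added last array entry `"%25" // 空格` is inaccurate: `%25` is the percent-encoding of the `%` character, not of the space (`%20`); suggest `"%25" // % — presumably kept to reject double-encoded input, confirm`. With `"/."` and `"\\."` removed here, this hook no longer rejects dot-segments on its own, so that protection now depends on SaFirewallCheckHookForDirectoryTraversal being registered in the same chain, which the SaFirewallStrategy hunk does. The array this hunk edits starts outside the hunk.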
@@ -0,0 +1,50 @@
|
||||
/*
|
||||
* Copyright 2020-2099 sa-token.cc
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package cn.dev33.satoken.strategy.hooks;
|
||||
|
||||
import cn.dev33.satoken.context.model.SaRequest;
|
||||
import cn.dev33.satoken.context.model.SaResponse;
|
||||
import cn.dev33.satoken.exception.RequestPathInvalidException;
|
||||
|
||||
/**
|
||||
* 防火墙策略校验钩子函数:目录遍历符检测
|
||||
*
|
||||
* @author click33
|
||||
* @since 1.41.0
|
||||
*/
|
||||
public class SaFirewallCheckHookForDirectoryTraversal implements SaFirewallCheckHook {
|
||||
|
||||
/**
|
||||
* 默认实例
|
||||
*/
|
||||
public static SaFirewallCheckHookForDirectoryTraversal instance = new SaFirewallCheckHookForDirectoryTraversal();
|
||||
|
||||
/**
|
||||
* 执行的方法
|
||||
*
|
||||
* @param req 请求对象
|
||||
* @param res 响应对象
|
||||
* @param extArg 预留扩展参数
|
||||
*/
|
||||
@Override
|
||||
public void execute(SaRequest req, SaResponse res, Object extArg) {
|
||||
String requestPath = req.getRequestPath();
|
||||
if(requestPath.contains("/.") || requestPath.contains("\\.")) {
|
||||
throw new RequestPathInvalidException("非法请求:" + requestPath, requestPath);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
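Review bot: The test `requestPath.contains("/.") || requestPath.contains("\\.")` in `execute` rejects every path containing a dot-segment, not only `..` traversal, so legitimate dot-prefixed paths such as `/.well-known/...` are blocked too; this may be intended, but the class Javadoc should state it, e.g. `Rejects any request path containing "/." or "\." — this covers "/.." traversal but also dot-files such as /.well-known; encoded variants are not decoded here and rely on the danger-character hook in the same chain.` Whether `req.getRequestPath()` can return null is not visible in this file; if it can, the `contains` call throws a NullPointerException instead of the intended RequestPathInvalidException, so a guard like `if (requestPath != null && (requestPath.contains("/.") || requestPath.contains("\\.")))` would be safer. The public static `instance` field is non-final; if swapping the hook at runtime is not a supported extension point, `final` would prevent it being silently replaced.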
@@ -38,7 +38,10 @@ import cn.dev33.satoken.stp.StpLogic;
|
||||
import cn.dev33.satoken.stp.StpUtil;
|
||||
import cn.dev33.satoken.strategy.SaAnnotationStrategy;
|
||||
import cn.dev33.satoken.temp.SaTempInterface;
|
||||
import org.noear.solon.annotation.*;
|
||||
import org.noear.solon.annotation.Bean;
|
||||
import org.noear.solon.annotation.Condition;
|
||||
import org.noear.solon.annotation.Configuration;
|
||||
import org.noear.solon.annotation.Inject;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
@@ -232,4 +235,5 @@ public class SaBeanInject {
|
||||
public void setStpLogic(StpLogic stpLogic) {
|
||||
StpUtil.setStpLogic(stpLogic);
|
||||
}
|
||||
|
||||
}
|
||||
|
@@ -16,9 +16,12 @@
|
||||
package cn.dev33.satoken.solon;
|
||||
|
||||
import cn.dev33.satoken.config.SaTokenConfig;
|
||||
import cn.dev33.satoken.solon.integration.SaFirewallCheckFilterForSolon;
|
||||
import cn.dev33.satoken.util.SaTokenConsts;
|
||||
import org.noear.solon.annotation.Bean;
|
||||
import org.noear.solon.annotation.Configuration;
|
||||
import org.noear.solon.annotation.Inject;
|
||||
import org.noear.solon.core.handle.Filter;
|
||||
|
||||
/**
|
||||
* 注册Sa-Token所需要的Bean
|
||||
@@ -28,6 +31,7 @@ import org.noear.solon.annotation.Inject;
|
||||
*/
|
||||
@Configuration
|
||||
public class SaBeanRegister {
|
||||
|
||||
/**
|
||||
* 获取配置Bean
|
||||
*
|
||||
@@ -41,4 +45,15 @@ public class SaBeanRegister {
|
||||
return config;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* 防火墙校验过滤器
|
||||
*
|
||||
* @return /
|
||||
*/
|
||||
@Bean(index = SaTokenConsts.FIREWALL_CHECK_FILTER_ORDER)
|
||||
public Filter saFirewallCheckFilterForSolon() {
|
||||
return new SaFirewallCheckFilterForSolon();
|
||||
}
|
||||
|
||||
}
|
||||
|
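Review bot: The Javadoc on the new `saFirewallCheckFilterForSolon()` bean carries the placeholder `@return /`; suggest `@return the Sa-Token firewall check filter, registered at SaTokenConsts.FIREWALL_CHECK_FILTER_ORDER`. The value of `FIREWALL_CHECK_FILTER_ORDER` is not visible here, and the filter only protects the authentication filters if that index orders it ahead of them, so a one-line note on the `@Bean` line would help, e.g. `// index is meant to place the firewall ahead of the auth filters — confirm against SaTokenConsts`. The enclosing class SaBeanRegister starts outside this hunk.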