refactor: 重构防火墙路径遍历符校验,抽离出单独的 hook

This commit is contained in:
click33
2025-02-27 07:39:29 +08:00
parent cce77fbd49
commit 80789607fd
5 changed files with 73 additions and 7 deletions


@@ -18,10 +18,7 @@ package cn.dev33.satoken.strategy;
import cn.dev33.satoken.SaManager;
import cn.dev33.satoken.fun.strategy.SaFirewallCheckFailHandleFunction;
import cn.dev33.satoken.fun.strategy.SaFirewallCheckFunction;
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHook;
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForBlackList;
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForDangerCharacter;
import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForWhiteList;
import cn.dev33.satoken.strategy.hooks.*;
import java.util.ArrayList;
import java.util.List;
@@ -48,6 +45,7 @@ public final class SaFirewallStrategy {
checkHooks.add(SaFirewallCheckHookForWhiteList.instance);
checkHooks.add(SaFirewallCheckHookForBlackList.instance);
checkHooks.add(SaFirewallCheckHookForDangerCharacter.instance);
checkHooks.add(SaFirewallCheckHookForDirectoryTraversal.instance);
}
// 注册一个防火墙校验 hook
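Review bot: The wildcard `import cn.dev33.satoken.strategy.hooks.*;` that replaces the four explicit imports in the first hunk hides which hooks this strategy depends on and will silently pull in any class later added to that package; keep the explicit imports and add `import cn.dev33.satoken.strategy.hooks.SaFirewallCheckHookForDirectoryTraversal;` for the hook registered in the second hunk. Because this commit also removes `/.` and `\.` from the danger-character array, the line `checkHooks.add(SaFirewallCheckHookForDirectoryTraversal.instance);` is now the only place that traversal check is wired in; a one-line comment saying so would keep it from being dropped later as an apparent duplicate. The enclosing initializer starts outside the hunk.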


@@ -42,8 +42,7 @@ public class SaFirewallCheckHookForDangerCharacter implements SaFirewallCheckHoo
"%2f", "%2F", // /
"%5c", "%5C", // \
";", "%3b", "%3B", // ; // 参考资料https://mp.weixin.qq.com/s/77CIDZbgBwRunJeluofPTA
"%25", // 空格
"/.", "\\.", // /. \. 目录遍历符
"%25" // 空格
};
/**
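Review bot: The comment on the new last element `"%25" // 空格` is wrong: `%25` is the percent-encoding of `%` itself, while a space encodes to `%20`; the removed line carried the same mislabel, so this rewrite is the moment to correct it, e.g. `"%25" // %`. With `/.` and `\.` dropped from this array the hook no longer catches traversal sequences on its own and relies on SaFirewallCheckHookForDirectoryTraversal being registered by the strategy; a short comment at the end of the array noting that the traversal check moved there would make the dependency visible to the next reader. The array declaration and the enclosing class continue outside the hunk.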


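--- /dev/null
+++ b/SaFirewallCheckHookForDirectoryTraversal.java
@@ -0,0 +1,50 @@
+/*
+* Copyright 2020-2099 sa-token.cc
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package cn.dev33.satoken.strategy.hooks;
+import cn.dev33.satoken.context.model.SaRequest;
+import cn.dev33.satoken.context.model.SaResponse;
+import cn.dev33.satoken.exception.RequestPathInvalidException;
+/**
+* 防火墙策略校验钩子函数:目录遍历符检测
+*
+* @author click33
+* @since 1.41.0
+*/
+public class SaFirewallCheckHookForDirectoryTraversal implements SaFirewallCheckHook {
+/**
+* 默认实例
+*/
+public static SaFirewallCheckHookForDirectoryTraversal instance = new SaFirewallCheckHookForDirectoryTraversal();
+/**
+* 执行的方法
+*
+* @param req 请求对象
+* @param res 响应对象
+* @param extArg 预留扩展参数
+*/
+@Override
+public void execute(SaRequest req, SaResponse res, Object extArg) {
+String requestPath = req.getRequestPath();
+if(requestPath.contains("/.") || requestPath.contains("\\.")) {
+throw new RequestPathInvalidException("非法请求:" + requestPath, requestPath);
+}
+}
+}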
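Review bot: The Javadoc on `execute` ("执行的方法") does not say what the hook rejects; the `requestPath.contains("/.") || requestPath.contains("\\.")` condition rejects any occurrence of `/.` or `\.`, which covers `/../` and `/./` but equally rejects every dot-prefixed segment such as `/.well-known/...`, so that rule and that trade-off belong in the class or method comment. The check runs on the raw `req.getRequestPath()`; percent-encoded `/` and `\` are rejected by the `%2f`/`%5c` entries of SaFirewallCheckHookForDangerCharacter visible in this commit, but whether an encoded dot is caught depends on entries of that list not shown here and on whether the container decodes the path before this point, which is worth one sentence of documentation or a test. If `getRequestPath()` can return null (not visible here) the `contains` call throws NullPointerException rather than the intended RequestPathInvalidException, so decide that case explicitly, e.g. `if (requestPath == null) { return; }` or treating null as invalid, whichever the sibling hooks do. Suggested Javadoc for execute: `Rejects the request when its raw path contains "/." or "\." (this covers "/../", "/./" and any dot-prefixed segment); percent-encoded forms are left to the danger-character hook.`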