lsm/sa-token
1
0
Fork 0
mirror of https://gitee.com/dromara/sa-token.git synced 2025-05-05 13:17:55 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: 增强防火墙 hook 校验能力

Browse Source
This commit is contained in:
click33 2025-02-28 06:13:03 +08:00
parent 8f51d1af8d
commit d1a79ce55e
2 changed files with 24 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
sa-token-core/src/main/java/cn/dev33/satoken/strategy/hooks/SaFirewallCheckHookForPathBannedCharacter.java
View File

@ -33,6 +33,21 @@ public class SaFirewallCheckHookForPathBannedCharacter implements SaFirewallChec
*/ */
public static SaFirewallCheckHookForPathBannedCharacter instance = new SaFirewallCheckHookForPathBannedCharacter(); public static SaFirewallCheckHookForPathBannedCharacter instance = new SaFirewallCheckHookForPathBannedCharacter();
/**
* 是否严格禁止出现百分号字符 % 默认
*/
public boolean bannedPercentage = false;
/**
* 重载配置
* @param bannedPercentage 是否严格禁止出现百分号字符 % 默认
*/
public void resetConfig(boolean bannedPercentage) {
this.bannedPercentage = bannedPercentage;
}
/** /**
* 执行的方法 * 执行的方法
* *
@ -47,7 +62,9 @@ public class SaFirewallCheckHookForPathBannedCharacter implements SaFirewallChec
if(SaFoxUtil.hasNonPrintableASCII(requestPath)) { if(SaFoxUtil.hasNonPrintableASCII(requestPath)) {
throw new RequestPathInvalidException("请求 path 包含禁止字符:" + requestPath, requestPath); throw new RequestPathInvalidException("请求 path 包含禁止字符:" + requestPath, requestPath);
} }
if(bannedPercentage && requestPath.contains("%")) {
throw new RequestPathInvalidException("请求 path 包含禁止字符 %" + requestPath, requestPath);
}
} }
} }

7
sa-token-core/src/main/java/cn/dev33/satoken/strategy/hooks/SaFirewallCheckHookForPathDangerCharacter.java
View File

@ -42,7 +42,12 @@ public class SaFirewallCheckHookForPathDangerCharacter implements SaFirewallChec
"%2f", "%2F", // / "%2f", "%2F", // /
"%5c", "%5C", // \ "%5c", "%5C", // \
";", "%3b", "%3B", // ; // 参考资料https://mp.weixin.qq.com/s/77CIDZbgBwRunJeluofPTA ";", "%3b", "%3B", // ; // 参考资料https://mp.weixin.qq.com/s/77CIDZbgBwRunJeluofPTA
"%25" // 空格 "%25", // 空格
"\0", "%00", // 空字符
"\n", "%0a", "%0A", // 换行符
"\r", "%0d", "%0D", // 回车符
"\u2028", // 行分隔符
"\u2029" // 段分隔符
}; };
/** /**