
防SQL攻击(1) : springboot定义切面过滤请求参数

作者:Lxinccode 时间: 2019-11-07 06:01:14

参考 : 

    https://blog.csdn.net/qq_23184291/article/details/79651093

    https://blog.csdn.net/weixin_39728880/article/details/101029681

说明:下面这种关键字黑名单只能作为纵深防御的辅助手段,不能替代 PreparedStatement / 参数化查询。它既会误拦截含有 and、or、单引号等正常文本的请求,也容易被大小写、SQL 注释、编码等方式绕过;而且原文的 catch (Exception e) 会吞掉切面自己抛出的异常并继续执行 controller,实际上什么都没拦住。


import com.aliyun.et.industry.pangang.api.exception.PangangException;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

import javax.servlet.http.HttpServletRequest;

import java.util.StringJoiner;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

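@Component
@Aspect
public class PreventSQLAttack {

    private static final Logger LOGGER = LoggerFactory.getLogger(PreventSQLAttack.class);

    /**
     * Pipe-separated keyword blacklist. The original spelling "trancate" could never
     * match a real TRUNCATE statement and has been corrected to "truncate".
     *
     * NOTE(review): the list is illustrative rather than complete (select, union,
     * where, "--", ";" and SQL comment sequences are all absent), and any keyword
     * blacklist is a bypassable heuristic with real false positives ("and", "or"
     * and apostrophes occur in ordinary text). Treat it as defence in depth at best;
     * the actual SQL-injection fix is PreparedStatement / parameterised queries in
     * the data-access layer.
     */
    private static final String badStr = " update | and | or | delete | insert | truncate | char | into | substr | ascii | declare | exec | count | master | drop | execute |'|(|)";

    private static final String[] badStrs = badStr.split("\\|");

    /**
     * Compiled once from {@link #badStrs}. Alphabetic keywords match as whole words
     * and case-insensitively (the original space-padded indexOf() missed "UPDATE",
     * a keyword at the start or end of a value, or one followed by a comma); the
     * punctuation tokens ' ( ) match literally anywhere.
     */
    private static final Pattern BAD_TOKEN = compileBlacklist(badStrs);

    private static final String REQUEST_PARAMETER_ILLEGAL = "请求参数非法";

    /**
     * Pointcut: every method in the controller package and its sub-packages.
     * NOTE(review): this package (cn.nordrassil) differs from the imported exception's
     * package (com.aliyun...) -- confirm it matches the deployed project, otherwise
     * the advice never fires.
     */
    @Pointcut("execution(* cn.nordrassil.web.controller..*(..))")
    public void other() {
    }

    /**
     * Around advice: rejects the call when the string form of any argument contains
     * a blacklisted token, otherwise runs the controller method exactly once.
     *
     * @param joinPoint the intercepted controller invocation
     * @return whatever the controller method returns
     * @throws RuntimeException with message {@link #REQUEST_PARAMETER_ILLEGAL} when an
     *         argument is rejected. The original caught this exception itself in its
     *         {@code catch (Exception e)} and then called {@code proceed()} anyway, so
     *         no request was ever actually blocked.
     * @throws Throwable anything the controller throws, propagated unchanged. The
     *         original called {@code proceed()} a second time on any failure, running
     *         the controller twice; it also re-wrapped PangangException, dropping the
     *         stack trace, which there is no reason to do.
     */
    @Around("other()")
    public Object other(ProceedingJoinPoint joinPoint) throws Throwable {
        for (Object arg : joinPoint.getArgs()) {
            if (arg == null) {
                continue; // the original dereferenced a null argument and NPE'd
            }
            // Only what toString() renders is inspected: a DTO that does not override
            // toString() is effectively unfiltered (Object.toString() is class@hash).
            String token = findBadToken(arg.toString());
            if (token != null) {
                // Log the matched token, not the whole argument value, so potentially
                // sensitive payloads stay out of the log.
                LOGGER.error("{}接口路径: {} (token: {})", REQUEST_PARAMETER_ILLEGAL, currentRequestUrl(), token);
                throw new RuntimeException(REQUEST_PARAMETER_ILLEGAL);
            }
        }
        return joinPoint.proceed();
    }

    /**
     * Returns the first blacklisted token found in {@code text}, or null if none.
     */
    private static String findBadToken(String text) {
        Matcher matcher = BAD_TOKEN.matcher(text);
        return matcher.find() ? matcher.group() : null;
    }

    /**
     * Builds the blacklist regex: trimmed alphabetic tokens are wrapped in word
     * boundaries, everything else is quoted literally; empty tokens are skipped.
     */
    private static Pattern compileBlacklist(String[] tokens) {
        StringJoiner alternatives = new StringJoiner("|");
        for (String raw : tokens) {
            String token = raw.trim();
            if (token.isEmpty()) {
                continue;
            }
            boolean alphabetic = token.chars().allMatch(Character::isLetter);
            alternatives.add(alphabetic ? "\\b" + Pattern.quote(token) + "\\b" : Pattern.quote(token));
        }
        return Pattern.compile(alternatives.toString(), Pattern.CASE_INSENSITIVE);
    }

    /**
     * Request URL for the log line, or a placeholder when no servlet request is bound
     * to the current thread (the original cast and dereferenced unconditionally).
     */
    private static String currentRequestUrl() {
        Object attributes = RequestContextHolder.getRequestAttributes();
        if (!(attributes instanceof ServletRequestAttributes)) {
            return "<no servlet request bound>";
        }
        HttpServletRequest request = ((ServletRequestAttributes) attributes).getRequest();
        return String.valueOf(request.getRequestURL());
    }

}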

 

 

END。
