From 8c91d4a26c6f98a3ed7a2b57fb94a7fcd5f63055 Mon Sep 17 00:00:00 2001 From: Charles7c Date: Sat, 30 Mar 2024 21:42:51 +0800 Subject: [PATCH] =?UTF-8?q?refactor(web):=20=E4=BC=98=E5=8C=96=20XSS=20?= =?UTF-8?q?=E8=BF=87=E6=BB=A4=E9=83=A8=E5=88=86=E4=BB=A3=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../core/constant/PropertiesConstants.java | 26 +++---- .../trace/TraceAutoConfiguration.java | 6 +- .../xss/XssAutoConfiguration.java | 12 ++-- .../web/autoconfigure/xss/XssFilter.java | 68 ++++++++----------- .../web/autoconfigure/xss/XssProperties.java | 36 +++++----- .../xss/XssServletRequestWrapper.java | 8 +-- 6 files changed, 76 insertions(+), 80 deletions(-) diff --git a/continew-starter-core/src/main/java/top/charles7c/continew/starter/core/constant/PropertiesConstants.java b/continew-starter-core/src/main/java/top/charles7c/continew/starter/core/constant/PropertiesConstants.java index c1f1ab5d..a8c1d675 100644 --- a/continew-starter-core/src/main/java/top/charles7c/continew/starter/core/constant/PropertiesConstants.java +++ b/continew-starter-core/src/main/java/top/charles7c/continew/starter/core/constant/PropertiesConstants.java @@ -37,7 +37,7 @@ public class PropertiesConstants { /** * 线程池配置 */ - public static final String THREAD_POOL = CONTINEW_STARTER + ".thread-pool"; + public static final String THREAD_POOL = CONTINEW_STARTER + StringConstants.DOT + "thread-pool"; /** * Spring Doc 配置 @@ -47,7 +47,7 @@ public class PropertiesConstants { /** * Spring Doc Swagger UI 配置 */ - public static final String SPRINGDOC_SWAGGER_UI = SPRINGDOC + ".swagger-ui"; + public static final String SPRINGDOC_SWAGGER_UI = SPRINGDOC + StringConstants.DOT + "swagger-ui"; /** * 安全配置 
@@ -67,52 +67,52 @@ public class PropertiesConstants { /** * Web 配置 */ - public static final String WEB = CONTINEW_STARTER + ".web"; + public static final String WEB = CONTINEW_STARTER + StringConstants.DOT + "web"; /** * 跨域配置 */ - public static final String CORS = WEB + ".cors"; + public static final String CORS = WEB + StringConstants.DOT + "cors"; /** * 链路配置 */ - public static final String TRACE = WEB + ".trace"; + public static final String TRACE = WEB + StringConstants.DOT + "trace"; /** - * 链路配置 + * XSS 配置 */ - public static final String XSS = WEB + ".xss"; + public static final String XSS = WEB + StringConstants.DOT + "xss"; /** * 日志配置 */ - public static final String LOG = CONTINEW_STARTER + ".log"; + public static final String LOG = CONTINEW_STARTER + StringConstants.DOT + "log"; /** * 存储配置 */ - public static final String STORAGE = CONTINEW_STARTER + ".storage"; + public static final String STORAGE = CONTINEW_STARTER + StringConstants.DOT + "storage"; /** * 本地存储配置 */ - public static final String STORAGE_LOCAL = STORAGE + ".local"; + public static final String STORAGE_LOCAL = STORAGE + StringConstants.DOT + "local"; /** * 验证码配置 */ - public static final String CAPTCHA = CONTINEW_STARTER + ".captcha"; + public static final String CAPTCHA = CONTINEW_STARTER + StringConstants.DOT + "captcha"; /** * 图形验证码配置 */ - public static final String CAPTCHA_GRAPHIC = CAPTCHA + ".graphic"; + public static final String CAPTCHA_GRAPHIC = CAPTCHA + StringConstants.DOT + "graphic"; /** * 行为验证码配置 */ - public static final String CAPTCHA_BEHAVIOR = CAPTCHA + ".behavior"; + public static final String CAPTCHA_BEHAVIOR = CAPTCHA + StringConstants.DOT + "behavior"; private PropertiesConstants() { } diff --git a/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/trace/TraceAutoConfiguration.java b/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/trace/TraceAutoConfiguration.java index 0eee27b3..a6b2a245 100644 
--- a/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/trace/TraceAutoConfiguration.java +++ b/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/trace/TraceAutoConfiguration.java @@ -25,13 +25,13 @@ import org.slf4j.LoggerFactory; import org.springframework.boot.autoconfigure.AutoConfiguration; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication; import org.springframework.boot.context.properties.EnableConfigurationProperties; import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Primary; import org.springframework.core.Ordered; import top.charles7c.continew.starter.core.constant.PropertiesConstants; -import top.charles7c.continew.starter.core.constant.StringConstants; /** * 链路跟踪自动配置 @@ -41,6 +41,7 @@ import top.charles7c.continew.starter.core.constant.StringConstants; * @since 1.3.0 */ @AutoConfiguration +@ConditionalOnWebApplication @EnableConfigurationProperties(TraceProperties.class) @ConditionalOnProperty(prefix = PropertiesConstants.TRACE, name = PropertiesConstants.ENABLED, havingValue = "true") public class TraceAutoConfiguration { @@ -70,10 +71,9 @@ public class TraceAutoConfiguration { * TLog 过滤器配置 */ @Bean - public FilterRegistrationBean filterRegistration() { + public FilterRegistrationBean tLogServletFilter() { FilterRegistrationBean registration = new FilterRegistrationBean<>(); registration.setFilter(new TLogServletFilter(traceProperties)); - registration.addUrlPatterns(StringConstants.PATH_PATTERN_CURRENT_DIR); registration.setOrder(Ordered.HIGHEST_PRECEDENCE); return registration; } 
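Review bot: `tLogServletFilter()` still returns the raw type `FilterRegistrationBean`, and the local is raw too; declaring both as `FilterRegistrationBean<TLogServletFilter>` keeps the generic contract and makes the diamond on `new FilterRegistrationBean<>()` infer something meaningful. Dropping `registration.addUrlPatterns(StringConstants.PATH_PATTERN_CURRENT_DIR)` presumably relies on the registration's default mapping covering every request; a one-line comment such as `// no URL pattern set: the registration defaults to matching all requests` would make that intent visible rather than leaving the reader to wonder whether the call was lost. The removal of the `StringConstants` import is consistent with that change. The class body continues outside the hunk.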
diff --git a/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssAutoConfiguration.java b/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssAutoConfiguration.java index 228f7ec0..3cc8d106 100644 --- a/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssAutoConfiguration.java +++ b/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssAutoConfiguration.java @@ -25,18 +25,22 @@ import org.springframework.context.annotation.Bean; import top.charles7c.continew.starter.core.constant.PropertiesConstants; /** - * XSS配置 + * XSS 过滤自动配置 * * @author whhya - * @since 1.0.0 + * @since 2.0.0 */ @AutoConfiguration @ConditionalOnWebApplication -@ConditionalOnProperty(prefix = PropertiesConstants.XSS, name = PropertiesConstants.ENABLED, havingValue = "true") @EnableConfigurationProperties(XssProperties.class) +@ConditionalOnProperty(prefix = PropertiesConstants.XSS, name = PropertiesConstants.ENABLED, havingValue = "true") public class XssAutoConfiguration { + + /** + * XSS 过滤器配置 + */ @Bean - public FilterRegistrationBean XssFilter(XssProperties xssProperties) { + public FilterRegistrationBean xssFilter(XssProperties xssProperties) { FilterRegistrationBean registrationBean = new FilterRegistrationBean<>(); registrationBean.setFilter(new XssFilter(xssProperties)); return registrationBean; diff --git a/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssFilter.java b/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssFilter.java index e467e0f4..3dac5d9c 100644 --- a/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssFilter.java +++ b/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssFilter.java 
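Review bot: `@ConditionalOnProperty(... havingValue = "true")` carries no `matchIfMissing`, so this auto-configuration is only registered when the `enabled` key under `PropertiesConstants.XSS` is set explicitly, whereas `XssProperties.enabled` defaults to `true` and `XssFilter.doFilter` re-checks `isEnabled()` at runtime; the three disagree about what an unconfigured application gets. Either add `matchIfMissing = true` so the property default is honoured, or state on the new `xssFilter` Javadoc that the filter is opt-in and the runtime check is a secondary switch. The bean also returns the raw `FilterRegistrationBean` and sets no order, so its position relative to the trace filter (which uses `Ordered.HIGHEST_PRECEDENCE`) is left to registration order; `FilterRegistrationBean<XssFilter>` plus an explicit `registrationBean.setOrder(...)` would pin both. The Javadoc should also carry `@param xssProperties XSS 过滤配置属性`.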
@@ -29,10 +29,10 @@ import java.io.IOException; import java.util.List; /** - * xss过滤器 + * XSS 过滤器 * * @author whhya - * @since 1.0.0 + * @since 2.0.0 */ public class XssFilter implements Filter { 
@@ -53,58 +53,46 @@ public class XssFilter implements Filter { public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { - HttpServletRequest req = (HttpServletRequest) servletRequest; - //未开启xss过滤,则直接跳过 - if (!xssProperties.isEnabled()) { - filterChain.doFilter(req, servletResponse); + // 未开启 XSS 过滤,则直接跳过 + if (servletRequest instanceof HttpServletRequest request && xssProperties.isEnabled()) { + // 放行路由:忽略 XSS 过滤() + List excludePatterns = xssProperties.getExcludePatterns(); + if (CollectionUtil.isNotEmpty(excludePatterns) && isMatchPath(request.getServletPath(), excludePatterns)) { + filterChain.doFilter(request, servletResponse); + return; + } + // 拦截路由:执行 XSS 过滤 + List includePatterns = xssProperties.getIncludePatterns(); + if (CollectionUtil.isNotEmpty(includePatterns)) { + if (isMatchPath(request.getServletPath(), includePatterns)) { + filterChain.doFilter(new XssServletRequestWrapper(request), servletResponse); + } else { + filterChain.doFilter(request, servletResponse); + } + return; + } + // 默认:执行 XSS 过滤 + filterChain.doFilter(new XssServletRequestWrapper(request), servletResponse); return; } - - //限定url地址 - List pathPatterns = xssProperties.getPathPatterns(); - - //判断是否匹配需要忽略地址 - List pathExcludePatterns = xssProperties.getPathExcludePatterns(); - if (CollectionUtil.isNotEmpty(pathPatterns)) { - if (isMatchPath(req.getServletPath(), pathExcludePatterns)) { - filterChain.doFilter(req, servletResponse); - return; - } - } - - //如果存在则限定path拦截 - if (CollectionUtil.isNotEmpty(pathPatterns)) { - //未匹配上限定地址,则直接不过滤 - if (isMatchPath(req.getServletPath(), pathPatterns)) { - filterChain.doFilter(new XssServletRequestWrapper(req), servletResponse); - return; - } else { - filterChain.doFilter(req, servletResponse); - return; - } - } - - //默认拦截 - filterChain.doFilter(new XssServletRequestWrapper((HttpServletRequest) servletRequest), servletResponse); + 
filterChain.doFilter(servletRequest, servletResponse); } /** * 判断数组中是否存在匹配的路径 * - * @param requestURL 请求地址 + * @param requestUrl 请求地址 * @param pathPatterns 指定匹配路径 - * @return true 匹配 false 不匹配 + * @return true:匹配;false:不匹配 */ - private static boolean isMatchPath(String requestURL, List pathPatterns) { + private static boolean isMatchPath(String requestUrl, List pathPatterns) { for (String pattern : pathPatterns) { PathPattern pathPattern = PathPatternParser.defaultInstance.parse(pattern); - PathContainer pathContainer = PathContainer.parsePath(requestURL); - boolean matches = pathPattern.matches(pathContainer); - if (matches) { + PathContainer pathContainer = PathContainer.parsePath(requestUrl); + if (pathPattern.matches(pathContainer)) { return true; } } return false; } - } diff --git a/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssProperties.java b/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssProperties.java index 63f3940b..0c4e7df3 100644 --- a/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssProperties.java +++ b/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssProperties.java @@ -23,27 +23,32 @@ import java.util.ArrayList; import java.util.List; /** - * xss配置属性 + * XSS 过滤配置属性 * * @author whhya - * @since 1.0.0 + * @since 2.0.0 */ @ConfigurationProperties(PropertiesConstants.XSS) public class XssProperties { + /** - * 是否启用Xss + * 是否启用 XSS 过滤 */ private boolean enabled = true; /** - * 拦截的路由,默认为空 + * 拦截路由(默认为空) + * + *
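Review bot: Both pattern checks in `doFilter` match against `request.getServletPath()`, which for a servlet mapped to a prefix (say `/api/*`, a constructed example) holds only that prefix while the remainder is in `getPathInfo()`; an `includePatterns` entry written against the full path would then never match and the wrapper would silently not be applied, and an `excludePatterns` entry would never release anything. Computing the path once as `String path = request.getServletPath() + Objects.toString(request.getPathInfo(), "");` (`java.util.Objects`) and passing it to both `isMatchPath` calls avoids that and removes the duplicated call. `isMatchPath` still re-parses every pattern via `PathPatternParser.defaultInstance.parse` on each request; the lists are fixed once `xssProperties` is injected, so parsing them once in the constructor (outside this hunk) would be cheaper. The comment `// 放行路由:忽略 XSS 过滤()` has a stray `()`.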

+ * 当拦截的路由配置不为空,则根据该配置执行过滤 + *

*/ - private List pathPatterns = new ArrayList<>(); + private List includePatterns = new ArrayList<>(); /** - * 放行的路由,默认为空 + * 放行路由(默认为空) */ - private List pathExcludePatterns = new ArrayList<>(); + private List excludePatterns = new ArrayList<>(); public boolean isEnabled() { return enabled; @@ -53,20 +58,19 @@ public class XssProperties { this.enabled = enabled; } - public List getPathPatterns() { - return pathPatterns; + public List getIncludePatterns() { + return includePatterns; } - public void setPathPatterns(List pathPatterns) { - this.pathPatterns = pathPatterns; + public void setIncludePatterns(List includePatterns) { + this.includePatterns = includePatterns; } - public List getPathExcludePatterns() { - return pathExcludePatterns; + public List getExcludePatterns() { + return excludePatterns; } - public void setPathExcludePatterns(List pathExcludePatterns) { - this.pathExcludePatterns = pathExcludePatterns; + public void setExcludePatterns(List excludePatterns) { + this.excludePatterns = excludePatterns; } - } diff --git a/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssServletRequestWrapper.java b/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssServletRequestWrapper.java index d4b2f1aa..b28e7f62 100644 --- a/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssServletRequestWrapper.java +++ b/continew-starter-web/src/main/java/top/charles7c/continew/starter/web/autoconfigure/xss/XssServletRequestWrapper.java @@ -31,10 +31,10 @@ import java.io.IOException; import java.io.StringReader; /** - * 针对XssServletRequest进行过滤的包装类 + * 针对 XssServletRequest 进行过滤的包装类 * * @author whh - * @since 1.0.0 + * @since 2.0.0 */ public class XssServletRequestWrapper extends HttpServletRequestWrapper { 
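Review bot: The Javadoc added for `includePatterns` says filtering follows that list when it is non-empty, but `XssFilter.doFilter` consults `excludePatterns` first, so a path matching both lists is released rather than filtered; state that precedence here, e.g. `* 放行路由优先于拦截路由:同时匹配时不执行 XSS 过滤`, and mirror it on `excludePatterns`. Renaming `pathPatterns`/`pathExcludePatterns` to `includePatterns`/`excludePatterns` also changes the bound property keys (presumably `path-patterns` → `include-patterns` under relaxed binding), so an existing setting silently stops binding: a stale exclude list means previously released paths are now filtered, and a stale include list means filtering widens to every path because an empty include list is the "filter everything" default. Keeping the old getters/setters for one release marked `@DeprecatedConfigurationProperty` and delegating to the new fields, or at least noting the rename in the changelog, would make that visible to upgraders.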
@@ -102,6 +102,7 @@ public class XssServletRequestWrapper extends HttpServletRequestWrapper { static ServletInputStream getServletInputStream(String body) { final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(body.getBytes()); return new ServletInputStream() { + @Override public int read() { return byteArrayInputStream.read(); } @@ -118,9 +119,8 @@ public class XssServletRequestWrapper extends HttpServletRequestWrapper { @Override public void setReadListener(ReadListener readListener) { - + // 设置监听器 } - }; } }
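Review bot: `body.getBytes()` on the context line of `getServletInputStream` uses the platform default charset, so the bytes handed back to the servlet may not match the encoding the body was read with (that read happens outside the hunk); pass an explicit charset, e.g. `body.getBytes(StandardCharsets.UTF_8)` or the request's declared character encoding, so non-ASCII content round-trips through the wrapper unchanged. The new comment `// 设置监听器` on the empty `setReadListener` describes what the method would do rather than why it does nothing; since the stream wraps an already-buffered `ByteArrayInputStream`, say so, e.g. `// No-op: the body is fully buffered, so async read notifications are never issued`, which also warns callers that a registered `ReadListener` will not be called back.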