spring gateway 集成sql注入过滤

Myth丶恋晨 2023-09-29 17:01 72阅读 0赞

#### spring gateway 集成sql注入过滤 ####

##### 一、创建过滤器 #####

创建一个过滤器实现于GlobalFilter接口。

获取当前url相关信息

//获取URI，以及头部
    ServerHttpRequest serverHttpRequest = exchange.getRequest();
    HttpMethod method = serverHttpRequest.getMethod();
    String contentType = serverHttpRequest.getHeaders().getFirst(HttpHeaders.CONTENT_TYPE);
    URI uri = exchange.getRequest().getURI();
    //1.动态刷新 sql注入的过滤的路径
    String path = serverHttpRequest.getURI().getRawPath();
    String[] matchUrls = this.getSqlinjectionHttpUrls();
    
    if (AuthUtils.isMatchPath(path, matchUrls)) {
        
        logger.error("请求【{}】在sql注入过滤白名单中，直接放行", path);
        return chain.filter(exchange);
    }

##### 二、get、post方法注入检测 #####

分开Get和Post方法进行检测

###### 1）get方法检测 ######

如果为Get方法，代码如下

if (method == HttpMethod.GET) {
        
        String rawQuery = uri.getRawQuery();
        if (StringUtils.isBlank(rawQuery)) {
        
            return chain.filter(exchange);
        }
        logger.debug("请求参数为：{}", rawQuery);
    
        // 执行sql注入校验清理
        boolean chkRet = false;
        try {
        
            chkRet = sqlInjectionRuleUtils.getRequestSqlKeyWordsCheck(rawQuery);
        } catch (UnsupportedEncodingException e) {
        
            e.printStackTrace();
        }
        //如果存在sql注入,直接拦截请求
        if (chkRet) {
        
            logger.error("请求【" + uri.getRawPath() + uri.getRawQuery() + "】参数中包含不允许sql的关键词, 请求拒绝");
            return setUnauthorizedResponse(exchange);
        }
        //透传参数，不对参数做任何处理
        return chain.filter(exchange);
    }

get方法注入检测实现方法getRequestSqlKeyWordsCheck如下

public static boolean getRequestSqlKeyWordsCheck(String value) throws UnsupportedEncodingException {
        
        //参数需要url编码
        //这里需要将参数转换为小写来处理
        //不改变原值
        //value示例 order=asc&pageNum=1&pageSize=100&parentId=0
        String lowerValue = URLDecoder.decode(value, "UTF-8").toLowerCase();
        //获取到请求中所有参数值-取每个key=value组合第一个等号后面的值
        return Stream.of(lowerValue.split("\\&"))
            .map(kp -> kp.substring(kp.indexOf("=") + 1))
            .parallel()
            .anyMatch(param -> {
        
                if (sqlPattern.matcher(param).find()) {
        
                    logger.error("参数中包含不允许sql的关键词");
                    return true;
                }
                return false;
            });
    }

###### 2）post方法检测 ######

如果为Post方法：

//post请求时，如果是文件上传之类的请求，不修改请求消息体
    else if (postFlag) {
        
        return DataBufferUtils.join(serverHttpRequest.getBody()).flatMap(d -> Mono.just(Optional.of(d))).defaultIfEmpty(
            Optional.empty())
            .flatMap(optional -> {
        
                // 取出body中的参数
                String bodyString = "";
                if (optional.isPresent()) {
        
                    byte[] oldBytes = new byte[optional.get().readableByteCount()];
                    optional.get().read(oldBytes);
                    bodyString = new String(oldBytes, StandardCharsets.UTF_8);
                }
                HttpHeaders httpHeaders = serverHttpRequest.getHeaders();
                logger.debug("{} - [{}] 请求参数：{}", method, uri.getPath(), bodyString);
                boolean chkRet = false;
                if (MediaType.APPLICATION_JSON_VALUE.equals(contentType)) {
        
                    //如果MediaType是json才执行json方式验证
                    chkRet = sqlInjectionRuleUtils.postRequestSqlKeyWordsCheck(bodyString);
                } else {
        
                    //form表单方式，需要走get请求
                    try {
        
                        chkRet = sqlInjectionRuleUtils.getRequestSqlKeyWordsCheck(bodyString);
                    } catch (UnsupportedEncodingException e) {
        
                        e.printStackTrace();
                    }
                }
                
                //  如果存在sql注入,直接拦截请求
                if (chkRet) {
        
                    logger.error("{} - [{}] 参数：{}, 包含不允许sql的关键词，请求拒绝", method, uri.getPath(), bodyString);
                    return setUnauthorizedResponse(exchange);
                }
                
                //检验完成后，重新构造post方法发送给相应处理的控制器
                ServerHttpRequest newRequest = serverHttpRequest.mutate().uri(uri).build();
                // 重新构造body
                byte[] newBytes = bodyString.getBytes(StandardCharsets.UTF_8);
                DataBuffer bodyDataBuffer = toDataBuffer(newBytes);
                Flux<DataBuffer> bodyFlux = Flux.just(bodyDataBuffer);
                // 重新构造header
                HttpHeaders headers = new HttpHeaders();
                headers.putAll(httpHeaders);
                // 由于修改了传递参数，需要重新设置CONTENT_LENGTH，长度是字节长度，不是字符串长度
                int length = newBytes.length;
                headers.remove(HttpHeaders.CONTENT_LENGTH);
                headers.setContentLength(length);
                headers.set(HttpHeaders.CONTENT_TYPE, contentType);
                // 重写ServerHttpRequestDecorator，修改了body和header，重写getBody和getHeaders方法
                newRequest = new ServerHttpRequestDecorator(newRequest) {
        
                    @Override
                    public Flux<DataBuffer> getBody() {
        
                        return bodyFlux;
                    }
                    @Override
                    public HttpHeaders getHeaders() {
        
                        return headers;
                    }
                };
                return chain.filter(exchange.mutate().request(newRequest).build());
            });
    }

post方法sql注入检验实现postRequestSqlKeyWordsCheck如下

public static boolean postRequestSqlKeyWordsCheck(String value) {
        
        Object jsonObj = JSON.parse(value);
        if (jsonObj instanceof JSONObject) {
        
            JSONObject json = (JSONObject) jsonObj;
            Map<String, Object> map = json;
            //对post请求参数值进行sql注入检验
            return map.entrySet().stream().parallel().anyMatch(entry -> {
        
                //这里需要将参数转换为小写来处理
                String lowerValue = Optional.ofNullable(entry.getValue())
                    .map(Object::toString)
                    .map(String::toLowerCase)
                    .orElse("");
                if (sqlPattern.matcher(lowerValue).find()) {
        
                    logger.error("参数[{}]中包含不允许sql的关键词", lowerValue);
                    return true;
                }
                return false;
            });
        } else {
        
            JSONArray json = (JSONArray) jsonObj;
            List<Object> list = json;
            //对post请求参数值进行sql注入检验
            return list.stream().parallel().anyMatch(obj -> {
        
                //这里需要将参数转换为小写来处理
                String lowerValue = Optional.ofNullable(obj)
                    .map(Object::toString)
                    .map(String::toLowerCase)
                    .orElse("");
                if (sqlPattern.matcher(lowerValue).find()) {
        
                    logger.error("参数[{}]中包含不允许sql的关键词", lowerValue);
                    return true;
                }
                return false;
            });
        }
    }

##### 三、完整代码 #####

###### 1）SqlInjectionFilter ######

/**
     * sql注入检查过滤器
     */
    @Component
    @RefreshScope
    public class SqlInjectionFilter implements GlobalFilter, Ordered{
        
        private final Logger logger = LoggerFactory.getLogger(getClass());
    
    
        // 设置白名单路径
        private String[] sqlInjectionHttpUrls = new String[0];
    
        @Override
        public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        
            // grab configuration from Config object
            logger.debug("----自定义防sql注入网关全局过滤器生效----");
            //获取URI，以及头部
            ServerHttpRequest serverHttpRequest = exchange.getRequest();
            HttpMethod method = serverHttpRequest.getMethod();
            String contentType = serverHttpRequest.getHeaders().getFirst(HttpHeaders.CONTENT_TYPE);
            URI uri = exchange.getRequest().getURI();
            //1.动态刷新 sql注入的过滤的路径
            String path = serverHttpRequest.getURI().getRawPath();
            String[] matchUrls = this.getSqlinjectionHttpUrls();
    
            if (AuthUtils.isMatchPath(path, matchUrls)) {
        
                logger.error("请求【{}】在sql注入过滤白名单中，直接放行", path);
                return chain.filter(exchange);
            }
    
            Boolean postFlag = (method == HttpMethod.POST || method == HttpMethod.PUT) &&
                (MediaType.APPLICATION_FORM_URLENCODED_VALUE.equalsIgnoreCase(contentType) || MediaType.APPLICATION_JSON_VALUE.equals(contentType));
    
            //过滤get请求
            if (method == HttpMethod.GET) {
        
                String rawQuery = uri.getRawQuery();
                if (StringUtils.isBlank(rawQuery)) {
        
                    return chain.filter(exchange);
                }
                logger.debug("请求参数为：{}", rawQuery);
    
                // 执行sql注入校验清理
                boolean chkRet = false;
                try {
        
                    chkRet = sqlInjectionRuleUtils.getRequestSqlKeyWordsCheck(rawQuery);
                } catch (UnsupportedEncodingException e) {
        
                    e.printStackTrace();
                }
                //如果存在sql注入,直接拦截请求
                if (chkRet) {
        
                    logger.error("请求【" + uri.getRawPath() + uri.getRawQuery() + "】参数中包含不允许sql的关键词, 请求拒绝");
                    return setUnauthorizedResponse(exchange);
                }
                //透传参数，不对参数做任何处理
                return chain.filter(exchange);
            }
            //post请求时，如果是文件上传之类的请求，不修改请求消息体
            else if (postFlag) {
        
                return DataBufferUtils.join(serverHttpRequest.getBody()).flatMap(d -> Mono.just(Optional.of(d))).defaultIfEmpty(
                    Optional.empty())
                    .flatMap(optional -> {
        
                        // 取出body中的参数
                        String bodyString = "";
                        if (optional.isPresent()) {
        
                            byte[] oldBytes = new byte[optional.get().readableByteCount()];
                            optional.get().read(oldBytes);
                            bodyString = new String(oldBytes, StandardCharsets.UTF_8);
                        }
                        HttpHeaders httpHeaders = serverHttpRequest.getHeaders();
                        logger.debug("{} - [{}] 请求参数：{}", method, uri.getPath(), bodyString);
                        boolean chkRet = false;
                        if (MediaType.APPLICATION_JSON_VALUE.equals(contentType)) {
        
                            //如果MediaType是json才执行json方式验证
                            chkRet = sqlInjectionRuleUtils.postRequestSqlKeyWordsCheck(bodyString);
                        } else {
        
                            //form表单方式，需要走get请求
                            try {
        
                                chkRet = sqlInjectionRuleUtils.getRequestSqlKeyWordsCheck(bodyString);
                            } catch (UnsupportedEncodingException e) {
        
                                e.printStackTrace();
                            }
                        }
                        //  如果存在sql注入,直接拦截请求
                        if (chkRet) {
        
                            logger.error("{} - [{}] 参数：{}, 包含不允许sql的关键词，请求拒绝", method, uri.getPath(), bodyString);
                            return setUnauthorizedResponse(exchange);
                        }
                        ServerHttpRequest newRequest = serverHttpRequest.mutate().uri(uri).build();
                        // 重新构造body
                        byte[] newBytes = bodyString.getBytes(StandardCharsets.UTF_8);
                        DataBuffer bodyDataBuffer = toDataBuffer(newBytes);
                        Flux<DataBuffer> bodyFlux = Flux.just(bodyDataBuffer);
                        // 重新构造header
                        HttpHeaders headers = new HttpHeaders();
                        headers.putAll(httpHeaders);
                        // 由于修改了传递参数，需要重新设置CONTENT_LENGTH，长度是字节长度，不是字符串长度
                        int length = newBytes.length;
                        headers.remove(HttpHeaders.CONTENT_LENGTH);
                        headers.setContentLength(length);
                        headers.set(HttpHeaders.CONTENT_TYPE, contentType);
                        // 重写ServerHttpRequestDecorator，修改了body和header，重写getBody和getHeaders方法
                        newRequest = new ServerHttpRequestDecorator(newRequest) {
        
                            @Override
                            public Flux<DataBuffer> getBody() {
        
                                return bodyFlux;
                            }
                            @Override
                            public HttpHeaders getHeaders() {
        
                                return headers;
                            }
                        };
                        return chain.filter(exchange.mutate().request(newRequest).build());
                    });
            } else {
        
                return chain.filter(exchange);
            }
        }
        // 自定义过滤器执行的顺序，数值越大越靠后执行，越小就越先执行
        @Override
        public int getOrder() {
        
            return Ordered.HIGHEST_PRECEDENCE;
        }
        /**
         * 设置403拦截状态
         */
        private Mono<Void> setUnauthorizedResponse(ServerWebExchange exchange) {
        
            return WebfluxResponseUtil.responseFailed(exchange, HttpStatus.FORBIDDEN.value(),
                                                      "request is forbidden, SQL keywords are not allowed in the parameters.");
        }
        /**
         * 字节数组转DataBuffer
         *
         * @param bytes 字节数组
         * @return DataBuffer
         */
        private DataBuffer toDataBuffer(byte[] bytes) {
        
            NettyDataBufferFactory nettyDataBufferFactory = new NettyDataBufferFactory(ByteBufAllocator.DEFAULT);
            DataBuffer buffer = nettyDataBufferFactory.allocateBuffer(bytes.length);
            buffer.write(bytes);
            return buffer;
        }
    
        public String[] getSqlinjectionHttpUrls() {
        
            return sqlInjectionHttpUrls;
        }
        public void setSqlinjectionHttpUrls(String[] sqlinjectionHttpUrls) {
        
            this.sqlInjectionHttpUrls = sqlinjectionHttpUrls;
        }
    }

###### 2）sqlInjectionRuleUtls ######

public class sqlInjectionRuleUtils {
        
        private static final Logger logger = LoggerFactory.getLogger(sqlInjectionRuleUtils.class);
        private static final String badStrReg = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
        private static final Pattern sqlPattern = Pattern.compile(badStrReg, Pattern.CASE_INSENSITIVE);//整体都忽略大小写
        /**
         * get请求sql注入校验
         *
         */
        public static boolean getRequestSqlKeyWordsCheck(String value) throws UnsupportedEncodingException {
        
            //参数需要url编码
            //这里需要将参数转换为小写来处理
            //不改变原值
            //value示例 order=asc&pageNum=1&pageSize=100&parentId=0
            String lowerValue = URLDecoder.decode(value, "UTF-8").toLowerCase();
            //获取到请求中所有参数值-取每个key=value组合第一个等号后面的值
            return Stream.of(lowerValue.split("\\&"))
                .map(kp -> kp.substring(kp.indexOf("=") + 1))
                .parallel()
                .anyMatch(param -> {
        
                    if (sqlPattern.matcher(param).find()) {
        
                        logger.error("参数中包含不允许sql的关键词");
                        return true;
                    }
                    return false;
                });
        }
        /**
         * post请求sql注入校验
         *
         */
        public static boolean postRequestSqlKeyWordsCheck(String value) {
        
            Object jsonObj = JSON.parse(value);
            if (jsonObj instanceof JSONObject) {
        
                JSONObject json = (JSONObject) jsonObj;
                Map<String, Object> map = json;
                //对post请求参数值进行sql注入检验
                return map.entrySet().stream().parallel().anyMatch(entry -> {
        
                    //这里需要将参数转换为小写来处理
                    String lowerValue = Optional.ofNullable(entry.getValue())
                        .map(Object::toString)
                        .map(String::toLowerCase)
                        .orElse("");
                    if (sqlPattern.matcher(lowerValue).find()) {
        
                        logger.error("参数[{}]中包含不允许sql的关键词", lowerValue);
                        return true;
                    }
                    return false;
                });
            } else {
        
                JSONArray json = (JSONArray) jsonObj;
                List<Object> list = json;
                //对post请求参数值进行sql注入检验
                return list.stream().parallel().anyMatch(obj -> {
        
                    //这里需要将参数转换为小写来处理
                    String lowerValue = Optional.ofNullable(obj)
                        .map(Object::toString)
                        .map(String::toLowerCase)
                        .orElse("");
                    if (sqlPattern.matcher(lowerValue).find()) {
        
                        logger.error("参数[{}]中包含不允许sql的关键词", lowerValue);
                        return true;
                    }
                    return false;
                });
            }
        }
    }

###### 3）AuthUtils ######

@Slf4j
    public class AuthUtils {
        
        private AuthUtils() {
        
            throw new IllegalStateException("Utility class");
        }
    
        private static final String BASIC_ = "Basic ";
    
        /**
         * 通配符匹配要过滤的路径
         * @param path 要匹配的路径
         * @param urls Spring通配符路径
         */
        public static boolean isMatchPath(String path, String... urls){
        
            return Arrays.stream(urls).anyMatch(igUrl -> {
        
                PathMatcher pm = new AntPathMatcher();
                return pm.match(igUrl, path);
            });
        }
    }

###### 4）WebfluxResponseUtli ######

public class WebfluxResponseUtil {
        
        /**
         * webflux的response返回json对象
         */
        public static Mono<Void> responseWriter(Boolean success, ServerWebExchange exchange, int httpStatus, String msg) {
        
            Result result = Result.of(success, null, httpStatus, msg, null);
            return responseWrite(exchange, httpStatus, result);
        }
    
        public static Mono<Void> responseFailed(ServerWebExchange exchange, String msg) {
        
            Result result = Result.failed(msg);
            return responseWrite(exchange, HttpStatus.INTERNAL_SERVER_ERROR.value(), result);
        }
    
        public static Mono<Void> responseFailed(ServerWebExchange exchange, int code, int httpStatus, String msg) {
        
            Result result = Result.failed(code, msg, null);
            return responseWrite(exchange, httpStatus, result);
        }
    
        public static Mono<Void> responseFailed(ServerWebExchange exchange, int httpStatus, String msg) {
        
            Result result = Result.failed(httpStatus, msg, null);
            return responseWrite(exchange, httpStatus, result);
        }
    
        public static Mono<Void> responseWrite(ServerWebExchange exchange, int httpStatus, Result result) {
        
            if (httpStatus == 0) {
        
                httpStatus = HttpStatus.INTERNAL_SERVER_ERROR.value();
            }
            ServerHttpResponse response = exchange.getResponse();
            response.getHeaders().setAccessControlAllowCredentials(true);
            response.getHeaders().setAccessControlAllowOrigin("*");
            response.setStatusCode(HttpStatus.valueOf(httpStatus));
            response.getHeaders().setContentType(MediaType.APPLICATION_JSON_UTF8);
            DataBufferFactory dataBufferFactory = response.bufferFactory();
            DataBuffer buffer = dataBufferFactory.wrap(JSONObject.toJSONString(result).getBytes(Charset.defaultCharset()));
            return response.writeWith(Mono.just(buffer)).doOnError((error) -> {
        
                DataBufferUtils.release(buffer);
            });
        }
    }