SpringBoot通过AOP实现Xss攻击拦截
1、定义Xss工具类
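import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Request-parameter XSS screen: rejects a value that contains any of a fixed
 * set of script-like fragments. XssParamAspect calls this for every
 * controller argument.
 *
 * <p>This is an input blacklist and cannot be complete (encoded payloads,
 * other tags and attributes are not covered). Treat it as defence in depth;
 * output encoding in views/JSON responses remains the primary control.
 *
 * <p>NOTE(review): the HTML-like text inside the tag patterns
 * ({@code <script>}, {@code </script>}, {@code <iframe>} ...) was stripped when
 * this listing was rendered; it has been restored from the adjacent comments.
 * Confirm the restored entries against the original source before use.
 */
public class XssUtils {

    private XssUtils() {
    }

    /**
     * Fragments that mark a value as unsafe. Each one is searched for anywhere
     * in the value (Matcher.find), not compared against the whole value.
     */
    private static final Pattern[] PATTERNS = {
        // Avoid anything in a <script>...</script> type of expression
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        // Avoid anything in a src='...' type of expression
        Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Remove any lonesome </script> tag
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        // Avoid anything in a <iframe>...</iframe> type of expression (tag name restored — confirm)
        Pattern.compile("<iframe>(.*?)</iframe>", Pattern.CASE_INSENSITIVE),
        // Remove any lonesome </iframe> tag (tag name restored — confirm)
        Pattern.compile("</iframe>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Remove any lonesome <script ...> tag
        Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Avoid eval(...) expressions
        Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Avoid expression(...) expressions
        Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Avoid javascript:... expressions
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        // Avoid vbscript:... expressions
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        // Avoid on<event>=... handler attributes (onload, onerror, ...)
        Pattern.compile("on(load|error|mouseover|submit|reset|focus|click)(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)
    };

    /**
     * Same as {@link #stripXSS(String, String)} with no field name in the
     * error message.
     *
     * @param value the raw parameter value; may be null
     * @return value, unchanged
     */
    public static String stripXSS(String value) {
        return stripXSS(null, value);
    }

    /**
     * Returns {@code value} unchanged when it is null, empty, or contains none
     * of the blacklisted fragments; otherwise rejects it.
     *
     * @param key   field name reported in the error message, or null
     * @param value the raw parameter value; may be null
     * @return value, unchanged
     * @throws IllegalArgumentException when any blacklisted fragment is found
     *                                  (a RuntimeException, so existing
     *                                  callers catching that still work)
     */
    public static String stripXSS(String key, String value) {
        // Inline null/empty check; the listing relied on an un-imported StringUtils.
        if (value == null || value.isEmpty()) {
            return value;
        }
        for (Pattern scriptPattern : PATTERNS) {
            Matcher matcher = scriptPattern.matcher(value);
            // find(): the fragment may appear anywhere in the value. matches()
            // required the WHOLE value to equal the pattern, so e.g. "javascript:"
            // only fired on an argument that was exactly "javascript:".
            if (matcher.find()) {
                // Reject instead of stripping (replaceAll("")): removing a match can
                // leave a still-valid payload behind, and the caller learns nothing.
                String msg = key == null ? "" : "字段:" + key + ",";
                throw new IllegalArgumentException(msg + "存在非法关键字符");
            }
        }
        return value;
    }
}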
2、定义AOP
在AOP中,设置Controller所在包为切入点,对所有经过的请求进行Xss验证
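import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.TypeReference;
import com.lhz.common.utils.XssUtils;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.annotation.Pointcut;
import org.springframework.stereotype.Component;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

/**
 * Screens every argument of every controller method under
 * {@code org.project.controller} with {@code XssUtils.stripXSS} before the
 * handler runs. Strings are checked directly; Map, Collection and array
 * arguments are walked so nested String values are checked too; any other
 * object is converted to its JSON tree and walked the same way. stripXSS
 * throws on a match and that exception propagates out of the advice, aborting
 * the request.
 *
 * <p>The listing printed the whole parameter map to stdout after checking it;
 * that line is gone, because it would write every request body (passwords,
 * tokens, personal data) to the console log.
 */
@Component
@Aspect
public class XssParamAspect {

    // org.project.controller is the package that holds the controllers.
    @Pointcut("execution(* org.project.controller..*.*(..))")
    public void xssPoint() {
    }

    /**
     * Before-advice entry point: checks each argument of the intercepted call.
     *
     * @param point the join point; only its arguments are read
     */
    @Before("xssPoint()")
    public void paramValid(JoinPoint point) {
        for (Object arg : point.getArgs()) {
            checkValue(null, arg);
        }
    }

    /**
     * Checks one value, descending into containers.
     *
     * @param key   field name reported in the error message (null at top level)
     * @param value argument or nested field value; may be null
     */
    private static void checkValue(String key, Object value) {
        // null (e.g. an absent optional parameter), numbers and booleans carry no
        // markup. The listing serialised null to the text "null", which parsed to a
        // null map and threw NullPointerException on map.forEach.
        if (value == null || value instanceof Number || value instanceof Boolean) {
            return;
        }
        if (value instanceof CharSequence) {
            XssUtils.stripXSS(key, value.toString());
        } else if (value instanceof Map) {
            ((Map<?, ?>) value).forEach((k, v) -> checkValue(String.valueOf(k), v));
        } else if (value instanceof Collection) {
            for (Object item : (Collection<?>) value) {
                checkValue(key, item);
            }
        } else if (value instanceof Object[]) {
            for (Object item : (Object[]) value) {
                checkValue(key, item);
            }
        } else {
            checkBean(key, value);
        }
    }

    /**
     * Walks a bean through its JSON view. {@code JSON.parse} returns a
     * JSONObject (a Map) for objects and a JSONArray (a List) for arrays, so the
     * result is fed back to {@link #checkValue}; scalars come back as
     * String/Number/Boolean and are handled there as well. The listing parsed
     * into a flat HashMap and checked only top-level String values, so a
     * collection argument failed to parse and nested fields were never checked.
     *
     * @param key  field name for the error message (null at top level)
     * @param bean a non-container argument value
     */
    private static void checkBean(String key, Object bean) {
        // This round-trips the server's own serialisation of an already-bound
        // argument; it is not parsing client-supplied JSON.
        // NOTE(review): non-bean framework arguments (servlet request/response,
        // multipart files) also reach this point and are serialised by fastjson,
        // as in the listing — consider skipping them by type.
        Object tree = JSON.parse(JSON.toJSONString(bean));
        checkValue(key, tree);
    }
}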