参数校验注解的实现
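/**
 * Spring MVC configuration for request-parameter handling.
 *
 * <p>Replaces the Jackson message converter with a FastJson one (keeping Jackson's position
 * in the converter list) and registers the HTTPS-check and parameter-check interceptors on
 * every path.
 *
 * @author d
 * @since 2019/2/20 14:32
 */
@Configuration
public class WebMvcConfiguration implements WebMvcConfigurer {

    /** Path pattern both interceptors are registered on. */
    private static final String ALL_PATHS = "/**";

    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        // Insert FastJson at the index of the Jackson converter so it inherits Jackson's
        // priority; if no Jackson converter is registered it is appended at the end.
        int insertAt = converters.size();
        for (int i = 0; i < converters.size(); i++) {
            if (converters.get(i) instanceof MappingJackson2HttpMessageConverter) {
                insertAt = i;
                break;
            }
        }

        FastJsonConfig config = new FastJsonConfig();
        config.setSerializerFeatures(
                SerializerFeature.WriteDateUseDateFormat,
                SerializerFeature.WriteMapNullValue,
                SerializerFeature.QuoteFieldNames);

        FastJsonHttpMessageConverter converter = new FastJsonHttpMessageConverter();
        converter.setFastJsonConfig(config);

        // NOTE(review): TEXT_HTML means JSON payloads can be served as text/html, which a
        // browser renders as markup; confirm every endpoint using this converter intends that.
        List<MediaType> supportedMediaTypes = new ArrayList<>();
        supportedMediaTypes.add(MediaType.TEXT_HTML);
        supportedMediaTypes.add(MediaType.APPLICATION_JSON);
        supportedMediaTypes.add(MediaType.APPLICATION_ATOM_XML);
        converter.setSupportedMediaTypes(supportedMediaTypes);

        converters.add(insertAt, converter);
        // Jackson is removed only after the insert so the index computed above stays valid.
        converters.removeIf(type -> type instanceof MappingJackson2HttpMessageConverter);
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Registration order is execution order: the HTTPS check runs before parameter checks.
        registry.addInterceptor(getHttpsCheckInterceptor()).addPathPatterns(ALL_PATHS);
        registry.addInterceptor(getParamCheckInterceptor()).addPathPatterns(ALL_PATHS);
    }

    /**
     * Creates the HTTPS-check interceptor bean.
     *
     * @return the HTTPS-check interceptor
     */
    @Bean
    public HttpsCheckInterceptor getHttpsCheckInterceptor() {
        return new HttpsCheckInterceptor();
    }

    /**
     * Creates the parameter-check interceptor bean.
     *
     * @return the parameter-check interceptor
     */
    @Bean
    public ParamCheckInterceptor getParamCheckInterceptor() {
        return new ParamCheckInterceptor();
    }
}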
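/**
 * Request-parameter interceptor.
 *
 * <p>Before the handler runs, every value returned by {@code request.getParameterNames()}
 * (query string and form fields) is checked for length and then against two XSS blacklist
 * patterns; a failing value rejects the request with {@code API00001}. Headers and
 * JSON/XML request bodies are not inspected here. The regex check is a blacklist, so
 * output encoding in the view layer remains the primary XSS control.
 *
 * @author d
 * @since 2019/07/02
 */
public class ParamCheckInterceptor implements HandlerInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(ParamCheckInterceptor.class);

    /** Markup-like content: a bracketed tag or a C-style comment, one or more times. */
    private static final String XSS_PATTERN = "((<.+>)|(/\\*.*/))+";
    /** Individual risky tokens: angle brackets, entity/comment starts, script URL schemes, assignments to literals. */
    private static final String XSS_PATTERN2 = "<|>|\\$|>|<|&#|/\\*.*\\*/|vbscript:|javascript:|=\\s*[\\[{\"']";
    // Compiled once: the patterns are constants and Pattern instances are thread-safe.
    private static final Pattern PATTERN = Pattern.compile(XSS_PATTERN);
    private static final Pattern PATTERN2 = Pattern.compile(XSS_PATTERN2);

    // SLF4J only renders arguments for "{}" placeholders; the messages carry the parameter
    // name and the value length, never the value itself (see validPattern for why).
    private static final String TOO_LONG = "maybe risky param value-too long: {} (length {})";
    private static final String RISKY_VALUE = "maybe risky param value for: {} (length {})";
    private static final String API00001 = "API00001";

    /** Parameter that carries the uploaded key on {@link #UPLOAD_KEY_PATH}; gets a larger limit. */
    private static final String KEY_INFO_PARAM = "keyinfo";
    private static final String UPLOAD_KEY_PATH = "/uploadKey.htm";
    private static final int KEY_INFO_MAX_LENGTH = 20480;

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler,
            Exception exception) throws HwPayException {
        // NOTE(review): logged at INFO on every request; consider DEBUG if this is only a trace.
        LOG.info("afterCompletion");
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
            ModelAndView mav) throws HwPayException {
        // NOTE(review): logged at INFO on every request; consider DEBUG if this is only a trace.
        LOG.info("postHandle");
    }

    /**
     * Validates every present request parameter; rejects the request on the first bad one.
     *
     * @param request  the incoming request
     * @param response the response (unused)
     * @param handler  the resolved handler (unused)
     * @return {@code true} when all parameters pass
     * @throws HwPayException when the request is null or a parameter fails validation
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws HwPayException {
        // defect 6911012
        if (request == null) {
            throw new HwPayException(API00001);
        }
        // Wildcard instead of a raw Enumeration: assignable from either a raw or an
        // Enumeration<String> return type, so the String check below is kept.
        Enumeration<?> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            Object name = names.nextElement();
            if (name instanceof String && request.getParameter((String) name) != null) {
                validData(request, (String) name);
            }
        }
        return true;
    }

    /**
     * Validates one parameter: length first (cheap), then the regex blacklist.
     *
     * @param request   the incoming request
     * @param paramName name of the parameter to check
     * @throws HwPayException when the value is over-long or matches a risky pattern
     */
    private void validData(HttpServletRequest request, String paramName) throws HwPayException {
        String paramValue = StringUtils.trimToEmpty(request.getParameter(paramName));
        // A blank value carries no payload; nothing to check.
        if (StringUtils.isBlank(paramValue)) {
            return;
        }
        // Length is bounded before any regex runs so an over-long value cannot drive
        // expensive backtracking (both patterns contain .+ / .* quantifiers).
        if (ParamLengthEnum.containsCode(paramName)
                && paramValue.length() > ParamLengthEnum.getLength(paramName)) {
            LOG.info(TOO_LONG, paramName, paramValue.length());
            throw new HwPayException(API00001);
        }
        validDefaultAndKeyInfo(request, paramName, paramValue);
        validPattern(paramName, paramValue);
    }

    /**
     * Applies the default length limit, or the larger key-upload limit when the parameter
     * is {@code keyinfo} on {@code /uploadKey.htm}.
     *
     * @param request    the incoming request (servlet path decides the limit)
     * @param paramName  parameter name
     * @param paramValue trimmed, non-blank parameter value
     * @throws HwPayException when the value exceeds the applicable limit
     */
    private void validDefaultAndKeyInfo(HttpServletRequest request, String paramName, String paramValue)
            throws HwPayException {
        boolean keyUpload = KEY_INFO_PARAM.equalsIgnoreCase(paramName)
                && UPLOAD_KEY_PATH.equals(request.getServletPath());
        int maxLength = keyUpload ? KEY_INFO_MAX_LENGTH : ParamLengthEnum.DEFAULT_LENGTH.getLength();
        if (paramValue.length() > maxLength) {
            LOG.info(TOO_LONG, paramName, paramValue.length());
            throw new HwPayException(API00001);
        }
    }

    /**
     * Rejects values matching either XSS blacklist pattern, unless the parameter name is
     * whitelisted in {@code PatternValidEnum} (presumably parameters that legitimately carry
     * markup — confirm against that enum).
     *
     * @param paramName  parameter name
     * @param paramValue trimmed, non-blank parameter value
     * @throws HwPayException when the value matches a risky pattern and is not exempt
     */
    private void validPattern(String paramName, String paramValue) throws HwPayException {
        if (PatternValidEnum.containsCode(paramName)) {
            return;
        }
        if (PATTERN.matcher(paramValue).find() || PATTERN2.matcher(paramValue).find()) {
            // Only name and length are logged: the value just matched a markup/script pattern,
            // so writing it verbatim would copy attacker-controlled text into the log.
            LOG.info(RISKY_VALUE, paramName, paramValue.length());
            throw new HwPayException(API00001);
        }
    }
}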