Commit 1041a2bf by ryun

Merge branch 'feature/SQL注入拦截' into release/v23.2.19高县版

parents d38321e2 e2058872
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
......@@ -7,6 +8,7 @@
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Performance.DtoModels;
using Performance.DtoModels.AppSettings;
......@@ -94,10 +96,12 @@ public string GetSafetySql(string input)
public class AntiSqlInjectFilter : IAsyncActionFilter
{
private readonly Application _application;
private readonly ILogger<AntiSqlInjectFilter> _logger;
public AntiSqlInjectFilter(IOptions<Application> options)
public AntiSqlInjectFilter(ILogger<AntiSqlInjectFilter> logger, IOptions<Application> options)
{
_application = options.Value;
_logger = logger;
}
/// <inheritdoc />
......@@ -106,46 +110,88 @@ public AntiSqlInjectFilter(IOptions<Application> options)
if (_application.OpenAntiSqlInject == true)
{
var routePath = context.HttpContext.Request.Path.ToString();
if (_application.AntiSqlInjectRouteWhite?.Any(route => Regex.IsMatch(routePath, route, RegexOptions.IgnoreCase)) != true)
try
{
foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
if (_application.AntiSqlInjectRouteWhite?.Any(route => Regex.IsMatch(routePath, route, RegexOptions.IgnoreCase)) != true)
{
//如果不是值类型或接口,不需要过滤
var pType = value.GetType();
if (!pType.IsClass) continue;
//对string类型过滤
if (value is string)
foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
{
if (!AntiSqlInject.Instance.IsSafetySql(value.ToString()))
//如果不是值类型或接口,不需要过滤
var pType = value.GetType();
if (!pType.IsClass) continue;
//对string类型过滤
if (value is string)
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
if (!AntiSqlInject.Instance.IsSafetySql(value.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
}
else if (value is not IFormCollection)
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
else if (value is not IFormCollection)
{
var temp = pp.GetValue(value);
if (temp == null) continue;
if (temp is string)
if (value is string)
{
if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
if (!AntiSqlInject.Instance.IsSafetySql(value.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
else if (value is IEnumerable objects)
{
foreach (var item in objects)
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{
var temp = pp.GetValue(item);
if (temp == null) continue;
if (temp is string)
{
if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
}
}
}
else
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{
var temp = pp.GetValue(value);
if (temp == null) continue;
if (temp is string)
{
if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
}
}
}
}
}
}
catch (Exception ex)
{
_logger.LogError($"SQL注入过滤器出现异常:{routePath};{ex}");
}
}
await next();
}
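Review bot: The new `else if (value is IEnumerable objects)` branch reflects over `pType` — the type of the collection argument itself, not of its elements — so for a `List<Foo>` or `string[]` it enumerates `Capacity`/`Count`/`Length` and `pp.GetValue(item)` throws a `TargetException` on the first element, meaning list arguments are never actually scanned. Because the new `catch (Exception ex)` only logs and then falls through to `await next()`, that exception — and any other failure inside the filter — lets the request proceed unchecked, i.e. the control fails open on exactly the inputs it was extended to cover. The inner `if (value is string)` inside the `is not IFormCollection` branch is also unreachable, since strings are already handled by the earlier `if (value is string)` branch. Suggest reflecting `item.GetType()`, checking string elements directly, skipping indexer properties, and either rethrowing or returning the `Dangerous` result from the catch; if fail-open is a deliberate availability choice, record that in a comment, but the reflection bug still has to be fixed so the catch is not hit on every non-empty list. The method this hunk edits starts above the hunk, and a regex blacklist like this is defence-in-depth only — parameterised queries in the data layer remain the actual fix.
```csharp
else if (value is IEnumerable objects)
{
    foreach (var item in objects)
    {
        if (item is null) continue;
        // A collection of strings: check each element directly.
        if (item is string s)
        {
            if (!AntiSqlInject.Instance.IsSafetySql(s))
            {
                context.Result = new ObjectResult(new ApiResponse(ResponseType.Dangerous, "危险操作已拦截"));
                return;
            }
            continue;
        }
        // Reflect the element's own type, not the collection type (pType).
        foreach (var pp in item.GetType().GetProperties())
        {
            if (pp.GetIndexParameters().Length > 0) continue; // skip indexers, GetValue would throw
            if (pp.GetValue(item) is string temp && !AntiSqlInject.Instance.IsSafetySql(temp))
            {
                context.Result = new ObjectResult(new ApiResponse(ResponseType.Dangerous, "危险操作已拦截"));
                return;
            }
        }
    }
}
// … unchanged: plain-class branch, loop and route-whitelist closing braces …
catch (Exception ex)
{
    // Fail closed: a failure inside the scanner must not let the request through unchecked.
    _logger.LogError(ex, "SQL注入过滤器出现异常:{RoutePath}", routePath);
    context.Result = new ObjectResult(new ApiResponse(ResponseType.Dangerous, "危险操作已拦截"));
    return;
}
```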