Commit 1041a2bf by ryun

Merge branch 'feature/SQL注入拦截' into release/v23.2.19高县版

parents d38321e2 e2058872
using System; using System;
using System.Collections;
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using System.Text.RegularExpressions; using System.Text.RegularExpressions;
...@@ -7,6 +8,7 @@ ...@@ -7,6 +8,7 @@
using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters; using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options; using Microsoft.Extensions.Options;
using Performance.DtoModels; using Performance.DtoModels;
using Performance.DtoModels.AppSettings; using Performance.DtoModels.AppSettings;
...@@ -94,10 +96,12 @@ public string GetSafetySql(string input) ...@@ -94,10 +96,12 @@ public string GetSafetySql(string input)
public class AntiSqlInjectFilter : IAsyncActionFilter public class AntiSqlInjectFilter : IAsyncActionFilter
{ {
private readonly Application _application; private readonly Application _application;
private readonly ILogger<AntiSqlInjectFilter> _logger;
public AntiSqlInjectFilter(IOptions<Application> options) public AntiSqlInjectFilter(ILogger<AntiSqlInjectFilter> logger, IOptions<Application> options)
{ {
_application = options.Value; _application = options.Value;
_logger = logger;
} }
/// <inheritdoc /> /// <inheritdoc />
...@@ -106,6 +110,8 @@ public AntiSqlInjectFilter(IOptions<Application> options) ...@@ -106,6 +110,8 @@ public AntiSqlInjectFilter(IOptions<Application> options)
if (_application.OpenAntiSqlInject == true) if (_application.OpenAntiSqlInject == true)
{ {
var routePath = context.HttpContext.Request.Path.ToString(); var routePath = context.HttpContext.Request.Path.ToString();
try
{
if (_application.AntiSqlInjectRouteWhite?.Any(route => Regex.IsMatch(routePath, route, RegexOptions.IgnoreCase)) != true) if (_application.AntiSqlInjectRouteWhite?.Any(route => Regex.IsMatch(routePath, route, RegexOptions.IgnoreCase)) != true)
{ {
foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value)) foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
...@@ -126,6 +132,40 @@ public AntiSqlInjectFilter(IOptions<Application> options) ...@@ -126,6 +132,40 @@ public AntiSqlInjectFilter(IOptions<Application> options)
} }
else if (value is not IFormCollection) else if (value is not IFormCollection)
{ {
if (value is string)
{
if (!AntiSqlInject.Instance.IsSafetySql(value.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
else if (value is IEnumerable objects)
{
foreach (var item in objects)
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{
var temp = pp.GetValue(item);
if (temp == null) continue;
if (temp is string)
{
if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
}
}
}
else
{
//是一个class,对class的属性中,string类型的属性进行过滤 //是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties(); var properties = pType.GetProperties();
foreach (var pp in properties) foreach (var pp in properties)
...@@ -147,6 +187,12 @@ public AntiSqlInjectFilter(IOptions<Application> options) ...@@ -147,6 +187,12 @@ public AntiSqlInjectFilter(IOptions<Application> options)
} }
} }
} }
}
catch (Exception ex)
{
_logger.LogError($"SQL注入过滤器出现异常:{routePath};{ex}");
}
}
await next(); await next();
} }
......
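Review bot: The new `catch (Exception ex)` wrapped around the whole check makes the filter fail open: any exception raised while scanning the action arguments is only logged and execution falls through to `await next()`, so a request that crashes the scanner is treated as if it had passed. Rethrow after logging, or short-circuit with the same `ResponseType.Dangerous` result, and hand the exception to the logger instead of interpolating it: `_logger.LogError(ex, "SQL注入过滤器出现异常:{RoutePath}", routePath); throw;`. Such a crash is likely with the new `foreach (var item in objects)` branch, because it calls `pType.GetProperties()` — `pType` is declared outside this hunk, and if it is the argument's own type as in the sibling `else` branch just below, those are the collection's properties and `pp.GetValue(item)` will throw for every element; elements that are themselves strings (e.g. a `List<string>`) are also never passed to `IsSafetySql`. Reflect on each element's runtime type and check string elements directly, as sketched below; the enclosing method starts and the outer argument loop continues outside this hunk.
```csharp
foreach (var item in objects)
{
    if (item is null) continue;
    if (item is string s)
    {
        if (!AntiSqlInject.Instance.IsSafetySql(s))
        {
            var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
            context.Result = new ObjectResult(response);
            return;
        }
        continue;
    }
    // Element is a class: reflect on its own type, not the collection's type.
    var properties = item.GetType().GetProperties();
    // … unchanged: per-property string check …
}
```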