Skip to content

P
performance
Commit 9df30473 by ryun
Options

反SQL注入白名单功能优化

parent b0fef222
Showing with 27 additions and 41 deletions
performance/Performance.Api/Filters/AntiSqlInjectFilter.cs
......@@ -6,6 +6,7 @@
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Options;
using Performance.DtoModels;
using Performance.DtoModels.AppSettings;
......@@ -92,30 +93,21 @@ public string GetSafetySql(string input)
public class AntiSqlInjectFilter : IAsyncActionFilter
{
private readonly IConfiguration _configuration;
private readonly Application _application;
public AntiSqlInjectFilter(IConfiguration configuration)
public AntiSqlInjectFilter(IOptions<Application> options)
{
_configuration = configuration;
_application = options.Value;
}
/// <inheritdoc />
public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
{
var openAntiSqlInject = _configuration.GetValue("Application:OpenAntiSqlInject", false);
if (openAntiSqlInject)
if (_application.OpenAntiSqlInject == true)
{
bool judgmentWhitelist = true;
var path = string.Format(context.RouteData.Values["Controller"] + @"/" + context.RouteData.Values["action"]).ToLower();
var routeWhiteLists = _configuration.GetSection("RouteWhiteList").AsEnumerable();
foreach (var item in routeWhiteLists)
var routePath = context.HttpContext.Request.Path.ToString();
if (_application.AntiSqlInjectRouteWhite?.Any(route => route.Equals(routePath)) != true)
{
if (!string.IsNullOrEmpty(item.Value))
if (item.Value.Equals(path))
judgmentWhitelist = false;
}
if (judgmentWhitelist)
foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
{
//如果不是值类型或接口,不需要过滤
......@@ -148,6 +140,7 @@ public AntiSqlInjectFilter(IConfiguration configuration)
}
}
}
}
await next();
}
......
performance/Performance.Api/appsettings.Localhost.json
......@@ -11,7 +11,13 @@
//"PerformanceConnectionString": "server=116.62.245.55;database=db_performance;uid=root;pwd=1234qwer;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;"
},
"Application": {
// 是否开启反SQL注入 默认关闭 true 开启 false 关闭
"OpenAntiSqlInject": true,
// 开启反SQL注入白名单地址
"AntiSqlInjectRouteWhite": [
"account/logins",
"account/quick/login"
],
//登录过期时间
"ExpirationMinutes": "1200",
//验证码过期
......@@ -46,11 +52,5 @@
],
"Period": "1", // 单位为秒
"Limit": 1
},
"RouteWhiteList": {
"Route": [
"account/logins",
"account/quick/login"
]
}
}
performance/Performance.Api/wwwroot/Performance.DtoModels.xml
......@@ -49,6 +49,11 @@
相对
</summary>
</member>
<member name="P:Performance.DtoModels.AppSettings.Application.OpenAntiSqlInject">
<summary>
是否开启反SQL注入 默认关闭 true 开启 false 关闭
</summary>
</member>
<member name="P:Performance.DtoModels.AppSettings.RateLimitingConfig.Endpoints">
<summary>
路径
......
performance/Performance.DtoModels/AppSettings/Application.cs
......@@ -18,26 +18,6 @@ public class Application
/// 短信模板
/// </summary>
public string SmsTemplate { get; set; }
///// <summary>
///// 护士长二次绩效管理员
///// </summary>
//public int NurseRole { get; set; }
///// <summary>
///// 科主任二次绩效管理员
///// </summary>
//public int DirectorRole { get; set; }
///// <summary>
///// 特殊科室二次绩效管理员
///// </summary>
//public int SpecialRole { get; set; }
///// <summary>
///// 数据收集角色(可查看所有)
///// </summary>
//public int[] CollectRoles { get; set; }
///// <summary>
///// 行政科室二次绩效管理员
///// </summary>
//public int OfficeRole { get; set; }
/// <summary>
/// 邮件指定接收人
/// </summary>
......@@ -50,5 +30,13 @@ public class Application
/// 相对
/// </summary>
public string HttpPath { get; set; }
/// <summary>
/// 是否开启反SQL注入 默认关闭 true 开启 false 关闭
/// </summary>
public bool? OpenAntiSqlInject { get; set; }
/// <summary>
/// 开启反SQL注入白名单地址
/// </summary>
public string[] AntiSqlInjectRouteWhite { get; set; }
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment