反SQL注入白名单功能优化

9df30473 · ryun · b0fef222 · 9df30473 · 9df30473 · 9df30473
Commit 9df30473 authored Feb 16, 2023 by ryun
4 changed files
--- a/performance/Performance.Api/Filters/AntiSqlInjectFilter.cs
+++ b/performance/Performance.Api/Filters/AntiSqlInjectFilter.cs
@@ -6,6 +6,7 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Options;
 using Performance.DtoModels;
 using Performance.DtoModels.AppSettings;
@@ -92,30 +93,21 @@ public string GetSafetySql(string input)
    public class AntiSqlInjectFilter : IAsyncActionFilter
    {
        private readonly IConfiguration _configuration;
+        private readonly Application _application;
-        public AntiSqlInjectFilter(IConfiguration configuration)
+        public AntiSqlInjectFilter(IOptions<Application> options)
        {
-            _configuration = configuration;
+            _application = options.Value;
        }
        /// <inheritdoc />
        public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next)
        {
-            var openAntiSqlInject = _configuration.GetValue("Application:OpenAntiSqlInject", false);
+            if (_application.OpenAntiSqlInject == true)
-            if (openAntiSqlInject)
            {
-                bool judgmentWhitelist = true;
+                var routePath = context.HttpContext.Request.Path.ToString();
-                var path = string.Format(context.RouteData.Values["Controller"] + @"/" + context.RouteData.Values["action"]).ToLower();
+                if (_application.AntiSqlInjectRouteWhite?.Any(route => route.Equals(routePath)) != true)
-                var routeWhiteLists = _configuration.GetSection("RouteWhiteList").AsEnumerable();
-                foreach (var item in routeWhiteLists)
                {
-                    if (!string.IsNullOrEmpty(item.Value))
-                        if (item.Value.Equals(path))
-                            judgmentWhitelist = false;
-                }
-                if (judgmentWhitelist)
                    foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
                    {
                        //如果不是值类型或接口，不需要过滤
@@ -148,6 +140,7 @@ public AntiSqlInjectFilter(IConfiguration configuration)
                        }
                    }
                }
+            }
            await next();
        }

--- a/performance/Performance.Api/appsettings.Localhost.json
+++ b/performance/Performance.Api/appsettings.Localhost.json
@@ -11,7 +11,13 @@
    //"PerformanceConnectionString": "server=116.62.245.55;database=db_performance;uid=root;pwd=1234qwer;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;"
  },
  "Application": {
+    // 是否开启反SQL注入 默认关闭  true 开启  false 关闭
    "OpenAntiSqlInject": true,
+    // 开启反SQL注入白名单地址
+    "AntiSqlInjectRouteWhite": [
+      "account/logins",
+      "account/quick/login"
+    ],
    //登录过期时间
    "ExpirationMinutes": "1200",
    //验证码过期
@@ -46,11 +52,5 @@
    ],
    "Period": "1", // 单位为秒
    "Limit": 1
-  },
-  "RouteWhiteList": {
-    "Route": [
-      "account/logins",
-      "account/quick/login"
-    ]
  }
 }
--- a/performance/Performance.Api/wwwroot/Performance.DtoModels.xml
+++ b/performance/Performance.Api/wwwroot/Performance.DtoModels.xml
@@ -49,6 +49,11 @@
            相对
            </summary>
        </member>
+        <member name="P:Performance.DtoModels.AppSettings.Application.OpenAntiSqlInject">
+            <summary>
+            是否开启反SQL注入 默认关闭  true 开启  false 关闭
+            </summary>
+        </member>
        <member name="P:Performance.DtoModels.AppSettings.RateLimitingConfig.Endpoints">
            <summary>
            路径

--- a/performance/Performance.DtoModels/AppSettings/Application.cs
+++ b/performance/Performance.DtoModels/AppSettings/Application.cs
@@ -18,26 +18,6 @@ public class Application
        /// 短信模板
        /// </summary>
        public string SmsTemplate { get; set; }
-        ///// <summary>
-        ///// 护士长二次绩效管理员
-        ///// </summary>
-        //public int NurseRole { get; set; }
-        ///// <summary>
-        ///// 科主任二次绩效管理员
-        ///// </summary>
-        //public int DirectorRole { get; set; }
-        ///// <summary>
-        ///// 特殊科室二次绩效管理员
-        ///// </summary>
-        //public int SpecialRole { get; set; }
-        ///// <summary>
-        ///// 数据收集角色（可查看所有）
-        ///// </summary>
-        //public int[] CollectRoles { get; set; }
-        ///// <summary>
-        ///// 行政科室二次绩效管理员
-        ///// </summary>
-        //public int OfficeRole { get; set; }
        /// <summary>
        /// 邮件指定接收人
        /// </summary>
@@ -50,5 +30,13 @@ public class Application
        /// 相对
        /// </summary>
        public string HttpPath { get; set; }
+        /// <summary>
+        /// 是否开启反SQL注入 默认关闭  true 开启  false 关闭
+        /// </summary>
+        public bool? OpenAntiSqlInject { get; set; }
+        /// <summary>
+        /// 开启反SQL注入白名单地址
+        /// </summary>
+        public string[] AntiSqlInjectRouteWhite { get; set; }
    }
 }