Commit b0fef222 by DESKTOP-115LT8U\admin

添加白名单

parent ef67265d
......@@ -7,6 +7,7 @@
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Configuration;
using Performance.DtoModels;
using Performance.DtoModels.AppSettings;
namespace Performance.Api
{
......@@ -95,6 +96,7 @@ public class AntiSqlInjectFilter : IAsyncActionFilter
public AntiSqlInjectFilter(IConfiguration configuration)
{
_configuration = configuration;
}
/// <inheritdoc />
......@@ -103,39 +105,51 @@ public AntiSqlInjectFilter(IConfiguration configuration)
var openAntiSqlInject = _configuration.GetValue("Application:OpenAntiSqlInject", false);
if (openAntiSqlInject)
{
foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
bool judgmentWhitelist = true;
var path = string.Format(context.RouteData.Values["Controller"] + @"/" + context.RouteData.Values["action"]).ToLower();
var routeWhiteLists = _configuration.GetSection("RouteWhiteList").AsEnumerable();
foreach (var item in routeWhiteLists)
{
//如果不是值类型或接口,不需要过滤
var pType = value.GetType();
if (!pType.IsClass) continue;
if (!string.IsNullOrEmpty(item.Value))
if (item.Value.Equals(path))
judgmentWhitelist = false;
//对string类型过滤
if (value is string && !AntiSqlInject.Instance.IsSafetySql(value.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
else
}
if (judgmentWhitelist)
foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{
var temp = pp.GetValue(value);
if (temp == null) continue;
//如果不是值类型或接口,不需要过滤
var pType = value.GetType();
if (!pType.IsClass) continue;
if (temp is string && !AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
//对string类型过滤
if (value is string && !AntiSqlInject.Instance.IsSafetySql(value.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
else
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
var temp = pp.GetValue(value);
if (temp == null) continue;
if (temp is string && !AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
}
}
}
}
await next();
}
}
}
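Review bot: The new `var path = string.Format(context.RouteData.Values["Controller"] + @"/" + context.RouteData.Values["action"]).ToLower();` line passes the concatenated route values as the format string with no arguments, so a `{` or `}` in a controller or action name would throw FormatException before the filter decides anything, and `ToLower()` is culture-sensitive; build it as `var path = $"{context.RouteData.Values["Controller"]}/{context.RouteData.Values["action"]}".ToLowerInvariant();` and compare with `if (string.Equals(item.Value, path, StringComparison.OrdinalIgnoreCase)) judgmentWhitelist = false;` instead of `item.Value.Equals(path)`. A matched route then skips the check for every action argument, so the exempted handlers (the two login routes added to appsettings) have to be parameterized-query-only on their own; that should be stated on the whitelist loop, e.g. `// Whitelisted routes bypass this filter entirely; their handlers must not build SQL from request input.`. `judgmentWhitelist` reads inverted (true means the filter runs), so a name like `applyFilter` would say what it does. The enclosing action-filter method starts above the hunk.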
......@@ -46,5 +46,11 @@
],
"Period": "1", // 单位为秒
"Limit": 1
},
"RouteWhiteList": {
"Route": [
"account/logins",
"account/quick/login"
]
}
}
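Review bot: The new `RouteWhiteList` block has no comment saying how entries are matched, while the neighbouring `Period` setting does; the filter lowercases `controller/action` and compares the whole string for equality, so an entry such as `Account/Logins` or one with a trailing slash would silently leave the filter active for that route. Add `"RouteWhiteList": { // controller/action, lowercase, exact match; listed routes skip AntiSqlInjectFilter entirely` so the format and the effect are visible where the list is edited.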