Commit b0fef222 by DESKTOP-115LT8U\admin

添加白名单

parent ef67265d
...@@ -7,6 +7,7 @@ ...@@ -7,6 +7,7 @@
using Microsoft.AspNetCore.Mvc.Filters; using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Configuration; using Microsoft.Extensions.Configuration;
using Performance.DtoModels; using Performance.DtoModels;
using Performance.DtoModels.AppSettings;
namespace Performance.Api namespace Performance.Api
{ {
...@@ -95,6 +96,7 @@ public class AntiSqlInjectFilter : IAsyncActionFilter ...@@ -95,6 +96,7 @@ public class AntiSqlInjectFilter : IAsyncActionFilter
public AntiSqlInjectFilter(IConfiguration configuration) public AntiSqlInjectFilter(IConfiguration configuration)
{ {
_configuration = configuration; _configuration = configuration;
} }
/// <inheritdoc /> /// <inheritdoc />
...@@ -103,39 +105,51 @@ public AntiSqlInjectFilter(IConfiguration configuration) ...@@ -103,39 +105,51 @@ public AntiSqlInjectFilter(IConfiguration configuration)
var openAntiSqlInject = _configuration.GetValue("Application:OpenAntiSqlInject", false); var openAntiSqlInject = _configuration.GetValue("Application:OpenAntiSqlInject", false);
if (openAntiSqlInject) if (openAntiSqlInject)
{ {
foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value)) bool judgmentWhitelist = true;
var path = string.Format(context.RouteData.Values["Controller"] + @"/" + context.RouteData.Values["action"]).ToLower();
var routeWhiteLists = _configuration.GetSection("RouteWhiteList").AsEnumerable();
foreach (var item in routeWhiteLists)
{ {
//如果不是值类型或接口,不需要过滤 if (!string.IsNullOrEmpty(item.Value))
var pType = value.GetType(); if (item.Value.Equals(path))
if (!pType.IsClass) continue; judgmentWhitelist = false;
//对string类型过滤 }
if (value is string && !AntiSqlInject.Instance.IsSafetySql(value.ToString())) if (judgmentWhitelist)
{ foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
else
{ {
//是一个class,对class的属性中,string类型的属性进行过滤 //如果不是值类型或接口,不需要过滤
var properties = pType.GetProperties(); var pType = value.GetType();
foreach (var pp in properties) if (!pType.IsClass) continue;
{
var temp = pp.GetValue(value);
if (temp == null) continue;
if (temp is string && !AntiSqlInject.Instance.IsSafetySql(temp.ToString())) //对string类型过滤
if (value is string && !AntiSqlInject.Instance.IsSafetySql(value.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
else
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{ {
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截"); var temp = pp.GetValue(value);
context.Result = new ObjectResult(response); if (temp == null) continue;
return;
if (temp is string && !AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
} }
} }
} }
}
} }
await next(); await next();
} }
} }
} }
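Review bot: The route key built on the `var path = string.Format(context.RouteData.Values["Controller"] + @"/" + context.RouteData.Values["action"]).ToLower();` line goes through string.Format as a format string, so a controller or action name containing `{` or `}` throws FormatException before the whitelist is even consulted, and `.ToLower()` is culture-sensitive; an interpolated string compared with StringComparison.OrdinalIgnoreCase avoids both. The lookup loop walks every descendant of the RouteWhiteList section via AsEnumerable() instead of binding the `Route` array, the `judgmentWhitelist` flag reads inverted (true means not whitelisted), and the brace-less nested `if`/`foreach` makes it easy to misread which statements the skip covers. Since a whitelisted route bypasses the scan entirely, that fact deserves a comment at the lookup, e.g. `// Whitelisted routes skip this scan entirely; their handlers must not depend on it.`. The enclosing OnActionExecutionAsync method's signature is outside the hunk.
```csharp
var controller = context.RouteData.Values["controller"]?.ToString();
var action = context.RouteData.Values["action"]?.ToString();
var path = $"{controller}/{action}";
// Whitelisted routes skip this scan entirely; their handlers must not depend on it.
var routeWhiteList = _configuration.GetSection("RouteWhiteList:Route").Get<string[]>() ?? Array.Empty<string>();
bool isWhitelisted = routeWhiteList.Any(r => string.Equals(r, path, StringComparison.OrdinalIgnoreCase));
if (!isWhitelisted)
{
    // … unchanged: scan of context.ActionArguments for unsafe strings …
}
```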
...@@ -46,5 +46,11 @@ ...@@ -46,5 +46,11 @@
], ],
"Period": "1", // 单位为秒 "Period": "1", // 单位为秒
"Limit": 1 "Limit": 1
},
"RouteWhiteList": {
"Route": [
"account/logins",
"account/quick/login"
]
} }
} }
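Review bot: The entry `"account/quick/login"` has three segments, while the filter in the other file compares whitelist entries against a `controller/action` string built from the route values, so this entry can only match if the action route value itself contains a slash, which seems unlikely; confirm whether the action method name rather than the route template was intended. Entries are compared against a lower-cased path with exact Equals, so they must be lower-case and carry no leading slash or query string; a comment next to `"Route": [` such as `// lower-case controller/action, no leading slash` would keep future entries from silently never matching.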