添加白名单

performance/Performance.Api/Filters/AntiSqlInjectFilter.cs

@@ -7,6 +7,7 @@
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.Configuration;
 using Performance.DtoModels;
+using Performance.DtoModels.AppSettings;
 
 namespace Performance.Api
 {
@@ -95,6 +96,7 @@ public class AntiSqlInjectFilter : IAsyncActionFilter
         public AntiSqlInjectFilter(IConfiguration configuration)
         {
             _configuration = configuration;
+
         }
 
         /// <inheritdoc />
@@ -103,6 +105,17 @@ public AntiSqlInjectFilter(IConfiguration configuration)
             var openAntiSqlInject = _configuration.GetValue("Application:OpenAntiSqlInject", false);
             if (openAntiSqlInject)
             {
+                bool judgmentWhitelist = true;
+                var path = string.Format(context.RouteData.Values["Controller"] + @"/" + context.RouteData.Values["action"]).ToLower();
+                var routeWhiteLists = _configuration.GetSection("RouteWhiteList").AsEnumerable();
+                foreach (var item in routeWhiteLists)
+                {
+                    if (!string.IsNullOrEmpty(item.Value))
+                        if (item.Value.Equals(path))
+                            judgmentWhitelist = false;
+
+                }
+                if (judgmentWhitelist)
                     foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
                     {
                         //如果不是值类型或接口，不需要过滤
@@ -137,5 +150,6 @@ public AntiSqlInjectFilter(IConfiguration configuration)
             }
             await next();
         }
+
     }
 }

performance/Performance.Api/appsettings.Localhost.json

@@ -46,5 +46,11 @@
     ],
     "Period": "1", // 单位为秒
     "Limit": 1
+  },
+  "RouteWhiteList": {
+    "Route": [
+      "account/logins",
+      "account/quick/login"
+    ]
   }
 }