Commit e2058872 by ryun

兼容集合和异常

parent 698312a5
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
......@@ -7,6 +8,7 @@
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Performance.DtoModels;
using Performance.DtoModels.AppSettings;
......@@ -94,10 +96,12 @@ public string GetSafetySql(string input)
public class AntiSqlInjectFilter : IAsyncActionFilter
{
private readonly Application _application;
private readonly ILogger<AntiSqlInjectFilter> _logger;
public AntiSqlInjectFilter(IOptions<Application> options)
public AntiSqlInjectFilter(ILogger<AntiSqlInjectFilter> logger, IOptions<Application> options)
{
_application = options.Value;
_logger = logger;
}
/// <inheritdoc />
......@@ -106,46 +110,88 @@ public AntiSqlInjectFilter(IOptions<Application> options)
if (_application.OpenAntiSqlInject == true)
{
var routePath = context.HttpContext.Request.Path.ToString();
if (_application.AntiSqlInjectRouteWhite?.Any(route => Regex.IsMatch(routePath, route, RegexOptions.IgnoreCase)) != true)
try
{
foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
if (_application.AntiSqlInjectRouteWhite?.Any(route => Regex.IsMatch(routePath, route, RegexOptions.IgnoreCase)) != true)
{
//如果不是值类型或接口,不需要过滤
var pType = value.GetType();
if (!pType.IsClass) continue;
//对string类型过滤
if (value is string)
foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
{
if (!AntiSqlInject.Instance.IsSafetySql(value.ToString()))
//如果不是值类型或接口,不需要过滤
var pType = value.GetType();
if (!pType.IsClass) continue;
//对string类型过滤
if (value is string)
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
if (!AntiSqlInject.Instance.IsSafetySql(value.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
}
else if (value is not IFormCollection)
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
else if (value is not IFormCollection)
{
var temp = pp.GetValue(value);
if (temp == null) continue;
if (temp is string)
if (value is string)
{
if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
if (!AntiSqlInject.Instance.IsSafetySql(value.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
else if (value is IEnumerable objects)
{
foreach (var item in objects)
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{
var temp = pp.GetValue(item);
if (temp == null) continue;
if (temp is string)
{
if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
}
}
}
else
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{
var temp = pp.GetValue(value);
if (temp == null) continue;
if (temp is string)
{
if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
}
}
}
}
}
}
catch (Exception ex)
{
_logger.LogError($"SQL注入过滤器出现异常:{routePath};{ex}");
}
}
await next();
}
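Review bot: The new collection branch at L86–L107 reflects over `pType`, the type of the collection itself, but then calls `pp.GetValue(item)` on each element, so for any list-style argument the first property of the collection type (including its `Item` indexer) throws; the new `catch (Exception)` at L131 only logs it and `await next()` still runs, which means a request carrying a collection argument passes through the filter unchecked — the filter fails open rather than closed. The branch should reflect over `item.GetType()`, skip null items and indexers, and check string elements directly; whether a reflection failure should still let the request continue deserves an explicit decision, because as written the catch turns any unexpected argument shape into a bypass. The `if (value is string)` block at L76 inside the `is not IFormCollection` branch is unreachable, since strings are already handled at L53, and can be dropped. The enclosing method's signature lies outside this hunk, and the rendered page has lost the +/- markers, so I am reading these lines as the new side.
```csharp
else if (value is IEnumerable objects)
{
    foreach (var item in objects)
    {
        if (item == null) continue;
        if (item is string s)
        {
            if (!AntiSqlInject.Instance.IsSafetySql(s))
            {
                var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
                context.Result = new ObjectResult(response);
                return;
            }
            continue;
        }
        // reflect over the element's own type, not the collection type held in pType
        foreach (var pp in item.GetType().GetProperties())
        {
            if (pp.GetIndexParameters().Length > 0) continue; // indexers need arguments
            var temp = pp.GetValue(item);
            // … unchanged: null check and string-property IsSafetySql check …
        }
    }
}
```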
......
......@@ -7,7 +7,7 @@
},
"AppConnection": {
//"PerformanceConnectionString": "server=112.124.13.17;database=db_performance;uid=suvalue;pwd=suvalue2016;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;",
"PerformanceConnectionString": "server=192.168.18.166;database=db_test_dingxieryuan;uid=root;pwd=1234qwer;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;"
"PerformanceConnectionString": "server=192.168.18.166;database=db_test_beiliu;uid=root;pwd=1234qwer;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;"
//"PerformanceConnectionString": "server=116.62.245.55;database=db_performance;uid=root;pwd=1234qwer;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;"
},
"Application": {
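Review bot: The changed connection string at L144 keeps `uid=root;pwd=1234qwer` in a tracked settings file, and the two commented-out variants at L142 and L145 carry plaintext credentials against named hosts as well, so every database password in this block is in repository history regardless of which line is active. Move the connection string out of source into user-secrets, an environment variable or a secret store and leave only a placeholder such as `"PerformanceConnectionString": "<set via environment or user-secrets>"` here; the committed passwords should be treated as exposed. Switching the database between `db_test_dingxieryuan` and `db_test_beiliu` in the shared file also suggests this is a developer-local value that likely belongs in an environment-specific override (e.g. an `appsettings.Development.json`) rather than the tracked file.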
......