Commit e2058872 by ryun

兼容集合和异常

parent 698312a5
using System; using System;
using System.Collections;
using System.Collections.Generic; using System.Collections.Generic;
using System.Linq; using System.Linq;
using System.Text.RegularExpressions; using System.Text.RegularExpressions;
...@@ -7,6 +8,7 @@ ...@@ -7,6 +8,7 @@
using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters; using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options; using Microsoft.Extensions.Options;
using Performance.DtoModels; using Performance.DtoModels;
using Performance.DtoModels.AppSettings; using Performance.DtoModels.AppSettings;
...@@ -94,10 +96,12 @@ public string GetSafetySql(string input) ...@@ -94,10 +96,12 @@ public string GetSafetySql(string input)
public class AntiSqlInjectFilter : IAsyncActionFilter public class AntiSqlInjectFilter : IAsyncActionFilter
{ {
private readonly Application _application; private readonly Application _application;
private readonly ILogger<AntiSqlInjectFilter> _logger;
public AntiSqlInjectFilter(IOptions<Application> options) public AntiSqlInjectFilter(ILogger<AntiSqlInjectFilter> logger, IOptions<Application> options)
{ {
_application = options.Value; _application = options.Value;
_logger = logger;
} }
/// <inheritdoc /> /// <inheritdoc />
...@@ -106,46 +110,88 @@ public AntiSqlInjectFilter(IOptions<Application> options) ...@@ -106,46 +110,88 @@ public AntiSqlInjectFilter(IOptions<Application> options)
if (_application.OpenAntiSqlInject == true) if (_application.OpenAntiSqlInject == true)
{ {
var routePath = context.HttpContext.Request.Path.ToString(); var routePath = context.HttpContext.Request.Path.ToString();
if (_application.AntiSqlInjectRouteWhite?.Any(route => Regex.IsMatch(routePath, route, RegexOptions.IgnoreCase)) != true) try
{ {
foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value)) if (_application.AntiSqlInjectRouteWhite?.Any(route => Regex.IsMatch(routePath, route, RegexOptions.IgnoreCase)) != true)
{ {
//如果不是值类型或接口,不需要过滤 foreach (var value in context.ActionArguments.Where(w => w.Value != null).Select(w => w.Value))
var pType = value.GetType();
if (!pType.IsClass) continue;
//对string类型过滤
if (value is string)
{ {
if (!AntiSqlInject.Instance.IsSafetySql(value.ToString())) //如果不是值类型或接口,不需要过滤
var pType = value.GetType();
if (!pType.IsClass) continue;
//对string类型过滤
if (value is string)
{ {
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截"); if (!AntiSqlInject.Instance.IsSafetySql(value.ToString()))
context.Result = new ObjectResult(response); {
return; var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
} }
} else if (value is not IFormCollection)
else if (value is not IFormCollection)
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{ {
var temp = pp.GetValue(value); if (value is string)
if (temp == null) continue;
if (temp is string)
{ {
if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString())) if (!AntiSqlInject.Instance.IsSafetySql(value.ToString()))
{ {
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截"); var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response); context.Result = new ObjectResult(response);
return; return;
} }
} }
else if (value is IEnumerable objects)
{
foreach (var item in objects)
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{
var temp = pp.GetValue(item);
if (temp == null) continue;
if (temp is string)
{
if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
}
}
}
else
{
//是一个class,对class的属性中,string类型的属性进行过滤
var properties = pType.GetProperties();
foreach (var pp in properties)
{
var temp = pp.GetValue(value);
if (temp == null) continue;
if (temp is string)
{
if (!AntiSqlInject.Instance.IsSafetySql(temp.ToString()))
{
var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
context.Result = new ObjectResult(response);
return;
}
}
}
}
} }
} }
} }
} }
catch (Exception ex)
{
_logger.LogError($"SQL注入过滤器出现异常:{routePath};{ex}");
}
} }
await next(); await next();
} }
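Review bot: The collection branch (`else if (value is IEnumerable objects)`) reflects over `pType`, the type of the collection itself, so `pp.GetValue(item)` applies a `List<T>` property to an element of `T` and throws `TargetException` on the first element, and for `List<string>` the elements are never string-checked at all. Because the new `catch (Exception ex)` only logs and control then falls through to `await next()`, every request carrying a collection argument now bypasses the filter — the guard fails open; if that is not intended, set `context.Result` to the same Dangerous response in the catch (or rethrow) so an internal error does not let the request through unchecked. The loop should use each element's own type and handle string elements directly, as below, skipping indexed properties (`pp.GetIndexParameters().Length != 0`) which otherwise make `GetValue` throw `TargetParameterCountException`. The inner `if (value is string)` inside the `else if (value is not IFormCollection)` branch is unreachable, since the outer `if (value is string)` already took that case, and the log call should attach the exception structurally: `_logger.LogError(ex, "SQL注入过滤器出现异常:{RoutePath}", routePath);`. The enclosing method's signature is outside the hunk.
```csharp
else if (value is IEnumerable objects)
{
    foreach (var item in objects)
    {
        if (item == null) continue;
        if (item is string text)
        {
            if (!AntiSqlInject.Instance.IsSafetySql(text))
            {
                var response = new ApiResponse(ResponseType.Dangerous, "危险操作已拦截");
                context.Result = new ObjectResult(response);
                return;
            }
            continue;
        }
        // reflect over the element's own type, not the collection's (pType)
        foreach (var pp in item.GetType().GetProperties())
        {
            if (pp.GetIndexParameters().Length != 0) continue;
            var temp = pp.GetValue(item);
            // … unchanged: null skip, string property check and Dangerous response …
        }
    }
}
```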
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
}, },
"AppConnection": { "AppConnection": {
//"PerformanceConnectionString": "server=112.124.13.17;database=db_performance;uid=suvalue;pwd=suvalue2016;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;", //"PerformanceConnectionString": "server=112.124.13.17;database=db_performance;uid=suvalue;pwd=suvalue2016;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;",
"PerformanceConnectionString": "server=192.168.18.166;database=db_test_dingxieryuan;uid=root;pwd=1234qwer;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;" "PerformanceConnectionString": "server=192.168.18.166;database=db_test_beiliu;uid=root;pwd=1234qwer;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;"
//"PerformanceConnectionString": "server=116.62.245.55;database=db_performance;uid=root;pwd=1234qwer;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;" //"PerformanceConnectionString": "server=116.62.245.55;database=db_performance;uid=root;pwd=1234qwer;pooling=true;charset=utf8;convert zero datetime=true;port=3306;connection timeout=120;max pool size=512;allow user variables=true;"
}, },
"Application": { "Application": {
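Review bot: The `PerformanceConnectionString` on the changed line still embeds a plaintext database password together with a private host address, and the two commented-out alternatives around it do the same for other hosts, so the commit keeps live credentials in version history. Move the credential out of appsettings.json into user secrets or an environment-backed configuration provider (the `AppConnection:PerformanceConnectionString` key binds from either), keep only a placeholder in the checked-in file, and treat the passwords already in history as exposed and rotate them. Switching the database name by editing the shared file is also a sign this per-developer value belongs in a local override such as appsettings.Development.json rather than the committed config.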