时间:2022-12-06 01:27
json数据sql注入的解决方法:
使用 Jackson 实现对 JSON 数据的处理，添加依赖如下：
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.8.10</version>
</dependency>
<dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
    <version>2.8.10</version>
</dependency>
使用 Jackson 解析 JSON 数据并提取其中的值，例如：
import java.nio.charset.Charset;
import java.util.Arrays;
import java.util.Collections;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

@Component
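/**
 * Servlet filter that rejects a request (HTTP 417) when any URL parameter value or any scalar value in a
 * JSON request body contains one of the blocklisted SQL fragments in {@link #SQL_TOKENS}; otherwise the
 * (wrapped) request continues down the chain.
 *
 * <p>The check is a case-insensitive substring match against a fixed word list. It narrows the attack
 * surface but cannot replace parameterised queries ({@code PreparedStatement} with bound values), and its
 * short entries produce false positives on ordinary text (see the note on {@link #SQL_TOKENS}).
 */
public class sqlValidateFilter implements Filter {

    private static final Logger logger = LoggerFactory.getLogger(sqlValidateFilter.class);

    /** HTTP status sent for a rejected request. */
    private static final int REJECT_STATUS = 417;

    /** Response body of a rejected request ("the parameters in your request contain illegal characters"). */
    private static final String REJECT_MESSAGE = "您发送请求中的参数中含有非法字符";

    /**
     * One shared mapper instead of a new one per request. Only {@code readTree} is used, so no
     * polymorphic deserialisation is involved here.
     */
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /**
     * Lower-case SQL fragments that cause a request to be rejected, in match/log order.
     *
     * <p>Matching is plain {@code String.contains}, so short entries such as "and", "by", "use", "mid",
     * "*", "+" or ";" also hit ordinary values that merely contain them ("brand", "sandwich", a phone
     * number with "+"). Review the list against real traffic.
     */
    private static final List<String> SQL_TOKENS = Collections.unmodifiableList(Arrays.asList(
            "'", "and", "exec", "execute", "insert", "select", "delete", "count", "drop", "*", "chr",
            "mid", "master", "truncate", "char", "declare",
            // NOTE(review): appears as "netuser" in the original source; if the intended entry is
            // "net user" (with a space), restore it — "netuser" never matches the spaced form.
            "netuser",
            "xp_cmdshell", ";", "+", "like'",
            // The original concatenated "...|create" + "table|..." without a separator, producing the
            // single token "createtable", so neither word was ever matched on its own.
            "create", "table",
            "from", "grant", "use", "group_concat", "column_name", "information_schema.columns",
            "table_schema", "union", "where", "order", "by", "//", "--", "#"));

    /** Active Spring profile; "test" selects a GBK response body, anything else UTF-8. */
    @Value("${spring.profiles.active}")
    private String activeProfile;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to initialise: the only configuration is the injected activeProfile.
    }

    /**
     * Scans URL parameters and the JSON body of the request and either answers with
     * {@value #REJECT_STATUS} or passes the wrapped request down the chain.
     *
     * <p>The request is wrapped in {@code RequestWrapper} first — presumably so the body can be read here
     * and again by downstream code; confirm against that class.
     *
     * @throws IOException if the body cannot be read, or is non-empty but not valid JSON
     *         (see {@link #getParameterValuesInBody})
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        RequestWrapper wrapper = new RequestWrapper((HttpServletRequest) request);
        HttpServletResponse resp = (HttpServletResponse) response;
        if (existsInvalidsqlTokenInRequest(wrapper)) {
            // Encode the body with the same charset the Content-Type declares; the original used
            // getBytes() with the platform default, which garbles the message whenever the two differ.
            Charset charset = "test".equals(activeProfile) ? Charset.forName("GBK") : Charset.forName("UTF-8");
            resp.setStatus(REJECT_STATUS);
            resp.setContentType("text/html;charset=" + charset.name());
            resp.getOutputStream().write(REJECT_MESSAGE.getBytes(charset));
            return;
        }
        chain.doFilter(wrapper, resp);
    }

    /**
     * Returns {@code true} when any URL parameter value, or any scalar value in the JSON body, contains a
     * blocklisted token. The body is only read and parsed when the URL parameters are clean.
     *
     * @throws JsonProcessingException if the body is present but not valid JSON
     * @throws IOException if the body cannot be read
     */
    private boolean existsInvalidsqlTokenInRequest(RequestWrapper request)
            throws JsonProcessingException, IOException {
        return containsInvalidSqlToken(getParameterValuesBehindUrl(request))
                || containsInvalidSqlToken(getParameterValuesInBody(request));
    }

    /** Short-circuit scan of a list of values; {@code true} on the first match. */
    private boolean containsInvalidSqlToken(List<String> values) {
        for (String value : values) {
            if (findInvalidsqlToken(value)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Collects every value of every request parameter reported by the wrapper.
     *
     * @return the parameter values in enumeration order; empty when there are no parameters
     */
    private List<String> getParameterValuesBehindUrl(RequestWrapper request) {
        List<String> results = new ArrayList<String>();
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String[] values = request.getParameterValues(names.nextElement());
            // Defensive: a name obtained from getParameterNames should always resolve, but skip if not.
            if (values != null) {
                results.addAll(Arrays.asList(values));
            }
        }
        return results;
    }

    /**
     * Extracts every scalar value from the JSON request body.
     *
     * @return the scalar values of the body, or an empty list when the body is blank
     * @throws JsonProcessingException if the body is non-empty but not valid JSON (for example a
     *         form-encoded or multipart POST); it escapes {@link #doFilter} unchanged
     * @throws IOException if the body cannot be read
     */
    private List<String> getParameterValuesInBody(RequestWrapper request)
            throws JsonProcessingException, IOException {
        String body = request.getBody();
        if (!StringUtils.isNotBlank(body)) {
            return new ArrayList<String>();
        }
        // NOTE(review): consider parsing only when the Content-Type is application/json, so that
        // non-JSON bodies do not become server errors here.
        return parseJsonNode(MAPPER.readTree(body));
    }

    /**
     * Recursively flattens a JSON tree into the text of its scalar leaves (strings, numbers, booleans,
     * null). Arrays and objects contribute their elements / field values; object keys are not inspected,
     * so if field names ever feed into SQL (e.g. as column names) they need a check of their own.
     *
     * @param node the node to flatten; {@code null} yields an empty list
     */
    private List<String> parseJsonNode(JsonNode node) {
        List<String> results = new ArrayList<String>();
        if (node == null) {
            return results;
        }
        switch (node.getNodeType()) {
            case ARRAY: {
                for (JsonNode element : node) {
                    results.addAll(parseJsonNode(element));
                }
                break;
            }
            case OBJECT: {
                Iterator<Map.Entry<String, JsonNode>> fields = node.fields();
                while (fields.hasNext()) {
                    results.addAll(parseJsonNode(fields.next().getValue()));
                }
                break;
            }
            default: {
                // asText() gives the decoded value; toString() (used originally) re-serialises it as
                // JSON, adding quotes and escape sequences that are not part of what the application sees.
                results.add(node.asText());
                break;
            }
        }
        return results;
    }

    /**
     * Tests one value, lower-cased with {@link Locale#ENGLISH}, against {@link #SQL_TOKENS}.
     *
     * @param value the value to test; {@code null} is treated as clean
     * @return {@code true} (after logging the match) if the value contains any token, else {@code false}
     */
    private boolean findInvalidsqlToken(String value) {
        if (value == null) {
            return false;
        }
        String lowerCaseValue = value.toLowerCase(Locale.ENGLISH);
        for (String token : SQL_TOKENS) {
            if (lowerCaseValue.contains(token)) {
                // NOTE(review): this writes the full request value to the log at INFO level; request
                // bodies may carry credentials or personal data, so consider truncating or masking it.
                logger.info("dataValue={},marchValue={}", lowerCaseValue, token);
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}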