Gateway拦截器实现防止SQL注入/XSS攻击-多维IT资讯

SQL注入是截器常见的系统安全问题之一，用户通过特定方式向系统发送SQL脚本，实现可直接自定义操作系统数据库，防止如果系统没有对SQL注入进行拦截，攻击那么用户甚至可以直接对数据库进行增删改查等操作。截器

XSS全称为Cross Site Script跨站点脚本攻击，实现和SQL注入类似，防止都是攻击通过特定方式向系统发送攻击脚本，对系统进行控制和侵害。截器SQL注入主要以攻击数据库来达到攻击系统的实现目的，而XSS则是防止以恶意执行前端脚本来攻击系统。

Gateway拦截器实现防止SQL注入/XSS攻击

项目框架中使用mybatis/mybatis-plus数据持久层框架，攻击在使用过程中，截器已有规避SQL注入的实现规则和使用方法。但是防止在实际开发过程中，由于各种原因，开发人员对持久层框架的掌握水平不同，有些特殊业务情况必须从前台传入SQL脚本。这时就需要对系统进行加固，防止特殊情况下引起的系统风险。

在微服务架构下，我们考虑如何实现SQL注入/XSS攻击拦截时，肯定不会在每个微服务都实现一遍SQL注入/XSS攻击拦截。根据我们微服务系统的高防服务器设计，所有的请求都会经过Gateway网关，所以在实现时就可以参照前面的日志拦截器来实现。在接收到一个请求时，通过拦截器解析请求参数，判断是否有SQL注入/XSS攻击参数，如果有，那么返回异常即可。

我们前面在对微服务Gateway进行自定义扩展时，增加了Gateway插件功能。我们会根据系统需求开发各种Gateway功能扩展插件，并且可以根据系统配置文件来启用/禁用这些插件。下面我们就将防止SQL注入/XSS攻击拦截器作为一个Gateway插件来开发和配置。

1、新增SqlInjectionFilter 过滤器和XssInjectionFilter过滤器，分别用于解析请求参数并对参数进行判断是否存在SQL注入/XSS攻脚本。此处有公共判断方法，通过配置文件来读取请求的过滤配置，因为不是多有的请求都会引发SQL注入和XSS攻击，如果无差别的全部拦截和请求，那么势必影响到系统的性能。

判断SQL注入的拦截器

复制/** * 防sql注入 * @author GitEgg */

@Log4j2

@AllArgsConstructor

public class SqlInjectionFilter implements GlobalFilter, Ordered {

......

当返回参数为true时，解析请求参数和返回参数

if (shouldSqlInjection(exchange)) { MultiValueMap<String, String> queryParams = request.getQueryParams(); boolean chkRetGetParams = SqlInjectionRuleUtils.mapRequestSqlKeyWordsCheck(queryParams); boolean chkRetJson = false; boolean chkRetFormData = false; HttpHeaders headers = request.getHeaders(); MediaType contentType = headers.getContentType(); long length = headers.getContentLength(); if(length > 0 && null != contentType && (contentType.includes(MediaType.APPLICATION_JSON) ||contentType.includes(MediaType.APPLICATION_JSON_UTF8))){ chkRetJson = SqlInjectionRuleUtils.jsonRequestSqlKeyWordsCheck(gatewayContext.getRequestBody()); } if(length > 0 && null != contentType && contentType.includes(MediaType.APPLICATION_FORM_URLENCODED)){ log.debug("[RequestLogFilter](Request)FormData:{}",gatewayContext.getFormData()); chkRetFormData = SqlInjectionRuleUtils.mapRequestSqlKeyWordsCheck(gatewayContext.getFormData());} if (chkRetGetParams || chkRetJson || chkRetFormData) { return WebfluxResponseUtils.responseWrite(exchange, "参数中不允许存在sql关键字"); } return chain.filter(exchange); } else { return chain.filter(exchange); } }

......

}1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.27.28.29.30.31.32.33.34.35.36.37.38.39.40.41.42.43.44.45.46.47. 判断XSS攻击的亿华云计算拦截器复制/** * 防xss注入 * @author GitEgg */

@Log4j2

@AllArgsConstructor

public class XssInjectionFilter implements GlobalFilter, Ordered {

......

当返回参数为true时，记录请求参数和返回参数

if (shouldXssInjection(exchange)) { MultiValueMap<String, String> queryParams = request.getQueryParams(); boolean chkRetGetParams = XssInjectionRuleUtils.mapRequestSqlKeyWordsCheck(queryParams); boolean chkRetJson = false; boolean chkRetFormData = false; HttpHeaders headers = request.getHeaders(); MediaType contentType = headers.getContentType(); long length = headers.getContentLength(); if(length > 0 && null != contentType && (contentType.includes(MediaType.APPLICATION_JSON) ||contentType.includes(MediaType.APPLICATION_JSON_UTF8))){ chkRetJson = XssInjectionRuleUtils.jsonRequestSqlKeyWordsCheck(gatewayContext.getRequestBody()); } if(length > 0 && null != contentType && contentType.includes(MediaType.APPLICATION_FORM_URLENCODED)){ log.debug("[RequestLogFilter](Request)FormData:{}",gatewayContext.getFormData()); chkRetFormData = XssInjectionRuleUtils.mapRequestSqlKeyWordsCheck(gatewayContext.getFormData());} if (chkRetGetParams || chkRetJson || chkRetFormData) { return WebfluxResponseUtils.responseWrite(exchange, "参数中不允许存在XSS注入关键字"); } return chain.filter(exchange); } else { return chain.filter(exchange); } }

......

}1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.27.28.29.30.31.32.33.34.35.36.37.38.39.40.41.42.43.44.45.46.47.

2、新增SqlInjectionRuleUtils工具类和XssInjectionRuleUtils工具类，通过正则表达式，用于判断参数是否属于SQL注入/XSS攻击脚本。

通过正则表达式对参数进行是否有SQL注入风险的判断复制/** * 防sql注入工具类 * @author GitEgg */

@Slf4j

public class SqlInjectionRuleUtils { /** * SQL的正则表达式 */ private static String badStrReg = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)"; /** * SQL的正则表达式 */ private static Pattern sqlPattern = Pattern.compile(badStrReg, Pattern.CASE_INSENSITIVE); /** * sql注入校验 map * * @param map * @return */ public static boolean mapRequestSqlKeyWordsCheck(MultiValueMap<String, String> map) { //

对post请求参数值进行sql注入检验

return map.entrySet().stream().parallel().anyMatch(entry -> { //

这里需要将参数转换为小写来处理

String lowerValue = Optional.ofNullable(entry.getValue()) .map(Object::toString) .map(String::toLowerCase) .orElse(""); if (sqlPattern.matcher(lowerValue).find()) { log.error("参数[{}]中包含不允许sql的关键词", lowerValue); return true;} return false; }); } /** * sql注入校验 json * * @param value * @return */ public static boolean jsonRequestSqlKeyWordsCheck(String value) { if (JSONUtil.isJsonObj(value)) { JSONObject json = JSONUtil.parseObj(value); Map<String, Object> map = json; //

对post请求参数值进行sql注入检验

return map.entrySet().stream().parallel().anyMatch(entry -> { //

这里需要将参数转换为小写来处理

对post请求参数值进行sql注入检验

return list.stream().parallel().anyMatch(obj -> { //

这里需要将参数转换为小写来处理

String lowerValue = Optional.ofNullable(obj) .map(Object::toString) .map(String::toLowerCase) .orElse(""); if (sqlPattern.matcher(lowerValue).find()) { log.error("参数[{}]中包含不允许sql的关键词", lowerValue); return true;} return false; }); } }}1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.27.28.29.30.31.32.33.34.35.36.37.38.39.40.41.42.43.44.45.46.47.48.49.50.51.52.53.54.55.56.57.58.59.60.61.62.63.64.65.66.67.68.69.70.71.72.73.74.75.76.77.78.79.80.81.82.83. 通过正则表达式对参数进行是否有XSS攻击风险的判断复制/** * XSS注入过滤工具类 * @author GitEgg */public class XssInjectionRuleUtils { private static final Pattern[] PATTERNS = { // Avoid anything in a <script>

type of expression

Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE), // Avoid anything in a src=...

type of expression

Pattern.compile("src[\r\n]*=[\r\n]*\\\(.*?)\\\", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), // Remove any lonesome </script>

tag

Pattern.compile("</script>", Pattern.CASE_INSENSITIVE), // Avoid anything in a <iframe>

type of expression

Pattern.compile("<iframe>(.*?)</iframe>", Pattern.CASE_INSENSITIVE), // Remove any lonesome <script ...>

tag

Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), // Remove any lonesome <img ...>

tag

Pattern.compile("<img(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), // Avoid eval(...)

expressions

Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), // Avoid expression(...)

expressions

Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL), // Avoid javascript:...

expressions

Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE), // Avoid vbscript:...

expressions

Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE), // Avoid onload=

expressions

Pattern.compile("on(load|error|mouseover|submit|reset|focus|click)(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL) }; public static String stripXSS(String value) { if (StringUtils.isEmpty(value)) { return value; } for (Pattern scriptPattern : PATTERNS) { value = scriptPattern.matcher(value).replaceAll(""); } return value; } public static boolean hasStripXSS(String value) { if (!StringUtils.isEmpty(value)) { for (Pattern scriptPattern : PATTERNS) { if (scriptPattern.matcher(value).find() == true) { return true; } } } return false; } /** * xss注入校验 map * * @param map * @return */ public static boolean mapRequestSqlKeyWordsCheck(MultiValueMap<String, String> map) { //

对post请求参数值进行sql注入检验

return map.entrySet().stream().parallel().anyMatch(entry -> { //

这里需要将参数转换为小写来处理

String lowerValue = Optional.ofNullable(entry.getValue()) .map(Object::toString) .map(String::toLowerCase) .orElse(""); if (hasStripXSS(lowerValue)) { return true; } return false; }); } /** * xss注入校验 json * * @param value * @return */ public static boolean jsonRequestSqlKeyWordsCheck(String value) { if (JSONUtil.isJsonObj(value)) { JSONObject json = JSONUtil.parseObj(value); Map<String, Object> map = json; //

对post请求参数值进行sql注入检验

return map.entrySet().stream().parallel().anyMatch(entry -> { //

这里需要将参数转换为小写来处理

对post请求参数值进行sql注入检验

return list.stream().parallel().anyMatch(obj -> { //

这里需要将参数转换为小写来处理

String lowerValue = Optional.ofNullable(obj) .map(Object::toString) .map(String::toLowerCase) .orElse(""); if (hasStripXSS(lowerValue)) { return true; } return false; }); } }}1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.27.28.29.30.31.32.33.34.35.36.37.38.39.40.41.42.43.44.45.46.47.48.49.50.51.52.53.54.55.56.57.58.59.60.61.62.63.64.65.66.67.68.69.70.71.72.73.74.75.76.77.78.79.80.81.82.83.84.85.86.87.88.89.90.91.92.93.94.95.96.97.98.99.100.101.102.103.104.105.106.107.108.109.110.111.112.113.114.115.116.117.118.

3、在GatewayRequestContextFilter 中新增判断那些请求需要解析参数。因为出于性能等方面的考虑，网关并不是对所有的参数都进行解析，只有在需要记录日志、防止SQL注入/XSS攻击时才会进行解析。

复制/** * check should read request data whether or not * @return boolean */ private boolean shouldReadRequestData(ServerWebExchange exchange){ if(gatewayPluginProperties.getLogRequest().getRequestLog() && GatewayLogTypeEnum.ALL.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())){ log.debug("[GatewayContext]Properties Set Read All Request Data"); return true; } boolean serviceFlag = false; boolean pathFlag = false; boolean lbFlag = false; List<String> readRequestDataServiceIdList = gatewayPluginProperties.getLogRequest().getServiceIdList(); List<String> readRequestDataPathList = gatewayPluginProperties.getLogRequest().getPathList(); if(!CollectionUtils.isEmpty(readRequestDataPathList) && (GatewayLogTypeEnum.PATH.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()) || GatewayLogTypeEnum.CONFIGURE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()))){ String requestPath = exchange.getRequest().getPath().pathWithinApplication().value(); for(String path : readRequestDataPathList){ if(ANT_PATH_MATCHER.match(path,requestPath)){ log.debug("[GatewayContext]Properties Set Read Specific Request Data With Request Path:{},Math Pattern:{}", requestPath, path); pathFlag = true; break;} } } Route route = exchange.getAttribute(ServerWebExchangeUtils.GATEWAY_ROUTE_ATTR); URI routeUri = route.getUri(); if(!"lb".equalsIgnoreCase(routeUri.getScheme())){ lbFlag = true; } String routeServiceId = routeUri.getHost().toLowerCase(); if(!CollectionUtils.isEmpty(readRequestDataServiceIdList) && (GatewayLogTypeEnum.SERVICE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()) || GatewayLogTypeEnum.CONFIGURE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()))){ if(readRequestDataServiceIdList.contains(routeServiceId)){ log.debug("[GatewayContext]Properties Set Read Specific Request Data With ServiceId:{}",routeServiceId); serviceFlag = true;} } if (GatewayLogTypeEnum.CONFIGURE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()) && serviceFlag && pathFlag && !lbFlag) { return true; } else if (GatewayLogTypeEnum.SERVICE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()) && serviceFlag && !lbFlag) { return true; } else if (GatewayLogTypeEnum.PATH.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()) && pathFlag) { return true; } return false; }1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.27.28.29.30.31.32.33.34.35.36.37.38.39.40.41.42.43.44.45.46.47.48.49.50.51.52.53.54.55.56.57.58.59.60.61.62.63.64.65.66.

4、在GatewayPluginProperties中新增配置，用于读取Gateway过滤器的系统配置，判断开启新增的防止SQL注入/XSS攻击插件。

复制@Slf4j

@Getter

@Setter

@ToString

public class GatewayPluginProperties implements InitializingBean { public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX = "spring.cloud.gateway.plugin.config"; public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX_LOG_REQUEST = GATEWAY_PLUGIN_PROPERTIES_PREFIX + ".logRequest"; public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX_SQL_INJECTION = GATEWAY_PLUGIN_PROPERTIES_PREFIX + ".sqlInjection"; public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX_XSS_INJECTION = GATEWAY_PLUGIN_PROPERTIES_PREFIX + ".xssInjection"; /** * Enable Or Disable */ private Boolean enable = false; /** * LogProperties */ private LogProperties logRequest; /** * SqlInjectionProperties */ private SqlInjectionProperties sqlInjection; /** * XssInjectionProperties */ private XssInjectionProperties xssInjection;

@Override

public void afterPropertiesSet() { log.info("Gateway plugin logRequest enable:", logRequest.enable); log.info("Gateway plugin sqlInjection enable:", sqlInjection.enable); log.info("Gateway plugin xssInjection enable:", xssInjection.enable); } /** * 日志记录相关配置 */

@Getter

@Setter

@ToString

public static class LogProperties implements InitializingBean{ /** * Enable Or Disable Log Request Detail */ private Boolean enable = false; /** * Enable Or Disable Read Request Data */ private Boolean requestLog = false; /** * Enable Or Disable Read Response Data */ private Boolean responseLog = false; /** * logType * all：所有日志 * configure:serviceId和pathList交集 * serviceId：只记录serviceId配置列表 * pathList：只记录pathList配置列表 */ private String logType = "all"; /** * Enable Read Request Data When use discover route by serviceId */ private List<String> serviceIdList = Collections.emptyList(); /** * Enable Read Request Data by specific path */ private List<String> pathList = Collections.emptyList();

@Override

public void afterPropertiesSet() throws Exception { if(!CollectionUtils.isEmpty(serviceIdList)){ serviceIdList = serviceIdList.stream().map(String::toLowerCase).collect(Collectors.toList()); } if(!CollectionUtils.isEmpty(pathList)){ pathList = pathList.stream().map(String::toLowerCase).collect(Collectors.toList()); } } } /** * sql注入拦截相关配置 */

@Getter

@Setter

@ToString

public static class SqlInjectionProperties implements InitializingBean{ /** * Enable Or Disable */ private Boolean enable = false; /** * Enable Read Request Data When use discover route by serviceId */ private List<String> serviceIdList = Collections.emptyList(); /** * Enable Read Request Data by specific path */ private List<String> pathList = Collections.emptyList();

@Override

@Getter

@Setter

@ToString

public static class XssInjectionProperties implements InitializingBean{ /** * Enable Or Disable */ private Boolean enable = false; /** * Enable Read Request Data When use discover route by serviceId */ private List<String> serviceIdList = Collections.emptyList(); /** * Enable Read Request Data by specific path */ private List<String> pathList = Collections.emptyList();

@Override

public void afterPropertiesSet() { if(!CollectionUtils.isEmpty(serviceIdList)){ serviceIdList = serviceIdList.stream().map(String::toLowerCase).collect(Collectors.toList()); } if(!CollectionUtils.isEmpty(pathList)){ pathList = pathList.stream().map(String::toLowerCase).collect(Collectors.toList()); } } }}1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.27.28.29.30.31.32.33.34.35.36.37.38.39.40.41.42.43.44.45.46.47.48.49.50.51.52.53.54.55.56.57.58.59.60.61.62.63.64.65.66.67.68.69.70.71.72.73.74.75.76.77.78.79.80.81.82.83.84.85.86.87.88.89.90.91.92.93.94.95.96.97.98.99.100.101.102.103.104.105.106.107.108.109.110.111.112.113.114.115.116.117.118.119.120.121.122.123.124.125.126.127.128.129.130.131.132.133.134.135.136.137.138.139.140.141.142.143.144.145.146.147.148.149.150.151.152.153.154.155.156.157.158.159.160.161.162.

5、GatewayPluginConfig 配置过滤器在启动时动态判断是否启用某些Gateway插件。IT技术网在这里我们将新增的SQL注入拦截插件和XSS攻击拦截插件配置进来，可以根据配置文件动态判断是否启用SQL注入拦截插件和XSS攻击拦截插件。

复制@Slf4j

@Configuration

@ConditionalOnProperty(prefix = GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX, value = { "enable"}, havingValue = "true")public class GatewayPluginConfig { /** * Gateway插件是否生效 * @return */

@Bean

@ConditionalOnMissingBean(GatewayPluginProperties.class) @ConfigurationProperties(GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX) public GatewayPluginProperties gatewayPluginProperties(){ return new GatewayPluginProperties(); }

......

/** * sql注入拦截插件 * @return */

@Bean

@ConditionalOnMissingBean(SqlInjectionFilter.class) @ConditionalOnProperty(prefix = GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX, value = { "sqlInjection.enable" },havingValue = "true") public SqlInjectionFilter sqlInjectionFilter(@Autowired GatewayPluginProperties gatewayPluginProperties){ SqlInjectionFilter sqlInjectionFilter = new SqlInjectionFilter(gatewayPluginProperties); log.debug("Load SQL Injection Filter Config Bean"); return sqlInjectionFilter; } /** * xss注入拦截插件 * @return */

@Bean

@ConditionalOnMissingBean(XssInjectionFilter.class) @ConditionalOnProperty(prefix = GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX, value = { "xssInjection.enable" },havingValue = "true") public XssInjectionFilter xssInjectionFilter(@Autowired GatewayPluginProperties gatewayPluginProperties){ XssInjectionFilter xssInjectionFilter = new XssInjectionFilter(gatewayPluginProperties); log.debug("Load XSS Injection Filter Config Bean"); return xssInjectionFilter; }

......

}1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.27.28.29.30.31.32.33.34.35.36.37.38.39.40.41.42.43.44.45.

在日常开发过程中很多业务需求都不会从前端传入SQL脚本和XSS脚本，所以很多的开发框架都不去识别前端参数是否有安全风险，然后直接禁止掉所有前端传入的的脚本，这样就强制规避了SQL注入和XSS攻击的风险。但是在某些特殊业务情况下，尤其是传统行业系统，需要通过前端配置执行脚本，然后由业务系统去执行这些配置的脚本，这个时候就需要通过配置来进行识别和判断，然后对容易引起安全性风险的脚本进转换和配置，在保证业务正常运行的情况下完成脚本配置。

源码地址:

Gitee:

https://gitee.com/wmz1930/GitEgg

GitHub:

https://github.com/wmz1930/GitEgg

作者:域名