package com.vci.ubcs.gateway.filter;
|
|
import org.slf4j.Logger;
|
import org.slf4j.LoggerFactory;
|
import org.springframework.beans.factory.annotation.Value;
|
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
|
import org.springframework.cloud.gateway.filter.GlobalFilter;
|
import org.springframework.core.Ordered;
|
import org.springframework.http.HttpStatus;
|
import org.springframework.http.server.reactive.ServerHttpRequest;
|
import org.springframework.stereotype.Component;
|
import org.springframework.web.server.ServerWebExchange;
|
import reactor.core.publisher.Mono;
|
|
import javax.annotation.PostConstruct;
|
import java.util.Arrays;
|
import java.util.HashSet;
|
import java.util.Set;
|
import java.util.regex.Pattern;
|
|
/**
|
* 全局URL安全过滤器 - 对所有请求生效
|
* 直接使用@Value注解读取配置
|
*/
|
@Component
|
public class GlobalUrlSecurityFilter implements GlobalFilter, Ordered {
|
private static final Logger log = LoggerFactory.getLogger(GlobalUrlSecurityFilter.class);
|
|
// 是否启用URL安全过滤器
|
@Value("${gateway.security.url.enabled:true}")
|
private boolean enabled;
|
|
// 危险字符正则表达式
|
@Value("${gateway.security.url.dangerous-pattern:<script|</script|javascript:|onload|onerror|onclick|union.*select|select.*from|[\"';<>\\x00-\\x1F\\x7F]|%3C|%3E|%27|%22|%00|\\.\\./|\\.\\.\\\\}")
|
private String dangerousPattern;
|
|
// 白名单路径
|
@Value("${gateway.security.url.whitelist-paths:/health,/actuator/health,/actuator/info,/favicon.ico}")
|
private String[] whitelistPaths;
|
|
private Pattern compiledPattern;
|
|
private Set<String> whitelistSet;
|
|
/**
|
* 初始化方法
|
*/
|
@PostConstruct
|
public void init() {
|
try {
|
// 编译危险字符正则表达式
|
this.compiledPattern = Pattern.compile(dangerousPattern, Pattern.CASE_INSENSITIVE);
|
|
// 初始化白名单集合
|
this.whitelistSet = new HashSet<>(Arrays.asList(whitelistPaths));
|
|
log.info("全局URL安全过滤器初始化完成");
|
log.info("过滤器状态: {}", enabled ? "已启用" : "已禁用");
|
log.info("白名单路径: {}", whitelistSet);
|
|
} catch (Exception e) {
|
log.error("初始化过滤器失败", e);
|
// 使用默认配置作为后备
|
this.compiledPattern = Pattern.compile(
|
"<script|</script|javascript:|onload|onerror|onclick|union.*select|select.*from|[\"';<>\\x00-\\x1F\\x7F]|%3C|%3E|%27|%22|%00|\\.\\./|\\.\\.\\\\",
|
Pattern.CASE_INSENSITIVE
|
);
|
this.whitelistSet = new HashSet<>(Arrays.asList(
|
"/health", "/actuator/health", "/actuator/info", "/favicon.ico"
|
));
|
}
|
}
|
|
@Override
|
public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
|
// 检查是否启用过滤器
|
if (!enabled) {
|
return chain.filter(exchange);
|
}
|
|
ServerHttpRequest request = exchange.getRequest();
|
String path = request.getURI().getPath();
|
String method = request.getMethod().name();
|
|
// 检查白名单路径
|
if (isWhitelistedPath(path)) {
|
return chain.filter(exchange);
|
}
|
|
// 验证路径安全性
|
if (!isPathSafe(path)) {
|
log.warn("拦截危险请求: {} {}", method, request.getURI());
|
exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
|
return exchange.getResponse().setComplete();
|
}
|
|
return chain.filter(exchange);
|
}
|
|
@Override
|
public int getOrder() {
|
return Ordered.HIGHEST_PRECEDENCE;
|
}
|
|
/**
|
* 验证路径安全性
|
*/
|
private boolean isPathSafe(String path) {
|
if (path == null || path.isEmpty()) {
|
return true;
|
}
|
|
// 检查路径遍历
|
if (path.contains("../") || path.contains("..\\")) {
|
return false;
|
}
|
|
// 检查危险字符
|
if (compiledPattern.matcher(path).find()) {
|
return false;
|
}
|
|
return true;
|
}
|
|
/**
|
* 检查路径是否在白名单中
|
*/
|
private boolean isWhitelistedPath(String path) {
|
if (path == null) {
|
return false;
|
}
|
|
for (String whitelistPath : whitelistSet) {
|
if (path.startsWith(whitelistPath) || path.equals(whitelistPath)) {
|
return true;
|
}
|
}
|
|
return false;
|
}
|
}
|
