using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text.RegularExpressions;
using Competition.Common.Util;
using CompetitionAPI.api.unity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Controllers;
using Microsoft.AspNetCore.Mvc.Filters;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Org.BouncyCastle.Ocsp;
namespace CompetitionAPI
{
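/// <summary>
/// Action filter that rejects request values containing characters outside a whitelist or
/// fragments from a SQL keyword blacklist. It is defense in depth only: the rejection happens
/// before the action runs, but handlers are still expected to use parameterized queries.
/// </summary>
public class APIFilter : ActionFilterAttribute
{
    /// <summary>
    /// Character whitelist applied to every inspected value (ASCII letters/digits, CJK ideographs,
    /// common punctuation and a handful of symbols). The pattern is one anchored character class,
    /// so it matches in linear time and cannot backtrack catastrophically.
    /// </summary>
    private static readonly Regex AllowedCharacters = new Regex(
        @"^[\.:"",\{ \}\[\]a-zA-Z0-9_\u4e00-\u9fa5\s-、\(\)()\\//,。;;\?“”;:?!!\n\r\t*#Φ~|\u2103×]+$");

    /// <summary>
    /// (controller, property) pairs of the "req" argument that are exempt from validation.
    /// Passwords may legitimately contain characters outside the whitelist, so they are skipped here.
    /// </summary>
    private static readonly HashSet<(string Controller, string Field)> ExemptFields =
        new HashSet<(string Controller, string Field)>
        {
            ("AddUser", "PassWord"),
            ("EditUserMim", "NewPassWord"),
            ("ChangePassword", "OldPassword"),
            ("ChangePassword", "NewPassword"),
        };

    /// <summary>
    /// Properties of each item in the WriteUserOperationTicket "data" JSON array that are validated.
    /// </summary>
    private static readonly string[] OperationTicketFields =
    {
        "ExamOperationTicketId",
        "ExamId",
        "OperationTicketId",
        "Type",
        "SerialNumber",
        "Content",
    };

    /// <summary>
    /// Runs before the action method. Every action argument is inspected; the first value that
    /// fails <see cref="CheckParams"/> short-circuits the request with an
    /// <see cref="ObjectResult"/> carrying <c>APICode.Fail</c> and the failure message.
    /// </summary>
    /// <param name="context">The executing-action context supplied by MVC.</param>
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // Null when the endpoint is not a controller action; the per-controller rules below must tolerate that.
        var descriptor = context.ActionDescriptor as ControllerActionDescriptor;
        string controllerName = descriptor?.ControllerName ?? string.Empty;

        foreach (var arg in context.ActionArguments)
        {
            if (arg.Value == null)
            {
                continue;
            }

            // NOTE(review): arguments other than "req" are validated through ToString() only; for a
            // complex object that is its type name, so its members are not inspected — confirm this is intended.
            bool ok = arg.Key == "req"
                ? CheckRequestObject(context, controllerName, arg.Value)
                : CheckValue(context, arg.Key, arg.Value.ToString() ?? string.Empty);

            if (!ok)
            {
                // context.Result is already set; stop at the first failure instead of evaluating the rest.
                return;
            }
        }
    }

    /// <summary>
    /// Runs after the action method and before the result executes. Intentionally empty.
    /// </summary>
    public override void OnActionExecuted(ActionExecutedContext context) { }

    /// <summary>
    /// Runs before the result executes. Intentionally empty.
    /// </summary>
    public override void OnResultExecuting(ResultExecutingContext context) { }

    /// <summary>
    /// Runs after the result has executed. Intentionally empty.
    /// </summary>
    public override void OnResultExecuted(ResultExecutedContext context) { }

    /// <summary>
    /// Sets the failure result on the context and returns false so callers can write
    /// <c>return Reject(...)</c> from any depth of the validation walk.
    /// </summary>
    private static bool Reject(ActionExecutingContext context, string message)
    {
        context.Result = new ObjectResult(Tool.GetJsonWithCode(APICode.Fail, message));
        return false;
    }

    /// <summary>
    /// Validates one scalar value; on failure the rejection result is set on the context.
    /// </summary>
    /// <returns>True if the value is acceptable.</returns>
    private bool CheckValue(ActionExecutingContext context, string key, string value)
    {
        return CheckParams(key, value, out string message) || Reject(context, message);
    }

    /// <summary>
    /// Walks the public instance properties of the "req" argument and validates each one
    /// according to its kind: the WriteUserOperationTicket "data" JSON string, a
    /// <c>List&lt;T&gt;</c> property, an exempt password field, or a plain scalar.
    /// </summary>
    private bool CheckRequestObject(ActionExecutingContext context, string controllerName, object req)
    {
        PropertyInfo[] properties = req.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance);
        foreach (PropertyInfo property in properties)
        {
            // Indexers need an argument; GetValue on them throws, so they are not inspected.
            if (property.GetIndexParameters().Length > 0)
            {
                continue;
            }

            object fieldValue = property.GetValue(req);
            if (fieldValue == null)
            {
                continue;
            }

            string fieldName = property.Name;
            bool ok;
            if (controllerName == "WriteUserOperationTicket" && fieldName == "data")
            {
                ok = CheckOperationTicketList(context, fieldName, fieldValue.ToString() ?? string.Empty);
            }
            else if (IsListProperty(property))
            {
                ok = CheckListProperty(context, fieldName, fieldValue);
            }
            else if (ExemptFields.Contains((controllerName, fieldName)))
            {
                ok = true;
            }
            else
            {
                // NOTE(review): a nested non-List object is validated via ToString() (its type name), not its members.
                ok = CheckValue(context, fieldName, fieldValue.ToString() ?? string.Empty);
            }

            if (!ok)
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Mirrors the original check on the property type's full name, which matched
    /// <c>System.Collections.Generic.List`1</c>.
    /// </summary>
    private static bool IsListProperty(PropertyInfo property)
    {
        string typeName = property.PropertyType.FullName;
        return typeName != null
            && typeName.IndexOf("System.Collections.Generic.List", StringComparison.Ordinal) >= 0;
    }

    /// <summary>
    /// Validates the WriteUserOperationTicket "data" field, a JSON string holding an array of
    /// ticket objects. Each item's <see cref="OperationTicketFields"/> are checked when present.
    /// Malformed JSON or a non-object element is rejected instead of throwing (an unhandled
    /// parse exception would surface as a server error rather than a validation failure).
    /// </summary>
    private bool CheckOperationTicketList(ActionExecutingContext context, string fieldName, string json)
    {
        JArray items;
        try
        {
            items = JArray.Parse(json);
        }
        catch (JsonException)
        {
            return Reject(context, string.Format("异常值:{0} 请检查!", fieldName));
        }

        foreach (JToken item in items)
        {
            var ticket = item as JObject;
            if (ticket == null)
            {
                return Reject(context, string.Format("异常值:{0} 请检查!", fieldName));
            }

            foreach (string name in OperationTicketFields)
            {
                // NOTE(review): assumes the JSON property names equal the DTO member names (the original
                // deserialized into a project DTO whose type was lost); verify against that DTO's attributes.
                string text = ScalarText(ticket.GetValue(name, StringComparison.OrdinalIgnoreCase));
                if (!string.IsNullOrEmpty(text) && !CheckValue(context, name, text))
                {
                    return false;
                }
            }
        }
        return true;
    }

    /// <summary>
    /// Returns the text of a JSON token: null for missing/null, the raw value for scalars,
    /// and compact JSON for nested objects or arrays (which the plain string cast would refuse).
    /// </summary>
    private static string ScalarText(JToken token)
    {
        if (token == null || token.Type == JTokenType.Null)
        {
            return null;
        }
        return token is JValue ? (string)token : token.ToString(Formatting.None);
    }

    /// <summary>
    /// Validates a <c>List&lt;T&gt;</c> property by round-tripping it through JSON and checking
    /// every scalar it contains, however deeply nested.
    /// </summary>
    private bool CheckListProperty(ActionExecutingContext context, string fieldName, object list)
    {
        JToken root = JToken.Parse(JsonConvert.SerializeObject(list));
        return CheckToken(context, fieldName, root);
    }

    /// <summary>
    /// Recursively validates every scalar under <paramref name="token"/>. Object members use
    /// their property name as the key; array elements inherit the enclosing key. Nested
    /// containers are descended rather than cast to string, which previously threw.
    /// </summary>
    private bool CheckToken(ActionExecutingContext context, string key, JToken token)
    {
        switch (token)
        {
            case JObject obj:
                foreach (JProperty prop in obj.Properties())
                {
                    if (!CheckToken(context, prop.Name, prop.Value))
                    {
                        return false;
                    }
                }
                return true;
            case JArray arr:
                foreach (JToken child in arr)
                {
                    if (!CheckToken(context, key, child))
                    {
                        return false;
                    }
                }
                return true;
            case JValue value:
                return value.Type == JTokenType.Null || CheckValue(context, key, (string)value);
            default:
                return true;
        }
    }

    /// <summary>
    /// SQL-like fragments that are rejected anywhere in a value (matched case-insensitively by
    /// <see cref="CheckParams"/>). A blacklist cannot be complete; it complements, and does not
    /// replace, parameterized queries in the handlers.
    /// </summary>
    public List<string> list_sql_filter = new List<string>()
    {
        "ascii(","ord(","hex(","bin("
        ," if(","+if(" ," char(","+char("
        ,"substr(","substring(" ,"mid("," replace(","+replace("
        ,"sleep(","benchmark("
        ,"concat(","concat_ws"
        ," floor(" ," rand(","+floor(" ,"+rand("
        ," limit"," offset " ," regexp "
        ,"user(","database(" ,"desc(","version(","datadir","version_compile_os" ,"table(","columns("
        ,"and+" ,"+and"
        ," between "," in "," and "," or "," xor "," not "," like "," rlike "," begin "," join "
        ," > ","> "," >" ," < ","< "," <"," = ","= "," ="
        ,"<>","!="," + ","+ "," +"
        ,"greatest(","least(","strcmp(","left(","right("
        ," select "," from "," where ","order by"," union "," group "
        ," insert "," update "," delete ","table_schema","information_schema.columns","truncate","execute","table","drop","into","exec"
    };

    /// <summary>
    /// Checks whether a parameter value is acceptable: blank values pass; otherwise the value
    /// must match <see cref="AllowedCharacters"/> and contain none of <see cref="list_sql_filter"/>.
    /// </summary>
    /// <param name="key">Parameter name. Currently not used in the message; kept for callers.</param>
    /// <param name="value">The value to inspect; null or whitespace is accepted.</param>
    /// <param name="message">Empty on success; otherwise the rejection text (echoes the value or the matched fragment).</param>
    /// <returns>True if the value is acceptable.</returns>
    public bool CheckParams(string key, string value, out string message)
    {
        message = "";
        if (string.IsNullOrWhiteSpace(value))
        {
            return true;
        }

        if (!AllowedCharacters.IsMatch(value))
        {
            message = string.Format("异常值:{0} 请检查!", value);
            return false;
        }

        foreach (string fragment in list_sql_filter)
        {
            // Ordinal, case-insensitive search instead of culture-sensitive ToLower(): under some cultures
            // (e.g. Turkish "I") lowering changes ASCII letters and would let "ASCII(" slip past the list.
            if (value.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                message = string.Format("异常值:{0} 请检查!", fragment);
                return false;
            }
        }
        return true;
    }
}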
}