CompetitionAPI_dotnet/CompetitionAPI/APIFilter.cs


using Microsoft.AspNetCore.Mvc.Controllers;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Competition.Common.Util;
using System.Text.RegularExpressions;
using System.Reflection;
using System.Linq;
using System.Collections;
using Newtonsoft.Json;
using Org.BouncyCastle.Ocsp;
using CompetitionAPI.api.unity;
using Newtonsoft.Json.Linq;
namespace CompetitionAPI
{
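public class APIFilter : ActionFilterAttribute
{
    /// <summary>
    /// Allow-list of characters a parameter value may contain (used by <see cref="CheckParams"/>).
    /// The pattern is a single anchored character class, so matching is linear in the input
    /// length and cannot backtrack catastrophically.
    /// </summary>
    private static readonly Regex s_allowedChars = new Regex(
        @"^[\.:"",\{ \}\[\]a-zA-Z0-9_\u4e00-\u9fa5\s-、\(\)\\//,。;\?“”;!\n\r\t*#Φ~|\u2103×]+$",
        RegexOptions.Compiled);

    /// <summary>
    /// (controller, property) pairs whose values are deliberately not screened. Password
    /// fields may legitimately contain characters the allow-list rejects. The exemption
    /// presumes those values never reach SQL unparameterised — confirm in the password
    /// handling code before relying on it.
    /// </summary>
    private static readonly HashSet<(string Controller, string Field)> s_unscreenedFields =
        new HashSet<(string, string)>
        {
            ("AddUser", "PassWord"),
            ("EditUserMim", "NewPassWord"),
            ("ChangePassword", "OldPassword"),
            ("ChangePassword", "NewPassword"),
        };

    /// <summary>
    /// Runs before the action method. Every action argument is screened through
    /// <see cref="CheckParams"/>; the first failing value short-circuits the pipeline by
    /// setting <c>context.Result</c> to an <c>APICode.Fail</c> response, so the action
    /// never runs and no further deserialisation is attempted.
    /// This is a deny-list screen and a defence-in-depth layer only; it does not replace
    /// parameterised queries in the data layer.
    /// </summary>
    /// <param name="context">The executing-action context supplied by MVC.</param>
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // ControllerName selects the special cases below; a missing descriptor matches none of them.
        string controllerName =
            (context.ActionDescriptor as ControllerActionDescriptor)?.ControllerName ?? string.Empty;

        foreach (var arg in context.ActionArguments)
        {
            if (arg.Value is null)
            {
                continue;
            }

            // Only the "req" argument is inspected property by property; any other argument
            // is screened through its ToString() form.
            string failure = arg.Key == "req"
                ? CheckRequestObject(controllerName, arg.Value)
                : CheckValue(arg.Key, arg.Value.ToString());

            if (failure is not null)
            {
                context.Result = new ObjectResult(Tool.GetJsonWithCode(APICode.Fail, failure));
                return;
            }
        }
    }

    /// <summary>
    /// Screens one value and returns the failure message, or <c>null</c> when it is acceptable.
    /// </summary>
    private string CheckValue(string key, string value)
    {
        return CheckParams(key, value, out string message) ? null : message;
    }

    /// <summary>
    /// Walks the public instance properties of the "req" argument and returns the first
    /// failure message, or <c>null</c> when every property passes.
    /// </summary>
    /// <param name="controllerName">Name of the controller handling the request.</param>
    /// <param name="request">The bound "req" argument; never <c>null</c>.</param>
    private string CheckRequestObject(string controllerName, object request)
    {
        PropertyInfo[] properties = request.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance);

        foreach (PropertyInfo property in properties)
        {
            // Indexers require an index argument; GetValue would throw on them.
            if (property.GetIndexParameters().Length != 0)
            {
                continue;
            }

            object value = property.GetValue(request);
            if (value is null)
            {
                continue;
            }

            string typeName = property.PropertyType.FullName ?? string.Empty;
            string failure;

            if (controllerName == "WriteUserOperationTicket" && property.Name == "data")
            {
                // "data" carries a JSON-encoded list of tickets; screen the known text fields.
                failure = CheckOperationTicketData(value.ToString());
            }
            else if (typeName.Contains("System.Collections.Generic.List", StringComparison.Ordinal))
            {
                // Round-trip through JSON so nested objects and lists are screened leaf by leaf.
                failure = CheckJsonToken(property.Name, JToken.Parse(JsonConvert.SerializeObject(value)));
            }
            else if (s_unscreenedFields.Contains((controllerName, property.Name)))
            {
                failure = null;
            }
            else
            {
                failure = CheckValue(property.Name, value.ToString());
            }

            if (failure is not null)
            {
                return failure;
            }
        }

        return null;
    }

    /// <summary>
    /// Recursively screens every leaf of a JSON token. Objects contribute their property
    /// names as the reported key; array elements inherit the key of their container.
    /// </summary>
    private string CheckJsonToken(string key, JToken token)
    {
        switch (token)
        {
            case JObject obj:
                foreach (JProperty prop in obj.Properties())
                {
                    string failure = CheckJsonToken(prop.Name, prop.Value);
                    if (failure is not null)
                    {
                        return failure;
                    }
                }
                return null;

            case JArray array:
                foreach (JToken child in array)
                {
                    string failure = CheckJsonToken(key, child);
                    if (failure is not null)
                    {
                        return failure;
                    }
                }
                return null;

            case JValue leaf:
                // Explicit string conversion is defined for every primitive JValue kind.
                return CheckValue(key, (string)leaf);

            default:
                return null;
        }
    }

    /// <summary>
    /// Screens the JSON-encoded ticket list sent to WriteUserOperationTicket. Malformed JSON
    /// is reported as a bad value instead of surfacing as an unhandled exception.
    /// </summary>
    /// <param name="json">The raw "data" property value.</param>
    private string CheckOperationTicketData(string json)
    {
        List<OperationTicketData> tickets;
        try
        {
            tickets = JsonConvert.DeserializeObject<List<OperationTicketData>>(json);
        }
        catch (JsonException)
        {
            return string.Format("异常值:{0} 请检查!", "data");
        }

        if (tickets is null)
        {
            return null;
        }

        foreach (OperationTicketData ticket in tickets)
        {
            if (ticket is null)
            {
                continue;
            }

            var fields = new[]
            {
                ("ExamOperationTicketId", ticket.ExamOperationTicketId),
                ("ExamId", ticket.ExamId),
                ("OperationTicketId", ticket.OperationTicketId),
                ("Type", ticket.Type),
                ("SerialNumber", ticket.SerialNumber),
                ("Content", ticket.Content),
            };

            foreach (var (name, value) in fields)
            {
                if (string.IsNullOrEmpty(value))
                {
                    continue;
                }

                string failure = CheckValue(name, value);
                if (failure is not null)
                {
                    return failure;
                }
            }
        }

        return null;
    }

    /// <summary>
    /// Runs after the action method and before the result executes. Intentionally a no-op.
    /// </summary>
    /// <param name="context">The executed-action context supplied by MVC.</param>
    public override void OnActionExecuted(ActionExecutedContext context) { }

    /// <summary>
    /// Runs before the result executes. Intentionally a no-op.
    /// </summary>
    /// <param name="context">The executing-result context supplied by MVC.</param>
    public override void OnResultExecuting(ResultExecutingContext context) { }

    /// <summary>
    /// Runs after the result has executed. Intentionally a no-op.
    /// </summary>
    /// <param name="context">The executed-result context supplied by MVC.</param>
    public override void OnResultExecuted(ResultExecutedContext context) { }

    /// <summary>
    /// Deny-list of SQL fragments. Matching is an ordinal substring test on the
    /// lower-cased value, so bare words such as "table", "exec", "into" and "drop" also
    /// reject ordinary text that merely contains them ("tablet", "executive", ...).
    /// </summary>
    public List<string> list_sql_filter = new List<string>()
    {
        "ascii(", "ord(", "hex(", "bin(",
        " if(", "+if(", " char(", "+char(",
        "substr(", "substring(", "mid(", " replace(", "+replace(",
        "sleep(", "benchmark(",
        "concat(", "concat_ws",
        " floor(", " rand(", "+floor(", "+rand(",
        " limit", " offset ", " regexp ",
        "user(", "database(", "desc(", "version(", "datadir", "version_compile_os", "table(", "columns(",
        "and+", "+and",
        " between ", " in ", " and ", " or ", " xor ", " not ", " like ", " rlike ", " begin ", " join ",
        " > ", "> ", " >", " < ", "< ", " <", " = ", "= ", " =",
        "<>", "!=", " + ", "+ ", " +",
        "greatest(", "least(", "strcmp(", "left(", "right(",
        " select ", " from ", " where ", "order by", " union ", " group ",
        " insert ", " update ", " delete ", "table_schema", "information_schema.columns", "truncate", "execute", "table", "drop", "into", "exec",
    };

    /// <summary>
    /// Checks whether a parameter value is acceptable: it must consist only of allow-listed
    /// characters and must not contain any fragment from <see cref="list_sql_filter"/>.
    /// Blank values are accepted.
    /// </summary>
    /// <param name="key">Name of the parameter being checked (not part of the message).</param>
    /// <param name="value">The value to screen; <c>null</c> and whitespace pass.</param>
    /// <param name="message">Empty on success; otherwise a message that echoes the rejected
    /// value or fragment. The echo is raw input, so render it only as data (JSON), never as HTML.</param>
    /// <returns><c>true</c> when the value is acceptable.</returns>
    public bool CheckParams(string key, string value, out string message)
    {
        message = "";

        if (string.IsNullOrWhiteSpace(value))
        {
            return true;
        }

        if (!s_allowedChars.IsMatch(value))
        {
            message = string.Format("异常值:{0} 请检查!", value);
            return false;
        }

        // Invariant lower-casing: a culture-sensitive ToLower() (e.g. Turkish "I" -> dotless "ı")
        // would let upper-case keywords slip past the deny-list.
        string lowered = value.ToLowerInvariant();

        foreach (string fragment in list_sql_filter)
        {
            if (lowered.Contains(fragment, StringComparison.Ordinal))
            {
                message = string.Format("异常值:{0} 请检查!", fragment);
                return false;
            }
        }

        return true;
    }
}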
}