SpringCloud微服务实战——搭建企业级开发框架：微服务安全加固—自定义Gateway拦截器实现防止SQL注入/XSS攻击_gateway拦截器配置

 SQL注入是常见的系统安全问题之一，用户通过特定方式向系统发送SQL脚本，可直接自定义操作系统数据库，如果系统没有对SQL注入进行拦截，那么用户甚至可以直接对数据库进行增删改查等操作。

  XSS全称为Cross Site Script跨站点脚本攻击，和SQL注入类似，都是通过特定方式向系统发送攻击脚本，对系统进行控制和侵害。SQL注入主要以攻击数据库来达到攻击系统的目的，而XSS则是以恶意执行前端脚本来攻击系统。

  项目框架中使用mybatis/mybatis-plus数据持久层框架，在使用过程中，已有规避SQL注入的规则和使用方法。但是在实际开发过程中，由于各种原因，开发人员对持久层框架的掌握水平不同，有些特殊业务情况必须从前台传入SQL脚本。这时就需要对系统进行加固，防止特殊情况下引起的系统风险。

  在微服务架构下，我们考虑如何实现SQL注入/XSS攻击拦截时，肯定不会在每个微服务都实现一遍SQL注入/XSS攻击拦截。根据我们微服务系统的设计，所有的请求都会经过Gateway网关，所以在实现时就可以参照前面的日志拦截器来实现。在接收到一个请求时，通过拦截器解析请求参数，判断是否有SQL注入/XSS攻击参数，如果有，那么返回异常即可。

  我们前面在对微服务Gateway进行自定义扩展时，增加了Gateway插件功能。我们会根据系统需求开发各种Gateway功能扩展插件，并且可以根据系统配置文件来启用/禁用这些插件。下面我们就将防止SQL注入/XSS攻击拦截器作为一个Gateway插件来开发和配置。

1、新增SqlInjectionFilter 过滤器和XssInjectionFilter过滤器，分别用于解析请求参数并对参数进行判断是否存在SQL注入/XSS攻脚本。此处有公共判断方法，通过配置文件来读取请求的过滤配置，因为不是多有的请求都会引发SQL注入和XSS攻击，如果无差别的全部拦截和请求，那么势必影响到系统的性能。

• 判断SQL注入的拦截器

/**
 * 防sql注入
 * @author GitEgg
 */
@Log4j2
@AllArgsConstructor
public class SqlInjectionFilter implements GlobalFilter, Ordered {
 
......
 
        // 当返回参数为true时，解析请求参数和返回参数
        if (shouldSqlInjection(exchange))
        {
            MultiValueMap<String, String> queryParams = request.getQueryParams();
            boolean chkRetGetParams = SqlInjectionRuleUtils.mapRequestSqlKeyWordsCheck(queryParams);
    
            boolean chkRetJson = false;
            boolean chkRetFormData = false;
            
            HttpHeaders headers = request.getHeaders();
            MediaType contentType = headers.getContentType();
            long length = headers.getContentLength();
 
            if(length > 0 && null != contentType && (contentType.includes(MediaType.APPLICATION_JSON)
                    ||contentType.includes(MediaType.APPLICATION_JSON_UTF8))){
                chkRetJson = SqlInjectionRuleUtils.jsonRequestSqlKeyWordsCheck(gatewayContext.getRequestBody());
            }
            
            if(length > 0 && null != contentType  && contentType.includes(MediaType.APPLICATION_FORM_URLENCODED)){
                log.debug("[RequestLogFilter](Request)FormData:{}",gatewayContext.getFormData());
                chkRetFormData = SqlInjectionRuleUtils.mapRequestSqlKeyWordsCheck(gatewayContext.getFormData());
            }
            
            if (chkRetGetParams || chkRetJson || chkRetFormData)
            {
                return WebfluxResponseUtils.responseWrite(exchange, "参数中不允许存在sql关键字");
            }
            return chain.filter(exchange);
        }
        else {
            return chain.filter(exchange);
        }
    }
 
......
 
}

• 判断XSS攻击的拦截器

/**
 * 防xss注入
 * @author GitEgg
 */
@Log4j2
@AllArgsConstructor
public class XssInjectionFilter implements GlobalFilter, Ordered {
 
 ......
 
        // 当返回参数为true时，记录请求参数和返回参数
        if (shouldXssInjection(exchange))
        {
            MultiValueMap<String, String> queryParams = request.getQueryParams();
            boolean chkRetGetParams = XssInjectionRuleUtils.mapRequestSqlKeyWordsCheck(queryParams);
    
            boolean chkRetJson = false;
            boolean chkRetFormData = false;
            
            HttpHeaders headers = request.getHeaders();
            MediaType contentType = headers.getContentType();
            long length = headers.getContentLength();
 
            if(length > 0 && null != contentType && (contentType.includes(MediaType.APPLICATION_JSON)
                    ||contentType.includes(MediaType.APPLICATION_JSON_UTF8))){
                chkRetJson = XssInjectionRuleUtils.jsonRequestSqlKeyWordsCheck(gatewayContext.getRequestBody());
            }
            
            if(length > 0 && null != contentType  && contentType.includes(MediaType.APPLICATION_FORM_URLENCODED)){
                log.debug("[RequestLogFilter](Request)FormData:{}",gatewayContext.getFormData());
                chkRetFormData = XssInjectionRuleUtils.mapRequestSqlKeyWordsCheck(gatewayContext.getFormData());
            }
            
            if (chkRetGetParams || chkRetJson || chkRetFormData)
            {
                return WebfluxResponseUtils.responseWrite(exchange, "参数中不允许存在XSS注入关键字");
            }
            return chain.filter(exchange);
        }
        else {
            return chain.filter(exchange);
        }
    }
 
......
 
}

2、新增SqlInjectionRuleUtils工具类和XssInjectionRuleUtils工具类，通过正则表达式，用于判断参数是否属于SQL注入/XSS攻击脚本。

• 通过正则表达式对参数进行是否有SQL注入风险的判断

/**
 * 防sql注入工具类
 * @author GitEgg
 */
@Slf4j
public class SqlInjectionRuleUtils {
    
    /**
     * SQL的正则表达式
     */
    private static String badStrReg = "\\b(and|or)\\b.{1,6}?(=|>|<|\\bin\\b|\\blike\\b)|\\/\\*.+?\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
    
    /**
     * SQL的正则表达式
     */
    private static Pattern sqlPattern = Pattern.compile(badStrReg, Pattern.CASE_INSENSITIVE);
    
    
    /**
     * sql注入校验 map
     *
     * @param map
     * @return
     */
    public static boolean mapRequestSqlKeyWordsCheck(MultiValueMap<String, String> map) {
        //对post请求参数值进行sql注入检验
        return map.entrySet().stream().parallel().anyMatch(entry -> {
            //这里需要将参数转换为小写来处理
            String lowerValue = Optional.ofNullable(entry.getValue())
                    .map(Object::toString)
                    .map(String::toLowerCase)
                    .orElse("");
            if (sqlPattern.matcher(lowerValue).find()) {
                log.error("参数[{}]中包含不允许sql的关键词", lowerValue);
                return true;
            }
            return false;
        });
    }
    
    
    /**
     *  sql注入校验 json
     *
     * @param value
     * @return
     */
    public static boolean jsonRequestSqlKeyWordsCheck(String value) {
        if (JSONUtil.isJsonObj(value)) {
            JSONObject json = JSONUtil.parseObj(value);
            Map<String, Object> map = json;
            //对post请求参数值进行sql注入检验
            return map.entrySet().stream().parallel().anyMatch(entry -> {
                //这里需要将参数转换为小写来处理
                String lowerValue = Optional.ofNullable(entry.getValue())
                        .map(Object::toString)
                        .map(String::toLowerCase)
                        .orElse("");
                if (sqlPattern.matcher(lowerValue).find()) {
                    log.error("参数[{}]中包含不允许sql的关键词", lowerValue);
                    return true;
                }
                return false;
            });
        } else {
            JSONArray json = JSONUtil.parseArray(value);
            List<Object> list = json;
            //对post请求参数值进行sql注入检验
            return list.stream().parallel().anyMatch(obj -> {
                //这里需要将参数转换为小写来处理
                String lowerValue = Optional.ofNullable(obj)
                        .map(Object::toString)
                        .map(String::toLowerCase)
                        .orElse("");
                if (sqlPattern.matcher(lowerValue).find()) {
                    log.error("参数[{}]中包含不允许sql的关键词", lowerValue);
                    return true;
                }
                return false;
            });
        }
    }
}
 

• 通过正则表达式对参数进行是否有XSS攻击风险的判断

/**
 * XSS注入过滤工具类
 * @author GitEgg
 */
public class XssInjectionRuleUtils {
    
    private static final Pattern[] PATTERNS = {
            
            // Avoid anything in a <script> type of expression
            Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
            // Avoid anything in a src='...' type of expression
            Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // Remove any lonesome </script> tag
            Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
            // Avoid anything in a <iframe> type of expression
            Pattern.compile("<iframe>(.*?)</iframe>", Pattern.CASE_INSENSITIVE),
            // Remove any lonesome <script ...> tag
            Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // Remove any lonesome <img ...> tag
            Pattern.compile("<img(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // Avoid eval(...) expressions
            Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // Avoid expression(...) expressions
            Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
            // Avoid javascript:... expressions
            Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
            // Avoid vbscript:... expressions
            Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
            // Avoid onload= expressions
            Pattern.compile("on(load|error|mouseover|submit|reset|focus|click)(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL)
    };
    
    public static String stripXSS(String value) {
        if (StringUtils.isEmpty(value)) {
            return value;
        }
        for (Pattern scriptPattern : PATTERNS) {
            value = scriptPattern.matcher(value).replaceAll("");
        }
        return value;
    }
    
    public static boolean hasStripXSS(String value) {
        if (!StringUtils.isEmpty(value)) {
            for (Pattern scriptPattern : PATTERNS) {
                if (scriptPattern.matcher(value).find() == true)
                {
                    return true;
                }
            }
        }
        return false;
    }
    
    /**
     * xss注入校验 map
     *
     * @param map
     * @return
     */
    public static boolean mapRequestSqlKeyWordsCheck(MultiValueMap<String, String> map) {
        //对post请求参数值进行sql注入检验
        return map.entrySet().stream().parallel().anyMatch(entry -> {
            //这里需要将参数转换为小写来处理
            String lowerValue = Optional.ofNullable(entry.getValue())
                    .map(Object::toString)
                    .map(String::toLowerCase)
                    .orElse("");
            if (hasStripXSS(lowerValue)) {
                return true;
            }
            return false;
        });
    }
    
    
    /**
     *  xss注入校验 json
     *
     * @param value
     * @return
     */
    public static boolean jsonRequestSqlKeyWordsCheck(String value) {
        if (JSONUtil.isJsonObj(value)) {
            JSONObject json = JSONUtil.parseObj(value);
            Map<String, Object> map = json;
            //对post请求参数值进行sql注入检验
            return map.entrySet().stream().parallel().anyMatch(entry -> {
                //这里需要将参数转换为小写来处理
                String lowerValue = Optional.ofNullable(entry.getValue())
                        .map(Object::toString)
                        .map(String::toLowerCase)
                        .orElse("");
                if (hasStripXSS(lowerValue)) {
                    return true;
                }
                return false;
            });
        } else {
            JSONArray json = JSONUtil.parseArray(value);
            List<Object> list = json;
            //对post请求参数值进行sql注入检验
            return list.stream().parallel().anyMatch(obj -> {
                //这里需要将参数转换为小写来处理
                String lowerValue = Optional.ofNullable(obj)
                        .map(Object::toString)
                        .map(String::toLowerCase)
                        .orElse("");
                if (hasStripXSS(lowerValue)) {
                    return true;
                }
                return false;
            });
        }
    }
    
}

3、在GatewayRequestContextFilter 中新增判断那些请求需要解析参数。因为出于性能等方面的考虑，网关并不是对所有的参数都进行解析，只有在需要记录日志、防止SQL注入/XSS攻击时才会进行解析。

    /**
     * check should read request data whether or not
     * @return boolean
     */
    private boolean shouldReadRequestData(ServerWebExchange exchange){
        if(gatewayPluginProperties.getLogRequest().getRequestLog()
                && GatewayLogTypeEnum.ALL.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())){
            log.debug("[GatewayContext]Properties Set Read All Request Data");
            return true;
        }
 
        boolean serviceFlag = false;
        boolean pathFlag = false;
        boolean lbFlag = false;
 
        List<String> readRequestDataServiceIdList = gatewayPluginProperties.getLogRequest().getServiceIdList();
 
        List<String> readRequestDataPathList = gatewayPluginProperties.getLogRequest().getPathList();
 
        if(!CollectionUtils.isEmpty(readRequestDataPathList)
                && (GatewayLogTypeEnum.PATH.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())
                    || GatewayLogTypeEnum.CONFIGURE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()))){
            String requestPath = exchange.getRequest().getPath().pathWithinApplication().value();
            for(String path : readRequestDataPathList){
                if(ANT_PATH_MATCHER.match(path,requestPath)){
                    log.debug("[GatewayContext]Properties Set Read Specific Request Data With Request Path:{},Math Pattern:{}", requestPath, path);
                    pathFlag =  true;
                    break;
                }
            }
        }
 
        Route route = exchange.getAttribute(ServerWebExchangeUtils.GATEWAY_ROUTE_ATTR);
        URI routeUri = route.getUri();
        if(!"lb".equalsIgnoreCase(routeUri.getScheme())){
            lbFlag = true;
        }
 
        String routeServiceId = routeUri.getHost().toLowerCase();
        if(!CollectionUtils.isEmpty(readRequestDataServiceIdList)
                && (GatewayLogTypeEnum.SERVICE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())
                || GatewayLogTypeEnum.CONFIGURE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType()))){
            if(readRequestDataServiceIdList.contains(routeServiceId)){
                log.debug("[GatewayContext]Properties Set Read Specific Request Data With ServiceId:{}",routeServiceId);
                serviceFlag =  true;
            }
        }
 
        if (GatewayLogTypeEnum.CONFIGURE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())
                && serviceFlag && pathFlag && !lbFlag)
        {
            return true;
        }
        else if (GatewayLogTypeEnum.SERVICE.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())
                && serviceFlag && !lbFlag)
        {
            return true;
        }
        else if (GatewayLogTypeEnum.PATH.getType().equals(gatewayPluginProperties.getLogRequest().getLogType())
                && pathFlag)
        {
            return true;
        }
 
        return false;
    }

4、在GatewayPluginProperties中新增配置，用于读取Gateway过滤器的系统配置，判断开启新增的防止SQL注入/XSS攻击插件。

@Slf4j
@Getter
@Setter
@ToString
public class GatewayPluginProperties implements InitializingBean {
 
    public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX = "spring.cloud.gateway.plugin.config";
    
    public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX_LOG_REQUEST = GATEWAY_PLUGIN_PROPERTIES_PREFIX + ".logRequest";
    
    public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX_SQL_INJECTION = GATEWAY_PLUGIN_PROPERTIES_PREFIX + ".sqlInjection";
    
    public static final String GATEWAY_PLUGIN_PROPERTIES_PREFIX_XSS_INJECTION = GATEWAY_PLUGIN_PROPERTIES_PREFIX + ".xssInjection";
    
    /**
     * Enable Or Disable
     */
    private Boolean enable = false;
    
    /**
     * LogProperties
     */
    private LogProperties logRequest;
    
    /**
     * SqlInjectionProperties
     */
    private SqlInjectionProperties sqlInjection;
    
    /**
     * XssInjectionProperties
     */
    private XssInjectionProperties xssInjection;
 
    @Override
    public void afterPropertiesSet() {
        log.info("Gateway plugin logRequest enable:", logRequest.enable);
        log.info("Gateway plugin sqlInjection enable:", sqlInjection.enable);
        log.info("Gateway plugin xssInjection enable:", xssInjection.enable);
    }
    
    /**
     * 日志记录相关配置
     */
    @Getter
    @Setter
    @ToString
    public static class LogProperties implements InitializingBean{
    
        /**
         * Enable Or Disable Log Request Detail
         */
        private Boolean enable = false;
    
        /**
         * Enable Or Disable Read Request Data
         */
        private Boolean requestLog = false;
    
        /**
         * Enable Or Disable Read Response Data
         */
        private Boolean responseLog = false;
    
        /**
         * logType
         * all： 所有日志
         * configure:serviceId和pathList交集
         * serviceId： 只记录serviceId配置列表
         * pathList：只记录pathList配置列表
         */
        private String logType = "all";
    
        /**
         * Enable Read Request Data When use discover route by serviceId
         */
        private List<String> serviceIdList = Collections.emptyList();
    
        /**
         * Enable Read Request Data by specific path
         */
        private List<String> pathList = Collections.emptyList();
    
        @Override
        public void afterPropertiesSet() throws Exception {
            if(!CollectionUtils.isEmpty(serviceIdList)){
                serviceIdList = serviceIdList.stream().map(String::toLowerCase).collect(Collectors.toList());
            }
            if(!CollectionUtils.isEmpty(pathList)){
                pathList = pathList.stream().map(String::toLowerCase).collect(Collectors.toList());
            }
        }
    }
    
    /**
     * sql注入拦截相关配置
     */
    @Getter
    @Setter
    @ToString
    public static class SqlInjectionProperties implements InitializingBean{
        
        /**
         * Enable Or Disable
         */
        private Boolean enable = false;
        
        /**
         * Enable Read Request Data When use discover route by serviceId
         */
        private List<String> serviceIdList = Collections.emptyList();
        
        /**
         * Enable Read Request Data by specific path
         */
        private List<String> pathList = Collections.emptyList();
        
        @Override
        public void afterPropertiesSet() {
            if(!CollectionUtils.isEmpty(serviceIdList)){
                serviceIdList = serviceIdList.stream().map(String::toLowerCase).collect(Collectors.toList());
            }
            if(!CollectionUtils.isEmpty(pathList)){
                pathList = pathList.stream().map(String::toLowerCase).collect(Collectors.toList());
            }
        }
    }
    
    /**
     * xss注入拦截相关配置
     */
    @Getter
    @Setter
    @ToString
    public static class XssInjectionProperties implements InitializingBean{
        
        /**
         * Enable Or Disable
         */
        private Boolean enable = false;
        
        /**
         * Enable Read Request Data When use discover route by serviceId
         */
        private List<String> serviceIdList = Collections.emptyList();
        
        /**
         * Enable Read Request Data by specific path
         */
        private List<String> pathList = Collections.emptyList();
        
        @Override
        public void afterPropertiesSet() {
            if(!CollectionUtils.isEmpty(serviceIdList)){
                serviceIdList = serviceIdList.stream().map(String::toLowerCase).collect(Collectors.toList());
            }
            if(!CollectionUtils.isEmpty(pathList)){
                pathList = pathList.stream().map(String::toLowerCase).collect(Collectors.toList());
            }
        }
    }
}

5、GatewayPluginConfig 配置过滤器在启动时动态判断是否启用某些Gateway插件。在这里我们将新增的SQL注入拦截插件和XSS攻击拦截插件配置进来，可以根据配置文件动态判断是否启用SQL注入拦截插件和XSS攻击拦截插件。

@Slf4j
@Configuration
@ConditionalOnProperty(prefix = GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX, value = { "enable"}, havingValue = "true")
public class GatewayPluginConfig {
    
    /**
     * Gateway插件是否生效
     * @return
     */
    @Bean
    @ConditionalOnMissingBean(GatewayPluginProperties.class)
    @ConfigurationProperties(GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX)
    public GatewayPluginProperties gatewayPluginProperties(){
        return new GatewayPluginProperties();
    }
    
......
    
    /**
     * sql注入拦截插件
     * @return
     */
    @Bean
    @ConditionalOnMissingBean(SqlInjectionFilter.class)
    @ConditionalOnProperty(prefix = GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX, value = { "sqlInjection.enable" },havingValue = "true")
    public SqlInjectionFilter sqlInjectionFilter(@Autowired GatewayPluginProperties gatewayPluginProperties){
        SqlInjectionFilter sqlInjectionFilter = new SqlInjectionFilter(gatewayPluginProperties);
        log.debug("Load SQL Injection Filter Config Bean");
        return sqlInjectionFilter;
    }
 
    /**
     * xss注入拦截插件
     * @return
     */
    @Bean
    @ConditionalOnMissingBean(XssInjectionFilter.class)
    @ConditionalOnProperty(prefix = GatewayPluginProperties.GATEWAY_PLUGIN_PROPERTIES_PREFIX, value = { "xssInjection.enable" },havingValue = "true")
    public XssInjectionFilter xssInjectionFilter(@Autowired GatewayPluginProperties gatewayPluginProperties){
        XssInjectionFilter xssInjectionFilter = new XssInjectionFilter(gatewayPluginProperties);
        log.debug("Load XSS Injection Filter Config Bean");
        return xssInjectionFilter;
    }
......
}

  在日常开发过程中很多业务需求都不会从前端传入SQL脚本和XSS脚本，所以很多的开发框架都不去识别前端参数是否有安全风险，然后直接禁止掉所有前端传入的的脚本，这样就强制规避了SQL注入和XSS攻击的风险。但是在某些特殊业务情况下，尤其是传统行业系统，需要通过前端配置执行脚本，然后由业务系统去执行这些配置的脚本，这个时候就需要通过配置来进行识别和判断，然后对容易引起安全性风险的脚本进转换和配置，在保证业务正常运行的情况下完成脚本配置。