使用RequestBodyAdvice实现对Http请求非法字符过滤

RequestBodyAdvice对Http请求非法字符过滤

利用RequestBodyAdvice对HTTP请求参数放入body中的参数进行非法字符过滤。

要求：spring 4.2+

额外的pom.xml

1. <dependency>
2. <groupId>org.apache.commons</groupId>
3. <artifactId>commons-io</artifactId>
4. <version>1.3.2</version>
5. </dependency>
6.  
7. <dependency>
8. <groupId>com.alibaba</groupId>
9. <artifactId>fastjson</artifactId>
10. <version>1.2.44</version>
11. </dependency>

代码

1. package com.niugang.controller;
2. import java.io.IOException;
3. import java.io.InputStream;
4. import java.lang.reflect.Type;
5. import java.util.ArrayList;
6. import java.util.HashMap;
7. import java.util.List;
8. import java.util.Map;
9. import java.util.Map.Entry;
10. import java.util.Set;
11. import org.apache.commons.io.IOUtils;
12. import org.slf4j.Logger;
13. import org.slf4j.LoggerFactory;
14. import org.springframework.core.MethodParameter;
15. import org.springframework.http.HttpHeaders;
16. import org.springframework.http.HttpInputMessage;
17. import org.springframework.http.converter.HttpMessageConverter;
18. import org.springframework.web.bind.annotation.ControllerAdvice;
19. import org.springframework.web.servlet.mvc.method.annotation.RequestBodyAdvice;
20. import com.alibaba.fastjson.JSON;
21. import com.alibaba.fastjson.JSONArray;
22. /**
23. * RequestBodyAdvice:解释
24. * 允许在将请求的主体读取和转换成一个对象之前对请求进行自定义，
25. * 并允许在将其传递到控制器方法作为一个@RequestBody或HttpEntity方法参数之前处理结果对象。
26. *
27. * @author niugang
28. *
29. */
30. @ControllerAdvice(basePackages = "com.niugang")
31. public class MyRequestBodyAdvice implements RequestBodyAdvice {
32. private final static Logger logger = LoggerFactory.getLogger(MyRequestBodyAdvice.class);
33.  
34. @Override
35. public boolean supports(MethodParameter methodParameter, Type targetType,
36. Class<? extends HttpMessageConverter<?>> converterType) {
37. return true;
38. }
39.  
40. @Override
41. public Object handleEmptyBody(Object body, HttpInputMessage inputMessage, MethodParameter parameter,
42. Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
43. return body;
44. }
45.  
46. @Override
47. public HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter parameter, Type targetType,
48. Class<? extends HttpMessageConverter<?>> converterType) throws IOException {
49.  
50. try {
51. return new MyHttpInputMessage(inputMessage);
52. } catch (Exception e) {
53. e.printStackTrace();
54. return inputMessage;
55. }
56. }
57. @Override
58. public Object afterBodyRead(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType,
59. Class<? extends HttpMessageConverter<?>> converterType) {
60. return body;
61. }
62.  
63. class MyHttpInputMessage implements HttpInputMessage {
64. private HttpHeaders headers;
65. private InputStream body;
66. @SuppressWarnings("unchecked")
67. public MyHttpInputMessage(HttpInputMessage inputMessage) throws Exception {
68. String string = IOUtils.toString(inputMessage.getBody(), "UTF-8");
69. Map<String, Object> mapJson = (Map<String, Object>) JSON.parseObject(string, Map.class);
70. Map<String, Object> map = new HashMap<String, Object>();
71. Set<Entry<String, Object>> entrySet = mapJson.entrySet();
72. for (Entry<String, Object> entry : entrySet) {
73. String key = entry.getKey();
74. Object objValue = entry.getValue();
75. if (objValue instanceof String) {
76. String value = objValue.toString();
77. map.put(key, filterDangerString(value));
78. } else { // 针对结合的处理
79. @SuppressWarnings("rawtypes")
80. List<HashMap> parseArray = JSONArray.parseArray(objValue.toString(), HashMap.class);
81. List<Map<String, Object>> listMap = new ArrayList<Map<String, Object>>();
82. for (Map<String, Object> innerMap : parseArray) {
83. Map<String, Object> childrenMap = new HashMap<String, Object>();
84. Set<Entry<String, Object>> elseEntrySet = innerMap.entrySet();
85. for (Entry<String, Object> en : elseEntrySet) {
86. String innerKey = en.getKey();
87. Object innerObj = en.getValue();
88. if (innerObj instanceof String) {
89. String value = innerObj.toString();
90. childrenMap.put(innerKey, filterDangerString(value));
91. }
92. }
93. listMap.add(childrenMap);
94. }
95. map.put(key, listMap);
96. }
97. }
98. this.headers = inputMessage.getHeaders();
99. this.body = IOUtils.toInputStream(JSON.toJSONString(map), "UTF-8");
100. }
101.  
102. @Override
103. public InputStream getBody() throws IOException {
104. return body;
105. }
106.  
107. @Override
108. public HttpHeaders getHeaders() {
109. return headers;
110. }
111. }
112. private String filterDangerString(String value) {
113. if (value == null) {
114. return null;
115. }
116. value = value.replaceAll("\\|", "");
117. value = value.replaceAll("&", "");
118. value = value.replaceAll(";", "");
119. value = value.replaceAll("@", "");
120. value = value.replaceAll("'", "");
121. value = value.replaceAll("\\'", "");
122. value = value.replaceAll("<", "");
123. value = value.replaceAll("-", "");
124. value = value.replaceAll(">", "");
125. value = value.replaceAll("\\(", "");
126. value = value.replaceAll("\\)", "");
127. value = value.replaceAll("\\+", "");
128. value = value.replaceAll("\r", "");
129. value = value.replaceAll("\n", "");
130. value = value.replaceAll("script", "");
131. value = value.replaceAll("select", "");
132. value = value.replaceAll("\"", "");
133. value = value.replaceAll(">", "");
134. value = value.replaceAll("<", "");
135. value = value.replaceAll("=", "");
136. value = value.replaceAll("/", "");
137. return value;
138. }
139. }

对于以上的配置Controller接收参数需要加@RequestBody。

测试

过滤后的数据

自定义RequestBodyAdvice过滤Json表情符号

1. /**
2. * @Author: ZhiHao
3. * @Date: 2021/6/4 19:03
4. * @Description: 过滤表情符号, POST-json请求
5. * @Versions 1.0
6. **/
7. @ControllerAdvice
8. @Slf4j
9. public class FilterEmojiRequestBodyAdvice implements RequestBodyAdvice {
10. @Override
11. public boolean supports(MethodParameter methodParameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
12. Annotation[] annotations = methodParameter.getParameterAnnotations();
13. for (Annotation ann : annotations) {
14. Validated validatedAnn = AnnotationUtils.getAnnotation(ann, Validated.class);
15. if (validatedAnn != null || ann.annotationType().getSimpleName().startsWith("Valid")) {
16. return true;
17. }
18. }
19. return false;
20. }
21. @Override
22. public HttpInputMessage beforeBodyRead(HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) throws IOException {
23. return inputMessage;
24. }
25. @Override
26. public Object afterBodyRead(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
27. try {
28. this.filterEmojiAfterBody(body);
29. } catch (Exception e) {
30. log.info("过滤表情异常:{}", e);
31. }
32. return body;
33. }
34. private void filterEmojiAfterBody(Object body) throws IllegalAccessException {
35. if (null != body) {
36. Field[] fields = ReflectUtil.getFields(body.getClass());
37. for (int i = 0; i < fields.length; i++) {
38. Field field = fields[i];
39. if (field.isAnnotationPresent(Valid.class)) {
40. field.setAccessible(true);
41. this.filterEmojiAfterBody(field.get(body));
42. }
43. if (field.isAnnotationPresent(FilterEmoji.class)) {
44. field.setAccessible(true);
45. Object value = field.get(body);
46. if (value instanceof String) {
47. String str = filterEmoji(value.toString());
48. field.set(body, str);
49. }
50. }
51. }
52. }
53. }
54. @Override
55. public Object handleEmptyBody(Object body, HttpInputMessage inputMessage, MethodParameter parameter, Type targetType, Class<? extends HttpMessageConverter<?>> converterType) {
56. return body;
57. }
58. /**
59. * 过滤emoji 或者 其他非文字类型的字符
60. *
61. * @param source
62. * @return
63. */
64. public static String filterEmoji(String source) {
65. if (StringUtils.isEmpty(source)) {
66. return "";
67. }
68. if (!containsEmoji(source)) {
69. return source;//如果不包含，直接返回
70. }
71. StringBuilder buf = new StringBuilder();
72. int len = source.length();
73. for (int i = 0; i < len; i++) {
74. char codePoint = source.charAt(i);
75. if (isNotEmojiCharacter(codePoint)) {
76. buf.append(codePoint);
77. }
78. }
79. return buf.toString().trim();
80. }
81. /**
82. * 检测是否有emoji字符
83. *
84. * @param source
85. * @return 一旦含有就抛出
86. */
87. public static boolean containsEmoji(String source) {
88. if (StringUtils.isBlank(source)) {
89. return false;
90. }
91. int len = source.length();
92. for (int i = 0; i < len; i++) {
93. char codePoint = source.charAt(i);
94. if (!isNotEmojiCharacter(codePoint)) {
95. //判断到了这里表明，确认有表情字符
96. return true;
97. }
98. }
99. return false;
100. }
101. /**
102. * 判断是否为非Emoji字符
103. *
104. * @param codePoint 比较的单个字符
105. * @return
106. */
107. public static boolean isNotEmojiCharacter(char codePoint) {
108. return (codePoint == 0x0) ||
109. (codePoint == 0x9) ||
110. (codePoint == 0xA) ||
111. (codePoint == 0xD) ||
112. ((codePoint >= 0x20) && (codePoint <= 0xD7FF)) ||
113. ((codePoint >= 0xE000) && (codePoint <= 0xFFFD)) ||
114. ((codePoint >= 0x10000) && (codePoint <= 0x10FFFF));
115. }
116. }

以上为个人经验，希望能给大家一个参考，也希望大家多多支持我们。

原文链接：https://blog.csdn.net/niugang0920/article/details/80679096