From 4e3b2a7ae2a98e8171a0ebca4f9c6bb43437cd6f Mon Sep 17 00:00:00 2001
From: taojinlong
Date: Wed, 30 Nov 2022 15:17:37 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=B8=8A=E4=BC=A0excel=E9=99=90?=
=?UTF-8?q?=E5=88=B6=E6=96=87=E4=BB=B6=E5=A4=A7=E5=B0=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../io/dataease/commons/filter/SqlFilter.java | 58 +++++++++++--------
1 file changed, 33 insertions(+), 25 deletions(-)
diff --git a/backend/src/main/java/io/dataease/commons/filter/SqlFilter.java b/backend/src/main/java/io/dataease/commons/filter/SqlFilter.java
index 6439f27b8e..37566a083c 100644
--- a/backend/src/main/java/io/dataease/commons/filter/SqlFilter.java
+++ b/backend/src/main/java/io/dataease/commons/filter/SqlFilter.java
@@ -12,10 +12,13 @@ import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
+import java.util.ArrayList;
+import java.util.List;
public class SqlFilter implements Filter {
+ private List excludedUris = new ArrayList<>();
@Override
public void destroy() {
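Review bot: The new `excludedUris` field is declared as a raw `List`, although `java.util.List` is imported right above it and the only values it ever holds are the request-path strings added in `init()`; declare it `private final List<String> excludedUris = new ArrayList<>();` so the element type is checked and the reference cannot be swapped after construction. A one-line comment on the field would also help the next reader, since the name alone does not say what the exclusion means: `// Request paths that bypass every check in this filter (see init()); keep this list minimal.`.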
@@ -34,38 +37,43 @@ public class SqlFilter implements Filter { return; } - String method = "GET"; - String param; - XssAndSqlHttpServletRequestWrapper xssRequest = null; - if (request instanceof HttpServletRequest) { - method = ((HttpServletRequest) request).getMethod(); - xssRequest = new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request); - } - if ("POST".equalsIgnoreCase(method)) { - param = this.getBodyString(xssRequest.getReader()); - if (StringUtils.isNotBlank(param)) { - if (xssRequest.checkXSSAndSql(param)) { - response.setCharacterEncoding("UTF-8"); - response.setContentType("application/json;charset=UTF-8"); - String msg = ThreadLocalContextHolder.getData().toString(); - DEException.throwException(msg); - return; + if(excludedUris.contains(((HttpServletRequest) request).getRequestURI())){ + chain.doFilter(request, response); + }else { + String method = "GET"; + String param; + XssAndSqlHttpServletRequestWrapper xssRequest = null; + if (request instanceof HttpServletRequest) { + method = ((HttpServletRequest) request).getMethod(); + xssRequest = new XssAndSqlHttpServletRequestWrapper((HttpServletRequest) request); + } + if ("POST".equalsIgnoreCase(method)) { + param = this.getBodyString(xssRequest.getReader()); + if (StringUtils.isNotBlank(param)) { + if (xssRequest.checkXSSAndSql(param)) { + response.setCharacterEncoding("UTF-8"); + response.setContentType("application/json;charset=UTF-8"); + String msg = ThreadLocalContextHolder.getData().toString(); + DEException.throwException(msg); + return; + } } } + if (xssRequest.checkParameter()) { + response.setCharacterEncoding("UTF-8"); + response.setContentType("application/json;charset=UTF-8"); + String msg = ThreadLocalContextHolder.getData().toString(); + DEException.throwException(msg); + return; + } + chain.doFilter(xssRequest, response); } - if (xssRequest.checkParameter()) { - response.setCharacterEncoding("UTF-8"); - response.setContentType("application/json;charset=UTF-8"); - String msg 
= ThreadLocalContextHolder.getData().toString(); - DEException.throwException(msg); - return; - } - chain.doFilter(xssRequest, response); + } @Override public void init(FilterConfig filterConfig) throws ServletException { - + excludedUris.add("/dataset/table/excel/upload"); } // 获取request请求body中参数
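Review bot: The new `excludedUris.contains(...)` branch hands the request straight to `chain.doFilter(request, response)`, so `/dataset/table/excel/upload` now skips not only the POST body scan but also `xssRequest.checkParameter()`, leaving any non-file parameters of that endpoint (query string or multipart form fields) unscreened by this filter. Unless the wrapper's constructor is what buffers the multipart body (its source is outside this diff), the narrower fix is to skip only the body read and keep the parameter check, as sketched below; if the raw-request pass-through has to stay, document it at the exclusion site: `// NOTE: listed paths bypass ALL checks in this filter; the upload handler must validate its own parameters.`. The new line also casts to `HttpServletRequest` before the `instanceof` check that the original code still performs a few lines later, and it compares the raw `getRequestURI()`, which carries the context path and any `;jsessionid=...` path parameter, so a deployment under a context path will silently never match — `getServletPath()` is typically the decoded, context-free value to compare against. The enclosing `doFilter` method starts before this hunk.
```java
// … unchanged: method / wrapper setup, including the instanceof check …
boolean skipBodyScan = request instanceof HttpServletRequest
        && excludedUris.contains(((HttpServletRequest) request).getServletPath());
if (!skipBodyScan && "POST".equalsIgnoreCase(method)) {
    // … unchanged: getBodyString / checkXSSAndSql rejection …
}
if (xssRequest.checkParameter()) {
    // … unchanged: rejection …
}
chain.doFilter(xssRequest, response);
```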