com.myhexin.filter.FileMultipartFilter.java Source code

Java tutorial

Introduction

Here is the source code for com.myhexin.filter.FileMultipartFilter.java

Source

/*
 * Copyright 2002-2010 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.myhexin.filter;

import java.io.IOException;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.MultipartResolver;
import org.springframework.web.multipart.support.MultipartFilter;

import com.myhexin.security.xss.support.XSSSecurityConfig;
import com.myhexin.security.xss.support.XSSSecurityManager;
import com.myhexin.util.PropertiesUtil;

/**
 * 
 * http,post??servletrequest.getParameter???inputstream??
 * ???
 * ????postxss
 * multipart/form-data
 * 
 * @author ljy
 */
public class FileMultipartFilter extends MultipartFilter {

    /**
     * ??
     */
    private static boolean FILE_FILTER_ISOPEN = Boolean
            .valueOf(PropertiesUtil.getPropertyValue("file.filter.isopen"));

    /**
     * ?
     */
    private static String FILE_FILTER_REGX = PropertiesUtil.getPropertyValue("file.filter.regx");

    private static Logger logger = LoggerFactory.getLogger(FileMultipartFilter.class);

    /**
     * ?beanfilterMultipartResolver??
     * DispatchServlet?MultipartResolver
     */
    protected void initFilterBean() throws ServletException {
        super.initFilterBean();
        setMultipartResolverBeanName("multipartResolver");
    }

    /**
     * 
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain) throws ServletException, IOException {

        MultipartResolver multipartResolver = lookupMultipartResolver(request);

        HttpServletRequest processedRequest = request;
        if (multipartResolver.isMultipart(processedRequest)) {
            if (logger.isDebugEnabled()) {
                logger.debug("Resolving multipart request [" + processedRequest.getRequestURI()
                        + "] with MultipartFilter");
            }
            processedRequest = multipartResolver.resolveMultipart(processedRequest);

            if (XSSSecurityConfig.IS_CHECK_HEADER || XSSSecurityConfig.IS_CHECK_PARAMETER) {
                if (isIlleageXssParam((MultipartHttpServletRequest) processedRequest)) {//??
                    processedRequest.getRequestDispatcher(XSSSecurityConfig.XSS_ERROR_PAGE_PATH).forward(request,
                            response);
                    return;
                }
            }

            if (FILE_FILTER_ISOPEN) {
                if (isIllegalFileSuffix((MultipartHttpServletRequest) processedRequest)) {//??
                    processedRequest.getRequestDispatcher(XSSSecurityConfig.XSS_ERROR_PAGE_PATH).forward(request,
                            response);
                    return;
                }
            }

        } else {
            if (logger.isDebugEnabled()) {
                logger.debug("Request [" + processedRequest.getRequestURI() + "] is not a multipart request");
            }
        }

        try {
            filterChain.doFilter(processedRequest, response);
        } finally {
            if (processedRequest instanceof MultipartHttpServletRequest) {
                multipartResolver.cleanupMultipart((MultipartHttpServletRequest) processedRequest);
            }
        }
    }

    /**
     * 
     * @param mRequest
     * @return true:??false?
     */
    public boolean isIlleageXssParam(MultipartHttpServletRequest mRequest) {

        // headerheader?
        if (XSSSecurityConfig.IS_CHECK_HEADER) {
            Enumeration<String> headerParams = mRequest.getHeaderNames();
            while (headerParams.hasMoreElements()) {
                String headerName = headerParams.nextElement();
                String headerValue = mRequest.getHeader(headerName);
                if (XSSSecurityManager.matches(headerValue)) {
                    recordXssRequestInfo(mRequest, headerValue);
                    return true;
                }
            }
            return false;
        }

        // parameterparameter?
        if (XSSSecurityConfig.IS_CHECK_PARAMETER) {
            Map<String, Object> submitParams = mRequest.getParameterMap();
            Set<String> submitNames = submitParams.keySet();
            for (String submitName : submitNames) {
                Object submitValues = submitParams.get(submitName);
                if (submitValues instanceof String) {
                    if (XSSSecurityManager.matches((String) submitValues)) {
                        recordXssRequestInfo(mRequest, submitName + "=" + submitValues);
                        return true;
                    }
                } else if (submitValues instanceof String[]) {
                    for (String submitValue : (String[]) submitValues) {
                        if (XSSSecurityManager.matches((String) submitValue)) {
                            recordXssRequestInfo(mRequest, submitName + "" + submitValue);
                            return true;
                        }
                    }
                }
            }
            return false;
        }
        return false;
    }

    public boolean isIllegalFileSuffix(MultipartHttpServletRequest mRequest) {

        Map<String, MultipartFile> fileMap = mRequest.getFileMap();

        for (Iterator<Map.Entry<String, MultipartFile>> it = fileMap.entrySet().iterator(); it.hasNext();) {

            Map.Entry<String, MultipartFile> entry = it.next();
            MultipartFile mFile = entry.getValue();

            String origFileName = mFile.getOriginalFilename();
            String name = mFile.getName();
            int a = origFileName.indexOf(".", -1);
            Pattern pattern = Pattern.compile(FILE_FILTER_REGX, Pattern.CASE_INSENSITIVE);
            if (a != -1) {
                String suffix = origFileName.substring(a + 1);
                if (pattern.matcher(suffix).matches()) {
                    recordXssRequestInfo(mRequest, origFileName);
                    return true;
                } else {
                    return false;
                }

            } else {
                return false;
            }
        }
        return false;
    }

    private void recordXssRequestInfo(MultipartHttpServletRequest mRequest, String illegalParam) {
        Map<String, Object> submitParams = mRequest.getParameterMap();// get
        // post??
        Set<String> paramName = submitParams.keySet();

        String requestURL = mRequest.getRequestURL().toString();
        String questMethod = mRequest.getMethod();
        StringBuffer buffer = new StringBuffer();
        for (String pn : paramName) {
            Object paramValues = submitParams.get(pn);

            if (paramValues instanceof String[]) {
                buffer.append(pn + "=");
                for (String submitValue : (String[]) paramValues) {
                    buffer.append(submitValue + " ");
                }
                buffer.append(" \\ ");
            } else {
                buffer.append(pn + "=" + paramValues + " \\ ");
            }
        }
        logger.warn("mulipart !!! " + questMethod + " " + requestURL + "  ==" + buffer.toString()
                + " illegal param   " + illegalParam);
    }

}