From 3bbc662b390fb3abccf30375585aa9a64c0eb9b1 Mon Sep 17 00:00:00 2001
From: smallchill
Date: Mon, 22 Feb 2021 23:02:26 +0800
Subject: [PATCH] =?UTF-8?q?:zap:=20xss=E8=BF=87=E6=BB=A4=E5=A2=9E=E5=BC=BA?= =?UTF-8?q?=E9=80=9A=E9=85=8D=E7=AC=A6=E5=8C=B9=E9=85=8D=E9=80=BB=E8=BE=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../springblade/core/tool/support/xss/XssFilter.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/blade-core-tool/src/main/java/org/springblade/core/tool/support/xss/XssFilter.java b/blade-core-tool/src/main/java/org/springblade/core/tool/support/xss/XssFilter.java
index cab3e79..80221de 100644
--- a/blade-core-tool/src/main/java/org/springblade/core/tool/support/xss/XssFilter.java
+++ b/blade-core-tool/src/main/java/org/springblade/core/tool/support/xss/XssFilter.java
@@ -16,7 +16,7 @@ package org.springblade.core.tool.support.xss;
 
 import lombok.AllArgsConstructor;
-import org.springblade.core.tool.utils.StringPool;
+import org.springframework.util.AntPathMatcher;
 
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
@@ -30,8 +30,9 @@ import java.io.IOException;
 @AllArgsConstructor
 public class XssFilter implements Filter {
 
-	private XssProperties xssProperties;
-	private XssUrlProperties xssUrlProperties;
+	private final XssProperties xssProperties;
+	private final XssUrlProperties xssUrlProperties;
+	private final AntPathMatcher antPathMatcher = new AntPathMatcher();
 
 	@Override
 	public void init(FilterConfig config) {
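Review bot: The new `antPathMatcher` field is a `final` field with an initialiser, which Lombok's `@AllArgsConstructor` leaves out of the generated constructor, so the two-argument constructor that wires `xssProperties` and `xssUrlProperties` is unchanged; that is easy to misread next to the other two `final` fields, and a one-line comment would save the next reader a trip to the Lombok docs, e.g. `// initialised here, so @AllArgsConstructor does not add it as a constructor parameter`. The one instance is also shared by every request passing through the filter, which appears to be the intended use of AntPathMatcher (its pattern cache is built for concurrent access) and is worth stating in the same comment. The class body continues outside the hunk.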
@@ -50,8 +51,8 @@ public class XssFilter implements Filter {
 	}
 
 	private boolean isSkip(String path) {
-		return (xssUrlProperties.getExcludePatterns().stream().anyMatch(path::startsWith))
-			|| (xssProperties.getSkipUrl().stream().map(url -> url.replace("/**", StringPool.EMPTY)).anyMatch(path::startsWith));
+		return (xssUrlProperties.getExcludePatterns().stream().anyMatch(pattern -> antPathMatcher.match(pattern, path)))
+			|| (xssProperties.getSkipUrl().stream().anyMatch(pattern -> antPathMatcher.match(pattern, path)));
 	}
 
 	@Override
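Review bot: Replacing prefix matching with `AntPathMatcher.match` changes what isSkip accepts for entries that carry no wildcard: a configured `/api` previously skipped every path starting with `/api` (and `/api/**` was reduced to the same prefix), whereas now `/api` matches only the exact path `/api` and only `/api/**` covers its subpaths. Narrowing is the safe direction for a skip list, since fewer requests bypass the filter, but existing skipUrl and excludePatterns values may silently stop matching, so the contract should be stated on the method, e.g. `// Patterns are Ant-style: a bare prefix such as "/api" matches only itself; use "/api/**" to cover subpaths.` AntPathMatcher performs no normalisation of its own, so the decision is only as strict as the `path` handed in; the caller is outside the hunk, and if `path` comes from the raw request URI rather than the servlet path, collapsing `.`/`..` segments and decoding before matching is what keeps the skip decision consistent with how the request is actually dispatched. The enclosing class continues outside the hunk.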