最近公司的项目在做安全检测,涉及到项目安全渗透等方面的问题;
参与项目的渗透等方面的改造,是一个机遇与挑战,今后对于项目安全等方面会思考更多;
下面说说form表单对象提交时,为了防止抓包后篡改参数,后台做的类型转化;一个简单的DEMO思路
1、数据库对象bean,属性与数据库中字段相同,有Integer,Boolean,Double等类型
2、form表单的对象formbean,所有属性都是String
3、将formbean的值赋值到bean对象,在赋值过程中对数据的安全性(类型转化的问题)进行判断,
form对象
1 package february.week1.safe; 2 /** 3 * Description: form表单的数据类型 4 * @Package february.week1.safe 5 * @author BIQI IS BEST 6 * @date 2018年2月5日 上午10:38:33 7 */ 8 public class PersonForm { 9 10 private String name; 11 12 private String sex; 13 14 private String age; 15 16 private String phoneNumber; 17 18 private String salary; 19 20 public PersonForm(String name, String sex, String age, String phoneNumber, String salary) { 21 super(); 22 this.name = name; 23 this.sex = sex; 24 this.age = age; 25 this.phoneNumber = phoneNumber; 26 this.salary = salary; 27 } 28 29 public PersonForm() { 30 super(); 31 } 32 33 34 public String getName() { 35 return name; 36 } 37 38 public void setName(String name) { 39 this.name = name; 40 } 41 42 public String getSex() { 43 return sex; 44 } 45 46 public void setSex(String sex) { 47 this.sex = sex; 48 } 49 50 public String getAge() { 51 return age; 52 } 53 54 public void setAge(String age) { 55 this.age = age; 56 } 57 58 public String getPhoneNumber() { 59 return phoneNumber; 60 } 61 62 public void setPhoneNumber(String phoneNumber) { 63 this.phoneNumber = phoneNumber; 64 } 65 66 public String getSalary() { 67 return salary; 68 } 69 70 public void setSalary(String salary) { 71 this.salary = salary; 72 } 73 74 @Override 75 public String toString() { 76 return "PersonForm [name=" + name + ", sex=" + sex + ", age=" + age + ", phoneNumber=" + phoneNumber 77 + ", salary=" + salary + "]"; 78 } 83 84 }
后台对象:
1 package february.week1.safe; 2 /** 3 * Description: 后台类型 4 * @Package february.week1.safe 5 * @author BIQI IS BEST 6 * @date 2018年2月5日 上午10:38:33 7 */ 8 public class Person { 9 10 private String name; 11 12 private String sex; 13 14 private Integer age; 15 16 private String phoneNumber; 17 18 private Double salary; 19 20 public Person() { 21 super(); 22 } 23 24 public Person(String name, String sex, Integer age, String phoneNumber, Double salary) { 25 super(); 26 this.name = name; 27 this.sex = sex; 28 this.age = age; 29 this.phoneNumber = phoneNumber; 30 this.salary = salary; 31 } 32 33 public String getName() { 34 return name; 35 } 36 37 public void setName(String name) { 38 this.name = name; 39 } 40 41 public String getSex() { 42 return sex; 43 } 44 45 public void setSex(String sex) { 46 this.sex = sex; 47 } 48 49 public Integer getAge() { 50 return age; 51 } 52 53 public void setAge(Integer age) { 54 this.age = age; 55 } 56 57 public String getPhoneNumber() { 58 return phoneNumber; 59 } 60 61 public void setPhoneNumber(String phoneNumber) { 62 this.phoneNumber = phoneNumber; 63 } 64 65 public Double getSalary() { 66 return salary; 67 } 68 69 public void setSalary(Double salary) { 70 this.salary = salary; 71 } 72 73 @Override 74 public String toString() { 75 return "Person [name=" + name + ", sex=" + sex + ", age=" + age + ", phoneNumber=" + phoneNumber + ", salary=" 76 + salary + "]"; 77 } 78 79 80 81 }
测试的类:
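package february.week1.safe;

import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;

/**
 * Copies the {@code String} attributes of a form bean onto a typed back-end bean,
 * converting every value to the target field's type and rejecting anything that
 * does not parse.
 *
 * <p>Purpose: a form submission whose values do not match the expected field types
 * (for example a non-numeric {@code age}) must fail the conversion instead of
 * reaching the back-end object.
 *
 * @Package february.week1.safe
 * @author BIQI IS BEST
 * @date 2018年2月5日 上午10:38:33
 */
public class ChangeFilterType {

    /**
     * Demo entry point: the form's {@code age} is not numeric, so the conversion of
     * that attribute fails and the failure is printed.
     */
    public static void main(String[] args) {
        PersonForm personForm = new PersonForm();
        personForm.setName("10");
        personForm.setSalary("1212123");
        personForm.setAge("qwe");
        Person person2 = new Person();
        changeFilter(personForm, person2);
    }

    /**
     * Copies the attributes of {@code objectForm} onto {@code object2}, printing the
     * outcome (demo behaviour; a real application would propagate the failure).
     *
     * @param objectForm the form bean whose attributes are all {@code String}s
     * @param object2    the typed target bean, modified in place
     * @return {@code true} when every attribute was converted and set, {@code false}
     *         when the conversion was aborted (the target may then be partly filled)
     */
    private static boolean changeFilter(Object objectForm, Object object2) {
        Map<String, String> map = getObjectFiled(objectForm);
        boolean converted;
        try {
            putValueToBean(map, object2);
            converted = true;
        } catch (Exception e) {
            System.out.println(e.toString());
            converted = false;
        }
        System.out.println(object2.toString());
        return converted;
    }

    /**
     * Reads every instance attribute of {@code bean} through its getter.
     *
     * @param bean the form bean to read
     * @return attribute name to attribute value; a {@code null} attribute stays
     *         {@code null} so the target side can apply its default
     * @author BIQI 2018年2月5日 下午2:22:31
     */
    private static Map<String, String> getObjectFiled(Object bean) {
        List<Field> fields = instanceFields(bean.getClass());
        Map<String, String> map = new HashMap<>();
        for (Field field : fields) {
            Object value = getFieldValueByName(field.getName(), bean);
            // Form beans are expected to carry Strings only; any other type is
            // rendered with toString instead of failing with a ClassCastException.
            map.put(field.getName(), Objects.toString(value, null));
        }
        return map;
    }

    /**
     * Invokes the public getter of {@code fieldName} on {@code bean}.
     *
     * @param fieldName attribute name, e.g. {@code age} for {@code getAge()}
     * @param bean      the object to read from
     * @return the getter's result, or {@code null} when there is no accessible
     *         getter or it throws (best-effort read, as in the original demo)
     * @author BIQI 2018年2月5日 上午11:23:15
     */
    private static Object getFieldValueByName(String fieldName, Object bean) {
        try {
            Method method = bean.getClass().getMethod(accessorName("get", fieldName));
            return method.invoke(bean);
        } catch (ReflectiveOperationException | RuntimeException e) {
            return null;
        }
    }

    /**
     * Converts each entry of {@code treeMap} to the type of the like-named field of
     * {@code bean} and stores it through the public setter.
     *
     * <p>Rules: the map must describe exactly the bean's attributes (same count and
     * same names), a {@code null} or empty value becomes the type's zero value, any
     * other value must parse strictly, and a field type without a conversion rule is
     * rejected rather than silently left unset.
     *
     * @param treeMap attribute name to raw {@code String} value
     * @param bean    the typed target, modified in place; on failure the attributes
     *                processed before the failing one are already set
     * @throws Exception if the attribute set does not match the bean, or a value
     *                   cannot be converted/set (the cause is chained)
     * @author BIQI 2018年2月5日 上午11:55:52
     */
    public static void putValueToBean(Map<String, String> treeMap, Object bean) throws Exception {
        List<Field> fields = instanceFields(bean.getClass());
        // Attribute count check: a form with a different attribute set is not the form for this bean.
        if (fields.size() != treeMap.size()) {
            System.out.println("转换的对象不对");
            throw new Exception("转换的对象不对");
        }

        for (Field field : fields) {
            String fieldName = field.getName();
            // Same count but a different attribute name is also the wrong form;
            // without this check a missing key would silently become the zero value.
            if (!treeMap.containsKey(fieldName)) {
                throw new Exception("转换的对象不对");
            }
            String fieldValue = treeMap.get(fieldName);
            try {
                Method method = bean.getClass().getMethod(accessorName("set", fieldName), field.getType());
                method.invoke(bean, convert(field.getType(), fieldValue));
            } catch (ReflectiveOperationException | RuntimeException e) {
                // fieldValue is request-controlled: fine for a server-side log, but do not
                // surface this message to the client unescaped.
                throw new Exception("转换(" + bean.getClass().getName() + ")的属性:" + fieldName
                        + " 值" + fieldValue + " 出现问题", e);
            }
        }
    }

    /**
     * Parses {@code value} into an instance of {@code type}.
     *
     * @param type  the target field type
     * @param value raw form value, may be {@code null}
     * @return the converted value, boxed so that {@link Method#invoke} accepts it
     * @throws IllegalArgumentException if the value does not parse (includes
     *         {@link NumberFormatException}) or the type has no conversion rule
     */
    private static Object convert(Class<?> type, String value) {
        if (String.class.equals(type)) {
            return value;
        }
        boolean empty = value == null || value.isEmpty();
        if (Integer.class.equals(type)) {
            return empty ? Integer.valueOf(0) : Integer.valueOf(value);
        }
        if (Long.class.equals(type)) {
            return empty ? Long.valueOf(0L) : Long.valueOf(value);
        }
        if (Double.class.equals(type)) {
            // Must be a Double: Method.invoke rejects an Integer 0 for a Double setter.
            if (empty) {
                return Double.valueOf(0.0);
            }
            Double parsed = Double.valueOf(value);
            // Double.valueOf accepts "NaN" and "Infinity"; neither is a usable amount.
            if (parsed.isNaN() || parsed.isInfinite()) {
                throw new IllegalArgumentException("not a finite number: " + value);
            }
            return parsed;
        }
        if (Boolean.class.equals(type)) {
            if (empty) {
                return Boolean.FALSE;
            }
            // Boolean.valueOf maps any unrecognised text to false; only the two literals pass.
            if ("true".equalsIgnoreCase(value)) {
                return Boolean.TRUE;
            }
            if ("false".equalsIgnoreCase(value)) {
                return Boolean.FALSE;
            }
            throw new IllegalArgumentException("not a boolean: " + value);
        }
        // Fail closed: an unknown field type must not bypass the check by being skipped.
        throw new IllegalArgumentException("unsupported field type " + type.getName());
    }

    /**
     * Builds a JavaBean accessor name, e.g. {@code ("set", "age")} gives {@code setAge}.
     *
     * @param prefix    {@code get} or {@code set}
     * @param fieldName non-empty attribute name
     * @return the accessor name
     */
    private static String accessorName(String prefix, String fieldName) {
        // Locale.ROOT keeps the capitalisation independent of the JVM's default locale.
        return prefix + fieldName.substring(0, 1).toUpperCase(Locale.ROOT) + fieldName.substring(1);
    }

    /**
     * Declared fields that carry per-instance data.
     *
     * @param clazz the bean class
     * @return the declared fields minus static and compiler-generated (synthetic) ones,
     *         which have no getter/setter and would otherwise break the count check
     */
    private static List<Field> instanceFields(Class<?> clazz) {
        List<Field> result = new ArrayList<>();
        for (Field field : clazz.getDeclaredFields()) {
            if (!field.isSynthetic() && !Modifier.isStatic(field.getModifiers())) {
                result.add(field);
            }
        }
        return result;
    }
}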