管理系统增加XSS和SQL注入攻击防御

internal/web/helpers/user_must_auth.go

@@ -7,6 +7,7 @@ import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/goman"
 	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
 	"github.com/TeaOSLab/EdgeAdmin/internal/setup"
+	"github.com/TeaOSLab/EdgeAdmin/internal/waf/injectionutils"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils"
 	"github.com/TeaOSLab/EdgeCommon/pkg/langs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/nodeconfigs"
@@ -115,6 +116,13 @@ func (this *userMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramNam
 		return false
 	}
 
+	// 检测注入
+	if injectionutils.DetectXSS(action.Request.RequestURI, false) || injectionutils.DetectSQLInjection(action.Request.RequestURI, false) {
+		action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		_, _ = action.ResponseWriter.Write([]byte("Denied By WAF"))
+		return false
+	}
+
 	// 恢复模式
 	if teaconst.IsRecoverMode {
 		action.RedirectURL("/recover")