Example #1
        /// <summary>
        /// Protects the configured member of an action result before the result is executed.
        /// </summary>
        /// <remarks>
        /// Each entry of <c>_option.NeedProtectResponseValues</c> pairs a result type with the name of
        /// the member whose value is handed to <c>ParamsProtectionHelper.ProtectParams</c>.
        /// </remarks>
        /// <param name="context">Result-executing context; the member on <c>context.Result</c> is overwritten in place.</param>
        public void OnResultExecuting(ResultExecutingContext context)
        {
            // Nothing to do when protection is disabled or no parameter names are configured.
            if (!_option.Enabled || _option.ProtectParams.Length <= 0)
            {
                return;
            }

            foreach (var entry in _option.NeedProtectResponseValues)
            {
                // Only results that are instances of the registered type are touched.
                if (!entry.Key.IsInstanceOfType(context.Result))
                {
                    continue;
                }

                var property = CacheUtil.GetTypeProperties(entry.Key).FirstOrDefault(p => p.Name == entry.Value);
                var current  = property?.GetValueGetter()?.Invoke(context.Result);
                if (current == null)
                {
                    // Unknown member name, no getter, or a null value: nothing to protect.
                    continue;
                }

                _logger.LogDebug($"ParamsProtector is protecting {entry.Key.FullName} Value");

                // The value is converted to a JToken, protected in place, and the token itself is written back.
                var token = JToken.FromObject(current);
                ParamsProtectionHelper.ProtectParams(token, _protector, _option);

                // NOTE(review): unlike the getter, the setter is invoked without a null check. If
                // GetValueSetter can return null (e.g. a read-only member) this throws instead of
                // letting the unprotected value through — confirm that failing closed is intended.
                property.GetValueSetter().Invoke(context.Result, token);
            }
        }
Example #2
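        /// <summary>
        /// Unprotects every configured protected parameter of the incoming request (query string,
        /// route values, JSON or XML body, and form data) before the rest of the pipeline reads it.
        /// </summary>
        /// <remarks>
        /// The filter fails closed: as soon as one protected value cannot be unprotected, or the
        /// JSON/XML body cannot be parsed, <c>context.Result</c> is set to a
        /// <see cref="StatusCodeResult"/> carrying <c>_option.InvalidRequestStatusCode</c> and the
        /// method returns without processing the remaining inputs.
        /// </remarks>
        /// <param name="context">Resource-executing context; its request query, route values, body and form are rewritten in place.</param>
        public void OnResourceExecuting(ResourceExecutingContext context)
        {
            // Nothing to do when protection is disabled or no parameter names are configured.
            if (!_option.Enabled || _option.ProtectParams.Length <= 0)
            {
                return;
            }

            var request = context.HttpContext.Request;

            // QueryString
            if (request.Query != null && request.Query.Count > 0)
            {
                // Key lookup is case-insensitive so that a protected parameter sent with different
                // casing (e.g. "ID" for "id") cannot skip the unprotect check below.
                var queryDic = request.Query.ToDictionary(query => query.Key, query => query.Value, StringComparer.OrdinalIgnoreCase);
                foreach (var param in _option.ProtectParams)
                {
                    if (!queryDic.TryGetValue(param, out var values))
                    {
                        continue;
                    }

                    var vals = new List<string>();
                    for (var i = 0; i < values.Count; i++)
                    {
                        if (_protector.TryGetUnprotectedValue(_option, values[i], out var val))
                        {
                            vals.Add(val);
                        }
                        else
                        {
                            _logger.LogWarning($"Error in unprotect query value: param:{param}");
                            context.Result = new StatusCodeResult(_option.InvalidRequestStatusCode);

                            return;
                        }
                    }
                    queryDic[param] = new StringValues(vals.ToArray());
                }

                // Replace the query once, after every configured parameter has been processed.
                request.Query = new QueryCollection(queryDic);
            }

            // route value
            if (context.RouteData?.Values != null)
            {
                foreach (var param in _option.ProtectParams)
                {
                    if (context.RouteData.Values.ContainsKey(param))
                    {
                        if (_protector.TryGetUnprotectedValue(_option, context.RouteData.Values[param].ToString(), out var val))
                        {
                            context.RouteData.Values[param] = val;
                        }
                        else
                        {
                            _logger.LogWarning($"Error in unprotect routeValue:{param}");

                            context.Result = new StatusCodeResult(_option.InvalidRequestStatusCode);

                            return;
                        }
                    }
                }
            }

            // NOTE(review): only POST and PUT bodies are processed; other body-carrying methods
            // (e.g. PATCH) pass through untouched — confirm that is intended.
            if (request.Method.EqualsIgnoreCase("POST") || request.Method.EqualsIgnoreCase("PUT"))
            {
                // A request without a Content-Type header must not crash the filter, and media
                // types are matched case-insensitively so "application/JSON" is not skipped.
                var contentType = request.ContentType ?? string.Empty;

                if (contentType.IndexOf("json", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    // NOTE(review): the body is read synchronously and in full; a host that
                    // disallows synchronous I/O or needs a size limit must handle that upstream — confirm.
                    using (var reader = new StreamReader(request.Body, Encoding.UTF8))
                    {
                        var content = reader.ReadToEnd();
                        JToken obj;
                        try
                        {
                            // Parsing is inside the try so a malformed body is rejected with the
                            // configured status code instead of surfacing as an unhandled exception.
                            obj = content.JsonToObject<JToken>();
                            ParamsProtectionHelper.UnprotectParams(obj, _protector, _option);
                        }
                        catch (Exception e)
                        {
                            _logger.LogWarning(e, "Error in unprotect request body");

                            context.Result = new StatusCodeResult(_option.InvalidRequestStatusCode);

                            return;
                        }

                        // Later readers see the rewritten (unprotected) JSON instead of the consumed stream.
                        context.HttpContext.Request.Body = obj.ToJson().GetBytes().ToMemoryStream();
                    }
                } // json body
                else if (contentType.IndexOf("xml", StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    // TODO: need test
                    JToken obj;
                    try
                    {
                        obj = XmlDataSerializer.Value.Deserialize<JToken>(request.Body.ToByteArray());
                        ParamsProtectionHelper.UnprotectParams(obj, _protector, _option);
                    }
                    catch (Exception e)
                    {
                        _logger.LogWarning(e, "Error in unprotect request body");

                        context.Result = new StatusCodeResult(_option.InvalidRequestStatusCode);

                        return;
                    }
                    context.HttpContext.Request.Body = XmlDataSerializer.Value.Serialize(obj).ToMemoryStream();
                } // xml body

                // form data
                if (request.HasFormContentType && request.Form != null && request.Form.Count > 0)
                {
                    // Case-insensitive for the same reason as the query string above.
                    var formDic = request.Form.ToDictionary(_ => _.Key, _ => _.Value, StringComparer.OrdinalIgnoreCase);
                    foreach (var param in _option.ProtectParams)
                    {
                        if (formDic.TryGetValue(param, out var values))
                        {
                            var vals = new List<string>();
                            for (var i = 0; i < values.Count; i++)
                            {
                                if (_protector.TryGetUnprotectedValue(_option, values[i], out var val))
                                {
                                    vals.Add(val);
                                }
                                else
                                {
                                    _logger.LogWarning($"Error in unprotect form data: param:{param}");
                                    context.Result = new StatusCodeResult(_option.InvalidRequestStatusCode);

                                    return;
                                }
                            }
                            formDic[param] = new StringValues(vals.ToArray());
                        }
                    }
                    request.Form = new FormCollection(formDic);
                }
            }
        }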