public void OnResourceExecuting(ResourceExecutingContext context) { if (_option.Enabled && _option.ProtectParams.Length > 0) { var request = context.HttpContext.Request; // QueryString if (request.Query != null && request.Query.Count > 0) { var queryDic = request.Query.ToDictionary(query => query.Key, query => query.Value); foreach (var param in _option.ProtectParams) { if (queryDic.ContainsKey(param)) { var vals = new List <string>(); for (var i = 0; i < queryDic[param].Count; i++) { if (_protector.TryGetUnprotectedValue(_option, queryDic[param][i], out var val)) { vals.Add(val); } else { _logger.LogWarning($"Error in unprotect query value: param:{param}"); context.Result = new StatusCodeResult(_option.InvalidRequestStatusCode); return; } } queryDic[param] = new StringValues(vals.ToArray()); } context.HttpContext.Request.Query = new QueryCollection(queryDic); } } // route value if (context.RouteData?.Values != null) { foreach (var param in _option.ProtectParams) { if (context.RouteData.Values.ContainsKey(param)) { if (_protector.TryGetUnprotectedValue(_option, context.RouteData.Values[param].ToString(), out var val)) { context.RouteData.Values[param] = val; } else { _logger.LogWarning($"Error in unprotect routeValue:{param}"); context.Result = new StatusCodeResult(_option.InvalidRequestStatusCode); return; } } } } if (request.Method.EqualsIgnoreCase("POST") || request.Method.EqualsIgnoreCase("PUT")) { if (request.ContentType.Contains("json")) { using (var reader = new StreamReader(request.Body, Encoding.UTF8)) { var content = reader.ReadToEnd(); var obj = content.JsonToObject <JToken>(); try { ParamsProtectionHelper.UnprotectParams(obj, _protector, _option); } catch (Exception e) { _logger.LogWarning(e, "Error in unprotect request body"); context.Result = new StatusCodeResult(_option.InvalidRequestStatusCode); return; } context.HttpContext.Request.Body = obj.ToJson().GetBytes().ToMemoryStream(); } } // json body else if (request.ContentType.Contains("xml")) { // TODO: need test var obj = XmlDataSerializer.Value.Deserialize <JToken>(request.Body.ToByteArray()); try { ParamsProtectionHelper.UnprotectParams(obj, _protector, _option); } catch (Exception e) { _logger.LogWarning(e, "Error in unprotect request body"); context.Result = new StatusCodeResult(_option.InvalidRequestStatusCode); return; } context.HttpContext.Request.Body = XmlDataSerializer.Value.Serialize(obj).ToMemoryStream(); } // xml body // form data if (request.HasFormContentType && request.Form != null && request.Form.Count > 0) { var formDic = request.Form.ToDictionary(_ => _.Key, _ => _.Value); foreach (var param in _option.ProtectParams) { if (formDic.TryGetValue(param, out var values)) { var vals = new List <string>(); for (var i = 0; i < values.Count; i++) { if (_protector.TryGetUnprotectedValue(_option, values[i], out var val)) { vals.Add(val); } else { _logger.LogWarning($"Error in unprotect form data: param:{param}"); context.Result = new StatusCodeResult(_option.InvalidRequestStatusCode); return; } } formDic[param] = new StringValues(vals.ToArray()); } } request.Form = new FormCollection(formDic); } } } }