Skip to content

H
hp-smart
Commit 394aaec5 by wuwenlong
Options

防XSS注入rollback

parent 7511893b
Showing with 0 additions and 257 deletions
src/main/java/com/baosight/hpjx/config/FilterConfig.java deleted 100644 → 0
package com.baosight.hpjx.config;
import com.baosight.hpjx.xss.XssFilter;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
/**
* @Author wwl
* @Date 2024/3/11 14:20
*/
@Configuration
public class FilterConfig {
@Bean
public FilterRegistrationBean<XssFilter> xssFilterRegistration() {
FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
registration.setFilter(new XssFilter());
registration.addUrlPatterns("/*");
registration.setOrder(1);
return registration;
}
}
\ No newline at end of file
src/main/java/com/baosight/hpjx/xss/XssFilter.java deleted 100644 → 0
package com.baosight.hpjx.xss;
import com.baosight.hpjx.util.StringUtils;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
/**
* xss过滤
*/
public class XssFilter implements Filter {
//不拦截的地址
private List<String> excludedList = new ArrayList<String>();
@Override
public void init(FilterConfig config) throws ServletException {
/*
* 这里只处理了需要拦截的url地址,如果想不拦截某个字段,比如富文本字段,
* 需要自己在XssHttpServletRequestWrapper类中去添加逻辑
*/
excludedList.add("/service/HP*/*");
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
(HttpServletRequest) request);
String url = xssRequest.getServletPath();
if(isExcluded(url)){
chain.doFilter(request, response);
}else{
//使用XSS过滤
chain.doFilter(xssRequest, response);
}
}
@Override
public void destroy() {
}
/**
* 是否不拦截
* @param url 请求地址
* @return true不拦截,false拦截
*/
private boolean isExcluded(String url){
// if(StringUtils.isBlank(url)){
// return false;
// }
if(!StringUtils.matches(url, excludedList)){
return true;
}
// for (String excluded : excludedList) {
// if(!url.contains(excluded)){
// return true;
// }
// }
return false;
}
}
src/main/java/com/baosight/hpjx/xss/XssHttpServletRequestWrapper.java deleted 100644 → 0
package com.baosight.hpjx.xss;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.LinkedHashMap;
import java.util.Map;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import org.apache.commons.io.IOUtils;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
// 没被包装过的HttpServletRequest(特殊场景,需求自己过滤)
HttpServletRequest orgRequest;
// html过滤
private final static HTMLFilter htmlFilter = new HTMLFilter();
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
orgRequest = request;
}
/**
* 过滤json参数
*/
@Override
public ServletInputStream getInputStream() throws IOException {
String contentType = super.getHeader(HttpHeaders.CONTENT_TYPE);
//非json类型,直接返回
if(!(MediaType.APPLICATION_JSON_VALUE.
equalsIgnoreCase(contentType) ||
MediaType.APPLICATION_JSON_UTF8_VALUE.
equalsIgnoreCase(contentType))){
return super.getInputStream();
}
//为空,直接返回
String json = IOUtils.toString(super.getInputStream(), "utf-8");
if (StringUtils.isBlank(json)) {
return super.getInputStream();
}
//xss过滤
json =xssEncode(json);
json = StringEscapeUtils.unescapeHtml4(json);
final ByteArrayInputStream bis =
new ByteArrayInputStream(json.getBytes("utf-8"));
return new ServletInputStream() {
@Override
public boolean isFinished() {
return true;
}
@Override
public boolean isReady() {
return true;
}
@Override
public void setReadListener(ReadListener readListener) {
}
@Override
public int read() throws IOException {
return bis.read();
}
};
}
@Override
public String getParameter(String name) {
String value = super.getParameter(xssEncode(name));
if (StringUtils.isNotBlank(value)) {
value =xssEncode(value);
}
return StringEscapeUtils.unescapeHtml4(value);
}
@Override
public String[] getParameterValues(String name) {
String[] parameters = super.getParameterValues(name);
if (parameters == null || parameters.length == 0) {
return null;
}
for (int i = 0; i < parameters.length; i++) {
parameters[i] = xssEncode(parameters[i]);
parameters[i] = StringEscapeUtils.unescapeHtml4(parameters[i]);
}
return parameters;
}
@Override
public Map<String, String[]> getParameterMap() {
Map<String, String[]> map = new LinkedHashMap<>();
Map<String, String[]> parameters = super.getParameterMap();
for (String key : parameters.keySet()) {
String[] values = parameters.get(key);
for (int i = 0; i < values.length; i++) {
values[i] = xssEncode(values[i]);
values[i] = StringEscapeUtils.unescapeHtml4(values[i]);
}
map.put(key, values);
}
return map;
}
@Override
public String getHeader(String name) {
String value = super.getHeader(xssEncode(name));
if (StringUtils.isNotBlank(value)) {
value = xssEncode(value);
}
return StringEscapeUtils.unescapeHtml4(value);
}
private String xssEncode(String input) {
return htmlFilter.filter(input);
}
/**
* 获取最原始的request
*/
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
/**
* 获取最原始的request
*/
public static HttpServletRequest getOrgRequest(HttpServletRequest request) {
if (request instanceof XssHttpServletRequestWrapper) {
return ((XssHttpServletRequestWrapper) request).getOrgRequest();
}
return request;
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment