Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
H
hp-smart
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
platform
hp-smart
Commits
394aaec5
Commit
394aaec5
authored
Mar 12, 2024
by
wuwenlong
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
防XSS注入rollback
parent
7511893b
Expand all
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
0 additions
and
257 deletions
+0
-257
FilterConfig.java
src/main/java/com/baosight/hpjx/config/FilterConfig.java
+0
-25
HTMLFilter.java
src/main/java/com/baosight/hpjx/xss/HTMLFilter.java
+0
-0
XssFilter.java
src/main/java/com/baosight/hpjx/xss/XssFilter.java
+0
-77
XssHttpServletRequestWrapper.java
...a/com/baosight/hpjx/xss/XssHttpServletRequestWrapper.java
+0
-155
No files found.
src/main/java/com/baosight/hpjx/config/FilterConfig.java
deleted
100644 → 0
View file @
7511893b
package
com
.
baosight
.
hpjx
.
config
;
import
com.baosight.hpjx.xss.XssFilter
;
import
org.springframework.boot.web.servlet.FilterRegistrationBean
;
import
org.springframework.context.annotation.Bean
;
import
org.springframework.context.annotation.Configuration
;
/**
* @Author wwl
* @Date 2024/3/11 14:20
*/
@Configuration
public
class
FilterConfig
{
@Bean
public
FilterRegistrationBean
<
XssFilter
>
xssFilterRegistration
()
{
FilterRegistrationBean
<
XssFilter
>
registration
=
new
FilterRegistrationBean
<>();
registration
.
setFilter
(
new
XssFilter
());
registration
.
addUrlPatterns
(
"/*"
);
registration
.
setOrder
(
1
);
return
registration
;
}
}
\ No newline at end of file
src/main/java/com/baosight/hpjx/xss/HTMLFilter.java
deleted
100644 → 0
View file @
7511893b
This diff is collapsed.
Click to expand it.
src/main/java/com/baosight/hpjx/xss/XssFilter.java
deleted
100644 → 0
View file @
7511893b
package
com
.
baosight
.
hpjx
.
xss
;
import
com.baosight.hpjx.util.StringUtils
;
import
java.io.IOException
;
import
java.util.ArrayList
;
import
java.util.List
;
import
javax.servlet.Filter
;
import
javax.servlet.FilterChain
;
import
javax.servlet.FilterConfig
;
import
javax.servlet.ServletException
;
import
javax.servlet.ServletRequest
;
import
javax.servlet.ServletResponse
;
import
javax.servlet.http.HttpServletRequest
;
/**
* xss过滤
*/
public
class
XssFilter
implements
Filter
{
//不拦截的地址
private
List
<
String
>
excludedList
=
new
ArrayList
<
String
>();
@Override
public
void
init
(
FilterConfig
config
)
throws
ServletException
{
/*
* 这里只处理了需要拦截的url地址,如果想不拦截某个字段,比如富文本字段,
* 需要自己在XssHttpServletRequestWrapper类中去添加逻辑
*/
excludedList
.
add
(
"/service/HP*/*"
);
}
@Override
public
void
doFilter
(
ServletRequest
request
,
ServletResponse
response
,
FilterChain
chain
)
throws
IOException
,
ServletException
{
XssHttpServletRequestWrapper
xssRequest
=
new
XssHttpServletRequestWrapper
(
(
HttpServletRequest
)
request
);
String
url
=
xssRequest
.
getServletPath
();
if
(
isExcluded
(
url
)){
chain
.
doFilter
(
request
,
response
);
}
else
{
//使用XSS过滤
chain
.
doFilter
(
xssRequest
,
response
);
}
}
@Override
public
void
destroy
()
{
}
/**
* 是否不拦截
* @param url 请求地址
* @return true不拦截,false拦截
*/
private
boolean
isExcluded
(
String
url
){
// if(StringUtils.isBlank(url)){
// return false;
// }
if
(!
StringUtils
.
matches
(
url
,
excludedList
)){
return
true
;
}
// for (String excluded : excludedList) {
// if(!url.contains(excluded)){
// return true;
// }
// }
return
false
;
}
}
src/main/java/com/baosight/hpjx/xss/XssHttpServletRequestWrapper.java
deleted
100644 → 0
View file @
7511893b
package
com
.
baosight
.
hpjx
.
xss
;
import
org.apache.commons.lang3.StringEscapeUtils
;
import
org.apache.commons.lang3.StringUtils
;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletRequestWrapper
;
import
java.util.LinkedHashMap
;
import
java.util.Map
;
import
java.io.ByteArrayInputStream
;
import
java.io.IOException
;
import
javax.servlet.ReadListener
;
import
javax.servlet.ServletInputStream
;
import
org.apache.commons.io.IOUtils
;
import
org.springframework.http.HttpHeaders
;
import
org.springframework.http.MediaType
;
public
class
XssHttpServletRequestWrapper
extends
HttpServletRequestWrapper
{
// 没被包装过的HttpServletRequest(特殊场景,需求自己过滤)
HttpServletRequest
orgRequest
;
// html过滤
private
final
static
HTMLFilter
htmlFilter
=
new
HTMLFilter
();
public
XssHttpServletRequestWrapper
(
HttpServletRequest
request
)
{
super
(
request
);
orgRequest
=
request
;
}
/**
* 过滤json参数
*/
@Override
public
ServletInputStream
getInputStream
()
throws
IOException
{
String
contentType
=
super
.
getHeader
(
HttpHeaders
.
CONTENT_TYPE
);
//非json类型,直接返回
if
(!(
MediaType
.
APPLICATION_JSON_VALUE
.
equalsIgnoreCase
(
contentType
)
||
MediaType
.
APPLICATION_JSON_UTF8_VALUE
.
equalsIgnoreCase
(
contentType
))){
return
super
.
getInputStream
();
}
//为空,直接返回
String
json
=
IOUtils
.
toString
(
super
.
getInputStream
(),
"utf-8"
);
if
(
StringUtils
.
isBlank
(
json
))
{
return
super
.
getInputStream
();
}
//xss过滤
json
=
xssEncode
(
json
);
json
=
StringEscapeUtils
.
unescapeHtml4
(
json
);
final
ByteArrayInputStream
bis
=
new
ByteArrayInputStream
(
json
.
getBytes
(
"utf-8"
));
return
new
ServletInputStream
()
{
@Override
public
boolean
isFinished
()
{
return
true
;
}
@Override
public
boolean
isReady
()
{
return
true
;
}
@Override
public
void
setReadListener
(
ReadListener
readListener
)
{
}
@Override
public
int
read
()
throws
IOException
{
return
bis
.
read
();
}
};
}
@Override
public
String
getParameter
(
String
name
)
{
String
value
=
super
.
getParameter
(
xssEncode
(
name
));
if
(
StringUtils
.
isNotBlank
(
value
))
{
value
=
xssEncode
(
value
);
}
return
StringEscapeUtils
.
unescapeHtml4
(
value
);
}
@Override
public
String
[]
getParameterValues
(
String
name
)
{
String
[]
parameters
=
super
.
getParameterValues
(
name
);
if
(
parameters
==
null
||
parameters
.
length
==
0
)
{
return
null
;
}
for
(
int
i
=
0
;
i
<
parameters
.
length
;
i
++)
{
parameters
[
i
]
=
xssEncode
(
parameters
[
i
]);
parameters
[
i
]
=
StringEscapeUtils
.
unescapeHtml4
(
parameters
[
i
]);
}
return
parameters
;
}
@Override
public
Map
<
String
,
String
[]>
getParameterMap
()
{
Map
<
String
,
String
[]>
map
=
new
LinkedHashMap
<>();
Map
<
String
,
String
[]>
parameters
=
super
.
getParameterMap
();
for
(
String
key
:
parameters
.
keySet
())
{
String
[]
values
=
parameters
.
get
(
key
);
for
(
int
i
=
0
;
i
<
values
.
length
;
i
++)
{
values
[
i
]
=
xssEncode
(
values
[
i
]);
values
[
i
]
=
StringEscapeUtils
.
unescapeHtml4
(
values
[
i
]);
}
map
.
put
(
key
,
values
);
}
return
map
;
}
@Override
public
String
getHeader
(
String
name
)
{
String
value
=
super
.
getHeader
(
xssEncode
(
name
));
if
(
StringUtils
.
isNotBlank
(
value
))
{
value
=
xssEncode
(
value
);
}
return
StringEscapeUtils
.
unescapeHtml4
(
value
);
}
private
String
xssEncode
(
String
input
)
{
return
htmlFilter
.
filter
(
input
);
}
/**
* 获取最原始的request
*/
public
HttpServletRequest
getOrgRequest
()
{
return
orgRequest
;
}
/**
* 获取最原始的request
*/
public
static
HttpServletRequest
getOrgRequest
(
HttpServletRequest
request
)
{
if
(
request
instanceof
XssHttpServletRequestWrapper
)
{
return
((
XssHttpServletRequestWrapper
)
request
).
getOrgRequest
();
}
return
request
;
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment