最近在解決安全漏洞的時候,按照網上常見的過濾方法使用,後來發現有些路徑得到的對象仍然是沒有轉義的JS腳本,而網上過濾器的攔截路徑是“/”,這就很好奇:為什麼有些地方沒有攔截住XSS攻擊?由此引出今天的話題。
先貼出網上的Filter的常見用法
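/**
 * <p>Project Name:cweis-web</p>
 * <p>File Name: XssHttpServletRequestWrapper.java</p>
 * <p>Package Name:com.cweis.filter </p>
 */
package com.cloudwalk.common.xssnew;

import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * <p>ClassName: XssHttpServletRequestWrapper</p>
 * Description: wrapper around {@link HttpServletRequest} that passes parameter names,
 * parameter values and header values through {@link #xssEncode(String)} before handing
 * them to the application.<br/>
 * <p>
 * Only the accessors overridden here are filtered. Code that reads the body directly
 * (JSON, multipart) never goes through this class, which is why the rest of this page
 * adds separate converters for those paths.
 *
 * @date 2018-11-01 15:03:01
 * @author yckj0914
 * @version 1.0
 * @since JDK 1.7
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** Never read by this class; kept only so existing package-level callers still compile. */
    HttpServletRequest orgRequest = null;

    /**
     * @param request the request to wrap
     */
    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /**
     * Filters both the requested parameter name and the returned value.
     * The original value is still available through {@code super.getParameter(name)}.
     *
     * @param name parameter name as requested by the caller; it is filtered before lookup
     * @return the filtered value, or {@code null} when the parameter is absent
     */
    @Override
    public String getParameter(String name) {
        String value = super.getParameter(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /**
     * Returns a filtered copy of the parameter values.
     * <p>
     * A copy is returned rather than writing back into the array obtained from the
     * wrapped request: that array may be owned by the container, and overwriting it
     * in place would alter what {@code super.getParameterValues(name)} reports later.
     *
     * @param name parameter name (not filtered here, matching the original behaviour)
     * @return filtered values, or {@code null} when the parameter is absent
     */
    @Override
    public String[] getParameterValues(String name) {
        return encodeAll(super.getParameterValues(name));
    }

    /**
     * Returns a filtered, unmodifiable copy of the parameter map.
     * <p>
     * Previously this method was a plain pass-through, so any code reading parameters
     * through the map (rather than {@link #getParameter}) received unfiltered input.
     * Keys are filtered as well; if two raw names collapse to the same filtered name,
     * the later entry wins.
     *
     * @return filtered parameter map, or {@code null} if the wrapped request returns {@code null}
     */
    @Override
    public Map<String, String[]> getParameterMap() {
        // Servlet 2.5 declares a raw Map here; the cast is a no-op on 3.x.
        @SuppressWarnings("unchecked")
        Map<String, String[]> raw = super.getParameterMap();
        if (raw == null) {
            return null;
        }
        Map<String, String[]> filtered = new LinkedHashMap<String, String[]>();
        for (Map.Entry<String, String[]> entry : raw.entrySet()) {
            filtered.put(xssEncode(entry.getKey()), encodeAll(entry.getValue()));
        }
        return Collections.unmodifiableMap(filtered);
    }

    /**
     * Filters the requested header name and the returned header value.
     * The original value is still available through {@code super.getHeaders(name)};
     * {@code getHeaderNames} may also need overriding.
     * <p>
     * Author's note (translated): when the commented-out final replacement in
     * {@link #xssEncode(String)} was active, this override produced HTTP 406 responses.
     * 406 means the server cannot produce a response matching the request's content
     * negotiation headers, typically a MIME type the client does not accept.
     *
     * @param name header name; filtered before lookup
     * @return the filtered header value, or {@code null} when absent
     */
    @Override
    public String getHeader(String name) {
        String value = super.getHeader(xssEncode(name));
        return value == null ? null : xssEncode(value);
    }

    /**
     * Applies {@link #xssEncode(String)} to each element of a fresh copy of {@code values}.
     *
     * @param values array from the wrapped request; may be {@code null}
     * @return a new filtered array, or {@code null} when {@code values} is {@code null}
     */
    private static String[] encodeAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] copy = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            copy[i] = xssEncode(values[i]);
        }
        return copy;
    }

    /**
     * Removes a fixed set of patterns commonly seen in XSS payloads from {@code value}.
     * <p>
     * This is an input-time blacklist. It is not a substitute for contextual output
     * encoding at render time, and the regular expressions below only match the exact
     * shapes listed. Specific observations on the code as written:
     * <ul>
     *   <li>{@code eval\((.*)\)} is greedy: it deletes everything from the first
     *       {@code eval(} to the last {@code )} in the value, including unrelated data.</li>
     *   <li>As printed on this page, the three single-character replacements map a
     *       character to itself and therefore do nothing. The original Javadoc said the
     *       intent was to replace half-width characters with full-width ones; confirm
     *       what the deployed source actually contains.</li>
     *   <li>The {@code on...} handler pattern only fires when a closing tag follows.</li>
     * </ul>
     *
     * @param value raw text from a parameter or header; {@code null} and empty are returned as-is
     * @return the filtered text
     */
    private static String xssEncode(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("<","<");
        value = value.replaceAll(">",">");
        value = value.replaceAll("'","'");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("(?i)<script.*?>.*?<script.*?>", "");
        value = value.replaceAll("(?i)<script.*?>.*?</script.*?>", "");
        value = value.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>", "");
        value = value.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>", "");
        // Left disabled by the author: stripping ';' and '&' broke header values (see getHeader).
        // value = value.replaceAll("[<>{}\\[\\];\\&]","");
        return value;
    }
}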
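/**
 * <p>Project Name:cweis-web</p>
 * <p>File Name: XssFilter.java</p>
 * <p>Package Name:com.cweis.filter </p>
 * @date 2018-10-16 15:51:25
 */
package com.cloudwalk.common.xssnew;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * <p>ClassName: XssFilter</p>
 * Description: servlet filter that wraps every matched request in
 * {@link XssHttpServletRequestWrapper} and adds a fixed set of browser security headers
 * to the response.<br/>
 * <p>
 * The wrapper only covers the request accessors it overrides; request bodies read by
 * message converters or multipart resolvers are not affected by this filter.
 *
 * @date 2018-11-01 15:02:37
 * @author yckj0914
 * @version 1.0
 * @since JDK 1.7
 */
public class XssFilter implements Filter {

    /**
     * One year in seconds. The original value, {@code 31536}, is roughly nine hours and
     * looks like a truncation of this constant; HSTS is only useful when the browser
     * remembers the policy for a meaningful period.
     */
    private static final String HSTS_MAX_AGE_SECONDS = "31536000";

    @Override
    public void destroy() {
    }

    /**
     * Wraps the request, sets response security headers, then continues the chain.
     *
     * @param request  incoming request; cast to {@link HttpServletRequest} (the mapping is HTTP-only)
     * @param response outgoing response; cast to {@link HttpServletResponse}
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Wrap the request so parameter/header reads go through the XSS filter.
        XssHttpServletRequestWrapper xssRequest =
                new XssHttpServletRequestWrapper((HttpServletRequest) request);

        HttpServletResponse xssResponse = (HttpServletResponse) response;
        // Legacy browser XSS auditor hint; current browsers largely ignore it, it is kept for compatibility.
        xssResponse.setHeader("X-XSS-Protection", "1; mode=block");
        // Clickjacking defence: only same-origin pages may frame this response.
        xssResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
        // Browsers only honour HSTS on an HTTPS response; on plain HTTP the header is ignored.
        xssResponse.setHeader("Strict-Transport-Security",
                "max-age=" + HSTS_MAX_AGE_SECONDS + "; includeSubDomains");
        // Left disabled by the author; a CSP would need tuning for this application's assets.
        // xssResponse.setHeader("Content-Security-Policy", "default-src 'self'");
        // Stops MIME sniffing of responses with a declared content type.
        xssResponse.setHeader("X-Content-Type-Options", "nosniff");

        chain.doFilter(xssRequest, xssResponse);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
}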
<!--新增的filter-->
<filter>
<filter-name>XssFilter</filter-name>
<filter-class>com.cloudwalk.common.xssnew.XssFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
至此,以上便是網上常見的方案,但它只能處理普通的getParameter()取值路徑。接下來說明如何為上傳、JSON、表單這幾種路徑補上XSS攻擊的防御措施。
package cn.cloudwalk.common.mapper.adapters;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlType;

/**
 * JAXB-friendly container for a list of key/value pairs.
 * Used by {@link MapAdapter} to move a {@code Map<String, Object>} in and out of XML.
 */
@XmlType(name = "MapConvertor")
@XmlAccessorType(XmlAccessType.FIELD)
public class MapConvertor {

    /** Entries in insertion order. Exposed directly (not copied) by {@link #getEntries()}. */
    private List<MapEntry> entries = new ArrayList<MapEntry>();

    /**
     * Appends one entry.
     *
     * @param entry the entry to add (no null check is performed)
     */
    public void addEntry(MapEntry entry) {
        this.entries.add(entry);
    }

    /**
     * @return the live backing list; modifications are visible to this object
     */
    public List<MapEntry> getEntries() {
        return this.entries;
    }

    /** One key/value pair; mutable bean so JAXB can populate it. */
    public static class MapEntry {

        private String key;
        private Object value;

        /** No-arg constructor required by JAXB. */
        public MapEntry() {
        }

        /**
         * Copies key and value out of a map entry.
         *
         * @param entry source entry
         */
        public MapEntry(Map.Entry<String, Object> entry) {
            this(entry.getKey(), entry.getValue());
        }

        /**
         * @param key   entry key
         * @param value entry value
         */
        public MapEntry(String key, Object value) {
            this.key = key;
            this.value = value;
        }

        public String getKey() {
            return this.key;
        }

        public void setKey(String key) {
            this.key = key;
        }

        public Object getValue() {
            return this.value;
        }

        public void setValue(Object value) {
            this.value = value;
        }
    }
}
package cn.cloudwalk.common.mapper.adapters;

import java.util.HashMap;
import java.util.Map;

import javax.xml.bind.annotation.adapters.XmlAdapter;

/**
 * JAXB adapter that represents a {@code Map<String, Object>} as a {@link MapConvertor}
 * (a list of entries) for marshalling, and rebuilds the map on unmarshalling.
 */
public class MapAdapter extends XmlAdapter<MapConvertor, Map<String, Object>> {

    /**
     * Converts a map into an entry list.
     *
     * @param map source map (no null check is performed)
     * @return a new {@link MapConvertor} holding one entry per map entry
     * @throws Exception declared by {@link XmlAdapter}; not thrown here
     */
    @Override
    public MapConvertor marshal(Map<String, Object> map) throws Exception {
        MapConvertor out = new MapConvertor();
        for (Map.Entry<String, Object> pair : map.entrySet()) {
            out.addEntry(new MapConvertor.MapEntry(pair));
        }
        return out;
    }

    /**
     * Converts an entry list back into a map. Duplicate keys: the last entry wins.
     *
     * @param map source entry list (no null check is performed)
     * @return a new {@link HashMap} with the entries' keys and values
     * @throws Exception declared by {@link XmlAdapter}; not thrown here
     */
    @Override
    public Map<String, Object> unmarshal(MapConvertor map) throws Exception {
        Map<String, Object> out = new HashMap<String, Object>();
        for (MapConvertor.MapEntry pair : map.getEntries()) {
            out.put(pair.getKey(), pair.getValue());
        }
        return out;
    }
}
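/**
 * Project Name:cloudwalk-common
 * File Name:FalconHttpMessageConverter.java
 * Package Name:cn.cloudwalk.common.mapper.adapters
 * Date:2016-05-20 16:58:32
 */
package cn.cloudwalk.common.mapper.adapters;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;

import com.cloudwalk.common.xssnew.XssHttpServletRequestWrapper;
import org.springframework.http.HttpInputMessage;
import org.springframework.http.converter.HttpMessageNotReadableException;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter;

/**
 * ClassName:FalconHttpMessageConverter <br/>
 * Description: reads the request body as text, runs it through {@link #xssEncode(String)},
 * and then either returns the text as-is (when the target type is {@code String}) or parses
 * it as JSON. <br/>
 * Date: 2016-05-20 16:58:32 <br/>
 * <p>
 * Notes for reviewers:
 * <ul>
 *   <li>The filter runs over the raw JSON document, not over individual string fields, so a
 *       greedy pattern such as {@code eval\((.*)\)} can delete structure spanning several
 *       fields and make the document unparseable.</li>
 *   <li>{@code JSON.parseObject(text, clazz)} hands untrusted input to fastjson; whether
 *       autoType handling is safe depends on the fastjson version and its settings, which
 *       this file does not pin. Verify the version in use.</li>
 * </ul>
 */
public class FalconHttpMessageConverter extends FastJsonHttpMessageConverter {

    /** Not read by this class; {@link #getCharset()} from the superclass is used instead. */
    private Charset charset = UTF8;

    /**
     * Reads the whole body, filters it, and converts it to {@code clazz}.
     * When the target is {@code String} the filtered text is returned without JSON parsing.
     *
     * @param clazz        target type requested by the controller
     * @param inputMessage message whose body is read to the end (the stream is not closed here)
     * @return the filtered string, or the object fastjson parsed from the filtered text
     * @throws IOException                     on a read failure
     * @throws HttpMessageNotReadableException declared by the superclass contract
     */
    @Override
    protected Object readInternal(Class<? extends Object> clazz, HttpInputMessage inputMessage)
            throws IOException, HttpMessageNotReadableException {
        String text = xssEncode(new String(readFully(inputMessage.getBody()), getCharset()));
        if (clazz == String.class) {
            // Strings are returned as text; no JSON conversion.
            return text;
        }
        return JSON.parseObject(text, clazz);
    }

    /**
     * Drains {@code in} into a byte array. Both branches of the original method contained
     * this loop verbatim; it is shared here.
     *
     * @param in body stream; read to EOF but not closed
     * @return all bytes read
     * @throws IOException on a read failure
     */
    private static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        int len;
        while ((len = in.read(buf)) != -1) {
            if (len > 0) {
                baos.write(buf, 0, len);
            }
        }
        return baos.toByteArray();
    }

    /**
     * Same blacklist as in {@code XssHttpServletRequestWrapper}, applied to the whole body.
     * <p>
     * As printed on this page, the three single-character replacements map a character to
     * itself and therefore do nothing; confirm what the deployed source actually contains.
     *
     * @param value raw body text; {@code null} and empty are returned as-is
     * @return the filtered text
     */
    private static String xssEncode(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("<","<");
        value = value.replaceAll(">",">");
        value = value.replaceAll("'","'");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("(?i)<script.*?>.*?<script.*?>", "");
        value = value.replaceAll("(?i)<script.*?>.*?</script.*?>", "");
        value = value.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>", "");
        value = value.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>", "");
        // Left disabled by the author: stripping these characters would break JSON syntax.
        // value = value.replaceAll("[<>{}\\[\\];\\&]","");
        return value;
    }
}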
/**
 * Project Name:cloudwalk-common
 * File Name:CloudWalkHttpMessageConverter.java
 * Package Name:cn.cloudwalk.common.mapper.adapters
 */
package cn.cloudwalk.common.mapper.adapters;

import java.io.IOException;

import cn.cloudwalk.common.ResultEntity;
import cn.cloudwalk.enums.GlobalMessage;
import org.springframework.http.HttpOutputMessage;
import org.springframework.http.converter.HttpMessageNotWritableException;
import org.springframework.validation.ObjectError;

import com.alibaba.fastjson.support.spring.FastJsonHttpMessageConverter;

/**
 * ClassName:CloudWalkHttpMessageConverter <br/>
 * Description: wraps any {@code @ResponseBody} return value that is not already a
 * {@link ResultEntity} into one before it is written as JSON. <br/>
 * Date: 2016-05-20 16:58:32 <br/>
 *
 * @author 李強
 * @version 1.0.0
 * @since JDK 1.7
 */
public class CloudWalkHttpMessageConverter extends FastJsonHttpMessageConverter {

    /**
     * Writes {@code obj} unchanged when it is already a {@link ResultEntity};
     * otherwise writes a {@link ResultEntity} built by {@link #wrap(Object)}.
     *
     * @param obj           controller return value
     * @param outputMessage response to write to
     * @throws IOException                     propagated from the superclass
     * @throws HttpMessageNotWritableException propagated from the superclass
     */
    @Override
    protected void writeInternal(Object obj, HttpOutputMessage outputMessage)
            throws IOException, HttpMessageNotWritableException {
        if (obj instanceof ResultEntity) {
            super.writeInternal(obj, outputMessage);
            return;
        }
        super.writeInternal(wrap(obj), outputMessage);
    }

    /**
     * Builds the envelope: an {@link ObjectError} becomes a failure response carrying its
     * default message; anything else is stored as the payload.
     *
     * @param obj value to wrap
     * @return a new {@link ResultEntity}
     */
    private static ResultEntity wrap(Object obj) {
        ResultEntity envelope = new ResultEntity();
        if (obj instanceof ObjectError) {
            envelope.setRespCode(GlobalMessage.RESP_FAIL.getRespCode());
            envelope.setRespDesc(((ObjectError) obj).getDefaultMessage());
        } else {
            envelope.setData(obj);
        }
        return envelope;
    }
}
<!-- https://mvnrepository.com/artifact/net.sf.dozer/dozer --> <dependency> <groupId>net.sf.dozer</groupId> <artifactId>dozer</artifactId> <version>5.5.1</version> </dependency>
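/**
 * Copyright (c) 2005-2012 springside.org.cn
 */
package cn.cloudwalk.common.mapper;

import java.util.Collection;
import java.util.List;

import org.dozer.DozerBeanMapper;

import com.google.common.collect.Lists;

/**
 * Thin wrapper over Dozer for deep Bean&lt;-&gt;Bean mapping. Provides:
 *
 * 1. a single shared mapper instance;
 * 2. a typed return value;
 * 3. bulk conversion of every object in a Collection;
 * 4. separate methods for creating a new B and for copying A's values into an existing B.
 *
 * @version 2013-01-15
 */
public class BeanMapper {

    private BeanMapper() {
    }

    /**
     * Shared Dozer instance, created once to avoid the cost of repeated construction.
     * Declared {@code final} so it cannot be swapped out after class initialisation.
     */
    private static final DozerBeanMapper dozer = new DozerBeanMapper();

    /**
     * Maps {@code source} to a new instance of {@code destinationClass}.
     *
     * @param source           object to read from
     * @param destinationClass type to create
     * @param <T>              destination type
     * @return the mapped object
     */
    public static <T> T map(Object source, Class<T> destinationClass) {
        return dozer.map(source, destinationClass);
    }

    /**
     * Maps every element of {@code sourceList} to a new {@code destinationClass} instance.
     * The wildcard parameter replaces the previous raw {@code Collection}; any collection
     * still compiles against it.
     *
     * @param sourceList       objects to read from (no null check is performed)
     * @param destinationClass type to create for each element
     * @param <T>              destination type
     * @return a new list, in iteration order, sized to the input
     */
    public static <T> List<T> mapList(Collection<?> sourceList, Class<T> destinationClass) {
        List<T> destinationList = Lists.newArrayListWithCapacity(sourceList.size());
        for (Object sourceObject : sourceList) {
            destinationList.add(dozer.map(sourceObject, destinationClass));
        }
        return destinationList;
    }

    /**
     * Copies {@code source}'s values into the existing {@code destinationObject}.
     *
     * @param source            object to read from
     * @param destinationObject object to write into
     */
    public static void copy(Object source, Object destinationObject) {
        dozer.map(source, destinationObject);
    }
}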
==================================================重寫DefaultMultipartHttpServletRequest==========================================
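package cn.cloudwalk.common;

import org.springframework.util.MultiValueMap;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.multipart.support.DefaultMultipartHttpServletRequest;

import javax.servlet.http.HttpServletRequest;
import java.util.Map;

/**
 * {@link DefaultMultipartHttpServletRequest} whose {@link #getParameterValues(String)}
 * runs the multipart form fields through {@link #xssEncode(String)}.
 * <p>
 * Only {@code getParameterValues} is overridden; {@code getParameter} and
 * {@code getParameterMap} keep the superclass behaviour, so callers using those
 * accessors still see unfiltered values. Uploaded file contents are not filtered.
 */
public class XssFilterMultipartHttpServletRequest extends DefaultMultipartHttpServletRequest {

    /**
     * @param request             the underlying request
     * @param mpFiles             parsed multipart files
     * @param mpParams            parsed multipart form fields
     * @param mpParamContentTypes content types of the form fields
     */
    public XssFilterMultipartHttpServletRequest(HttpServletRequest request,
                                                MultiValueMap<String, MultipartFile> mpFiles,
                                                Map<String, String[]> mpParams,
                                                Map<String, String> mpParamContentTypes) {
        super(request, mpFiles, mpParams, mpParamContentTypes);
    }

    /**
     * Lazy variant: multipart data is parsed on first access (see the resolver).
     *
     * @param request the underlying request
     */
    public XssFilterMultipartHttpServletRequest(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns filtered values for {@code name}.
     * <p>
     * Fixes two problems in the previous version: (1) it dereferenced the result of
     * {@code getMultipartParameters().get(name)} without a null check, so any name that
     * was not a multipart field threw {@link NullPointerException}; (2) it wrote the
     * filtered strings back into the array held by the multipart parameter map, so the
     * stored values were altered in place. Now, when the name is not a multipart field the
     * lookup falls back to the superclass, and the result is always a fresh array.
     *
     * @param name parameter name
     * @return filtered values, or {@code null} when neither source has the parameter
     */
    @Override
    public String[] getParameterValues(String name) {
        String[] values = getMultipartParameters().get(name);
        if (values == null) {
            values = super.getParameterValues(name);
        }
        if (values == null) {
            return null;
        }
        String[] filtered = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            filtered[i] = xssEncode(values[i]);
        }
        return filtered;
    }

    /**
     * Same blacklist as in {@code XssHttpServletRequestWrapper}.
     * <p>
     * As printed on this page, the three single-character replacements map a character to
     * itself and therefore do nothing; confirm what the deployed source actually contains.
     *
     * @param value raw form-field text; {@code null} and empty are returned as-is
     * @return the filtered text
     */
    private static String xssEncode(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        value = value.replaceAll("eval\\((.*)\\)", "");
        value = value.replaceAll("<", "<");
        value = value.replaceAll(">", ">");
        value = value.replaceAll("'", "'");
        value = value.replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"");
        value = value.replaceAll("(?i)<script.*?>.*?<script.*?>", "");
        value = value.replaceAll("(?i)<script.*?>.*?</script.*?>", "");
        value = value.replaceAll("(?i)<.*?javascript:.*?>.*?</.*?>", "");
        value = value.replaceAll("(?i)<.*?\\s+on.*?>.*?</.*?>", "");
        // Left disabled by the author, consistent with the other two copies of this method.
        // value = value.replaceAll("[<>{}\\[\\];\\&]","");
        return value;
    }
}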
package cn.cloudwalk.common;

import javax.servlet.http.HttpServletRequest;

import org.springframework.util.Assert;
import org.springframework.web.multipart.MultipartException;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;
import org.springframework.web.multipart.support.DefaultMultipartHttpServletRequest;

/**
 * ClassName: CloudwalkMultipartResolver <br/>
 * Description: {@link CommonsMultipartResolver} that (a) leaves chunked-upload requests
 * unwrapped and (b) produces {@link XssFilterMultipartHttpServletRequest} instead of the
 * default multipart request so form fields are XSS-filtered. <br/>
 * date: 2016-11-17 10:01:43 <br/>
 *
 * @version 1.0.0
 * @since JDK 1.7
 */
public class CloudwalkMultipartResolver extends CommonsMultipartResolver {

    /** Shadows the superclass setting; read only by this class's {@link #resolveMultipart}. */
    private boolean resolveLazily = false;

    /**
     * Treats chunked-upload requests as non-multipart so they keep the plain request.
     * <p>
     * The match is a suffix test on the request URI, so any path ending in
     * {@code chunkUpload/fileUpload} is exempted, and the form fields of such a request
     * bypass the XSS-filtering wrapper entirely; whatever handles that endpoint must do
     * its own encoding.
     *
     * @see org.springframework.web.multipart.commons.CommonsMultipartResolver#isMultipart(javax.servlet.http.HttpServletRequest)
     */
    @Override
    public boolean isMultipart(HttpServletRequest request) {
        if (request.getRequestURI().endsWith("chunkUpload/fileUpload")) {
            return false;
        }
        return super.isMultipart(request);
    }

    /**
     * Mirrors the superclass implementation but constructs
     * {@link XssFilterMultipartHttpServletRequest}. With lazy resolution the request is
     * parsed on first access; otherwise it is parsed immediately and parse errors surface here.
     *
     * @param request the request to resolve; must not be {@code null}
     * @return the wrapped multipart request
     * @throws MultipartException when eager parsing fails
     */
    @Override
    public MultipartHttpServletRequest resolveMultipart(final HttpServletRequest request)
            throws MultipartException {
        Assert.notNull(request, "Request must not be null");
        if (!this.resolveLazily) {
            MultipartParsingResult parsed = parseRequest(request);
            return new XssFilterMultipartHttpServletRequest(request,
                    parsed.getMultipartFiles(),
                    parsed.getMultipartParameters(),
                    parsed.getMultipartParameterContentTypes());
        }
        return new XssFilterMultipartHttpServletRequest(request) {
            @Override
            protected void initializeMultipart() {
                MultipartParsingResult parsed = parseRequest(request);
                setMultipartFiles(parsed.getMultipartFiles());
                setMultipartParameters(parsed.getMultipartParameters());
                setMultipartParameterContentTypes(parsed.getMultipartParameterContentTypes());
            }
        };
    }

    /**
     * Set whether to resolve the multipart request lazily at the time of file or
     * parameter access.
     * <p>Default is "false", resolving the multipart elements immediately, throwing
     * corresponding exceptions at the time of the {@link #resolveMultipart} call.
     * Switch this to "true" for lazy multipart parsing, throwing parse exceptions
     * once the application attempts to obtain multipart files or parameters.
     */
    public void setResolveLazily(boolean resolveLazily) {
        this.resolveLazily = resolveLazily;
    }
}
添加以上,即可解決
