防XSS注入

0fd1e1c9 · wuwenlong · 0f07eb0f · 0fd1e1c9 · 0fd1e1c9 · 0fd1e1c9
Commit 0fd1e1c9 authored Mar 11, 2024 by wuwenlong
5 changed files
--- a/src/main/java/com/baosight/hpjx/config/FilterConfig.java
+++ b/src/main/java/com/baosight/hpjx/config/FilterConfig.java
+package com.baosight.hpjx.config;
+
+import com.baosight.hpjx.xss.XssFilter;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * @Author wwl
+ * @Date 2024/3/11 14:20
+ */
+@Configuration
+public class FilterConfig {
+
+    @Bean
+    public FilterRegistrationBean<XssFilter> xssFilterRegistration() {
+        FilterRegistrationBean<XssFilter> registration = new FilterRegistrationBean<>();
+        registration.setFilter(new XssFilter());
+        registration.addUrlPatterns("/*");
+        registration.setOrder(1);
+        return registration;
+    }
+
+}
\ No newline at end of file
--- a/src/main/java/com/baosight/hpjx/util/StringUtils.java
+++ b/src/main/java/com/baosight/hpjx/util/StringUtils.java
@@ -2,9 +2,12 @@ package com.baosight.hpjx.util;

 import com.alibaba.fastjson.JSONObject;
 import com.baosight.iplat4j.core.exception.PlatException;
+import org.springframework.util.AntPathMatcher;

 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
+import java.util.Collection;
+import java.util.List;
 import java.util.Map;
 import java.util.UUID;

@@ -127,5 +130,65 @@ public class StringUtils extends org.apache.commons.lang3.StringUtils {
 		paramsText = URLDecoder.decode(paramsText, "UTF-8");
 		return JSONObject.parseObject(paramsText).getInnerMap();
 	}
-	
+
+	/**
+	 * 查找指定字符串是否匹配指定字符串列表中的任意一个字符串
+	 *
+	 * @param str 指定字符串
+	 * @param strs 需要检查的字符串数组
+	 * @return 是否匹配
+	 */
+	public static boolean matches(String str, List<String> strs)
+	{
+		if (isEmpty(str) || isEmpty(strs))
+		{
+			return false;
+		}
+		for (String pattern : strs)
+		{
+			if (isMatch(pattern, str))
+			{
+				return true;
+			}
+		}
+		return false;
+	}
+
+	/**
+	 * 判断url是否与规则配置:
+	 * ? 表示单个字符;
+	 * * 表示一层路径内的任意字符串，不可跨层级;
+	 * ** 表示任意层路径;
+	 *
+	 * @param pattern 匹配规则
+	 * @param url 需要匹配的url
+	 * @return
+	 */
+	public static boolean isMatch(String pattern, String url)
+	{
+		AntPathMatcher matcher = new AntPathMatcher();
+		return matcher.match(pattern, url);
+	}
+
+	/**
+	 * * 判断一个Collection是否为空， 包含List，Set，Queue
+	 *
+	 * @param coll 要判断的Collection
+	 * @return true：为空 false：非空
+	 */
+	public static boolean isEmpty(Collection<?> coll)
+	{
+		return isNull(coll) || coll.isEmpty();
+	}
+
+	/**
+	 * * 判断一个对象是否为空
+	 *
+	 * @param object Object
+	 * @return true：为空 false：非空
+	 */
+	public static boolean isNull(Object object)
+	{
+		return object == null;
+	}
 }
--- a/src/main/java/com/baosight/hpjx/xss/HTMLFilter.java
+++ b/src/main/java/com/baosight/hpjx/xss/HTMLFilter.java
--- a/src/main/java/com/baosight/hpjx/xss/XssFilter.java
+++ b/src/main/java/com/baosight/hpjx/xss/XssFilter.java
+package com.baosight.hpjx.xss;
+
+
+import com.baosight.hpjx.util.StringUtils;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+
+
+/**
+ * xss过滤
+ */
+public class XssFilter implements Filter {
+
+    //不拦截的地址
+    private List<String> excludedList = new ArrayList<String>();
+
+    @Override
+    public void init(FilterConfig config) throws ServletException {
+
+        /*
+         * 这里只处理了需要拦截的url地址，如果想不拦截某个字段，比如富文本字段，
+         * 需要自己在XssHttpServletRequestWrapper类中去添加逻辑
+         */
+        excludedList.add("/service/HP*/*");
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+        XssHttpServletRequestWrapper xssRequest = new XssHttpServletRequestWrapper(
+                (HttpServletRequest) request);
+        String url = xssRequest.getServletPath();
+        if(isExcluded(url)){
+            chain.doFilter(request, response);
+        }else{
+            //使用XSS过滤
+            chain.doFilter(xssRequest, response);
+        }
+    }
+
+    @Override
+    public void destroy() {
+    }
+
+    /**
+     * 是否不拦截
+     * @param url	请求地址
+     * @return	true不拦截，false拦截
+     */
+    private boolean isExcluded(String url){
+//        if(StringUtils.isBlank(url)){
+//            return false;
+//        }
+        if(!StringUtils.matches(url, excludedList)){
+            return true;
+        }
+//        for (String excluded : excludedList) {
+//            if(!url.contains(excluded)){
+//                return true;
+//            }
+//        }
+        return false;
+    }
+
+}
+
--- a/src/main/java/com/baosight/hpjx/xss/XssHttpServletRequestWrapper.java
+++ b/src/main/java/com/baosight/hpjx/xss/XssHttpServletRequestWrapper.java
+package com.baosight.hpjx.xss;
+
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.apache.commons.lang3.StringUtils;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import javax.servlet.ReadListener;
+import javax.servlet.ServletInputStream;
+import org.apache.commons.io.IOUtils;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+
+public class XssHttpServletRequestWrapper  extends HttpServletRequestWrapper {
+
+    // 没被包装过的HttpServletRequest（特殊场景，需求自己过滤）
+    HttpServletRequest orgRequest;
+    // html过滤
+    private final static HTMLFilter htmlFilter = new HTMLFilter();
+
+    public XssHttpServletRequestWrapper(HttpServletRequest request) {
+        super(request);
+        orgRequest = request;
+    }
+
+
+    /**
+     * 过滤json参数
+     */
+    @Override
+    public ServletInputStream getInputStream() throws IOException {
+        String contentType = super.getHeader(HttpHeaders.CONTENT_TYPE);
+        //非json类型，直接返回
+        if(!(MediaType.APPLICATION_JSON_VALUE.
+                equalsIgnoreCase(contentType) ||
+                MediaType.APPLICATION_JSON_UTF8_VALUE.
+                        equalsIgnoreCase(contentType))){
+            return super.getInputStream();
+        }
+
+        //为空，直接返回
+        String json = IOUtils.toString(super.getInputStream(), "utf-8");
+        if (StringUtils.isBlank(json)) {
+            return super.getInputStream();
+        }
+
+        //xss过滤
+        json =xssEncode(json);
+        json = StringEscapeUtils.unescapeHtml4(json);
+
+        final ByteArrayInputStream bis =
+                new ByteArrayInputStream(json.getBytes("utf-8"));
+
+        return new ServletInputStream() {
+            @Override
+            public boolean isFinished() {
+                return true;
+            }
+
+            @Override
+            public boolean isReady() {
+                return true;
+            }
+
+            @Override
+            public void setReadListener(ReadListener readListener) {
+            }
+
+            @Override
+            public int read() throws IOException {
+                return bis.read();
+            }
+        };
+    }
+
+
+    @Override
+    public String getParameter(String name) {
+        String value = super.getParameter(xssEncode(name));
+        if (StringUtils.isNotBlank(value)) {
+            value =xssEncode(value);
+        }
+
+        return StringEscapeUtils.unescapeHtml4(value);
+    }
+
+    @Override
+    public String[] getParameterValues(String name) {
+        String[] parameters = super.getParameterValues(name);
+        if (parameters == null || parameters.length == 0) {
+            return null;
+        }
+
+        for (int i = 0; i < parameters.length; i++) {
+            parameters[i] = xssEncode(parameters[i]);
+            parameters[i] = StringEscapeUtils.unescapeHtml4(parameters[i]);
+        }
+        return parameters;
+    }
+
+    @Override
+    public Map<String, String[]> getParameterMap() {
+        Map<String, String[]> map = new LinkedHashMap<>();
+        Map<String, String[]> parameters = super.getParameterMap();
+        for (String key : parameters.keySet()) {
+            String[] values = parameters.get(key);
+            for (int i = 0; i < values.length; i++) {
+                values[i] = xssEncode(values[i]);
+                values[i] = StringEscapeUtils.unescapeHtml4(values[i]);
+            }
+            map.put(key, values);
+        }
+        return map;
+    }
+
+    @Override
+    public String getHeader(String name) {
+        String value = super.getHeader(xssEncode(name));
+        if (StringUtils.isNotBlank(value)) {
+            value = xssEncode(value);
+        }
+
+        return StringEscapeUtils.unescapeHtml4(value);
+    }
+
+    private String xssEncode(String input) {
+        return htmlFilter.filter(input);
+    }
+
+    /**
+     * 获取最原始的request
+     */
+    public HttpServletRequest getOrgRequest() {
+        return orgRequest;
+    }
+
+    /**
+     * 获取最原始的request
+     */
+    public static HttpServletRequest getOrgRequest(HttpServletRequest request) {
+        if (request instanceof XssHttpServletRequestWrapper) {
+            return ((XssHttpServletRequestWrapper) request).getOrgRequest();
+        }
+
+        return request;
+    }
+
+}
+
+