Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
H
hp-smart
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
platform
hp-smart
Commits
0fd1e1c9
Commit
0fd1e1c9
authored
Mar 11, 2024
by
wuwenlong
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
防XSS注入
parent
0f07eb0f
Expand all
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
320 additions
and
0 deletions
+320
-0
FilterConfig.java
src/main/java/com/baosight/hpjx/config/FilterConfig.java
+25
-0
StringUtils.java
src/main/java/com/baosight/hpjx/util/StringUtils.java
+63
-0
HTMLFilter.java
src/main/java/com/baosight/hpjx/xss/HTMLFilter.java
+0
-0
XssFilter.java
src/main/java/com/baosight/hpjx/xss/XssFilter.java
+77
-0
XssHttpServletRequestWrapper.java
...a/com/baosight/hpjx/xss/XssHttpServletRequestWrapper.java
+155
-0
No files found.
src/main/java/com/baosight/hpjx/config/FilterConfig.java
0 → 100644
View file @
0fd1e1c9
package
com
.
baosight
.
hpjx
.
config
;
import
com.baosight.hpjx.xss.XssFilter
;
import
org.springframework.boot.web.servlet.FilterRegistrationBean
;
import
org.springframework.context.annotation.Bean
;
import
org.springframework.context.annotation.Configuration
;
/**
* @Author wwl
* @Date 2024/3/11 14:20
*/
@Configuration
public
class
FilterConfig
{
@Bean
public
FilterRegistrationBean
<
XssFilter
>
xssFilterRegistration
()
{
FilterRegistrationBean
<
XssFilter
>
registration
=
new
FilterRegistrationBean
<>();
registration
.
setFilter
(
new
XssFilter
());
registration
.
addUrlPatterns
(
"/*"
);
registration
.
setOrder
(
1
);
return
registration
;
}
}
\ No newline at end of file
src/main/java/com/baosight/hpjx/util/StringUtils.java
View file @
0fd1e1c9
...
@@ -2,9 +2,12 @@ package com.baosight.hpjx.util;
...
@@ -2,9 +2,12 @@ package com.baosight.hpjx.util;
import
com.alibaba.fastjson.JSONObject
;
import
com.alibaba.fastjson.JSONObject
;
import
com.baosight.iplat4j.core.exception.PlatException
;
import
com.baosight.iplat4j.core.exception.PlatException
;
import
org.springframework.util.AntPathMatcher
;
import
java.io.UnsupportedEncodingException
;
import
java.io.UnsupportedEncodingException
;
import
java.net.URLDecoder
;
import
java.net.URLDecoder
;
import
java.util.Collection
;
import
java.util.List
;
import
java.util.Map
;
import
java.util.Map
;
import
java.util.UUID
;
import
java.util.UUID
;
...
@@ -128,4 +131,64 @@ public class StringUtils extends org.apache.commons.lang3.StringUtils {
...
@@ -128,4 +131,64 @@ public class StringUtils extends org.apache.commons.lang3.StringUtils {
return
JSONObject
.
parseObject
(
paramsText
).
getInnerMap
();
return
JSONObject
.
parseObject
(
paramsText
).
getInnerMap
();
}
}
/**
* 查找指定字符串是否匹配指定字符串列表中的任意一个字符串
*
* @param str 指定字符串
* @param strs 需要检查的字符串数组
* @return 是否匹配
*/
public
static
boolean
matches
(
String
str
,
List
<
String
>
strs
)
{
if
(
isEmpty
(
str
)
||
isEmpty
(
strs
))
{
return
false
;
}
for
(
String
pattern
:
strs
)
{
if
(
isMatch
(
pattern
,
str
))
{
return
true
;
}
}
return
false
;
}
/**
* 判断url是否与规则配置:
* ? 表示单个字符;
* * 表示一层路径内的任意字符串,不可跨层级;
* ** 表示任意层路径;
*
* @param pattern 匹配规则
* @param url 需要匹配的url
* @return
*/
public
static
boolean
isMatch
(
String
pattern
,
String
url
)
{
AntPathMatcher
matcher
=
new
AntPathMatcher
();
return
matcher
.
match
(
pattern
,
url
);
}
/**
* * 判断一个Collection是否为空, 包含List,Set,Queue
*
* @param coll 要判断的Collection
* @return true:为空 false:非空
*/
public
static
boolean
isEmpty
(
Collection
<?>
coll
)
{
return
isNull
(
coll
)
||
coll
.
isEmpty
();
}
/**
* * 判断一个对象是否为空
*
* @param object Object
* @return true:为空 false:非空
*/
public
static
boolean
isNull
(
Object
object
)
{
return
object
==
null
;
}
}
}
src/main/java/com/baosight/hpjx/xss/HTMLFilter.java
0 → 100644
View file @
0fd1e1c9
This diff is collapsed.
Click to expand it.
src/main/java/com/baosight/hpjx/xss/XssFilter.java
0 → 100644
View file @
0fd1e1c9
package
com
.
baosight
.
hpjx
.
xss
;
import
com.baosight.hpjx.util.StringUtils
;
import
java.io.IOException
;
import
java.util.ArrayList
;
import
java.util.List
;
import
javax.servlet.Filter
;
import
javax.servlet.FilterChain
;
import
javax.servlet.FilterConfig
;
import
javax.servlet.ServletException
;
import
javax.servlet.ServletRequest
;
import
javax.servlet.ServletResponse
;
import
javax.servlet.http.HttpServletRequest
;
/**
* xss过滤
*/
public
class
XssFilter
implements
Filter
{
//不拦截的地址
private
List
<
String
>
excludedList
=
new
ArrayList
<
String
>();
@Override
public
void
init
(
FilterConfig
config
)
throws
ServletException
{
/*
* 这里只处理了需要拦截的url地址,如果想不拦截某个字段,比如富文本字段,
* 需要自己在XssHttpServletRequestWrapper类中去添加逻辑
*/
excludedList
.
add
(
"/service/HP*/*"
);
}
@Override
public
void
doFilter
(
ServletRequest
request
,
ServletResponse
response
,
FilterChain
chain
)
throws
IOException
,
ServletException
{
XssHttpServletRequestWrapper
xssRequest
=
new
XssHttpServletRequestWrapper
(
(
HttpServletRequest
)
request
);
String
url
=
xssRequest
.
getServletPath
();
if
(
isExcluded
(
url
)){
chain
.
doFilter
(
request
,
response
);
}
else
{
//使用XSS过滤
chain
.
doFilter
(
xssRequest
,
response
);
}
}
@Override
public
void
destroy
()
{
}
/**
* 是否不拦截
* @param url 请求地址
* @return true不拦截,false拦截
*/
private
boolean
isExcluded
(
String
url
){
// if(StringUtils.isBlank(url)){
// return false;
// }
if
(!
StringUtils
.
matches
(
url
,
excludedList
)){
return
true
;
}
// for (String excluded : excludedList) {
// if(!url.contains(excluded)){
// return true;
// }
// }
return
false
;
}
}
src/main/java/com/baosight/hpjx/xss/XssHttpServletRequestWrapper.java
0 → 100644
View file @
0fd1e1c9
package
com
.
baosight
.
hpjx
.
xss
;
import
org.apache.commons.lang3.StringEscapeUtils
;
import
org.apache.commons.lang3.StringUtils
;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletRequestWrapper
;
import
java.util.LinkedHashMap
;
import
java.util.Map
;
import
java.io.ByteArrayInputStream
;
import
java.io.IOException
;
import
javax.servlet.ReadListener
;
import
javax.servlet.ServletInputStream
;
import
org.apache.commons.io.IOUtils
;
import
org.springframework.http.HttpHeaders
;
import
org.springframework.http.MediaType
;
public
class
XssHttpServletRequestWrapper
extends
HttpServletRequestWrapper
{
// 没被包装过的HttpServletRequest(特殊场景,需求自己过滤)
HttpServletRequest
orgRequest
;
// html过滤
private
final
static
HTMLFilter
htmlFilter
=
new
HTMLFilter
();
public
XssHttpServletRequestWrapper
(
HttpServletRequest
request
)
{
super
(
request
);
orgRequest
=
request
;
}
/**
* 过滤json参数
*/
@Override
public
ServletInputStream
getInputStream
()
throws
IOException
{
String
contentType
=
super
.
getHeader
(
HttpHeaders
.
CONTENT_TYPE
);
//非json类型,直接返回
if
(!(
MediaType
.
APPLICATION_JSON_VALUE
.
equalsIgnoreCase
(
contentType
)
||
MediaType
.
APPLICATION_JSON_UTF8_VALUE
.
equalsIgnoreCase
(
contentType
))){
return
super
.
getInputStream
();
}
//为空,直接返回
String
json
=
IOUtils
.
toString
(
super
.
getInputStream
(),
"utf-8"
);
if
(
StringUtils
.
isBlank
(
json
))
{
return
super
.
getInputStream
();
}
//xss过滤
json
=
xssEncode
(
json
);
json
=
StringEscapeUtils
.
unescapeHtml4
(
json
);
final
ByteArrayInputStream
bis
=
new
ByteArrayInputStream
(
json
.
getBytes
(
"utf-8"
));
return
new
ServletInputStream
()
{
@Override
public
boolean
isFinished
()
{
return
true
;
}
@Override
public
boolean
isReady
()
{
return
true
;
}
@Override
public
void
setReadListener
(
ReadListener
readListener
)
{
}
@Override
public
int
read
()
throws
IOException
{
return
bis
.
read
();
}
};
}
@Override
public
String
getParameter
(
String
name
)
{
String
value
=
super
.
getParameter
(
xssEncode
(
name
));
if
(
StringUtils
.
isNotBlank
(
value
))
{
value
=
xssEncode
(
value
);
}
return
StringEscapeUtils
.
unescapeHtml4
(
value
);
}
@Override
public
String
[]
getParameterValues
(
String
name
)
{
String
[]
parameters
=
super
.
getParameterValues
(
name
);
if
(
parameters
==
null
||
parameters
.
length
==
0
)
{
return
null
;
}
for
(
int
i
=
0
;
i
<
parameters
.
length
;
i
++)
{
parameters
[
i
]
=
xssEncode
(
parameters
[
i
]);
parameters
[
i
]
=
StringEscapeUtils
.
unescapeHtml4
(
parameters
[
i
]);
}
return
parameters
;
}
@Override
public
Map
<
String
,
String
[]>
getParameterMap
()
{
Map
<
String
,
String
[]>
map
=
new
LinkedHashMap
<>();
Map
<
String
,
String
[]>
parameters
=
super
.
getParameterMap
();
for
(
String
key
:
parameters
.
keySet
())
{
String
[]
values
=
parameters
.
get
(
key
);
for
(
int
i
=
0
;
i
<
values
.
length
;
i
++)
{
values
[
i
]
=
xssEncode
(
values
[
i
]);
values
[
i
]
=
StringEscapeUtils
.
unescapeHtml4
(
values
[
i
]);
}
map
.
put
(
key
,
values
);
}
return
map
;
}
@Override
public
String
getHeader
(
String
name
)
{
String
value
=
super
.
getHeader
(
xssEncode
(
name
));
if
(
StringUtils
.
isNotBlank
(
value
))
{
value
=
xssEncode
(
value
);
}
return
StringEscapeUtils
.
unescapeHtml4
(
value
);
}
private
String
xssEncode
(
String
input
)
{
return
htmlFilter
.
filter
(
input
);
}
/**
* 获取最原始的request
*/
public
HttpServletRequest
getOrgRequest
()
{
return
orgRequest
;
}
/**
* 获取最原始的request
*/
public
static
HttpServletRequest
getOrgRequest
(
HttpServletRequest
request
)
{
if
(
request
instanceof
XssHttpServletRequestWrapper
)
{
return
((
XssHttpServletRequestWrapper
)
request
).
getOrgRequest
();
}
return
request
;
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment