如何在Spring RESTful中创建过滤器以防止XSS?

vlju58qv  于 2023-11-16  发布在  Spring
关注(0)|答案(2)|浏览(139)

我从Spring 4.2.6.RELEASE开始使用,后端是REST服务。现在我不能有一个过滤器来防止XSS**
我的过滤器是:

@Component
@Order(1)
public class XSSFilter implements Filter {

  @Override
  public void init(FilterConfig filterConfig) throws ServletException {
  }

  @Override
  public void destroy() {
  }

  @Override
  public void doFilter(
        ServletRequest request, 
        ServletResponse response, 
        FilterChain chain) throws IOException, ServletException {

      chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
   }

}

字符串
XSSRequestWrapper是:

public class XSSRequestWrapper extends HttpServletRequestWrapper {

  public XSSRequestWrapper(HttpServletRequest servletRequest) {
    super(servletRequest);
  }

  @Override
  public String[] getParameterValues(String parameter) {
    String[] values = super.getParameterValues(parameter);

    if (values == null) {
        return null;
    }

    int count = values.length;
    String[] encodedValues = new String[count];
    for (int i = 0; i < count; i++) {
        encodedValues[i] = stripXSS(values[i]);
    }

    return encodedValues;
  }

  @Override
  public String getParameter(String parameter) {
    String value = super.getParameter(parameter);

    return stripXSS(value);
  }

  @Override
  public String getHeader(String name) {
    String value = super.getHeader(name);
    return stripXSS(value);
  }

  private String stripXSS(String value) {

    return StringEscapeUtils.escapeHtml(value);
  }
}


WebConfig中扩展WebMvcConfigurerAdapter 类:

// -----------------------------------------------------
// Prevent XSS
// -----------------------------------------------------

@Bean
public FilterRegistrationBean xssPreventFilter() {
    FilterRegistrationBean registrationBean = new FilterRegistrationBean();

    registrationBean.setFilter(new XSSFilter());
    registrationBean.addUrlPatterns("/*");

    return registrationBean;
}


我的休息课是:

@RestController
@RequestMapping("/personService")
public class PersonController extends BaseController<PersonDto, PersonCriteria> {

  @RequestMapping( value= "/test" )
  private void getTest2(@RequestParam String name) {

      System.out.println(name);

      System.out.println( StringEscapeUtils.escapeHtml(name) );

  }

}


但它不工作,没有任何错误或异常.我怎么能做到这一点,并创建自己的过滤器?我只使用Java Config和没有XML.在我的控制器我被迫再次使用StringEscapeUtils.escapeHtml(名称),这是坏的.

spring

2条答案

按热度按时间
xdnvmnnf

xdnvmnnf1#

我已经根据你的代码创建了一个完全可执行的示例项目。
一切都很好,你可以从我的github https://github.com/mehditahmasebi/spring/tree/master/spring-xss-filter下载完整的源代码,并运行命令“mvnw spring-boot:run”和浏览器类型:http://localhost:8080/personService/test?name=foobar,所以你可以在XSSRequestWrapper. stripXSS中看到结果。
希望这个源代码能对你有所帮助。
一些解释:
项目结构:

  • POM.xml
  • WebConfig.java for Spring web config
  • SpringBootApplication.java用于启动应用程序
  • 您的类(PersonController.java、XSSFilter.java和XSSRequestWrapper.java)

深入研究它们,但我只是复制重要行:
pom.xml

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-devtools</artifactId>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-tomcat</artifactId>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>commons-lang</groupId>
        <artifactId>commons-lang</artifactId>
        <version>2.6</version>
    </dependency>
</dependencies>

字符串
WebConfig.java你可以看到你的bean的底线):

@Configuration
@EnableWebMvc
@EnableWebSecurity
public class WebConfig extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {      
        http
            .authorizeRequests()
                .anyRequest().permitAll()
            .and().csrf().disable();
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
        .allowCredentials(true)
        .allowedHeaders("*")
        .allowedMethods("GET, POST, PATCH, PUT, DELETE, OPTIONS")
        .allowedOrigins("*");
    }

    @Bean
    public FilterRegistrationBean xssPreventFilter() {
        FilterRegistrationBean registrationBean = new FilterRegistrationBean();

        registrationBean.setFilter(new XSSFilter());
        registrationBean.addUrlPatterns("/*");

        return registrationBean;
    }
}


SpringBootApplication.java启动项目):

@SpringBootApplication
public class SpringbootApplication extends SpringBootServletInitializer {

    /**
     * tomcat deployment needed
     */
    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application.sources(SpringbootApplication.class);
    }

    public static void main(String[] args) {
        SpringApplication.run(SpringbootApplication.class, args);
        System.out.println("Spring boot application started!");

    }
}


其他的java源文件和你的一样,但是有两个变化:
首先,我添加了一个sysout行来查看没有调试的代码的跟踪:

private String stripXSS(String value) {
    if(value != null)
        System.out.println("escapeHTML work successfully and escapeHTML value is : " + StringEscapeUtils.escapeHtml(value));
    return StringEscapeUtils.escapeHtml(value);
}


第二个变化是,我评论说,从PersonController escapeHtml你说的不是一个好主意:

@RequestMapping( value= "/test" )
  private void getTest2(@RequestParam String name) {

      System.out.println(name);

//      System.out.println( StringEscapeUtils.escapeHtml(name) );

  }


你可以在我的github https://github.com/mehditahmasebi/spring/tree/master/spring-xss-filter上找到所有的源代码

赞(0)分享  回复(0)举报  2023-11-16
ffvjumwh

ffvjumwh2#

一个简单的XSS过滤器实现。创建两个java类,分别命名为XSSFilterXSSRequestWrapper,并分别使用以下实现:

package com.example.config;

import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

@Component
@Order(1)
public class XSSFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {}

    @Override
    public void destroy() {}

    @Override
    public void doFilter(
        ServletRequest request,
        ServletResponse response,
        FilterChain chain) throws IOException, ServletException {
        chain.doFilter(new XSSRequestWrapper((HttpServletRequest) request), response);
    }
}

个字符
下面的代码行可以添加到应用程序的main类中:

@Bean("xssPreventFilter")
public FilterRegistrationBean < XSSFilter > xssFilterFilter() {
    FilterRegistrationBean < XSSFilter > registrationBean = new FilterRegistrationBean < XSSFilter > ();
    registrationBean.setFilter(new XSSFilter());
    registrationBean.addUrlPatterns("/*");
    return registrationBean;
}

赞(0)分享  回复(0)举报  2023-11-16
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com