跨站点脚本编制 - SpringBoot配置XSS过滤器(基于Jsoup)
1. 跨站点脚本编制
风险:可能会窃取或操纵客户会话和 cookie,它们可能用于模仿合法用户,从而使黑客能够以该用户身份查看或变更用户记录以及执行事务。
原因:未对用户输入正确执行危险字符清理。
固定值:查看危险字符注入的可能解决方案。
2. pom.xml添加依赖
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.11.3</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
3. 添加Xss包装类
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;
import lombok.extern.slf4j.Slf4j;
/**
* Xss包装类
*
* @author CL
*
*/
@Slf4j
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
/**
* 构造请求对象
*
* @param request
*/
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
}
/**
* 获取头部参数
*
* @param v 参数值
*/
@Override
public String getHeader(String v) {
String header = super.getHeader(v);
if (header == null || "".equals(header)) {
return header;
}
return Jsoup.clean(super.getHeader(v), Whitelist.relaxed());
}
/**
* 获取参数
*
* @param v 参数值
*/
@Override
public String getParameter(String v) {
String param = super.getParameter(v);
if (param == null || "".equals(param)) {
return param;
}
return Jsoup.clean(super.getParameter(v), Whitelist.relaxed());
}
/**
* 获取参数值
*
* @param v 参数值
*/
@Override
public String[] getParameterValues(String v) {
String[] values = super.getParameterValues(v);
if (values == null) {
return values;
}
int length = values.length;
String[] resultValues = new String[length];
for (int i = 0; i < length; i++) {
// 过滤特殊字符
resultValues[i] = Jsoup.clean(values[i], Whitelist.relaxed()).trim();
if (!(resultValues[i]).equals(values[i])) {
log.debug("XSS过滤器 => 过滤前:{} => 过滤后:{}", values[i], resultValues[i]);
}
}
return resultValues;
}
}
4. 配置文件添加配置
# 信息安全
security:
xss:
enable: true
excludes:
- /login
- /logout
- /images/*
- /jquery/*
- /layui/*
5. 添加Xss过滤器
import java.io.IOException;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
/**
* Xss过滤器
*
* @author CL
*
*/
@Component
@ConfigurationProperties(prefix = "security.xss")
@WebFilter(filterName = "XssFilter", urlPatterns = "/*")
public class XssFilter implements Filter {
/**
* 过滤器配置对象
*/
FilterConfig filterConfig = null;
/**
* 是否启用
*/
private boolean enable;
public void setEnable(boolean enable) {
this.enable = enable;
}
/**
* 忽略的URL
*/
private List<String> excludes;
public void setExcludes(List<String> excludes) {
this.excludes = excludes;
}
/**
* 初始化
*/
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
}
/**
* 拦截
*/
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
// 不启用或者已忽略的URL不拦截
if (!enable || isExcludeUrl(request.getServletPath())) {
filterChain.doFilter(servletRequest, servletResponse);
return;
}
XssHttpServletRequestWrapper xssHttpServletRequestWrapper = new XssHttpServletRequestWrapper(request);
filterChain.doFilter(xssHttpServletRequestWrapper, servletResponse);
}
/**
* 销毁
*/
@Override
public void destroy() {
this.filterConfig = null;
}
/**
* 判断是否为忽略的URL
*
* @param urlPath URL路径
* @return true-忽略,false-过滤
*/
private boolean isExcludeUrl(String url) {
if (excludes == null || excludes.isEmpty()) {
return false;
}
return excludes.stream().map(pattern -> Pattern.compile("^" + pattern)).map(p -> p.matcher(url))
.anyMatch(Matcher::find);
}
}
