Goal
Use a Spring Boot Filter to intercept request parameters, and use Jsoup to strip XSS payloads from them.
Tools
- Spring Boot 2.0
- jsoup (optional)
How it works
A Spring Boot Filter intercepts the parameters sent by the front end and filters them (sounds simple, doesn't it?).
Put plainly, there are two pieces: parameter interception and script filtering.
Parameter interception
To filter XSS you first have to be able to intercept the front-end parameters.
Start with a Filter:
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

public class XSSEscapeFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // XssHttpServletRequestWrapper is our own class; its code follows below.
        // Wrapping the request is what lets us change what the controller reads.
        chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
    }
}
這個(gè)Filter 是可以攔截到請求的,但是呢,如果想要對參數(shù)進(jìn)行修改就需要重新定義 HttpServletRequestWrapper,只有用自定義的HttpServletRequestWrapper 才能對參數(shù)進(jìn)行修改。
下面定義 XssHttpServletRequestWrapper:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.Map;

/**
 * XSS filtering
 * Created by zdRan on 2018/5/8
 *
 * @author cm.zdran@gmail.com
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private HttpServletRequest orgRequest = null;

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    @Override
    public String getParameter(String name) {
        // modify the parameter value here
        return super.getParameter(name);
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        // modify the parameters here
        return super.getParameterMap();
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] arr = super.getParameterValues(name);
        // modify the parameter values here
        return arr;
    }

    @Override
    public String getHeader(String name) {
        // modify the header value here
        return super.getHeader(name);
    }

    /**
     * Returns the original, unwrapped request
     *
     * @return the original request
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Static helper: unwrap a possibly wrapped request to the original one
     *
     * @return the original request
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }
}
Now the parameters can be modified, but this still does not handle POST requests, or rather the RequestBody annotation.
When you use the RequestBody annotation you will find that none of the overridden methods are hit, which means we have not overridden all the relevant methods.
After some digging: the RequestBody annotation reads the parameters through getInputStream().
So override that method too:
@Override
public ServletInputStream getInputStream() throws IOException {
    // Read the whole body, not just the first line: a pretty-printed JSON body spans several lines
    StringBuilder body = new StringBuilder();
    try (BufferedReader br = new BufferedReader(
            new InputStreamReader(orgRequest.getInputStream(), StandardCharsets.UTF_8))) {
        char[] buf = new char[4096];
        int n;
        while ((n = br.read(buf)) != -1) {
            body.append(buf, 0, n);
        }
    }
    String result = body.toString();
    // process the body here
    // WrappedServletInputStream is a small ServletInputStream over a byte array; see the complete class below
    return new WrappedServletInputStream(new ByteArrayInputStream(result.getBytes(StandardCharsets.UTF_8)));
}
然后啟動這個(gè) Filter
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.DispatcherType;

/**
 * Created by zdRan on 2018/5/8
 *
 * @author cm.zdran@gmail.com
 */
@Configuration
public class XssFilterConfiguration {
    /**
     * Registers the XSS filter for every URL, on direct client requests only
     */
    @Bean
    public FilterRegistrationBean<XSSEscapeFilter> xssFilterRegistrationBean() {
        FilterRegistrationBean<XSSEscapeFilter> initXssFilterBean = new FilterRegistrationBean<>();
        initXssFilterBean.setFilter(new XSSEscapeFilter());
        initXssFilterBean.setOrder(1);
        initXssFilterBean.setEnabled(true);
        initXssFilterBean.addUrlPatterns("/*");
        initXssFilterBean.setDispatcherTypes(DispatcherType.REQUEST);
        return initXssFilterBean;
    }
}
At this point the parameters are intercepted, and you can define your own rules for modifying them. You can also use jsoup to filter out XSS.
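To check that all three input paths (single parameter, multi-value parameter, and the request body a @RequestBody reads through getInputStream) really go through the wrapper, here is a stand-alone harness added for this write-up; it is not part of the original post. It assumes the complete XssHttpServletRequestWrapper given later in the post (the version with clean()) is on the classpath, and uses spring-test's MockHttpServletRequest (from spring-boot-starter-test) so no server is needed. The request values are constructed for illustration.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.util.StreamUtils;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example (not from the original post): exercise XssHttpServletRequestWrapper
 * without a running server. Assumes the complete wrapper class from the post and
 * spring-test on the classpath. All request values are constructed.
 */
public class XssWrapperCheck {

    public static void main(String[] args) throws IOException {
        MockHttpServletRequest raw = new MockHttpServletRequest("POST", "/api/user");
        raw.setCharacterEncoding("UTF-8");
        raw.setContentType("application/json");
        // Query/form parameters: the path a @RequestParam binds through
        raw.addParameter("nick", "<script>alert(1)</script>alice");
        raw.addParameter("tag", "<b>one</b>", "two");
        // Body: the path a @RequestBody binds through (getInputStream)
        raw.setContent("{\"bio\":\"<img src=x onerror=alert(1)>hello\"}".getBytes(StandardCharsets.UTF_8));
        raw.addHeader("X-Note", "<i>note</i>");

        XssHttpServletRequestWrapper wrapped = new XssHttpServletRequestWrapper(raw);

        // What a controller would see through each accessor
        System.out.println("getParameter(nick)      : " + wrapped.getParameter("nick"));
        System.out.println("getParameterValues(tag) : " + Arrays.toString(wrapped.getParameterValues("tag")));
        System.out.println("getHeader(X-Note)       : " + wrapped.getHeader("X-Note"));
        String body = StreamUtils.copyToString(wrapped.getInputStream(), StandardCharsets.UTF_8);
        System.out.println("body via getInputStream : " + body);

        // The untouched request stays reachable for a handler that really needs raw input
        System.out.println("raw nick                : "
                + XssHttpServletRequestWrapper.getOrgRequest(wrapped).getParameter("nick"));
    }
}
```

Run it as a plain main: the tag markup disappears from the parameter, the multi-value parameter and the header, the body comes back with the img element removed, and the last line shows that getOrgRequest still exposes the unfiltered value for the rare handler that needs it.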
Script filtering
Use jsoup to strip the tags from the parameters.
Add the dependency
<dependency>
    <groupId>org.jsoup</groupId>
    <artifactId>jsoup</artifactId>
    <version>1.11.3</version>
</dependency>
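Before wiring the sanitizer into a request it is worth seeing what it does to a value on its own. The harness below is added for this write-up (not code from the original post); it calls Jsoup.clean with the same settings the wrapper uses, an empty Whitelist (no tags allowed) and prettyPrint(false), over a few constructed inputs. It shows that elements and their attributes are removed while surrounding text survives, that script bodies are dropped entirely, and a side effect a practitioner should know about: ordinary text containing <, > or & comes back entity-encoded, so a value reaches the controller changed even when it contained no markup at all.

```java
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Whitelist;

/**
 * Added example: stand-alone check of the sanitizer used by XssHttpServletRequestWrapper.
 * The inputs below are constructed for illustration.
 */
public class XssCleanDemo {
    // Same settings as the wrapper: no tags allowed, no reformatting of the output
    private static final Whitelist WHITELIST = new Whitelist();
    private static final Document.OutputSettings OUTPUT =
            new Document.OutputSettings().prettyPrint(false);

    /** The wrapper's sanitizer, with a null guard so missing parameters do not throw. */
    public static String clean(String content) {
        if (content == null) {
            return null;
        }
        return Jsoup.clean(content, "", WHITELIST, OUTPUT);
    }

    public static void main(String[] args) {
        String[] samples = {
            // Script element: the tag and its body are removed, the surrounding text is kept
            "hello <script>alert(1)</script>world",
            // Element with an event-handler attribute: the whole tag goes, the text after it stays
            "<img src=x onerror=alert(1)>photo",
            // Formatting and link elements are stripped down to their text content
            "<b>bold</b> and <a href=\"javascript:alert(1)\">link</a>",
            // No markup at all, but < > & are entity-encoded in the output
            "1 < 2 & 3 > 0",
            // Quotes and apostrophes in text are left as they are
            "O'Reilly \"quoted\""
        };
        for (String s : samples) {
            System.out.printf("%-55s -> %s%n", s, clean(s));
        }
    }
}
```

The fourth sample is the one to keep in mind: a filter that rewrites every parameter this way also rewrites legitimate data (passwords, search terms, anything with a comparison sign), which is why the post's wrapper exempts fields such as "content" and names ending in "WithHtml" from cleaning.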
The complete XssHttpServletRequestWrapper code:
import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Whitelist;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/**
 * XSS filtering
 * Created by zdRan on 2018/5/8
 *
 * @author cm.zdran@gmail.com
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private HttpServletRequest orgRequest = null;

    /**
     * Whitelist of tags allowed through the filter (empty: every tag is stripped)
     */
    private static final Whitelist whitelist = new Whitelist();

    /**
     * Output settings: do not pretty-print (reformat) the cleaned text
     */
    private static final Document.OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false);

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;
    }

    @Override
    public ServletInputStream getInputStream() throws IOException {
        // Read the whole body, not just the first line: a pretty-printed JSON body spans several lines
        Charset charset = charset();
        StringBuilder body = new StringBuilder();
        try (BufferedReader br = new BufferedReader(new InputStreamReader(orgRequest.getInputStream(), charset))) {
            char[] buf = new char[4096];
            int n;
            while ((n = br.read(buf)) != -1) {
                body.append(buf, 0, n);
            }
        }
        String result = clean(body.toString());
        return new WrappedServletInputStream(new ByteArrayInputStream(result.getBytes(charset)));
    }

    /**
     * Charset declared by the request, falling back to UTF-8 when absent or unknown
     */
    private Charset charset() {
        String enc = orgRequest.getCharacterEncoding();
        try {
            return enc != null ? Charset.forName(enc) : StandardCharsets.UTF_8;
        } catch (IllegalArgumentException e) {
            return StandardCharsets.UTF_8;
        }
    }

    /**
     * Override getParameter and XSS-filter both the parameter name and the value.<br/>
     * If the original value is needed, use super.getParameterValues(name).<br/>
     * getParameterNames, getParameterValues and getParameterMap may also need overriding.
     */
    @Override
    public String getParameter(String name) {
        // Fields that legitimately carry HTML ("content", or names ending in "WithHtml") are passed through unfiltered
        if ("content".equals(name) || name.endsWith("WithHtml")) {
            return super.getParameter(name);
        }
        name = clean(name);
        String value = super.getParameter(name);
        if (StringUtils.isNotBlank(value)) {
            value = clean(value);
        }
        return value;
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> map = super.getParameterMap();
        // Clean every value, keeping the String[] value type the Servlet API promises
        // (Spring's @RequestParam Map binding casts the values to String[])
        Map<String, String[]> returnMap = new HashMap<>();
        for (Map.Entry<String, String[]> entry : map.entrySet()) {
            returnMap.put(entry.getKey(), cleanAll(entry.getValue()));
        }
        return returnMap;
    }

    @Override
    public String[] getParameterValues(String name) {
        return cleanAll(super.getParameterValues(name));
    }

    /**
     * Clean each element into a new array, so the container's own parameter array is not modified in place
     */
    private String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] cleaned = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            cleaned[i] = clean(values[i]);
        }
        return cleaned;
    }

    /**
     * Override getHeader and XSS-filter both the header name and the value.<br/>
     * If the original value is needed, use super.getHeaders(name).<br/>
     * getHeaderNames may also need overriding.
     */
    @Override
    public String getHeader(String name) {
        name = clean(name);
        String value = super.getHeader(name);
        if (StringUtils.isNotBlank(value)) {
            value = clean(value);
        }
        return value;
    }

    /**
     * Returns the original, unwrapped request
     *
     * @return the original request
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * Static helper: unwrap a possibly wrapped request to the original one
     *
     * @return the original request
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }
        return req;
    }

    /**
     * Strip every tag from the content; null is returned unchanged so missing parameters do not throw
     */
    public String clean(String content) {
        if (content == null) {
            return null;
        }
        return Jsoup.clean(content, "", whitelist, outputSettings);
    }

    /**
     * ServletInputStream over the cleaned body bytes
     */
    private static class WrappedServletInputStream extends ServletInputStream {
        private final InputStream stream;

        public WrappedServletInputStream(InputStream stream) {
            this.stream = stream;
        }

        @Override
        public int read() throws IOException {
            return stream.read();
        }

        @Override
        public boolean isFinished() {
            // Finished once the in-memory buffer has been fully consumed
            try {
                return stream.available() == 0;
            } catch (IOException e) {
                return true;
            }
        }

        @Override
        public boolean isReady() {
            return true;
        }

        @Override
        public void setReadListener(ReadListener readListener) {
        }
    }
}
Done. That is the end of it, but one small problem remains. jsoup does strip every HTML tag, but take a body such as {"name":"<html","passwd":"12345"}: the filtered result is {"name":" because no end of the <html> tag is ever found, so everything after it is dropped as well. The controller then throws when it tries to read the parameters.
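The problem is that the wrapper's getInputStream() hands the entire JSON document to an HTML sanitizer, which has no idea where one field ends and the next begins. The example below is added for this write-up (not the post's own code): it first reproduces the truncation on the exact body quoted above, then shows a structure-preserving alternative that parses the body with Jackson (already on the classpath with spring-boot-starter-web), applies the same clean() to each string value only, and serializes again, so keys, numbers, booleans and nesting survive and the controller always receives well-formed JSON. The second sample body is constructed to show nested objects and arrays being handled.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.fasterxml.jackson.databind.node.TextNode;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Whitelist;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: why Jsoup.clean over a raw JSON body truncates it, and a
 * field-wise alternative that keeps the JSON structure intact.
 * Sample bodies are constructed for illustration.
 */
public class JsonBodyCleanDemo {
    private static final Whitelist WHITELIST = new Whitelist();
    private static final Document.OutputSettings OUTPUT =
            new Document.OutputSettings().prettyPrint(false);
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /** The wrapper's sanitizer, applied to one string. */
    public static String clean(String content) {
        return content == null ? null : Jsoup.clean(content, "", WHITELIST, OUTPUT);
    }

    /**
     * Parse the body, clean every string leaf, serialize again.
     * Keys, numbers, booleans, nulls and nesting are left untouched.
     */
    public static String cleanJsonBody(String body) throws IOException {
        JsonNode root = MAPPER.readTree(body);
        return MAPPER.writeValueAsString(cleanNode(root));
    }

    private static JsonNode cleanNode(JsonNode node) {
        if (node.isTextual()) {
            return TextNode.valueOf(clean(node.asText()));
        }
        if (node.isObject()) {
            ObjectNode obj = (ObjectNode) node;
            // Collect the names first, then replace values; avoids mutating while iterating fields()
            List<String> names = new ArrayList<>();
            obj.fieldNames().forEachRemaining(names::add);
            for (String name : names) {
                obj.set(name, cleanNode(obj.get(name)));
            }
            return obj;
        }
        if (node.isArray()) {
            ArrayNode arr = (ArrayNode) node;
            for (int i = 0; i < arr.size(); i++) {
                arr.set(i, cleanNode(arr.get(i)));
            }
            return arr;
        }
        // numbers, booleans, null: nothing to clean
        return node;
    }

    public static void main(String[] args) throws IOException {
        // The body from the post: an unterminated '<html' with no closing '>'
        String truncating = "{\"name\":\"<html\",\"passwd\":\"12345\"}";
        // 1) Whole-body cleaning, as the wrapper's getInputStream() does it:
        //    Jsoup reads '<html...' as an unfinished tag and drops everything after it
        System.out.println("whole body : " + clean(truncating));
        // 2) Field-wise cleaning: the tag fragment is removed from "name", "passwd" survives
        System.out.println("field-wise : " + cleanJsonBody(truncating));

        // Constructed nested body: string leaves inside objects and arrays are cleaned, other types kept
        String nested = "{\"user\":{\"bio\":\"<script>alert(1)</script>hi\",\"age\":30},"
                + "\"tags\":[\"<b>x</b>\",true]}";
        String cleaned = cleanJsonBody(nested);
        System.out.println("nested     : " + cleaned);

        // The field-wise output is still valid JSON, so a controller can bind it
        JsonNode reparsed = MAPPER.readTree(cleaned);
        System.out.println("age still a number: " + reparsed.path("user").path("age").isNumber());
    }
}
```

In the wrapper, the switch is to call cleanJsonBody() instead of clean() in getInputStream() when the Content-Type is application/json, and to fall back to the whole-body clean() (or leave the body alone) for other content types. Either way, the controller no longer receives a body cut off in the middle of a string.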