目标
使用spring boot 的 Filter 对参数拦截,使用 Jsoup 对 参数中的 XSS进行过滤
工具
- spring boot 2.0
- jsoup (可选)
实现原理
spring boot 的 Filter 拦截到前端的参数后进行过滤(看着是不是很简单??)。
说白了就是两个功能:参数拦截、脚本过滤。
参数拦截
想要过滤XSS首先要能拦截到前端的参数。
先写个Filter:
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
public class XSSEscapeFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void destroy() {
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
//后面会有 XssHttpServletRequestWrapper 的代码。这个类是自己定义的
chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
}
}
这个Filter 是可以拦截到请求的,但是呢,如果想要对参数进行修改就需要重新定义 HttpServletRequestWrapper,只有用自定义的HttpServletRequestWrapper 才能对参数进行修改。
下面定义 XssHttpServletRequestWrapper:
import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Whitelist;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
/**
* 实现XSS过滤
* Create by zdRan on 2018/5/8
*
* @author cm.zdran@gmail.com
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private HttpServletRequest orgRequest = null;
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
orgRequest = request;
}
@Override
public String getParameter(String name) {
// 对参数进行修改
return name;
}
@Override
public Map getParameterMap() {
// 对参数进行修改
return super.getParameterMap();;
}
@Override
public String[] getParameterValues(String name) {
String[] arr = super.getParameterValues(name);
// 对参数进行修改
return arr;
}
@Override
public String getHeader(String name) {
//对参数进行修改
return super.getHeader(name);;
}
/**
* 获取最原始的request
*
* @return
*/
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
/**
* 获取最原始的request的静态方法
*
* @return
*/
public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
if (req instanceof XssHttpServletRequestWrapper) {
return ((XssHttpServletRequestWrapper) req).getOrgRequest();
}
return req;
}
这样就能对参数进行修改了,但是,目前的情况还不能处理POST请求,或者 RequestBody 注解。
当使用 RequestBody 注解时,你会发现,重写的这几个方法都没有走,说明我们没有重写全方法。
找了一些资料发现:RequestBody注解读取参数的方法是getInputStream() 。
我们重写一下这个方法:
@Override
public ServletInputStream getInputStream() throws IOException {
BufferedReader br = new BufferedReader(new InputStreamReader(orgRequest.getInputStream()));
String line = br.readLine();
String result = "";
if (line != null) {
//对参数进行处理
}
return new WrappedServletInputStream(new ByteArrayInputStream(result.getBytes()));
}
然后启动这个 Filter
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import javax.servlet.DispatcherType;
/**
* Create by zdRan on 2018/5/8
*
* @author cm.zdran@gmail.com
*/
@Configuration
public class XssFilterConfiguration {
/**
* xss过滤拦截器
*/
@Bean
public FilterRegistrationBean xssFilterRegistrationBean() {
FilterRegistrationBean initXssFilterBean = new FilterRegistrationBean();
initXssFilterBean.setFilter(new XSSEscapeFilter());
initXssFilterBean.setOrder(1);
initXssFilterBean.setEnabled(true);
initXssFilterBean.addUrlPatterns("/*");
initXssFilterBean.setDispatcherTypes(DispatcherType.REQUEST);
return initXssFilterBean;
}
}
到这里基本上就拦截到参数了,你可以自己定义对参数的修改规则。也可以使用jsoup对XSS进行过滤
脚本过滤
使用 jsoup 对参数中的 标签进行过滤
添加依赖
<dependency>
<groupId>org.jsoup</groupId>
<artifactId>jsoup</artifactId>
<version>1.11.3</version>
</dependency>
完整的 XssHttpServletRequestWrapper 代码:
import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Whitelist;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
/**
* 实现XSS过滤
* Create by zdRan on 2018/5/8
*
* @author cm.zdran@gmail.com
*/
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private HttpServletRequest orgRequest = null;
/**
* 配置可以通过过滤的白名单
* /
private static final Whitelist whitelist = new Whitelist();
/**
* 配置过滤化参数,不对代码进行格式化
*/
private static final Document.OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false);
public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
orgRequest = request;
}
@Override
public ServletInputStream getInputStream() throws IOException {
BufferedReader br = new BufferedReader(new InputStreamReader(orgRequest.getInputStream()));
String line = br.readLine();
String result = "";
if (line != null) {
result += clean(line);
}
return new WrappedServletInputStream(new ByteArrayInputStream(result.getBytes()));
}
/**
* 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>
* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>
* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
*/
@Override
public String getParameter(String name) {
if (("content".equals(name) || name.endsWith("WithHtml"))) {
return super.getParameter(name);
}
name = clean(name);
String value = super.getParameter(name);
if (StringUtils.isNotBlank(value)) {
value = clean(value);
}
return value;
}
@Override
public Map getParameterMap() {
Map map = super.getParameterMap();
// 返回值Map
Map<String, String> returnMap = new HashMap<String, String>();
Iterator entries = map.entrySet().iterator();
Map.Entry entry;
String name = "";
String value = "";
while (entries.hasNext()) {
entry = (Map.Entry) entries.next();
name = (String) entry.getKey();
Object valueObj = entry.getValue();
if (null == valueObj) {
value = "";
} else if (valueObj instanceof String[]) {
String[] values = (String[]) valueObj;
for (int i = 0; i < values.length; i++) {
value = values[i] + ",";
}
value = value.substring(0, value.length() - 1);
} else {
value = valueObj.toString();
}
returnMap.put(name, clean(value).trim());
}
return returnMap;
}
@Override
public String[] getParameterValues(String name) {
String[] arr = super.getParameterValues(name);
if (arr != null) {
for (int i = 0; i < arr.length; i++) {
arr[i] = clean(arr[i]);
}
}
return arr;
}
/**
* 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>
* 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>
* getHeaderNames 也可能需要覆盖
*/
@Override
public String getHeader(String name) {
name = clean(name);
String value = super.getHeader(name);
if (StringUtils.isNotBlank(value)) {
value = clean(value);
}
return value;
}
/**
* 获取最原始的request
*
* @return
*/
public HttpServletRequest getOrgRequest() {
return orgRequest;
}
/**
* 获取最原始的request的静态方法
*
* @return
*/
public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
if (req instanceof XssHttpServletRequestWrapper) {
return ((XssHttpServletRequestWrapper) req).getOrgRequest();
}
return req;
}
public String clean(String content) {
String result = Jsoup.clean(content, "", whitelist, outputSettings);
return result;
}
private class WrappedServletInputStream extends ServletInputStream {
public void setStream(InputStream stream) {
this.stream = stream;
}
private InputStream stream;
public WrappedServletInputStream(InputStream stream) {
this.stream = stream;
}
@Override
public int read() throws IOException {
return stream.read();
}
@Override
public boolean isFinished() {
return true;
}
@Override
public boolean isReady() {
return true;
}
@Override
public void setReadListener(ReadListener readListener) {
}
}
}
好了。到这就算结束了,不过目前还有一个小问题。使用 jsoup 是可以过滤掉所有的html标签,但是也有个问题,比如参数是: {"name":"<html","passwd":"12345"},过滤后的结果是:{"name":"因为没有找到<html>标签的结束位置,所以就会过滤掉后面所有的参数。这样就会导致 controller 获取参数的时候异常。
