一、引入maven依赖
<!-- hutool-->
<dependency>
<groupId>cn.hutool</groupId>
<artifactId>hutool-all</artifactId>
<version>5.1.0</version>
</dependency>
<!-- mica-xss：XSS 防护 -->
<dependency>
<groupId>net.dreamlu</groupId>
<artifactId>mica-core</artifactId>
<version>2.0.9-GA</version>
</dependency>
<dependency>
<groupId>net.dreamlu</groupId>
<artifactId>mica-xss</artifactId>
<version>2.0.9-GA</version>
</dependency>
二、定义过滤器 XssFilter 实现 Filter 接口，拦截 HTTP 请求
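/**
 * Servlet filter that wraps every incoming HTTP request in an
 * {@link XssHttpServletRequestWrapper}, so that parameter, header and JSON
 * body values are passed through the wrapper's filtering before the
 * application (and Spring MVC's parameter binding) reads them.
 *
 * <p>Mapped to all paths via {@code @WebFilter(urlPatterns = "/*")}; the
 * annotation is only picked up when the application class carries
 * {@code @ServletComponentScan}.
 */
@WebFilter(urlPatterns = "/*")
public class XssFilter implements Filter {

    /** No filter-level configuration is used. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Wraps HTTP requests and continues the chain.
     *
     * <p>A request that is not an {@link HttpServletRequest} is passed down the
     * chain unchanged instead of failing with a {@link ClassCastException}.
     *
     * @param servletRequest  the incoming request
     * @param servletResponse the response
     * @param filterChain     the remaining chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        if (servletRequest instanceof HttpServletRequest) {
            HttpServletRequest request = (HttpServletRequest) servletRequest;
            filterChain.doFilter(new XssHttpServletRequestWrapper(request), servletResponse);
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}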
三、编写包装类 XssHttpServletRequestWrapper 继承 HttpServletRequestWrapper，对请求参数、请求头和请求体进行转义

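/**
 * Request wrapper that runs untrusted text through {@link HtmlUtil#filter(String)}
 * before the application sees it: query/form parameters, headers, and the String
 * values of a JSON request body (including nested objects and arrays).
 *
 * <p>Differences from a plain pass-through wrapper:
 * <ul>
 *   <li>{@link #getParameterMap()} and {@link #getParameterValues(String)} return
 *       filtered copies; the container's own arrays are never modified in place.</li>
 *   <li>The request body is only rewritten when the Content-Type names JSON; other
 *       bodies (form, multipart, binary) are left untouched.</li>
 *   <li>The filtered JSON body is built once and cached, so reading the stream
 *       more than once yields the same content.</li>
 *   <li>Empty-string JSON values are kept under their key instead of being dropped.</li>
 * </ul>
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

    /** Charset used both to decode the incoming body and to encode the filtered one. */
    private static final Charset UTF_8 = Charset.forName("UTF-8");

    /** Filtered JSON body, built on the first read and reused afterwards. */
    private byte[] filteredBody;

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
    }

    /** Filters one value; null and empty values are returned unchanged. */
    private static String clean(String value) {
        return StrUtil.hasEmpty(value) ? value : HtmlUtil.filter(value);
    }

    /** Returns a filtered copy of {@code values}; the input array is not modified. */
    private static String[] cleanAll(String[] values) {
        if (values == null) {
            return null;
        }
        String[] copy = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            copy[i] = clean(values[i]);
        }
        return copy;
    }

    @Override
    public String getParameter(String name) {
        return clean(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        return cleanAll(super.getParameterValues(name));
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> parameters = super.getParameterMap();
        Map<String, String[]> filtered = new LinkedHashMap<>();
        if (parameters != null) {
            for (Map.Entry<String, String[]> entry : parameters.entrySet()) {
                filtered.put(entry.getKey(), cleanAll(entry.getValue()));
            }
        }
        return filtered;
    }

    /**
     * Filters every header value.
     *
     * <p>NOTE(review): this applies to all headers, not only the ones the
     * application echoes back; confirm that no legitimate header in this
     * deployment is altered by {@code HtmlUtil.filter}.
     */
    @Override
    public String getHeader(String name) {
        return clean(super.getHeader(name));
    }

    /**
     * Returns the request body with its String values filtered when the body is JSON;
     * otherwise the underlying stream is returned as-is.
     *
     * @throws IOException if the underlying body cannot be read
     */
    @Override
    public ServletInputStream getInputStream() throws IOException {
        if (!isJsonBody()) {
            // Parsing a non-JSON body as JSON would fail (or corrupt it), so leave it alone.
            return super.getInputStream();
        }
        if (filteredBody == null) {
            filteredBody = filterJsonBody(readBody(super.getInputStream()));
        }
        final ByteArrayInputStream bain = new ByteArrayInputStream(filteredBody);
        return new ServletInputStream() {
            @Override
            public int read() throws IOException {
                return bain.read();
            }

            @Override
            public boolean isFinished() {
                // in-memory buffer: finished once every byte has been consumed
                return bain.available() == 0;
            }

            @Override
            public boolean isReady() {
                // data is already in memory, a read never blocks
                return true;
            }

            @Override
            public void setReadListener(ReadListener readListener) {
                // non-blocking reads are not supported on this in-memory stream
            }
        };
    }

    /**
     * Mirrors {@link #getInputStream()} so callers that read the body through a
     * Reader also see the filtered JSON; non-JSON bodies use the wrapped reader.
     *
     * @throws IOException if the underlying body cannot be read
     */
    @Override
    public BufferedReader getReader() throws IOException {
        if (!isJsonBody()) {
            return super.getReader();
        }
        return new BufferedReader(new InputStreamReader(getInputStream(), UTF_8));
    }

    /** True when the request's Content-Type mentions JSON (e.g. application/json). */
    private boolean isJsonBody() {
        String contentType = getContentType();
        return contentType != null && contentType.toLowerCase(java.util.Locale.ROOT).contains("json");
    }

    /** Reads the whole stream as UTF-8 text, preserving line breaks, and closes it. */
    private static String readBody(InputStream in) throws IOException {
        StringBuilder body = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(in, UTF_8))) {
            char[] buf = new char[1024];
            int n;
            while ((n = reader.read(buf)) != -1) {
                body.append(buf, 0, n);
            }
        }
        return body.toString();
    }

    /**
     * Parses a JSON object body, filters its String values recursively and
     * re-serialises it. An empty/blank body becomes {@code {}}, as before.
     */
    private static byte[] filterJsonBody(String body) {
        Map<String, Object> parsed;
        if (body.trim().isEmpty()) {
            parsed = new HashMap<>(0);
        } else {
            parsed = JSONUtil.parseObj(body);
        }
        Map<String, Object> result = new LinkedHashMap<>();
        for (Map.Entry<String, Object> entry : parsed.entrySet()) {
            result.put(entry.getKey(), cleanValue(entry.getValue()));
        }
        return JSONUtil.toJsonStr(result).getBytes(UTF_8);
    }

    /**
     * Filters a parsed JSON value: Strings are filtered, objects and arrays are
     * rebuilt with their elements filtered, everything else is returned unchanged.
     */
    private static Object cleanValue(Object value) {
        if (value instanceof String) {
            return clean((String) value);
        }
        if (value instanceof Map) {
            Map<String, Object> out = new LinkedHashMap<>();
            for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
                out.put(String.valueOf(e.getKey()), cleanValue(e.getValue()));
            }
            return out;
        }
        if (value instanceof Iterable) {
            java.util.List<Object> out = new java.util.ArrayList<>();
            for (Object item : (Iterable<?>) value) {
                out.add(cleanValue(item));
            }
            return out;
        }
        return value;
    }
}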
四、在配置文件中开启 mica 的 XSS 过滤，并在启动类上通过 @ServletComponentScan 注册 Filter
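mica:
  xss:
    # turn on mica-xss request filtering
    enabled: true
    # left empty in the original post; confirm the resulting default against the mica-xss docs
    path-patterns: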
/**
 * Spring Boot entry point. {@code @ServletComponentScan} lets the container
 * pick up the {@code @WebFilter}-annotated XssFilter.
 */
@ServletComponentScan
@EnableTransactionManagement(proxyTargetClass = true)
@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        Class<Application> primarySource = Application.class;
        SpringApplication.run(primarySource, args);
    }
}
五、实战模拟
// Stub from the post: plain parameters bound by name from the query/form string.
// Per the closing note, Spring MVC reads these through the wrapped request's parameter methods.
@RequestMapping("/xss/{id}")
public String xss(String xss,String name){
}
// Stub from the post: explicit @RequestParam / @Param binding.
// NOTE(review): as printed, the signature is missing its closing ")" and the opening "{".
@RequestMapping("/xss/{id}")
public String xss(@RequestParam("xss")String xss,@Param("name") String name
}
// Stub from the post: value taken from the URL path segment.
// NOTE(review): the wrapper above does not override URI accessors, so whether this value
// is filtered should be confirmed rather than assumed.
@RequestMapping("/xss/{id}")
public String xss(@PathVariable("id")String path){
}
// Stub from the post: all request parameters bound into a Map.
@RequestMapping("/xss/{id}")
public String xss(@RequestParam(required = false)Map<String,Object> param){
}
// Stub from the post: JSON body bound into a Map; the body is read through the
// wrapper's getInputStream(), where the JSON values are filtered.
@RequestMapping("/xss/{id}")
public String xss(@RequestBody(required = false) Map<String,Object> param){
System.out.println( param);
}
// Stub from the post: manual read via request.getParameter(), which goes through the
// wrapper's override. NOTE(review): the assignment line is missing its ";" as printed.
@RequestMapping("/xss/{id}")
public String xss(HttpServletRequest request){
String xss = request.getParameter("xss")
}
{
"name":"王某",
"age":12,
"param":"<script>alert(1)<script/>",
"xss":"<button>test</button>"
}
解决思路:
mica 不能过滤 request.getParameter("param") 方式的 XSS 攻击。使用 Filter 是为了通过 HttpServletRequestWrapper 重写 HttpServletRequest：Spring MVC 做参数绑定时会调用 HttpServletRequest 中的方法进行动态绑定，因此在 Spring MVC 绑定参数之前就能用 HtmlUtil.filter 完成 XSS 转义。