关注JEECG发展历程 关注最新动态和版本, 记录JEECG成长点滴 更新日志 - 技术支持 - 招聘英才

JEECG最新版本下载 JEECG智能开发平台 - 显著提高开发效率 常见问题 - 入门视频 - 参与开源团队

商务QQ: 2019066212、3102411850 商务热线(5*8小时): 010-64808099 官方邮箱: jeecgos@163.com

查看: 125|回复: 0

JeecgBoot抵御XSS攻击实现方案

[复制链接]
发表于 2022-5-12 11:37:32 | 显示全部楼层 |阅读模式
1. 问题描述

jeecgboot后台启动后,在浏览器输入地址

  1. http://localhost:8080/jeecg-boot/jmreport/view/')%22οnmοuseοver=alert('hacking')%20%20(
复制代码

弹出对话框

2. 试验环境

jeecgboot 3.0



3. 增加配置类
  • 在jeecg-boot-module-system的config包下,新建xss包,并新增几个类

  • 类的具体代码如下:
  1. package org.jeecg.config.xss;

  2. import javax.servlet.*;
  3. import javax.servlet.http.HttpServletRequest;
  4. import java.io.IOException;

  5. /**
  6. * Created by sunh on 2012/12/29.
  7. * xss 过滤器只能过滤form表单形式提交的参数
  8. */
  9. public class XssFilter implements Filter {

  10.     @Override
  11.     public void init(FilterConfig filterConfig) throws ServletException {

  12.     }

  13.     @Override
  14.     public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
  15.         System.out.println("***********开始过滤");
  16.         XssHttpServletRequestWrapper xssRequest =
  17.                 new XssHttpServletRequestWrapper((HttpServletRequest) servletRequest);
  18.         filterChain.doFilter(xssRequest, servletResponse);
  19.     }

  20.     @Override
  21.     public void destroy() {

  22.     }
  23. }
复制代码
  1. package org.jeecg.config.xss;

  2. import com.fasterxml.jackson.databind.ObjectMapper;
  3. import com.fasterxml.jackson.databind.module.SimpleModule;
  4. import org.springframework.boot.web.servlet.FilterRegistrationBean;
  5. import org.springframework.context.annotation.Bean;
  6. import org.springframework.context.annotation.Configuration;
  7. import org.springframework.context.annotation.Primary;
  8. import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
  9. import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;

  10. /**
  11. * Created by sunh on 2012/12/29.
  12. * xss 自动配置类
  13. */
  14. @Configuration
  15. public class XssFilterAtuoConfig {

  16.     @Bean
  17.     public FilterRegistrationBean xssFiltrRegister() {
  18.         FilterRegistrationBean registration = new FilterRegistrationBean();
  19.         registration.setFilter(new XssFilter());
  20.         registration.addUrlPatterns("/*");
  21.         registration.setName("XssFilter");
  22.         registration.setOrder(1);
  23.         return registration;
  24.     }


  25.     @Bean
  26.     @Primary
  27.     public MappingJackson2HttpMessageConverter mappingJackson2HttpMessageConverter() {
  28.         SimpleModule module = new SimpleModule();
  29.         module.addDeserializer(String.class, new XssStringJsonDeserializer());
  30.         ObjectMapper objectMapper = Jackson2ObjectMapperBuilder.json().build();
  31.         objectMapper.registerModule(module);
  32.         return new MappingJackson2HttpMessageConverter(objectMapper);
  33.     }
  34. }
复制代码
  1. package org.jeecg.config.xss;

  2. import org.springframework.web.servlet.HandlerMapping;

  3. import javax.servlet.http.HttpServletRequest;
  4. import javax.servlet.http.HttpServletRequestWrapper;
  5. import java.util.LinkedHashMap;
  6. import java.util.Map;
  7. import java.util.Objects;

  8. /**
  9. * Created by sunh on 2012/12/29.
  10. * xss 包装
  11. */
  12. public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

  13.     public XssHttpServletRequestWrapper(HttpServletRequest request) {
  14.         super(request);
  15.     }

  16.     @Override
  17.     public String getHeader(String name) {
  18.         String value = super.getHeader(name);
  19.         return XssUtil.cleanXSS(value);
  20.     }

  21.     @Override
  22.     public String getParameter(String name) {
  23.         String value = super.getParameter(name);
  24.         return XssUtil.cleanXSS(value);
  25.     }

  26.     @Override
  27.     public String[] getParameterValues(String name) {
  28.         String[] values = super.getParameterValues(name);
  29.         if (values != null) {
  30.             int length = values.length;
  31.             String[] escapseValues = new String[length];
  32.             for (int i = 0; i < length; i++) {
  33.                 escapseValues[i] = XssUtil.cleanXSS(values[i]);
  34.             }
  35.             return escapseValues;
  36.         }
  37.         return super.getParameterValues(name);
  38.     }

  39.     /**
  40.      * 主要是针对HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE 获取pathvalue的时候把原来的pathvalue经过xss过滤掉
  41.      */
  42.     @Override
  43.     public Object getAttribute(String name) {
  44.         // 获取pathvalue的值
  45.         if (HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE.equals(name)) {
  46.             Map uriTemplateVars = (Map) super.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE);
  47.             if (Objects.isNull(uriTemplateVars)) {
  48.                 return uriTemplateVars;
  49.             }
  50.             Map newMap = new LinkedHashMap<>();
  51.             uriTemplateVars.forEach((key, value) -> {
  52.                 if (value instanceof String) {
  53.                     newMap.put(key, XssUtil.cleanXSS((String) value));
  54.                 } else {
  55.                     newMap.put(key, value);

  56.                 }
  57.             });
  58.             return newMap;
  59.         } else {
  60.             return super.getAttribute(name);
  61.         }
  62.     }
  63. }
复制代码
  1. package org.jeecg.config.xss;

  2. import com.fasterxml.jackson.databind.ObjectMapper;
  3. import com.fasterxml.jackson.databind.module.SimpleModule;

  4. /**
  5. * Created by sunh on 2012/12/29.
  6. * 创建xss的json转换器
  7. */
  8. public class XssObjectMapper extends ObjectMapper {

  9.     public XssObjectMapper() {
  10.         SimpleModule module = new SimpleModule("XSS JsonDeserializer");
  11.         module.addDeserializer(String.class, new XssStringJsonDeserializer());
  12.         this.registerModule(module);
  13.     }
  14. }
复制代码
  1. package org.jeecg.config.xss;

  2. import com.fasterxml.jackson.core.JsonParser;
  3. import com.fasterxml.jackson.databind.DeserializationContext;
  4. import com.fasterxml.jackson.databind.JsonDeserializer;
  5. import org.springframework.web.util.HtmlUtils;

  6. import java.io.IOException;

  7. /**
  8. * Created by sunh on 2012/12/29.
  9. * 基于xss的JsonDeserializer
  10. */
  11. public class XssStringJsonDeserializer extends JsonDeserializer<String> {


  12.     @Override
  13.     public Class<String> handledType() {
  14.         return String.class;
  15.     }

  16.     @Override
  17.     public String deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
  18.         return HtmlUtils.htmlEscape(jsonParser.getValueAsString());
  19.     }
  20. }
复制代码
  1. package org.jeecg.config.xss;


  2. import java.util.Objects;

  3. /**
  4. * Created by sunh on 2012/12/29
  5. * xss工具类
  6. */
  7. public class XssUtil {

  8.     public static String cleanXSS(String value) {
  9.         if (Objects.isNull(value)) {
  10.             return value;
  11.         }
  12.         //You'll need to remove the spaces from the html entities below
  13.         value = value.replaceAll("<", "& lt;").replaceAll(">", "& gt;");
  14.         value = value.replaceAll("\\(", "& #40;").replaceAll("\\)", "& #41;");
  15.         value = value.replaceAll("'", "& #39;");
  16.         value = value.replaceAll("eval\\((.*)\\)", "");
  17.         value = value.replaceAll("[\\"\\\'][\\s]*javascript:(.*)[\\"\\\']", """");
  18.         value = value.replaceAll("script", "");
  19.         return value;
  20.     }
  21. }
复制代码



4. 测试结果

启动后端,在浏览器访问地址

  1. http://localhost:8080/jeecg-boot/jmreport/view/')%22οnmοuseοver=alert('hacking')%20%20(
复制代码

未弹出对话框

启动前端,原来的服务能正常访问。


您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表