spring boot 使用 Jsoup 拦截XSS

目标

使用spring boot 的 Filter 对参数拦截,使用 Jsoup 对 参数中的 XSS进行过滤

工具

  • spring boot 2.0
  • jsoup (可选)

实现原理

spring boot 的 Filter 拦截到前端的参数后进行过滤(看着是不是很简单??)。

说白了就是两个功能:参数拦截、脚本过滤。

参数拦截

想要过滤XSS首先要能拦截到前端的参数。

先写个Filter:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
  
public class XSSEscapeFilter implements Filter {  
   
  
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
       
    }  
  
    @Override
    public void destroy() {
       
    }  
  
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 
                      throws IOException, ServletException {
        //后面会有 XssHttpServletRequestWrapper 的代码。这个类是自己定义的
        chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request), response);
    }
}

这个Filter 是可以拦截到请求的,但是呢,如果想要对参数进行修改就需要重新定义 HttpServletRequestWrapper,只有用自定义的HttpServletRequestWrapper 才能对参数进行修改。

下面定义 XssHttpServletRequestWrapper:


import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Whitelist;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/**
 * 实现XSS过滤
 * Create by zdRan on 2018/5/8
 *
 * @author cm.zdran@gmail.com
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private HttpServletRequest orgRequest = null;

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;

    }

    @Override
    public String getParameter(String name) {
        // 对参数进行修改
        return name;
    }

    @Override
    public Map getParameterMap() {
        // 对参数进行修改
        return super.getParameterMap();;
    }

    @Override
    public String[] getParameterValues(String name) {
        String[] arr = super.getParameterValues(name);
        // 对参数进行修改
        return arr;
    }

    @Override
    public String getHeader(String name) {
        //对参数进行修改
        return super.getHeader(name);;
    }

    /**
     * 获取最原始的request
     *
     * @return
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * 获取最原始的request的静态方法
     *
     * @return
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }

        return req;
    }

这样就能对参数进行修改了,但是,目前的情况还不能处理POST请求,或者 RequestBody 注解。

当使用 RequestBody 注解时,你会发现,重写的这几个方法都没有走,说明我们没有重写全方法。

找了一些资料发现:RequestBody注解读取参数的方法是getInputStream() 。

我们重写一下这个方法:

 @Override
    public ServletInputStream getInputStream() throws IOException {

        BufferedReader br = new BufferedReader(new InputStreamReader(orgRequest.getInputStream()));
        String line = br.readLine();
        String result = "";
        if (line != null) {
            //对参数进行处理
        }

        return new WrappedServletInputStream(new ByteArrayInputStream(result.getBytes()));
    }

然后启动这个 Filter


import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import javax.servlet.DispatcherType;

/**
 * Create by zdRan on 2018/5/8
 *
 * @author cm.zdran@gmail.com
 */
@Configuration
public class XssFilterConfiguration {
    /**
     * xss过滤拦截器
     */
    @Bean
    public FilterRegistrationBean xssFilterRegistrationBean() {
        FilterRegistrationBean initXssFilterBean = new FilterRegistrationBean();
        initXssFilterBean.setFilter(new XSSEscapeFilter());
        initXssFilterBean.setOrder(1);
        initXssFilterBean.setEnabled(true);
        initXssFilterBean.addUrlPatterns("/*");
        initXssFilterBean.setDispatcherTypes(DispatcherType.REQUEST);
        return initXssFilterBean;
    }
}

到这里基本上就拦截到参数了,你可以自己定义对参数的修改规则。也可以使用jsoup对XSS进行过滤

脚本过滤

使用 jsoup 对参数中的 标签进行过滤
添加依赖

<dependency>
    <groupId>org.jsoup</groupId>
    <artifactId>jsoup</artifactId>
    <version>1.11.3</version>
</dependency>

完整的 XssHttpServletRequestWrapper 代码:

import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.safety.Whitelist;

import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.*;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/**
 * 实现XSS过滤
 * Create by zdRan on 2018/5/8
 *
 * @author cm.zdran@gmail.com
 */
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
    private HttpServletRequest orgRequest = null;
    /**
    * 配置可以通过过滤的白名单
    * /
    private static final Whitelist whitelist = new Whitelist();
    /**
     * 配置过滤化参数,不对代码进行格式化
     */
    private static final Document.OutputSettings outputSettings = new Document.OutputSettings().prettyPrint(false);

    public XssHttpServletRequestWrapper(HttpServletRequest request) {
        super(request);
        orgRequest = request;

    }

    
    public ServletInputStream getInputStream() throws IOException {

        BufferedReader br = new BufferedReader(new InputStreamReader(orgRequest.getInputStream()));
        String line = br.readLine();
        String result = "";
        if (line != null) {
            result += clean(line);
        }

        return new WrappedServletInputStream(new ByteArrayInputStream(result.getBytes()));
    }

    /**
     * 覆盖getParameter方法,将参数名和参数值都做xss过滤。<br/>
     * 如果需要获得原始的值,则通过super.getParameterValues(name)来获取<br/>
     * getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
     */
    
    public String getParameter(String name) {
        if (("content".equals(name) || name.endsWith("WithHtml"))) {
            return super.getParameter(name);
        }
        name = clean(name);
        String value = super.getParameter(name);
        if (StringUtils.isNotBlank(value)) {
            value = clean(value);
        }
        return value;
    }

    
    public Map getParameterMap() {
        Map map = super.getParameterMap();
        // 返回值Map
        Map<String, String> returnMap = new HashMap<String, String>();
        Iterator entries = map.entrySet().iterator();
        Map.Entry entry;
        String name = "";
        String value = "";
        while (entries.hasNext()) {
            entry = (Map.Entry) entries.next();
            name = (String) entry.getKey();
            Object valueObj = entry.getValue();
            if (null == valueObj) {
                value = "";
            } else if (valueObj instanceof String[]) {
                String[] values = (String[]) valueObj;
                for (int i = 0; i < values.length; i++) {
                    value = values[i] + ",";
                }
                value = value.substring(0, value.length() - 1);
            } else {
                value = valueObj.toString();
            }
            returnMap.put(name, clean(value).trim());
        }
        return returnMap;
    }

    
    public String[] getParameterValues(String name) {
        String[] arr = super.getParameterValues(name);
        if (arr != null) {
            for (int i = 0; i < arr.length; i++) {
                arr[i] = clean(arr[i]);
            }
        }
        return arr;
    }


    /**
     * 覆盖getHeader方法,将参数名和参数值都做xss过滤。<br/>
     * 如果需要获得原始的值,则通过super.getHeaders(name)来获取<br/>
     * getHeaderNames 也可能需要覆盖
     */
    
    public String getHeader(String name) {

        name = clean(name);
        String value = super.getHeader(name);
        if (StringUtils.isNotBlank(value)) {
            value = clean(value);
        }
        return value;
    }

    /**
     * 获取最原始的request
     *
     * @return
     */
    public HttpServletRequest getOrgRequest() {
        return orgRequest;
    }

    /**
     * 获取最原始的request的静态方法
     *
     * @return
     */
    public static HttpServletRequest getOrgRequest(HttpServletRequest req) {
        if (req instanceof XssHttpServletRequestWrapper) {
            return ((XssHttpServletRequestWrapper) req).getOrgRequest();
        }

        return req;
    }

    public String clean(String content) {
        String result = Jsoup.clean(content, "", whitelist, outputSettings);
        return result;
    }

    private class WrappedServletInputStream extends ServletInputStream {
        public void setStream(InputStream stream) {
            this.stream = stream;
        }

        private InputStream stream;

        public WrappedServletInputStream(InputStream stream) {
            this.stream = stream;
        }

        
        public int read() throws IOException {
            return stream.read();
        }

        
        public boolean isFinished() {
            return true;
        }

        
        public boolean isReady() {
            return true;
        }

        
        public void setReadListener(ReadListener readListener) {

        }
    }
}

好了。到这就算结束了,不过目前还有一个小问题。使用 jsoup 是可以过滤掉所有的html标签,但是也有个问题,比如参数是: {"name":"<html","passwd":"12345"},过滤后的结果是:{"name":"因为没有找到<html>标签的结束位置,所以就会过滤掉后面所有的参数。这样就会导致 controller 获取参数的时候异常。

来源:  https://www.jianshu.com/p/206a7dea9d8d