Skip to content

Sureness
Sureness

lzh_me / Sureness
与 Fork 源项目一致

Fork自 sureness / Sureness

通知 1
Star 0
Fork 0
Sureness
Sureness

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

提交 13a23e8d 编写于 作者: sinat_25235033's avatar sinat_25235033
浏览文件
操作

add xss, sql inject filter util

上级 d40b6bd2
隐藏空白更改
内联 并排
Showing with 183 addition and 0 deletion
core/src/main/java/com/usthe/sureness/security/XssSqlServletRequestWrapper.java 0 → 100644
浏览文件 @ 13a23e8d
package com.usthe.sureness.security;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.HashMap;
import java.util.Map;
/**
* request xss sql filter wrapper
* @author tomsun28
* @date 20:41 2018/4/15
*/
public class XssSqlServletRequestWrapper extends HttpServletRequestWrapper {
public XssSqlServletRequestWrapper(HttpServletRequest request) {
super(request);
}
@Override
public String[] getParameterValues(String parameter) {
String[] values = super.getParameterValues(parameter);
if (values == null) {
return null;
}
int count = values.length;
String[] encodedValues = new String[count];
for (int i = 0 ; i < count ; i++ ) {
encodedValues[i] = filterParamString(values[i]);
}
return encodedValues;
}
@Override
public Map<String,String[]> getParameterMap() {
Map<String,String[]> primary = super.getParameterMap();
Map<String,String[]> result = new HashMap<>(16);
for (Map.Entry<String,String[]> entry : primary.entrySet()) {
result.put(entry.getKey(),filterEntryString(entry.getValue()));
}
return result;
}
@Override
public String getParameter(String parameter) {
return filterParamString(super.getParameter(parameter));
}
@Override
public String getHeader(String name) {
return filterParamString(super.getHeader(name));
}
@Override
public Cookie[] getCookies() {
Cookie[] cookies = super.getCookies();
if (cookies != null) {
for (Cookie cookie : cookies) {
cookie.setValue(filterParamString(cookie.getValue()));
}
}
return cookies;
}
private String[] filterEntryString(String[] value) {
for (int i = 0; i < value.length; i++) {
value[i] = filterParamString(value[i]);
}
return value;
}
/**
* filter value xss and sql inject
* @param value content
* @return java.lang.String content
*/
private String filterParamString(String value) {
return value == null ? null : XssSqlUtil.stripSqlXss(value);
}
}
core/src/main/java/com/usthe/sureness/security/XssSqlUtil.java 0 → 100644
浏览文件 @ 13a23e8d
package com.usthe.sureness.security;
import java.util.regex.Pattern;
/**
* filter Web xss sql
* @author from internet
* @date 19:51 2018/4/15
*/
public class XssSqlUtil {
private static final String STR_SCRIPT1 = "<script>(.*?)</script>";
private static final String STR_SCRIPT2 = "</script>";
private static final String STR_SCRIPT3 = "<script(.*?)>";
private static final String STR_EVAL = "eval\\((.*?)\\)";
private static final String STR_EXP = "expression\\((.*?)\\)";
private static final String STR_JS = "javascript:";
private static final String STR_VB = "vbscript:";
private static final String STR_ON = "onload(.*?)=";
private static final String SQL = "('.+--)|(--)|(%7C)";
private static final Pattern SCRIPT1_PATTERN = Pattern.compile(STR_SCRIPT1, Pattern.CASE_INSENSITIVE);
private static final Pattern SCRIPT2_PATTERN = Pattern.compile(STR_SCRIPT2, Pattern.CASE_INSENSITIVE);
private static final Pattern SCRIPT3_PATTERN = Pattern.compile(STR_SCRIPT3,
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
private static final Pattern STR_EVAL_PATTERN = Pattern.compile(STR_EVAL,
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
private static final Pattern STR_EXP_PATTERN = Pattern.compile(STR_EXP,
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
private static final Pattern STR_JS_PATTERN = Pattern.compile(STR_JS, Pattern.CASE_INSENSITIVE);
private static final Pattern STR_VB_PATTERN = Pattern.compile(STR_VB, Pattern.CASE_INSENSITIVE);
private static final Pattern STR_ON_PATTERN = Pattern.compile(STR_ON,
Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
private static final Pattern SQL_PATTERN = Pattern.compile(SQL);
/**
* filter Web xss content
* @param value content
* @return java.lang.String content
*/
public static String stripXss(String value) {
String rlt = null;
if (null != value) {
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
rlt = value.replaceAll("", "");
// Avoid anything between script tags
rlt = SCRIPT1_PATTERN.matcher(rlt).replaceAll("");
// Remove any lonesome </script> tag
rlt = SCRIPT2_PATTERN.matcher(rlt).replaceAll("");
// Remove any lonesome <script ...> tag
rlt = SCRIPT3_PATTERN.matcher(rlt).replaceAll("");
// Avoid eval(...) expressions
rlt = STR_EVAL_PATTERN.matcher(rlt).replaceAll("");
// Avoid expression(...) expressions
rlt = STR_EXP_PATTERN.matcher(rlt).replaceAll("");
// Avoid javascript:... expressions
rlt = STR_JS_PATTERN.matcher(rlt).replaceAll("");
// Avoid vbscript:... expressions
rlt = STR_VB_PATTERN.matcher(rlt).replaceAll("");
// Avoid onload= expressions
rlt = STR_ON_PATTERN.matcher(rlt).replaceAll("");
}
return rlt;
}
/**
* filter sql inject content
* @param value content
* @return java.lang.String content
*/
public static String stripSqlInjection(String value) {
return (null == value) ? null : SQL_PATTERN.matcher(value).replaceAll("");
}
/**
* filter sql inject and xss content
*
* @param value content
* @return java.lang.String content
*/
public static String stripSqlXss(String value) {
return stripXss(stripSqlInjection(value));
}
}
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册