Project: sureness / Sureness
Commit 13a23e8d
Authored on Mar 09, 2021 by sinat_25235033

add xss, sql inject filter util

Parent: d40b6bd2
Changes: 2 changed files with 183 additions and 0 deletions (+183 -0)
core/src/main/java/com/usthe/sureness/security/XssSqlServletRequestWrapper.java  +82 -0
core/src/main/java/com/usthe/sureness/security/XssSqlUtil.java  +101 -0
core/src/main/java/com/usthe/sureness/security/XssSqlServletRequestWrapper.java (new file, 0 → 100644)
package
com.usthe.sureness.security
;
import
javax.servlet.http.Cookie
;
import
javax.servlet.http.HttpServletRequest
;
import
javax.servlet.http.HttpServletRequestWrapper
;
import
java.util.HashMap
;
import
java.util.Map
;
/**
* request xss sql filter wrapper
* @author tomsun28
* @date 20:41 2018/4/15
*/
public
class
XssSqlServletRequestWrapper
extends
HttpServletRequestWrapper
{
public
XssSqlServletRequestWrapper
(
HttpServletRequest
request
)
{
super
(
request
);
}
@Override
public
String
[]
getParameterValues
(
String
parameter
)
{
String
[]
values
=
super
.
getParameterValues
(
parameter
);
if
(
values
==
null
)
{
return
null
;
}
int
count
=
values
.
length
;
String
[]
encodedValues
=
new
String
[
count
];
for
(
int
i
=
0
;
i
<
count
;
i
++
)
{
encodedValues
[
i
]
=
filterParamString
(
values
[
i
]);
}
return
encodedValues
;
}
@Override
public
Map
<
String
,
String
[]>
getParameterMap
()
{
Map
<
String
,
String
[]>
primary
=
super
.
getParameterMap
();
Map
<
String
,
String
[]>
result
=
new
HashMap
<>(
16
);
for
(
Map
.
Entry
<
String
,
String
[]>
entry
:
primary
.
entrySet
())
{
result
.
put
(
entry
.
getKey
(),
filterEntryString
(
entry
.
getValue
()));
}
return
result
;
}
@Override
public
String
getParameter
(
String
parameter
)
{
return
filterParamString
(
super
.
getParameter
(
parameter
));
}
@Override
public
String
getHeader
(
String
name
)
{
return
filterParamString
(
super
.
getHeader
(
name
));
}
@Override
public
Cookie
[]
getCookies
()
{
Cookie
[]
cookies
=
super
.
getCookies
();
if
(
cookies
!=
null
)
{
for
(
Cookie
cookie
:
cookies
)
{
cookie
.
setValue
(
filterParamString
(
cookie
.
getValue
()));
}
}
return
cookies
;
}
private
String
[]
filterEntryString
(
String
[]
value
)
{
for
(
int
i
=
0
;
i
<
value
.
length
;
i
++)
{
value
[
i
]
=
filterParamString
(
value
[
i
]);
}
return
value
;
}
/**
* filter value xss and sql inject
* @param value content
* @return java.lang.String content
*/
private
String
filterParamString
(
String
value
)
{
return
value
==
null
?
null
:
XssSqlUtil
.
stripSqlXss
(
value
);
}
}
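Review bot: `filterEntryString` (called from `getParameterMap`) and `getCookies` modify objects owned by the wrapped request in place: the loop writes `value[i] = filterParamString(value[i])` into the arrays held by the map returned by `super.getParameterMap()`, and `cookie.setValue(...)` is called on the container's own `Cookie` instances, while `getParameterValues` correctly copies into a fresh `encodedValues` array. Those arrays and cookie objects are the container's, so mutating them changes what the unwrapped request returns to later callers; build a new array in `filterEntryString` and return new `Cookie` objects instead. A second point is `getHeader`, which runs every header value through `XssSqlUtil.stripSqlXss`; that function removes `--`, and a base64url-encoded token in an `Authorization` header can legitimately contain that sequence, so it would be silently corrupted before authentication sees it. Consider excluding authentication headers from filtering, and document that `getHeaders`, `getQueryString` and the request body (`getInputStream`/`getReader`) are not covered by this wrapper.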
core/src/main/java/com/usthe/sureness/security/XssSqlUtil.java (new file, 0 → 100644)
package
com.usthe.sureness.security
;
import
java.util.regex.Pattern
;
/**
* filter Web xss sql
* @author from internet
* @date 19:51 2018/4/15
*/
public
class
XssSqlUtil
{
private
static
final
String
STR_SCRIPT1
=
"<script>(.*?)</script>"
;
private
static
final
String
STR_SCRIPT2
=
"</script>"
;
private
static
final
String
STR_SCRIPT3
=
"<script(.*?)>"
;
private
static
final
String
STR_EVAL
=
"eval\\((.*?)\\)"
;
private
static
final
String
STR_EXP
=
"expression\\((.*?)\\)"
;
private
static
final
String
STR_JS
=
"javascript:"
;
private
static
final
String
STR_VB
=
"vbscript:"
;
private
static
final
String
STR_ON
=
"onload(.*?)="
;
private
static
final
String
SQL
=
"('.+--)|(--)|(%7C)"
;
private
static
final
Pattern
SCRIPT1_PATTERN
=
Pattern
.
compile
(
STR_SCRIPT1
,
Pattern
.
CASE_INSENSITIVE
);
private
static
final
Pattern
SCRIPT2_PATTERN
=
Pattern
.
compile
(
STR_SCRIPT2
,
Pattern
.
CASE_INSENSITIVE
);
private
static
final
Pattern
SCRIPT3_PATTERN
=
Pattern
.
compile
(
STR_SCRIPT3
,
Pattern
.
CASE_INSENSITIVE
|
Pattern
.
MULTILINE
|
Pattern
.
DOTALL
);
private
static
final
Pattern
STR_EVAL_PATTERN
=
Pattern
.
compile
(
STR_EVAL
,
Pattern
.
CASE_INSENSITIVE
|
Pattern
.
MULTILINE
|
Pattern
.
DOTALL
);
private
static
final
Pattern
STR_EXP_PATTERN
=
Pattern
.
compile
(
STR_EXP
,
Pattern
.
CASE_INSENSITIVE
|
Pattern
.
MULTILINE
|
Pattern
.
DOTALL
);
private
static
final
Pattern
STR_JS_PATTERN
=
Pattern
.
compile
(
STR_JS
,
Pattern
.
CASE_INSENSITIVE
);
private
static
final
Pattern
STR_VB_PATTERN
=
Pattern
.
compile
(
STR_VB
,
Pattern
.
CASE_INSENSITIVE
);
private
static
final
Pattern
STR_ON_PATTERN
=
Pattern
.
compile
(
STR_ON
,
Pattern
.
CASE_INSENSITIVE
|
Pattern
.
MULTILINE
|
Pattern
.
DOTALL
);
private
static
final
Pattern
SQL_PATTERN
=
Pattern
.
compile
(
SQL
);
/**
* filter Web xss content
* @param value content
* @return java.lang.String content
*/
public
static
String
stripXss
(
String
value
)
{
String
rlt
=
null
;
if
(
null
!=
value
)
{
// NOTE: It's highly recommended to use the ESAPI library and uncomment the following line to
// avoid encoded attacks.
rlt
=
value
.
replaceAll
(
""
,
""
);
// Avoid anything between script tags
rlt
=
SCRIPT1_PATTERN
.
matcher
(
rlt
).
replaceAll
(
""
);
// Remove any lonesome </script> tag
rlt
=
SCRIPT2_PATTERN
.
matcher
(
rlt
).
replaceAll
(
""
);
// Remove any lonesome <script ...> tag
rlt
=
SCRIPT3_PATTERN
.
matcher
(
rlt
).
replaceAll
(
""
);
// Avoid eval(...) expressions
rlt
=
STR_EVAL_PATTERN
.
matcher
(
rlt
).
replaceAll
(
""
);
// Avoid expression(...) expressions
rlt
=
STR_EXP_PATTERN
.
matcher
(
rlt
).
replaceAll
(
""
);
// Avoid javascript:... expressions
rlt
=
STR_JS_PATTERN
.
matcher
(
rlt
).
replaceAll
(
""
);
// Avoid vbscript:... expressions
rlt
=
STR_VB_PATTERN
.
matcher
(
rlt
).
replaceAll
(
""
);
// Avoid onload= expressions
rlt
=
STR_ON_PATTERN
.
matcher
(
rlt
).
replaceAll
(
""
);
}
return
rlt
;
}
/**
* filter sql inject content
* @param value content
* @return java.lang.String content
*/
public
static
String
stripSqlInjection
(
String
value
)
{
return
(
null
==
value
)
?
null
:
SQL_PATTERN
.
matcher
(
value
).
replaceAll
(
""
);
}
/**
* filter sql inject and xss content
*
* @param value content
* @return java.lang.String content
*/
public
static
String
stripSqlXss
(
String
value
)
{
return
stripXss
(
stripSqlInjection
(
value
));
}
}
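Review bot: in `stripXss`, `rlt = value.replaceAll("", "")` is a no-op (an empty regex matches the empty string, which is then replaced with the empty string), and the comment above it says to uncomment an ESAPI call that is not in the file; either add the real canonicalization (`ESAPI.encoder().canonicalize(value)`) or remove both lines so readers do not assume encoded input is normalised before the patterns run. More generally this is a blacklist that silently rewrites input rather than rejecting it: each pattern is applied exactly once, so removing a match can leave a new match in the remaining text; `STR_ON` only covers `onload` and no other `on*` handler attribute; `SQL_PATTERN` is compiled without `CASE_INSENSITIVE` and looks for the literal `%7C` even though parameter values reach the wrapper already URL-decoded (the pipe character itself is not matched); and `('.+--)` greedily deletes everything from the first quote to a later `--`, which mangles ordinary text. The established mitigations are parameterised queries for SQL and context-aware output encoding for XSS; if this filter is kept as defence in depth, prefer rejecting the request with a 400 and logging the parameter name over altering the value, and if stripping is kept, repeat the passes until no pattern matches.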