测试 xss攻击

license/pom.xml

@@ -115,6 +115,35 @@
             <artifactId>bcprov-jdk15to18</artifactId>
             <version>1.69</version>
         </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>5.8.2</version>
+            <scope>compile</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-params</artifactId>
+            <version>5.8.2</version>
+            <scope>compile</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.owasp.antisamy</groupId>
+            <artifactId>antisamy</artifactId>
+            <version>1.6.2</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.9</version>
+        </dependency>
+
     </dependencies>
 
     <build>

license/src/main/java/iot/sixiang/license/controller/OperateController.java

@@ -54,8 +54,6 @@ public class OperateController {
     private MonitorService monitorService;
     @Autowired
     private ForwardManager forwardManager;
-    @Autowired
-    HttpServletResponse response;
 
     @InitBinder
     public void initBinder(WebDataBinder binder) {

license/src/main/java/iot/sixiang/license/xss/AntiSamyConfig.java

+package iot.sixiang.license.xss;
+
+/**
+ * Title: AntiSamyConfig
+ * Description: TODO
+ *
+ * @author tianlai3
+ * @date 2022-07-17 01:18:02
+ */
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
+
+import javax.servlet.Filter;
+
+
+@Configuration
+public class AntiSamyConfig {
+
+    /**
+     * 配置XSS过滤器
+     *
+     * @return FilterRegistrationBean
+     */
+    @Bean
+    public FilterRegistrationBean<Filter> filterRegistrationBean() {
+        FilterRegistrationBean<Filter> filterRegistrationBean = new FilterRegistrationBean<>(new XssFilter2());
+        filterRegistrationBean.addUrlPatterns("/iot_license/*");
+        filterRegistrationBean.setOrder(1);
+        return filterRegistrationBean;
+    }
+
+    /**
+     * 用于过滤Json类型数据的解析器
+     *
+     * @param builder Jackson2ObjectMapperBuilder
+     * @return ObjectMapper
+     */
+    @Bean
+    public ObjectMapper xssObjectMapper(Jackson2ObjectMapperBuilder builder) {
+        // 创建解析器
+        ObjectMapper objectMapper = builder.createXmlMapper(false).build();
+        // 注册解析器
+        SimpleModule simpleModule = new SimpleModule("XssStringJsonSerializer");
+        simpleModule.addSerializer(new XssRequestWrapper2.XssStringJsonSerializer());
+        objectMapper.registerModule(simpleModule);
+        return objectMapper;
+    }
+}
\ No newline at end of file

license/src/main/java/iot/sixiang/license/xss/XssFilter.java

@@ -16,8 +16,8 @@ import java.io.IOException;
  * @Date 2022/6/29 11:11
  * @Description
  */
-@WebFilter(filterName = "xssFilter", urlPatterns = "/iot_license/*", asyncSupported = true)
-@Component
+//@WebFilter(filterName = "xssFilter", urlPatterns = "/iot_license/*", asyncSupported = true)
+//@Component
 public class XssFilter implements Filter {
 
     /**

license/src/main/java/iot/sixiang/license/xss/XssFilter2.java

+package iot.sixiang.license.xss;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+//@WebFilter(filterName = "xssFilter", urlPatterns = "/iot_license/*", asyncSupported = true)
+//@Component
+public class XssFilter2 implements Filter {
+
+    private FilterConfig filterConfig;
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        this.filterConfig = filterConfig;
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+            throws IOException, ServletException {
+        // 拦截请求，处理XSS过滤
+        HttpServletRequest req = (HttpServletRequest) request;
+        HttpServletResponse resp = (HttpServletResponse) response;
+        XssRequestWrapper2 xssRequest = new XssRequestWrapper2(req);
+
+        chain.doFilter(xssRequest, resp);
+    }
+
+    @Override
+    public void destroy() {
+        this.filterConfig = null;
+    }
+}
\ No newline at end of file

license/src/main/java/iot/sixiang/license/xss/XssRequestWrapper2.java

+package iot.sixiang.license.xss;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
+import org.owasp.validator.html.*;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Objects;
+
+/**
+ * Title: XssRequestWrapper2
+ * Description: TODO
+ *
+ * @author tianlai3
+ * @date 2022-07-16 22:48:55
+ */
+@Slf4j
+public class XssRequestWrapper2 extends HttpServletRequestWrapper {
+    private static Policy policy = null;
+
+    static {
+        try {
+            // 获取策略文件路径，策略文件需要放到项目的classpath下
+            String antiSamyPath = Objects
+                    .requireNonNull(XssRequestWrapper2.class.getClassLoader().getResource("antisamy-ebay.xml")).getFile();
+            log.info(antiSamyPath);
+            // 获取的文件路径中有空格时，空格会被替换为%20，在new一个File对象时会出现找不到路径的错误
+            // 对路径进行解码以解决该问题
+            antiSamyPath = URLDecoder.decode(antiSamyPath, "utf-8");
+            log.info(antiSamyPath);
+            // 指定策略文件
+            policy = Policy.getInstance(antiSamyPath);
+        } catch (UnsupportedEncodingException | PolicyException e) {
+            log.warn(e.getMessage());
+        }
+    }
+
+    public XssRequestWrapper2(HttpServletRequest request) {
+        super(request);
+    }
+
+    /**
+     * 过滤请求头
+     *
+     * @param name 参数名
+     * @return 参数值
+     */
+    @Override
+    public String getHeader(String name) {
+        String header = super.getHeader(name);
+        // 如果Header为空，则直接返回，否则进行清洗
+        return StringUtils.isBlank(header) ? header : xssClean(header);
+    }
+
+    /**
+     * 过滤请求参数
+     *
+     * @param name 参数名
+     * @return 参数值
+     */
+    @Override
+    public String getParameter(String name) {
+        String parameter = super.getParameter(name);
+        // 如果Parameter为空，则直接返回，否则进行清洗
+        return StringUtils.isBlank(parameter) ? parameter : xssClean(parameter);
+    }
+
+    /**
+     * 过滤请求参数（一个参数可以有多个值）
+     *
+     * @param name 参数名
+     * @return 参数值数组
+     */
+    @Override
+    public String[] getParameterValues(String name) {
+        String[] parameterValues = super.getParameterValues(name);
+        if (parameterValues != null) {
+            int length = parameterValues.length;
+            String[] newParameterValues = new String[length];
+            for (int i = 0; i < length; i++) {
+                log.info("AntiSamy清理之前的参数值：" + parameterValues[i]);
+                // 清洗参数
+                newParameterValues[i] = xssClean(parameterValues[i]);
+                log.info("AntiSamy清理之后的参数值：" + newParameterValues[i]);
+            }
+            return newParameterValues;
+        }else{
+            return null;
+        }
+    }
+
+//    @Override
+//    public String[] getParameterValues(String parameter) {
+//
+//        String[] values = super.getParameterValues(parameter);
+//
+//        if (values == null) {
+//
+//            return null;
+//
+//        }
+//
+//        int count = values.length;
+//
+//        String[] encodedValues = new String[count];
+//
+//        for (int i = 0; i < count; i++) {
+////            cleanSQLInject(values[i]);
+//            encodedValues[i] = xssClean(values[i]);
+//
+//        }
+//
+//        return encodedValues;
+//
+//    }
+//    @Override
+//    public Map<String, String[]> getParameterMap() {
+//        Map<String, String[]> requestMap = super.getParameterMap();
+//
+//
+//        requestMap.forEach((key, value) -> {
+//            for (int i = 0; i < value.length; i++) {
+//                log.info(value[i]);
+//                value[i] = xssClean(value[i]);
+//                log.info(value[i]);
+//            }
+//        });
+//        return requestMap;
+//    }
+
+    /**
+     * 使用AntiSamy清洗数据
+     *
+     * @param value 需要清洗的数据
+     * @return 清洗后的数据
+     */
+    private String xssClean(String value) {
+        try {
+            AntiSamy antiSamy = new AntiSamy();
+            // 使用AntiSamy清洗数据
+            final CleanResults cleanResults = antiSamy.scan(value, policy);
+            // 获得安全的HTML输出
+            value = cleanResults.getCleanHTML();
+            // 对转义的HTML特殊字符（<、>、"等）进行反转义，因为AntiSamy调用scan方法时会将特殊字符转义
+            return StringEscapeUtils.unescapeHtml4(value);
+        } catch (ScanException | PolicyException e) {
+            log.warn(e.getMessage());
+        }
+        return value;
+    }
+
+    /**
+     * 通过修改Json序列化的方式来完成Json格式的XSS过滤
+     */
+    public static class XssStringJsonSerializer extends JsonSerializer<String> {
+
+        @Override
+        public Class<String> handledType() {
+            return String.class;
+        }
+
+        @Override
+        public void serialize(String value, JsonGenerator gen, SerializerProvider serializers) throws IOException {
+            if (!StringUtils.isBlank(value)) {
+                try {
+                    AntiSamy antiSamy = new AntiSamy();
+                    final CleanResults cleanResults = antiSamy.scan(value, XssRequestWrapper2.policy);
+                    gen.writeString(StringEscapeUtils.unescapeHtml4(cleanResults.getCleanHTML()));
+                } catch (ScanException | PolicyException e) {
+                    log.warn(e.getMessage());
+                }
+            }
+        }
+    }
+}
\ No newline at end of file

license/src/main/resources/antisamy.xsd

+<?xml version="1.0" encoding="UTF-8"?>
+<xsd:schema
+	xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+	<xsd:element name="anti-samy-rules">
+	
+		<xsd:complexType>
+	
+		<xsd:sequence>
+			<xsd:element name="directives" type="Directives" maxOccurs="1" minOccurs="1"/>
+			<xsd:element name="common-regexps" type="CommonRegexps" maxOccurs="1" minOccurs="1"/>
+			<xsd:element name="common-attributes" type="AttributeList" maxOccurs="1" minOccurs="1"/>
+			<xsd:element name="global-tag-attributes" type="AttributeList" maxOccurs="1" minOccurs="1"/>
+			<xsd:element name="tags-to-encode" type="TagsToEncodeList" minOccurs="0" maxOccurs="1"/>
+			<xsd:element name="tag-rules" type="TagRules" minOccurs="1" maxOccurs="1"/>
+			<xsd:element name="css-rules" type="CSSRules" minOccurs="1" maxOccurs="1"/>
+            <xsd:element name="allowed-empty-tags" type="AllowedEmptyTags" minOccurs="0" maxOccurs="1"/>
+
+		</xsd:sequence>
+
+		</xsd:complexType>
+	</xsd:element>
+	<xsd:complexType name="Directives">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="directive" type="Directive" minOccurs="0"/>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="Directive">
+	
+		<xsd:attribute name="name" use="required"/>
+		<xsd:attribute name="value" use="required"/>
+	
+	</xsd:complexType>
+	
+	<xsd:complexType name="CommonRegexps">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="regexp" type="RegExp" minOccurs="0"/>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="AttributeList">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="attribute" type="Attribute" minOccurs="0"/>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="TagsToEncodeList">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="tag" minOccurs="0"/>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="TagRules">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="tag" type="Tag" minOccurs="0"/>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="Tag">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="attribute" type="Attribute" minOccurs="0" />
+		</xsd:sequence>
+		
+		<xsd:attribute name="name" use="required"/>
+		<xsd:attribute name="action" use="required"/>
+		
+	</xsd:complexType>
+
+    <xsd:complexType name="AllowedEmptyTags">
+        <xsd:sequence>
+            <xsd:element name="literal-list" type="LiteralList" minOccurs="1"/>
+        </xsd:sequence>
+    </xsd:complexType>
+
+	<xsd:complexType name="Attribute">
+		<xsd:sequence>
+			<xsd:element name="regexp-list" type="RegexpList" minOccurs="0"/>
+			<xsd:element name="literal-list" type="LiteralList" minOccurs="0"/>
+		</xsd:sequence>
+		<xsd:attribute name="name" use="required"/>
+		<xsd:attribute name="description"/>
+		<xsd:attribute name="onInvalid"/>
+	</xsd:complexType>
+	
+
+	<xsd:complexType name="RegexpList">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="regexp" type="RegExp" minOccurs="0"/>
+		</xsd:sequence>
+	</xsd:complexType>
+	
+	<xsd:complexType name="RegExp">
+		<xsd:attribute name="name" type="xsd:string"/>
+		<xsd:attribute name="value" type="xsd:string"/>
+	</xsd:complexType>
+
+	<xsd:complexType name="LiteralList">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="literal" type="Literal" minOccurs="0"/>
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:complexType name="Literal">
+		<xsd:attribute name="value" type="xsd:string"/>
+	</xsd:complexType>
+	
+	<xsd:complexType name="CSSRules">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="property" type="Property" minOccurs="0"/>
+		</xsd:sequence>		
+	</xsd:complexType>
+	
+	<xsd:complexType name="Property">
+		<xsd:sequence>
+			<xsd:element name="category-list" type="CategoryList" minOccurs="0"/>
+			<xsd:element name="literal-list" type="LiteralList" minOccurs="0"/>
+			<xsd:element name="regexp-list" type="RegexpList" minOccurs="0"/>
+			<xsd:element name="shorthand-list" type="ShorthandList" minOccurs="0"/>
+		</xsd:sequence>
+		<xsd:attribute name="name" type="xsd:string" use="required"/>
+		<xsd:attribute name="default" type="xsd:string"/>
+		<xsd:attribute name="description" type="xsd:string"/>
+	</xsd:complexType>
+
+	
+	<xsd:complexType name="ShorthandList">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="shorthand" type="Shorthand" minOccurs="0"/>
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:complexType name="Shorthand">
+		<xsd:attribute name="name" type="xsd:string" use="required"/>
+	</xsd:complexType>	
+	
+	<xsd:complexType name="CategoryList">
+		<xsd:sequence maxOccurs="unbounded">
+			<xsd:element name="category" type="Category" minOccurs="0"/>
+		</xsd:sequence>
+	</xsd:complexType>
+
+	<xsd:complexType name="Category">
+		<xsd:attribute name="value" type="xsd:string" use="required"/>
+	</xsd:complexType>
+	
+
+	<xsd:complexType name="Entity">
+		<xsd:attribute name="name" type="xsd:string" use="required"/>	
+		<xsd:attribute name="cdata" type="xsd:string" use="required"/>
+	</xsd:complexType>
+</xsd:schema>