如何在java过滤器中更改servlet请求体?

问题描述 投票:0回答:2

如何在java过滤器中更改请求体以防止XSS攻击?我建立HttpServletRequestWrapper并使用getparameter进行更改,但获得流关闭异常。

java servlets xss servlet-filters
2个回答
2
投票

XSS filter.Java

public class XSSFilter implements Filter {


@Override
public void init(FilterConfig filterConfig) throws ServletException {
}

@Override
public void destroy() {
}

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

    XSSRequestWrapper wrappedRequest = new XSSRequestWrapper(
            (HttpServletRequest) request);

    String body = IOUtils.toString(wrappedRequest.getReader());


    if(!"".equals(body))
    {
        JSONObject oldJsonObject = new JSONObject(body);
        JSONObject newJsonObject = new JSONObject();

        for(String key : oldJsonObject.keySet())
        {
            newJsonObject.put(key, XSSUtils.stripXSS(oldJsonObject.get(key).toString()));
        }
        wrappedRequest.resetInputStream(newJsonObject.toString().getBytes());

    }


    chain.doFilter(wrappedRequest, response);
 }
}

XSSRequestWrapper .java

public class XSSRequestWrapper extends HttpServletRequestWrapper {


private byte[] rawData;
private HttpServletRequest request;
private ResettableServletInputStream servletStream;

public XSSRequestWrapper(HttpServletRequest request) {
    super(request);
    this.request = request;
    this.servletStream = new ResettableServletInputStream();
}


public void resetInputStream(byte[] newRawData) {
    servletStream.stream = new ByteArrayInputStream(newRawData);
}

@Override
public ServletInputStream getInputStream() throws IOException {
    if (rawData == null) {
        rawData = IOUtils.toByteArray(this.request.getReader());
        servletStream.stream = new ByteArrayInputStream(rawData);
    }
    return servletStream;
}

@Override
public BufferedReader getReader() throws IOException {
    if (rawData == null) {
        rawData = IOUtils.toByteArray(this.request.getReader());
        servletStream.stream = new ByteArrayInputStream(rawData);
    }
    return new BufferedReader(new InputStreamReader(servletStream));
}

private class ResettableServletInputStream extends ServletInputStream {

    private InputStream stream;

    @Override
    public int read() throws IOException {
        return stream.read();
     }
   }
 }

XSSUtils .java

public class XSSUtils {

private XSSUtils()
{

}

public static String stripXSS(String value) {
    return value == null ? value : escapeHtml4(value);
  }
}
0
投票

由于我没有足够的声誉来添加评论,我将其添加为答案。 3年后,我找到了接受的答案,以节省我的时间。与此同时,我不得不解决几件问题,因此增加......

(1)一个bug(缺少对rawData的赋值)

public void resetInputStream(byte[] newRawData) {
    rawData = newRawData;
    servletStream.stream = new ByteArrayInputStream(newRawData);
}

(2)随着时间的推移需要改变。参考:https://stackoverflow.com/questions/29208456/httpservletrequestwrapper-example-implementation-for-setreadlistener-isfinish

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.