Struts2 Xss 攻击预防的处理

  1. 云栖社区>
  2. 博客列表>
  3. 正文

Struts2 Xss 攻击预防的处理

单红宇 2016-02-27 14:38:59 浏览11294 评论3

摘要: 关于XSS问题的处理,此前在博客 http://blog.csdn.net/catoop/article/details/50338259 中写过处理方法。刚好最近朋友有问到“在Struts2中按文章中那样处理无效”,后来验证了下发现,Struts2 对请求的二次封装有所不同,于是针对Struts.

关于XSS问题的处理,此前在博客 http://blog.csdn.net/catoop/article/details/50338259 中写过处理方法。刚好最近朋友有问到“在Struts2中按文章中那样处理无效”,后来验证了下发现,Struts2 对请求的二次封装有所不同,于是针对Struts2如何处理XSS问题,按照本文的方法可以解决。

其主要思路就是,重写了StrutsPrepareAndExecuteFilter过滤器。

正常情况下我们在web.xml 中配置StrutsPrepareAndExecuteFilter的代码为:

…………
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
    </filter>
…………

将文章后面的几个类保存到项目中后,修改web.xml 的配置,指定我们新的MStrutsPrepareAndExecuteFilter类,代码如下:

…………
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>cn.gx.wedding.common.struts2.MStrutsPrepareAndExecuteFilter</filter-class>
    </filter>
…………

下面是相关的4个类源码(直接下载附件也行)
MDispatcher.java
MMultiPartRequestWrapper.java
MStrutsPrepareAndExecuteFilter.java
MStrutsRequestWrapper.java

这里说明下,因为struts2的源码中这4个类存在紧密的依赖耦合,所以只能把这4个类都重写出来,实际上其中并没有修改什么(详见MMultiPartRequestWrapper.java 和 MStrutsRequestWrapper.java)。

package cn.gx.wedding.common.struts2;

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.dispatcher.StrutsRequestWrapper;

import cn.gx.wedding.util.XssShieldUtil;

public class MStrutsRequestWrapper extends StrutsRequestWrapper {

    public MStrutsRequestWrapper(HttpServletRequest req) {
        super(req);
    }
    
    public MStrutsRequestWrapper(HttpServletRequest req, boolean bool) {
        super(req, bool);
    }

    @Override
    public String getParameter(String name) {
        name = XssShieldUtil.stripXss(name);
        // 返回值之前 先进行过滤
        return XssShieldUtil.stripXss(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        name = XssShieldUtil.stripXss(name);
        // 返回值之前 先进行过滤
        String[] values = super.getParameterValues(name);
        if(values != null){
            for (int i = 0; i < values.length; i++) {
                values[i] = XssShieldUtil.stripXss(values[i]);
            }
        }
        return values;
    }

    @Override
    public Enumeration<String> getParameterNames() {
//        Enumeration<String> names = super.getParameterNames();
//        while(names.hasMoreElements()){
//            String name = names.nextElement();
//            name = XssShieldUtil.stripXss(name);
//        }
//        return names;
        
        return super.getParameterNames();
    }
    
}
package cn.gx.wedding.common.struts2;

import java.io.File;
import java.io.IOException;
import java.util.Map;

import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.StrutsConstants;
import org.apache.struts2.dispatcher.Dispatcher;
import org.apache.struts2.dispatcher.StrutsRequestWrapper;
import org.apache.struts2.dispatcher.multipart.MultiPartRequest;
import org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper;

import com.opensymphony.xwork2.LocaleProvider;
import com.opensymphony.xwork2.inject.Inject;
import com.opensymphony.xwork2.util.logging.Logger;
import com.opensymphony.xwork2.util.logging.LoggerFactory;

public class MDispatcher extends Dispatcher {

    /**
     * Provide a logging instance.
     */
    private static final Logger LOG = LoggerFactory.getLogger(MDispatcher.class);
    
    /**
     * Store state of StrutsConstants.DISABLE_REQUEST_ATTRIBUTE_VALUE_STACK_LOOKUP setting.
     */
    private boolean disableRequestAttributeValueStackLookup;
    
    private ServletContext servletContext;
    private Map<String, String> initParams;

    private String multipartSaveDir;
    
    /**
     * Store state of StrutsConstants.STRUTS_DEVMODE setting.
     */
    private boolean devMode;
    
    public MDispatcher(ServletContext servletContext, Map<String, String> initParams) {
        super(servletContext, initParams);
        this.servletContext = servletContext;
        this.initParams = initParams;
    }
    
    @Override
    public HttpServletRequest wrapRequest(HttpServletRequest request, ServletContext servletContext)
            throws IOException {
         // don't wrap more than once
        if (request instanceof StrutsRequestWrapper) {
            return request;
        }

        String content_type = request.getContentType();
        if (content_type != null && content_type.contains("multipart/form-data")) {
            MultiPartRequest mpr = getMultiPartRequest();
            LocaleProvider provider = getContainer().getInstance(LocaleProvider.class);
            request = new MMultiPartRequestWrapper(mpr, request, getSaveDir(servletContext), provider);
        } else {
            request = new MStrutsRequestWrapper(request, disableRequestAttributeValueStackLookup);
        }

        return request;
    }

    private String getSaveDir(ServletContext servletContext) {
        String saveDir = multipartSaveDir.trim();

        if (saveDir.equals("")) {
            File tempdir = (File) servletContext.getAttribute("javax.servlet.context.tempdir");
            if (LOG.isInfoEnabled()) {
            LOG.info("Unable to find 'struts.multipart.saveDir' property setting. Defaulting to javax.servlet.context.tempdir");
            }

            if (tempdir != null) {
                saveDir = tempdir.toString();
                setMultipartSaveDir(saveDir);
            }
        } else {
            File multipartSaveDir = new File(saveDir);

            if (!multipartSaveDir.exists()) {
                if (!multipartSaveDir.mkdirs()) {
                    String logMessage;
                    try {
                        logMessage = "Could not find create multipart save directory '" + multipartSaveDir.getCanonicalPath() + "'.";
                    } catch (IOException e) {
                        logMessage = "Could not find create multipart save directory '" + multipartSaveDir.toString() + "'.";
                    }
                    if (devMode) {
                        LOG.error(logMessage);
                    } else {
                        if (LOG.isWarnEnabled()) {
                            LOG.warn(logMessage);
                        }
                    }
                }
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("saveDir=" + saveDir);
        }

        return saveDir;
    }
    
    /**
     * Modify state of StrutsConstants.STRUTS_MULTIPART_SAVEDIR setting.
     * @param val New setting
     */
    @Override
    @Inject(StrutsConstants.STRUTS_MULTIPART_SAVEDIR)
    public void setMultipartSaveDir(String val) {
        multipartSaveDir = val;
    }
    
    /**
     * Modify state of StrutsConstants.STRUTS_DEVMODE setting.
     * @param mode New setting
     */
    @Override
    @Inject(StrutsConstants.STRUTS_DEVMODE)
    public void setDevMode(String mode) {
        devMode = "true".equals(mode);
    }
}
package cn.gx.wedding.common.struts2;

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.dispatcher.multipart.MultiPartRequest;
import org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper;

import cn.gx.wedding.util.XssShieldUtil;

import com.opensymphony.xwork2.LocaleProvider;

public class MMultiPartRequestWrapper extends MultiPartRequestWrapper {

    public MMultiPartRequestWrapper(MultiPartRequest multiPartRequest, HttpServletRequest request, String saveDir,
            LocaleProvider provider) {
        super(multiPartRequest, request, saveDir, provider);
    }

    @Override
    public String getParameter(String name) {
        name = XssShieldUtil.stripXss(name);
        // 返回值之前 先进行过滤
        return XssShieldUtil.stripXss(super.getParameter(name));
    }

    @Override
    public String[] getParameterValues(String name) {
        name = XssShieldUtil.stripXss(name);
        // 返回值之前 先进行过滤
        String[] values = super.getParameterValues(name);
        if(values != null){
            for (int i = 0; i < values.length; i++) {
                values[i] = XssShieldUtil.stripXss(values[i]);
            }
        }
        return values;
    }

    @Override
    public Enumeration<String> getParameterNames() {
//        Enumeration<String> names = super.getParameterNames();
//        while(names.hasMoreElements()){
//            String name = names.nextElement();
//            name = XssShieldUtil.stripXss(name);
//        }
//        return names;
        
        return super.getParameterNames();
    }
    
}
package cn.gx.wedding.common.struts2;

import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.servlet.FilterConfig;
import javax.servlet.ServletException;

import org.apache.struts2.dispatcher.Dispatcher;
import org.apache.struts2.dispatcher.ng.ExecuteOperations;
import org.apache.struts2.dispatcher.ng.HostConfig;
import org.apache.struts2.dispatcher.ng.InitOperations;
import org.apache.struts2.dispatcher.ng.PrepareOperations;
import org.apache.struts2.dispatcher.ng.filter.FilterHostConfig;
import org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter;

public class MStrutsPrepareAndExecuteFilter extends StrutsPrepareAndExecuteFilter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        InitOperations init = new InitOperations();
        Dispatcher dispatcher = null;
        try {
            FilterHostConfig config = new FilterHostConfig(filterConfig);
            init.initLogging(config);
            dispatcher = initDispatcher(config);
            init.initStaticContentLoader(config, dispatcher);

            prepare = new PrepareOperations(filterConfig.getServletContext(), dispatcher);
            execute = new ExecuteOperations(filterConfig.getServletContext(), dispatcher);
            this.excludedPatterns = init.buildExcludedPatternsList(dispatcher);

            postInit(dispatcher, filterConfig);
        } finally {
            if (dispatcher != null) {
                dispatcher.cleanUpAfterInit();
            }
            init.cleanup();
        }
    }

    /**
     * Creates and initializes the dispatcher
     */
    public Dispatcher initDispatcher(HostConfig filterConfig) {
        Dispatcher dispatcher = createDispatcher(filterConfig);
        dispatcher.init();
        return dispatcher;
    }

    /**
     * Create a {@link Dispatcher}
     */
    private Dispatcher createDispatcher(HostConfig filterConfig) {
        Map<String, String> params = new HashMap<String, String>();
        for (Iterator e = filterConfig.getInitParameterNames(); e.hasNext();) {
            String name = (String) e.next();
            String value = filterConfig.getInitParameter(name);
            params.put(name, value);
        }
        return new MDispatcher(filterConfig.getServletContext(), params);
    }
}

如果使用的是springmvc、springboot等其他“非struts2”的框架,请参考 http://blog.csdn.net/catoop/article/details/50338259

附件下载: struts2-...[单红宇].1456555076.rar

用云栖社区APP,舒服~

【云栖快讯】云栖社区技术交流群汇总,阿里巴巴技术专家及云栖社区专家等你加入互动,老铁,了解一下?  详情请点击

网友评论

1F
菜鸟林

按照你写的方法,好像也没有起到过滤作用,我的qq: 1991403, 能否指导一下?

热泪盈眶

MMultiPartRequestWrapper、 MStrutsRequestWrapper这两个类需要再追加重写一个方法:public Map getParameterMap();方法:
@Override

public Map getParameterMap(){
    Map<String, String[]> paramMap = super.getParameterMap();
    Set<String> keySet = paramMap.keySet();
    for (Iterator iterator = keySet.iterator(); iterator.hasNext();) {
      String key = (String) iterator.next();
      String[] str = paramMap.get(key);
      if(str != null){
          for(int i = 0; i < str.length; i++){
              str[i] = XssShieldUtil.stripXss(str[i]);
          }
      }
     

// for(int i=0; i// str[i] = str[i]+"1";

//这里可以对页面传入的所有值进行过滤了,你想怎么处理就怎么处理。比如对出入的值进行html危险字符过滤
   }
    return paramMap ;
}
评论
2F
1850217498167868

当有上传文件的form提交时会报空指针。。

1220580302647675

是不是getsavedir报的空指针,请问怎么处理的

评论
3F
俨然

MDispatcher重写的wrapRequest的方法 应该为不带servletContext参数的:public HttpServletRequest wrapRequest(HttpServletRequest request) throws IOException

单红宇
文章245篇 | 关注92
关注
基于云安全大数据能力实现,通过防御SQL注入、XSS跨站脚本、常见Web服务器插件漏洞、木马... 查看详情
针对互联网服务器(包括非阿里云主机)在遭受大流量的DDoS攻击后导致服务不可用的情况下,推出... 查看详情
通过机器学习和数据建模发现潜在的入侵和攻击威胁,帮助客户建设自己的安全监控和防御体系,从而解... 查看详情
为您提供简单高效、处理能力可弹性伸缩的计算服务,帮助您快速构建更稳定、安全的应用,提升运维效... 查看详情
建站4折

建站4折