如何使用Spring Boot验证和清理HTTP Get? [英] How to validate and sanitize HTTP Get with Spring Boot?
问题描述
我一直从Checkmarx代码扫描器中收到这个烦人的错误,
I keep getting this annoying error from Checkmarx code scanner,
Method getTotalValue at line 220 of src\java\com\example\PeopleController.java
gets user input for the personName element. This element’s value then flows through
the code without being properly sanitized or validated and is eventually
displayed to the user. This may enable a Cross-Site-Scripting attack.
这是我的代码.我想我做了所有必要的验证.还有什么?
@Slf4j
@Configuration
@RestController
@Validated
public class PeopleController {
@Autowired
private PeopleRepository peopleRepository;
@RequestMapping(value = "/api/getTotalValue/{personName}", method = RequestMethod.GET)
@ResponseBody
public Integer getTotalValue(@Size(max = 20, min = 1, message = "person is not found")
@PathVariable(value="personName", required=true) String personName) {
PersonObject po = peopleRepository.findByPersonName(
Jsoup.clean(personName, Whitelist.basic()));
try {
return po.getTotalValue();
} catch (Exception e) {
e.printStackTrace();
return 0;
}
}
@ExceptionHandler
public String constraintViolationHandler(ConstraintViolationException ex) {
return ex.getConstraintViolations().iterator().next()
.getMessage();
}
}
必须缺少一些验证.如何使用Spring Boot正确验证HTTP GET
There must be some missing validation. How to validate HTTP GET properly with Spring Boot
推荐答案
使用这些扫描工具时需要特别小心,因为有时这些工具确实报告误报,有时不需要更改代码.我不是checkmarx的专家,但是请确保该工具确实了解您正在使用&的bean验证批注.呼叫Jsoup.clean(personName, Whitelist.basic()).
You need to be a bit careful with these scanning tools as sometimes these tools do report false positives and sometimes no code changes are required. I am no expert of checkmarx but be sure that this tool really understands bean validation annotations that you are using & the call Jsoup.clean(personName, Whitelist.basic()) .
我认为我已进行了所有必要的验证.还有什么?
I think I did ALL the validation necessary. What else???
首先,您需要了解应用程序级别之间的区别输入卫生&控制器的业务级别输入验证.您在这里所做的是第二部分&首先可能是从安全性角度&通常针对整个应用程序进行设置.
First you need to understand the different between application level input sanitation & business level input validation for a controller. What you are doing here is second part & first might be missing in your set up which is exclusively done from security perspective & usually set up for whole application.
您正在使用@Size批注来限制输入的大小,但这不能保证字符串不正确-可能导致XSS攻击的字符串.然后,您正在使用调用Jsoup.clean(personName, Whitelist.basic()))清理此已验证大小的输入.由于我不确定该调用的作用,因此您需要确保新值是XSS-Safe.您将立即将该值传递给数据库调用&然后将Integer返回给呼叫者/客户端,所以我对这里发生XSS攻击的可能性非常悲观,但是工具却这么说.
You are using @Size annotation to limit an input's size but that doesn't guarantee about bad strings - strings that can cause XSS attacks. Then, you are using call Jsoup.clean(personName, Whitelist.basic())) to clean this size validated input. As I am not sure what that call does so you need to ensure that new value is XSS - Safe. You are immediately passing that value to DB call & then returning an Integer to caller/client so I am very pessimist about any possibility of an XSS attack here but tool is saying so.
必须缺少一些验证.如何验证HTTP GET 使用Spring Boot正确地
There must be some missing validation. How to validate HTTP GET properly with Spring Boot
正如我之前解释的那样,输入验证是一个通常用于业务逻辑级别输入验证的术语,而输入清理/清理是关于安全性的.在Spring Boot环境中,通常使用 Spring Security API &启用XSS过滤器,或编写自己的XSS过滤器并将其插入应用程序.过滤器排在最前面,您的控制器在后面,因此您的控制器将始终具有消毒值&您将根据该净化后的价值进行业务验证.
As I explained earlier, input validation is a term usually meant for business logic level input validation while input sanitization / clean up is about security. In Spring Boot environment, this is usually done by using Spring Security APIs & enabling XSS filters or by writing your own XSS filter and plug it in your application. Filter comes first and your controller later so your controller will always have a sanitized value & you will apply business validations on that sanitized value.
这是一个广泛的答案&对于代码等,你可能会谷歌.还建议阅读更多有关XSS攻击的信息.只需了解有多种方法可以实现相同的目标.
This is a broad level answer & for code etc you might do google. Also suggest to read more about XSS attacks. Just understand that there are multiple ways to accomplish same goal.
最后一个链接中提到的
防止这种攻击的第一步是输入验证. 用户输入的所有内容均应经过精确验证, 因为用户的输入可能会找到通往输出的方式.
The first step in the prevention of this attack is Input validation. Everything, that is entered by the user should be precisely validated, because the user’s input may find its way to the output.
&您没有在代码中执行操作,因此我猜没有XSS.
& that you are not doing in your code so I would guess that there is no XSS.
XSS安全性有两个方面-第一,不允许对服务器端代码的恶意输入&通过使用XSS过滤器和有时,允许恶意输入没有任何危害(假设您将恶意输入保存到DB或返回API响应).
There are two aspects of XSS security - first not allowing malicious input to server side code & that would be done by having an XSS filter & Sometimes, there is no harm in allowing malicious input ( lets say you are saving that malicious input to DB or returning in API response ) .
第二个方面是指示HTML客户端进行可能的XSS攻击(如果我们确定API客户端将是HTML/UI的话),那么我们需要添加X-XSS-Protection标头&这将通过以下代码完成.这将使浏览器可以打开其XSS保护功能(如果有).
Second aspect is instructing HTML clients about possible XSS attacks ( if we know for sure that API client is going to be HTML / UI ) then we need to add X-XSS-Protection header & that would be done by below code. This will enable browser to turn on its XSS protection feature ( if present ) .
@Override 受保护的void configure(HttpSecurity http)引发异常{
@Override protected void configure(HttpSecurity http) throws Exception {
http.headers().xssProtection()....
}
什么是http-header"X-XSS-Protection" ?
默认情况下是否启用了Spring安全性中的Xss保护? /a>
Is Xss protection in Spring security enabled by default?
对于第一个方面,即编写过滤器-请此答案并在该答案中链接.
For first aspect i.e. writing filter - refer my this answer and links in that answer.
我想,我在上面错误地写道,Spring Security提供了输入卫生过滤器,我猜是没有.将会验证并告知您.我已经在回答此问题的行中写了我的自定义过滤器-在Spring中防止XSS MVC控制器
I think, I have wrongly written above that Spring Security provides input sanitation filters , I guess , it doesn't. Will verify and let you know. I have written my custom filter on the lines mentioned in answer to this question - Prevent XSS in Spring MVC controller
您还必须了解,Spring Boot也习惯于编写传统的MVC应用程序,其中服务器端也提供了HTML来呈现.对于JSON响应(REST API),UI客户端可以控制要转义的内容和不转义的内容,这会导致复杂性,因为JSON输出并不总是馈送给HTML客户端(也就是浏览器).
You have to also understand that Spring Boot gets used to write traditional MVC apps too where server side presents HTML to render too . In case of JSON responses ( REST APIs ) , UI client can control what to escape and what not, complexity arises because JSON output is not always fed to HTML clients aka browsers.
这篇关于如何使用Spring Boot验证和清理HTTP Get?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
