How to Modify QueryParam and PathParam in Jersey 2

Problem description

I'm trying to filter/modify POST and PUT calls to make sure all parameters provided by the user are filtered from HTML and JS code to prevent XSS attacks. I would like to make sure this is implemented at the API level so that no matter what client is being used, it will be protected.

With Jersey 1.x, this was possible by implementing ContainerRequestFilter and modifying request.getQueryParameters() before they are matched with the requested servlets. Example: http://codehustler.org/blog/jersey-cross-site-scripting-xss-filter-for-java-web-apps/

With Jersey 2, however, this is not possible by implementing the same interface, since we can no longer call getQueryParameters() or getPathParameters(); instead, we are only able to call getUriInfo(), but that is useless since the query parameters are immutable. I looked into Jersey's Filters and Interceptors, but unfortunately they are limited to giving access to the headers and maybe cookies.

I spent a lot of time researching, but I couldn't find what I'm looking for.

Is there an alternative way to filter path and query parameters? Is there anything I'm missing?

Thanks!

Recommended answer

I've added a filter below that works with Jersey 2.x. However, it doesn't perform the XSS fixing for cookies, as I haven't found a way to modify those.

It is important to note that this needs to be used in combination with @SafeHtml on POJO properties in order to clean up those values.

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.UriBuilder;

@PreMatching
public class XSSFilter implements ContainerRequestFilter
{
    /**
     * @see ContainerRequestFilter#filter(ContainerRequestContext)
     */
    @Override
    public void filter( ContainerRequestContext request )
    {
        cleanQueryParams( request );
        cleanHeaders( request.getHeaders() );
    }


    /**
     * Replace the existing query parameters with ones stripped of XSS vulnerabilities.
     * Because the filter is @PreMatching, the rewritten URI is the one Jersey uses
     * for matching and for @QueryParam binding.
     * @param request
     */
    private void cleanQueryParams( ContainerRequestContext request )
    {
        UriBuilder builder = request.getUriInfo().getRequestUriBuilder();
        MultivaluedMap<String, String> queries = request.getUriInfo().getQueryParameters();

        for( Map.Entry<String, List<String>> query : queries.entrySet() )
        {
            String key = query.getKey();
            List<String> cleanValues = new ArrayList<String>();
            for( String value : query.getValue() ) {
                cleanValues.add( Utils.stripXSS( value ) );
            }

            // One call with every cleaned value: calling replaceQueryParam once per
            // value would keep only the last value of a multi-valued parameter.
            builder.replaceQueryParam( key, cleanValues.toArray() );
        }

        request.setRequestUri( builder.build() );
    }


    /**
     * Replace the existing headers with ones stripped of XSS vulnerabilities.
     * The header map is mutable in a pre-matching filter; put() on an existing
     * key is not a structural change, so iterating while replacing is safe.
     * @param headers
     */
    private void cleanHeaders( MultivaluedMap<String, String> headers )
    {
        for( Map.Entry<String, List<String>> header : headers.entrySet() )
        {
            String key = header.getKey();
            List<String> values = header.getValue();

            List<String> cleanValues = new ArrayList<String>();
            for( String value : values ) {
                cleanValues.add( Utils.stripXSS( value ) );
            }

            headers.put( key, cleanValues );
        }
    }
}

The stripXSS functions are the following:

import org.apache.commons.lang3.StringUtils; // assumption: commons-lang3; commons-lang's StringUtils works the same
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Entities.EscapeMode;
import org.jsoup.safety.Whitelist;
import org.owasp.esapi.ESAPI;

public final class Utils
{
    /**
     * Strips any potential XSS threats out of the value
     *
     * @param value
     * @return the value with all HTML removed
     */
    public static String stripXSS( String value )
    {
        return stripXSS( value, Whitelist.none() );
    }


    /**
     * Strips any potential XSS threats out of the value excluding
     * the white listed HTML
     *
     * @param value
     * @param whitelist
     * @return the value with all HTML outside the whitelist removed
     */
    public static String stripXSS( String value, Whitelist whitelist )
    {
        if( StringUtils.isBlank( value ) )
            return value;

        // Use the ESAPI library to avoid encoded attacks: canonicalize first so that
        // double-encoded or entity-encoded markup is decoded before it is cleaned.
        value = ESAPI.encoder().canonicalize( value );

        // Avoid null characters
        value = value.replaceAll( "\0", "" );

        // Clean out HTML; escapeMode xhtml keeps the output well-formed and
        // prettyPrint false avoids jsoup inserting whitespace into the value.
        Document.OutputSettings outputSettings = new Document.OutputSettings();
        outputSettings.escapeMode( EscapeMode.xhtml );
        outputSettings.prettyPrint( false );
        value = Jsoup.clean( value, "", whitelist, outputSettings );

        return value;
    }
}

The original post has also been updated: http://codehustler.org/blog/jersey-cross-site-scripting-xss-filter-for-java-web-apps/
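The answer above rewrites only the query string, while the question also asks about path parameters. The same setRequestUri technique in a @PreMatching filter covers both, because matching has not happened yet and the rewritten path is what @PathParam binding will see. The following is an added example, not code from the original post or from the codehustler blog; it assumes jsoup is on the classpath, that the API does not use matrix parameters (they are dropped when the path is rebuilt), and that the filter is registered with the application's ResourceConfig. Note that UriBuilder.build() rejects unresolved "{...}" template variables, so strip() removes braces as well.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.PathSegment;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jsoup.Jsoup;
import org.jsoup.safety.Whitelist;

// Added example: rewrites the request URI before matching so that path segments
// and query parameters are sanitized before Jersey binds @PathParam/@QueryParam.
@PreMatching
public class PathAndQuerySanitizingFilter implements ContainerRequestFilter
{
    @Override
    public void filter( ContainerRequestContext request )
    {
        UriInfo info = request.getUriInfo();
        UriBuilder builder = info.getRequestUriBuilder();

        // Path: getPathSegments() is relative to the base URI ("/api/" for example),
        // so prepend the base path and re-append each decoded segment after cleaning.
        // Matrix parameters are dropped here (assumption: the API does not use them).
        StringBuilder path = new StringBuilder( info.getBaseUri().getPath().replaceAll( "/+$", "" ) );
        for( PathSegment segment : info.getPathSegments() ) {
            path.append( '/' ).append( strip( segment.getPath() ) );
        }
        builder.replacePath( path.toString() );

        // Query: one replaceQueryParam call per key carrying all cleaned values,
        // so a multi-valued parameter (?tag=a&tag=b) keeps every value.
        for( Map.Entry<String, List<String>> entry : info.getQueryParameters().entrySet() ) {
            List<String> clean = new ArrayList<>();
            for( String value : entry.getValue() ) {
                clean.add( strip( value ) );
            }
            builder.replaceQueryParam( entry.getKey(), clean.toArray() );
        }

        request.setRequestUri( builder.build() );
    }

    // Remove all HTML (jsoup with an empty whitelist) and NUL characters. Braces are
    // removed too, since build() would otherwise reject them as unresolved templates.
    private static String strip( String value )
    {
        return Jsoup.clean( value, Whitelist.none() ).replace( "\0", "" ).replace( "{", "" ).replace( "}", "" );
    }
}
```

Values are cleaned in decoded form and re-encoded by the UriBuilder, so a segment such as "<b>x</b>" reaches the resource as "x" while ordinary reserved characters stay valid in the URI.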