How to Modify QueryParam and PathParam in Jersey 2

Question

I'm trying to filter/modify Post and Put calls to make sure all parameters provided by the user are filtered from HTML and JS code to prevent XSS attacks. I would like to make sure this is implemented at the API level so no matter what client is being used, it will be protected.

With Jersey 1.x, this was possible by implementing ContainerRequestFilter and modifying request.getQueryParameters() before they are matched with the requested servlets. Example: http://codehustler.org/blog/jersey-cross-site-scripting-xss-filter-for-java-web-apps/

With Jersey 2 however, this is not possible by implementing the same interface since we can no longer getQueryParameters() or getPathParameters(), but instead, we are only able to getUriInfo(), but then it's useless since the query parameters are immutable. I looked into Jersey's Filters and Interceptors but unfortunately they are limited to giving access to the headers and maybe cookies.

I spent a lot of time researching but I couldn't find what I'm looking for.

Is there an alternative way to filter path and query parameters? Is there anything I'm missing?

Thanks!

Recommended answer

I've added a filter below that works with Jersey 2.x. However, it doesn't perform the XSS fixing for Cookies as I haven't found a way to modify those.

Important to note that this needs to be used in combination with @SafeHtml on POJO properties in order to clean up those values.

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.ext.Provider;

@Provider
@PreMatching   // must run before resource matching so the rewritten URI is what gets matched
public class XSSFilter implements ContainerRequestFilter
{
    /**
     * @see ContainerRequestFilter#filter(ContainerRequestContext)
     */
    @Override
    public void filter( ContainerRequestContext request )
    {
        cleanQueryParams( request );
        cleanHeaders( request.getHeaders() );
    }


    /**
     * Replace the existing query parameters with ones stripped of XSS vulnerabilities.
     * The query parameter map itself is immutable, so the request URI is rebuilt and
     * swapped in with setRequestUri(), which is only permitted in a @PreMatching filter.
     * @param request
     */
    private void cleanQueryParams( ContainerRequestContext request )
    {
        UriBuilder builder = request.getUriInfo().getRequestUriBuilder();
        MultivaluedMap<String, String> queries = request.getUriInfo().getQueryParameters();

        for( Map.Entry<String, List<String>> query : queries.entrySet() )
        {
            String key = query.getKey();
            List<String> values = query.getValue();

            // Clean every value first and replace the parameter once: calling
            // replaceQueryParam() once per value would keep only the last value
            // of a multi-valued parameter.
            List<String> cleanValues = new ArrayList<String>();
            for( String value : values ) {
                cleanValues.add( Utils.stripXSS( value ) );
            }
            builder.replaceQueryParam( key, cleanValues.toArray() );
        }

        request.setRequestUri( builder.build() );
    }


    /**
     * Replace the existing headers with ones stripped of XSS vulnerabilities.
     * Unlike the query parameters, the header map is mutable in place.
     * @param headers
     */
    private void cleanHeaders( MultivaluedMap<String, String> headers )
    {
        for( Map.Entry<String, List<String>> header : headers.entrySet() )
        {
            String key = header.getKey();
            List<String> values = header.getValue();

            List<String> cleanValues = new ArrayList<String>();
            for( String value : values ) {
                cleanValues.add( Utils.stripXSS( value ) );
            }

            // Replacing the value of an existing key does not disturb the iteration.
            headers.put( key, cleanValues );
        }
    }
}

The stripXSS functions are the following:

import org.apache.commons.lang3.StringUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Entities.EscapeMode;
import org.jsoup.safety.Whitelist;
import org.owasp.esapi.ESAPI;

public final class Utils
{
    private Utils() {}

    /**
     * Strips any potential XSS threats out of the value
     *
     * @param value
     * @return
     */
    public static String stripXSS( String value )
    {
        return stripXSS( value, Whitelist.none() );
    }


    /**
     * Strips any potential XSS threats out of the value excluding
     * the white listed HTML
     *
     * @param value
     * @param whitelist
     * @return
     */
    public static String stripXSS( String value, Whitelist whitelist )
    {
        if( StringUtils.isBlank( value ) )
            return value;

        // Use the ESAPI library to avoid encoded attacks. ESAPI.encoder() needs an
        // ESAPI.properties on the classpath, and canonicalize() may throw
        // IntrusionException for multiple or mixed encodings depending on that configuration.
        value = ESAPI.encoder().canonicalize( value );

        // Avoid null characters
        value = value.replaceAll("\0", "");

        // Clean out HTML: anything not in the whitelist is removed, remaining
        // text is entity-escaped, and output is not pretty-printed so the
        // value keeps its original whitespace.
        Document.OutputSettings outputSettings = new Document.OutputSettings();
        outputSettings.escapeMode( EscapeMode.xhtml );
        outputSettings.prettyPrint( false );
        value = Jsoup.clean( value, "", whitelist, outputSettings );

        return value;
    }
}

Also updated the original post: http://codehustler.org/blog/jersey-cross-site-scripting-xss-filter-for-java-web-apps/
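As an added check that is not part of the original answer, the JerseyTest below registers the filter above and confirms that a resource method receives sanitized query and header values, including both values of a multi-valued parameter. It assumes the XSSFilter and Utils classes as posted (with a working ESAPI.properties), jersey-test-framework with the Grizzly provider, and JUnit 4; the EchoResource class and the X-Note header are constructed for this test.

```java
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;

import java.util.List;

import javax.ws.rs.GET;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Application;

import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.test.JerseyTest;
import org.junit.Test;

public class XSSFilterTest extends JerseyTest
{
    // Constructed test resource: echoes the values exactly as the resource method sees them.
    @Path("echo")
    public static class EchoResource
    {
        @GET
        public String echo( @QueryParam("q") List<String> q, @HeaderParam("X-Note") String note )
        {
            return String.join( "|", q ) + "#" + note;
        }
    }

    @Override
    protected Application configure()
    {
        // Register the filter globally so every client of the API is covered.
        return new ResourceConfig( EchoResource.class ).register( XSSFilter.class );
    }

    @Test
    public void queryParamsAndHeadersArriveSanitized()
    {
        String body = target( "echo" )
                .queryParam( "q", "<script>alert(1)</script>plain" )
                .queryParam( "q", "second" )
                .request()
                .header( "X-Note", "<img src=x onerror=alert(1)>" )
                .get( String.class );

        assertFalse( "no markup may reach the resource", body.contains( "<" ) );
        // Both query values must survive; a rewrite that kept only the last value would drop "plain".
        assertEquals( "plain|second#", body.trim() );
    }
}
```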
