How to add ")]}',\n" before each Spring JSON response to prevent common vulnerability

Question
I want to add a ")]}',\n" prefix to all JSON responses produced by the servlet in order to prevent the JSON vulnerability as AngularJS suggests. I found a way to modify the response content. Using the OncePerRequestFilter base class from Spring, I have ended up with:
    import java.io.IOException;
    import java.io.PrintWriter;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.commons.lang3.StringUtils; // Apache Commons Lang (assumed source of StringUtils)
    import org.springframework.web.filter.OncePerRequestFilter;

    public class JsonArrayVulnerabilityPreventorFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
            // Writer of the real response; the wrapped response buffers the servlet's output instead
            PrintWriter responseOut = response.getWriter();
            CharResponseWrapper responseWrapper = new CharResponseWrapper(response);
            filterChain.doFilter(request, responseWrapper);
            // Only JSON bodies get the anti-hijacking prefix
            if (StringUtils.contains(responseWrapper.getHeader("Content-Type"), "application/json")) {
                responseOut.write(")]}',\n");
            }
            String originalServletResponse = responseWrapper.toString();
            responseOut.write(originalServletResponse);
        }
    }
The problem is that when I introduced the response wrapper, the Content-Type header (and a few others) disappeared from the response. I have confirmed that without a wrapper, the response.getHeaderNames() call returns 14 different headers (including content type), whereas with the wrapper there are only 9. It also breaks character encoding, because with the wrapper the Content-Type header does not tell the browser that the content is in UTF-8. Why?
Source and idea of the CharResponseWrapper: here and here.
    import java.io.CharArrayWriter;
    import java.io.PrintWriter;

    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpServletResponseWrapper;

    public class CharResponseWrapper extends HttpServletResponseWrapper {
        // Captures everything the servlet writes through getWriter()
        private CharArrayWriter output;

        public String toString() {
            return output.toString();
        }

        public CharResponseWrapper(HttpServletResponse response) {
            super(response);
            output = new CharArrayWriter();
        }

        public PrintWriter getWriter() {
            return new PrintWriter(output);
        }
    }
Actually, I resolved the root problem (adding the ")]}',\n" prefix to every JSON response) with the following configuration.
    import java.util.List;

    import org.springframework.context.annotation.Configuration;
    import org.springframework.http.converter.HttpMessageConverter;
    import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
    import org.springframework.web.servlet.config.annotation.EnableWebMvc;
    import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

    @Configuration
    @EnableWebMvc
    public class WebappConfig extends WebMvcConfigurerAdapter {
        @Override
        public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
            MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter();
            // Jackson writes this prefix in front of every JSON body it produces
            converter.setJsonPrefix(")]}',\n");
            converters.add(converter);
        }
    }
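The post names the vulnerability the prefix defends against but does not show the mechanism. The following added example (editor's code, not from the question or from Spring/AngularJS) demonstrates on constructed sample bodies why a bare JSON array is accepted by a script tag while the prefixed body is not, how a client strips the prefix before JSON.parse the way AngularJS's default $http transformer does, and a small check a test suite can run against a response's Content-Type and body. The sample bodies, the helper names and the PREFIX_PATTERN regex are assumptions of this example.

```javascript
// Added example, not code from the question: why the ")]}',\n" prefix defeats
// JSON array hijacking, and how a legitimate client strips it before parsing.
// All response bodies below are constructed sample data.

const JSON_PROTECTION_PREFIX = ")]}',\n";

// Constructed samples: what a Spring endpoint returns without and with
// MappingJackson2HttpMessageConverter.setJsonPrefix(...).
const UNPROTECTED_BODY =
  '[{"id":1,"email":"alice@example.com"},{"id":2,"email":"bob@example.com"}]';
const PROTECTED_BODY = JSON_PROTECTION_PREFIX + UNPROTECTED_BODY;

// A <script src="..."> tag only runs a response that parses as JavaScript.
// A bare JSON array is a valid expression statement, so it parses; the prefixed
// body fails at its very first token, so nothing can run. new Function(...)
// parses the text without executing it, which is all this check needs.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Client side: strip the prefix, then parse. The pattern mirrors the one
// AngularJS's $http uses (the comma is optional there too), so ordinary
// XHR/fetch callers still receive plain JSON.
const PREFIX_PATTERN = /^\)\]\}',?\n/;

function stripJsonPrefix(body) {
  return body.replace(PREFIX_PATTERN, "");
}

function parseProtectedJson(body) {
  return JSON.parse(stripJsonPrefix(body));
}

// Defender's check for a test suite: given a response's Content-Type and body,
// report whether a JSON body carries the prefix. Returns null for non-JSON
// responses, where the prefix is not expected.
function isJsonResponseProtected(contentType, body) {
  if (!/application\/json/i.test(contentType || "")) return null;
  return PREFIX_PATTERN.test(body);
}

// Stand-alone demonstration
console.log("bare array parses as script:", parsesAsScript(UNPROTECTED_BODY));
console.log("prefixed body parses as script:", parsesAsScript(PROTECTED_BODY));
console.log("client sees:", parseProtectedJson(PROTECTED_BODY));
console.log("protected?", isJsonResponseProtected("application/json;charset=UTF-8", PROTECTED_BODY));
```

The check keys on the Content-Type header, which is exactly what the question's filter lost: if the header is missing or lacks charset=UTF-8 the client may mis-decode the body even though the prefix is present, so a smoke test should assert on both the header and the prefix. The prefix only blocks the old script-tag inclusion of JSON arrays; it is not a substitute for CSRF tokens or SameSite cookies on state-changing endpoints.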