简体   繁体   English

如何在java过滤器中更改servlet请求主体?

[英]How to change servlet request body in java filter?

How can I change request body in java filter to protect from XSS attack?如何更改 Java 过滤器中的请求正文以防止XSS攻击? I build HttpServletRequestWrapper and use getparameter for change body but get stream close exception.我构建了HttpServletRequestWrapper并使用getparameter来更改主体,但获取流关闭异常。

XSSFilter.java XSSFilter.java

public class XSSFilter implements Filter {


@Override
public void init(FilterConfig filterConfig) throws ServletException {
}

@Override
public void destroy() {
}

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

    XSSRequestWrapper wrappedRequest = new XSSRequestWrapper(
            (HttpServletRequest) request);

    String body = IOUtils.toString(wrappedRequest.getReader());


    if(!"".equals(body))
    {
        JSONObject oldJsonObject = new JSONObject(body);
        JSONObject newJsonObject = new JSONObject();

        for(String key : oldJsonObject.keySet())
        {
            newJsonObject.put(key, XSSUtils.stripXSS(oldJsonObject.get(key).toString()));
        }
        wrappedRequest.resetInputStream(newJsonObject.toString().getBytes());

    }


    chain.doFilter(wrappedRequest, response);
 }
}

XSSRequestWrapper .java XSSRequestWrapper .java

public class XSSRequestWrapper extends HttpServletRequestWrapper {


private byte[] rawData;
private HttpServletRequest request;
private ResettableServletInputStream servletStream;

public XSSRequestWrapper(HttpServletRequest request) {
    super(request);
    this.request = request;
    this.servletStream = new ResettableServletInputStream();
}


public void resetInputStream(byte[] newRawData) {
    servletStream.stream = new ByteArrayInputStream(newRawData);
}

@Override
public ServletInputStream getInputStream() throws IOException {
    if (rawData == null) {
        rawData = IOUtils.toByteArray(this.request.getReader());
        servletStream.stream = new ByteArrayInputStream(rawData);
    }
    return servletStream;
}

@Override
public BufferedReader getReader() throws IOException {
    if (rawData == null) {
        rawData = IOUtils.toByteArray(this.request.getReader());
        servletStream.stream = new ByteArrayInputStream(rawData);
    }
    return new BufferedReader(new InputStreamReader(servletStream));
}

private class ResettableServletInputStream extends ServletInputStream {

    private InputStream stream;

    @Override
    public int read() throws IOException {
        return stream.read();
     }
   }
 }

XSSUtils .java XSSUtils .java

public class XSSUtils {

private XSSUtils()
{

}

public static String stripXSS(String value) {
    return value == null ? value : escapeHtml4(value);
  }
}

Since I do not have enough reputation to add a comment, I am adding it as an answer.由于我没有足够的声誉来添加评论,因此我将其添加为答案。 After 3 years, I found the accepted answer to save me hours. 3 年后,我找到了可以节省时间的公认答案。 At the same time, I had to fix couple of things, and hence adding...同时,我不得不修复几件事情,因此添加...

(1) A bug (missing assignment to rawData) (1) 一个错误(缺少对 rawData 的赋值)

public void resetInputStream(byte[] newRawData) {
    rawData = newRawData;
    servletStream.stream = new ByteArrayInputStream(newRawData);
}

(2) A change necessitated over time. (2) 随着时间的推移需要改变。 Reference: HttpServletRequestWrapper, example implementation for setReadListener / isFinished / isReady?参考: HttpServletRequestWrapper,setReadListener / isFinished / isReady 的示例实现?

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM