Security Vulnerabilities Solution

Source: Internet
Author: User
Filter Solution:

1. Add BadInputFilter.java to your own source tree;

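package com.accredit.common.badInput;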

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;


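/**
 * Servlet filter that screens request parameters for bad input.
 *
 * <p>Two layers are applied to every parameter name and value:
 * <ol>
 *   <li>allow/deny lists: comma-separated regular expressions taken from the
 *       {@code allow} and {@code deny} init-params. A request whose parameter
 *       matches a deny pattern, or matches no allow pattern while an allow list
 *       is configured, is answered with HTTP 403 and not passed down the chain;</li>
 *   <li>escaping: when {@code escapeQuotes}, {@code escapeAngleBrackets} or
 *       {@code escapeJavaScript} is {@code true}, the corresponding characters or
 *       script keywords in parameter names and values are rewritten to HTML
 *       character references before the application sees them.</li>
 * </ol>
 *
 * <p>Deployment caveats:
 * <ul>
 *   <li>Rewriting parameters in place needs a container whose parameter map has a
 *       {@code setLocked(boolean)} method (Tomcat's {@code ParameterMap} does). On
 *       other containers the escaping step is skipped and a message is logged; the
 *       allow/deny checks still apply.</li>
 *   <li>Only request parameters are inspected; headers, cookies, the request URI
 *       and non-form request bodies are not.</li>
 *   <li>Rewriting input is defence in depth. It does not replace context-aware
 *       output encoding where values are rendered.</li>
 * </ul>
 *
 * <p>The setters are meant to be called from {@link #init(FilterConfig)}; the
 * filter is not safe to reconfigure while it is serving requests.
 */
public class BadInputFilter implements Filter {

    /** Descriptive information about this filter implementation. */
    protected static final String info = BadInputFilter.class.getName() + "/1.0";

    private static final String[] STRING_ARRAY = new String[0];

    /** Control characters that must not reach the log verbatim (log-line forgery). */
    private static final Pattern CONTROL_CHARS = Pattern.compile("\\p{Cntrl}");

    /**
     * Parameter names exempted from the escaping step (XML content, SQL statements).
     * The allow/deny checks still apply to them. Every entry is a deliberate hole:
     * the receiving code must handle the raw value itself. The comparison is
     * case-sensitive — TODO confirm these are spelled exactly like the
     * application's parameters.
     */
    private static final Set<String> UNFILTERED_PARAMETERS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("sql", "paramSql", "content", "hightContent")));

    protected boolean escapeQuotes = false;

    protected boolean escapeAngleBrackets = false;

    protected boolean escapeJavaScript = false;

    /** Regex -> replacement pairs activated by {@link #setEscapeQuotes(boolean)}. */
    protected HashMap<String, String> quotesHashMap = new HashMap<String, String>();

    /** Regex -> replacement pairs activated by {@link #setEscapeAngleBrackets(boolean)}. */
    protected HashMap<String, String> angleBracketsHashMap = new HashMap<String, String>();

    /** Regex -> replacement pairs activated by {@link #setEscapeJavaScript(boolean)}. */
    protected HashMap<String, String> javaScriptHashMap = new HashMap<String, String>();

    /** Raw {@code allow} init-param, or {@code null} when none was given. */
    protected String allow = null;

    /** Compiled allow patterns; empty when no allow list is configured. */
    protected Pattern[] allows = new Pattern[0];

    /** Compiled deny patterns; empty when no deny list is configured. */
    protected Pattern[] denies = new Pattern[0];

    /** Raw {@code deny} init-param, or {@code null} when none was given. */
    protected String deny = null;

    /** Union of the enabled escape maps, applied by {@link #filterParameters(ServletRequest)}. */
    protected HashMap<String, String> parameterEscapes = new HashMap<String, String>();

    protected ServletContext servletContext;

    /**
     * Cached handle to the container parameter map's {@code setLocked(boolean)}.
     * Assigned lazily from request threads without synchronisation; the lookup is
     * idempotent, so a racing double assignment is harmless.
     */
    protected Method setLockedMethod;

    /**
     * Builds the escape tables. Each key is a regular expression and each value
     * the replacement text applied with {@link Matcher#replaceAll(String)}.
     */
    public BadInputFilter() {
        quotesHashMap.put("\"", "&quot;");
        quotesHashMap.put("'", "&#39;");
        quotesHashMap.put("`", "&#96;");
        angleBracketsHashMap.put("<", "&lt;");
        angleBracketsHashMap.put(">", "&gt;");
        // Keyword patterns are matched case-insensitively so that another casing of
        // the same identifier is not left unescaped. "$1" keeps the whitespace
        // captured between the keyword and the parenthesis.
        // The document...cookie replacement discards whatever matched between the
        // two words; that is inherited from the original tables.
        javaScriptHashMap.put("(?i)document(.*)\\.(.*)cookie", "document&#46;&#99;ookie");
        javaScriptHashMap.put("(?i)eval(\\s*)\\(", "eval$1&#40;");
        javaScriptHashMap.put("(?i)setTimeout(\\s*)\\(", "setTimeout$1&#40;");
        javaScriptHashMap.put("(?i)setInterval(\\s*)\\(", "setInterval$1&#40;");
        javaScriptHashMap.put("(?i)execScript(\\s*)\\(", "execScript$1&#40;");
        javaScriptHashMap.put("(?i)javascript:", "javascript&#58;");
    }

    public boolean getEscapeQuotes() {
        return escapeQuotes;
    }

    /** Enables or disables escaping of {@code "}, {@code '} and {@code `} in parameters. */
    public void setEscapeQuotes(boolean escapeQuotes) {
        this.escapeQuotes = escapeQuotes;
        applyEscapes(quotesHashMap, escapeQuotes);
    }

    public boolean getEscapeAngleBrackets() {
        return escapeAngleBrackets;
    }

    /** Enables or disables escaping of {@code <} and {@code >} in parameters. */
    public void setEscapeAngleBrackets(boolean escapeAngleBrackets) {
        this.escapeAngleBrackets = escapeAngleBrackets;
        applyEscapes(angleBracketsHashMap, escapeAngleBrackets);
    }

    public boolean getEscapeJavaScript() {
        return escapeJavaScript;
    }

    /** Enables or disables rewriting of the script keywords in {@link #javaScriptHashMap}. */
    public void setEscapeJavaScript(boolean escapeJavaScript) {
        this.escapeJavaScript = escapeJavaScript;
        applyEscapes(javaScriptHashMap, escapeJavaScript);
    }

    /**
     * Adds or removes one escape table from the active set, so that switching a
     * flag off actually stops the corresponding rewriting.
     */
    private void applyEscapes(Map<String, String> escapes, boolean enabled) {
        if (enabled) {
            parameterEscapes.putAll(escapes);
        } else {
            parameterEscapes.keySet().removeAll(escapes.keySet());
        }
    }

    public String getAllow() {
        return allow;
    }

    /**
     * Sets the comma-separated allow patterns.
     *
     * @throws IllegalArgumentException if an entry is not a valid regular expression
     */
    public void setAllow(String allow) {
        this.allow = allow;
        this.allows = precalculate(allow);
        log("BadInputFilter: allow = " + allow);
    }

    public String getDeny() {
        return deny;
    }

    /**
     * Sets the comma-separated deny patterns.
     *
     * @throws IllegalArgumentException if an entry is not a valid regular expression
     */
    public void setDeny(String deny) {
        this.deny = deny;
        this.denies = precalculate(deny);
        log("BadInputFilter: deny = " + deny);
    }

    /**
     * Reads the init-params {@code allow}, {@code deny}, {@code escapeQuotes},
     * {@code escapeAngleBrackets} and {@code escapeJavaScript}. Names are
     * case-sensitive and must match web.xml exactly; an absent boolean leaves the
     * corresponding flag at its default of {@code false}.
     *
     * @throws IllegalArgumentException if an allow or deny entry is not a valid regex
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        servletContext = filterConfig.getServletContext();
        setAllow(filterConfig.getInitParameter("allow"));
        setDeny(filterConfig.getInitParameter("deny"));
        String initParam = filterConfig.getInitParameter("escapeQuotes");
        if (initParam != null) {
            setEscapeQuotes(Boolean.parseBoolean(initParam.trim()));
        }
        initParam = filterConfig.getInitParameter("escapeAngleBrackets");
        if (initParam != null) {
            setEscapeAngleBrackets(Boolean.parseBoolean(initParam.trim()));
        }
        initParam = filterConfig.getInitParameter("escapeJavaScript");
        if (initParam != null) {
            setEscapeJavaScript(Boolean.parseBoolean(initParam.trim()));
        }
        log(toString() + " initialized.");
    }

    /**
     * Applies the allow/deny checks and then the escaping; non-HTTP exchanges are
     * passed through untouched. When a parameter is rejected the 403 has already
     * been sent and the chain is not invoked.
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest) || !(response instanceof HttpServletResponse)) {
            filterChain.doFilter(request, response);
            return;
        }
        if (!processAllowsAndDenies(request, response)) {
            return;
        }
        filterParameters(request);
        filterChain.doFilter(request, response);
    }

    /**
     * Runs {@link #checkAllowsAndDenies(String, ServletResponse)} over every
     * parameter name and every parameter value.
     *
     * @return {@code true} if all parameters are acceptable, {@code false} once one
     *     is rejected (the response has then been answered with 403)
     */
    public boolean processAllowsAndDenies(ServletRequest request, ServletResponse response)
            throws IOException, ServletException {
        @SuppressWarnings("unchecked")
        Map<String, String[]> paramMap = request.getParameterMap();
        for (String name : paramMap.keySet()) {
            if (!checkAllowsAndDenies(name, response)) {
                return false;
            }
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                if (!checkAllowsAndDenies(value, response)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Applies the deny and allow lists to one string (a parameter name or value).
     *
     * <p>Evaluation order: a deny match rejects; otherwise an allow match accepts;
     * otherwise, when only a deny list is configured, the string is accepted;
     * otherwise (an allow list exists and nothing matched) it is rejected. A
     * rejection sends HTTP 403 when the response is an uncommitted HTTP response.
     *
     * @param property the text to check; {@code null} is treated as empty
     * @return {@code true} if the text is acceptable
     */
    public boolean checkAllowsAndDenies(String property, ServletResponse response)
            throws IOException, ServletException {
        if (denies.length == 0 && allows.length == 0) {
            return true;
        }
        String subject = property == null ? "" : property;
        for (Pattern denyPattern : denies) {
            if (denyPattern.matcher(subject).find()) {
                // A deny match rejects regardless of the response type; the earlier
                // version fell through to "accepted" for non-HTTP responses.
                sendForbidden(response);
                return false;
            }
        }
        for (Pattern allowPattern : allows) {
            if (allowPattern.matcher(subject).find()) {
                return true;
            }
        }
        if (denies.length > 0 && allows.length == 0) {
            return true;
        }
        sendForbidden(response);
        return false;
    }

    /** Sends HTTP 403 if the response is an HTTP response that is not yet committed. */
    private static void sendForbidden(ServletResponse response) throws IOException {
        if (response instanceof HttpServletResponse && !response.isCommitted()) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /**
     * Rewrites parameter names and values according to {@link #parameterEscapes}.
     *
     * <p>The container's parameter map is unlocked reflectively, modified, and
     * locked again in a {@code finally} block. If it cannot be unlocked the
     * request continues with its parameters unescaped (the allow/deny checks
     * have already run) and the problem is logged.
     *
     * @param request must be an {@link HttpServletRequest}
     */
    public void filterParameters(ServletRequest request) {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        @SuppressWarnings("unchecked")
        Map<String, String[]> paramMap = httpRequest.getParameterMap();
        if (!setParameterMapLocked(paramMap, false)) {
            // Any write to a still-locked map would throw from inside the filter.
            log("BadInputFilter: cannot filter parameters!");
            return;
        }
        try {
            String remoteAddr = httpRequest.getRemoteAddr();
            for (Map.Entry<String, String> escape : parameterEscapes.entrySet()) {
                String patternString = escape.getKey();
                String replacement = escape.getValue();
                Pattern pattern = Pattern.compile(patternString);
                // Snapshot the names: renaming below mutates the map.
                String[] paramNames = paramMap.keySet().toArray(STRING_ARRAY);
                for (String name : paramNames) {
                    if (UNFILTERED_PARAMETERS.contains(name)) {
                        continue;
                    }
                    String[] values = httpRequest.getParameterValues(name);
                    Matcher nameMatcher = pattern.matcher(name);
                    if (nameMatcher.find()) {
                        String newName = nameMatcher.replaceAll(replacement);
                        paramMap.remove(name);
                        paramMap.put(newName, values);
                        log("BadInputFilter: parameter name \"" + sanitizeForLog(name)
                                + "\" matched pattern \"" + patternString
                                + "\". Remote addr: " + remoteAddr);
                    }
                    if (values == null) {
                        continue;
                    }
                    // NOTE(review): values are rewritten in place, which only takes effect
                    // if getParameterValues() returns the array stored in the map rather
                    // than a copy — confirm for the target container.
                    for (int j = 0; j < values.length; j++) {
                        if (values[j] == null) {
                            continue;
                        }
                        Matcher valueMatcher = pattern.matcher(values[j]);
                        if (!valueMatcher.find()) {
                            continue;
                        }
                        values[j] = valueMatcher.replaceAll(replacement);
                        // The value itself is deliberately not logged: parameters such as
                        // passwords routinely contain quotes and would otherwise be written
                        // to the log in clear.
                        log("BadInputFilter: parameter \"" + sanitizeForLog(name)
                                + "\" value matched pattern \"" + patternString
                                + "\". Remote addr: " + remoteAddr);
                    }
                }
            }
        } finally {
            setParameterMapLocked(paramMap, true);
        }
    }

    /**
     * Toggles the container parameter map's lock through its {@code setLocked(boolean)}
     * method (present on Tomcat's ParameterMap; other containers may lack it).
     *
     * @return {@code true} when the call succeeded, {@code false} (after logging) otherwise
     */
    private boolean setParameterMapLocked(Map<String, String[]> paramMap, boolean locked) {
        try {
            if (setLockedMethod == null) {
                setLockedMethod = paramMap.getClass().getMethod("setLocked", boolean.class);
            }
            setLockedMethod.invoke(paramMap, locked);
            return true;
        } catch (NoSuchMethodException e) {
            log("BadInputFilter: parameter map " + paramMap.getClass().getName()
                    + " has no setLocked(boolean)", e);
        } catch (SecurityException e) {
            log("BadInputFilter: not permitted to look up setLocked(boolean)", e);
        } catch (IllegalAccessException e) {
            log("BadInputFilter: cannot call setLocked(" + locked + ")", e);
        } catch (InvocationTargetException e) {
            log("BadInputFilter: setLocked(" + locked + ") failed", e);
        }
        return false;
    }

    /** Replaces control characters so that attacker-chosen text cannot forge log lines. */
    private static String sanitizeForLog(String text) {
        return CONTROL_CHARS.matcher(text).replaceAll("?");
    }

    /** Logs through the servlet context when one is set (it is not before {@code init}). */
    private void log(String message) {
        if (servletContext != null) {
            servletContext.log(message);
        }
    }

    /** Logs a message with its cause through the servlet context when one is set. */
    private void log(String message, Throwable cause) {
        if (servletContext != null) {
            servletContext.log(message, cause);
        }
    }

    @Override
    public String toString() {
        return "BadInputFilter";
    }

    @Override
    public void destroy() {
        // Nothing to release: the filter holds no resources beyond the servlet context.
    }

    /**
     * Compiles a comma-separated list of regular expressions.
     *
     * <p>Blank entries (for example from a trailing comma) are skipped: an empty
     * pattern matches every string, which would turn a deny list into "deny
     * everything" and an allow list into "allow everything". A pattern containing
     * a comma cannot be expressed with this syntax.
     *
     * @param list comma-separated patterns; may be {@code null} or blank
     * @return the compiled patterns, never {@code null}
     * @throws IllegalArgumentException if an entry is not a valid regular expression
     */
    protected Pattern[] precalculate(String list) {
        if (list == null) {
            return new Pattern[0];
        }
        List<Pattern> compiled = new ArrayList<Pattern>();
        for (String entry : list.split(",")) {
            String patternText = entry.trim();
            if (patternText.length() == 0) {
                continue;
            }
            try {
                compiled.add(Pattern.compile(patternText));
            } catch (PatternSyntaxException e) {
                throw new IllegalArgumentException(
                        "Syntax error in request filter pattern " + patternText, e);
            }
        }
        return compiled.toArray(new Pattern[compiled.size()]);
    }
}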
2. Register the filter in web.xml:
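<filter>
    <filter-name>BadInputFilter</filter-name>
    <filter-class>com.accredit.common.badInput.BadInputFilter</filter-class>
    <!-- deny / allow: comma-separated regular expressions checked against every
         parameter name and value (substring match); a deny hit is answered with
         HTTP 403. Note that (?i)script also matches ordinary words such as
         "description", so narrow the pattern if such fields exist in the
         application. -->
    <init-param>
        <param-name>deny</param-name>
        <param-value>(?i)script</param-value>
    </init-param>
    <!-- The three escape flags rewrite quotes, angle brackets and a small set of
         script keywords in parameters to HTML character references. This is a
         defence-in-depth input rewrite, not a substitute for output encoding. -->
    <init-param>
        <param-name>escapeQuotes</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>escapeJavaScript</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>escapeAngleBrackets</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>BadInputFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>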

Complete.
