java ssh XSS漏洞2

JAVA 漏洞

@(JAVA)[XSS漏洞]

  <filter>
        <!-- Registers XXSSProtectionFilter for every URL (see the filter-mapping below). The filter adds
             X-XSS-Protection, a frame header and a Content-Security-Policy header assembled from the
             init-params in this block; each param-name is the CSP directive it configures. -->
        <filter-name>xxssProtection</filter-name>
        <filter-class>com.wisdombud.cqupt.edu.web.vpn.filter.XXSSProtectionFilter</filter-class>
        <init-param>
            <!-- If not specified the default is false -->
            <!-- "true" makes the filter send Content-Security-Policy-Report-Only instead of
                 Content-Security-Policy: violations are reported (to report-uri, when configured)
                 but nothing is blocked. Useful for trying a stricter policy before enforcing it. -->
            <param-name>report-only</param-name>
            <param-value>false</param-value>
        </init-param>
        <!-- Optionally add a reporter-uri -->

        <init-param>
            <!-- NOTE(review): the filter's init() never reads the "sandbox" parameter and its policy
                 builder never emits a sandbox directive, so this block currently has no effect. -->
            <param-name>sandbox</param-name>
            <param-value>allow-forms allow-same-origin allow-scripts allow-popups allow-pointer-lock
                allow-popups-to-escape-sandbox allow-top-navigation allow-orientation-lock
            </param-value>
            <!-- true enables the sandbox behaviour - the default is false - one can also specify exceptions, e.g.
            <param-value>allow-forms allow-same-origin</param-value>
            -->
        </init-param>
        <!-- Remember that special keywords have to be put in single quotes, e.g. 'none', 'self' -->
        <init-param>
            <!-- If not specified the default is 'none' -->
            <!-- NOTE(review): '*' is the fallback for every fetch directive not listed below, so any
                 resource type without its own entry here may be loaded from any origin. -->
            <param-name>default-src</param-name>
            <param-value>*</param-value>
        </init-param>
        <init-param>
            <param-name>img-src</param-name>
            <!--<param-value>http://job.cqupt.edu.cn</param-value>-->
            <param-value>'self' data:</param-value>
        </init-param>
        <init-param>
            <param-name>script-src</param-name>
            <!--<param-value>'self' job.cqupt.edu.cn</param-value>-->
            <!-- NOTE(review): 'unsafe-inline' lets injected inline scripts run and 'unsafe-eval' allows
                 eval()-style execution, so with these two keywords the policy does not stop reflected or
                 stored XSS in script context; it only limits which external script origins may be loaded.
                 Moving inline scripts into 'self'-hosted files (or using nonces/hashes) is what lets the
                 keywords be dropped. -->
            <param-value>'self' 'unsafe-inline' 'unsafe-eval'</param-value>
        </init-param>
        <init-param>
            <param-name>style-src</param-name>
            <param-value>'self' 'unsafe-inline'</param-value>
        </init-param>
        <init-param>
            <param-name>connect-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
        <init-param>
            <param-name>font-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
        <init-param>
            <!-- The filter additionally appends a fixed "plugin-types application/x-shockwave-flash"
                 directive, so 'self' here means same-origin Flash content only. -->
            <param-name>object-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
        <init-param>
            <param-name>media-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
        <init-param>
            <param-name>frame-src</param-name>
            <param-value>'self'</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>xxssProtection</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
package com.wisdombud.cqupt.edu.web.vpn.filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

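/**
 * Servlet filter that adds browser-side XSS and clickjacking defenses to every response it
 * handles: an {@code X-XSS-Protection} header, an {@code X-Frame-Options} header and a
 * {@code Content-Security-Policy} header (or its report-only variant) assembled from the
 * filter's init-params. It also re-emits each request cookie as a {@code Set-Cookie} header
 * carrying the {@code Secure} and {@code HttpOnly} attributes.
 * <p>
 * Init-param names are the CSP directive names ({@code default-src}, {@code img-src}, ...)
 * plus {@code report-only} and {@code report-uri}. All fields are written once in
 * {@link #init(FilterConfig)} and only read afterwards.
 */
public class XXSSProtectionFilter implements Filter {

	private static final Logger LOGGER = LoggerFactory.getLogger(XXSSProtectionFilter.class);

	public static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
	public static final String CONTENT_SECURITY_POLICY_REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only";

	/**
	 * Instruct the browser to only send reports (does not block anything)
	 */
	private static final String REPORT_ONLY = "report-only";
	/**
	 * Instructs the browser to POST a reports of policy failures to this URI
	 */
	public static final String REPORT_URI = "report-uri";
	/**
	 * Enables a sandbox for the requested resource similar to the iframe
	 * sandbox attribute. The sandbox applies a same origin policy, prevents
	 * popups, plugins and script execution is blocked. You can keep the sandbox
	 * value empty to keep all restrictions in place, or add values: allow-forms
	 * allow-same-origin allow-scripts, and allow-top-navigation
	 * <p>
	 * NOTE(review): this constant is not read by {@link #init(FilterConfig)} and no
	 * sandbox directive is emitted by {@link #getContentSecurityPolicy()}, so a
	 * "sandbox" init-param currently has no effect.
	 */
	public static final String SANDBOX = "sandbox";
	/**
	 * The default policy for loading content such as JavaScript, Images, CSS,
	 * Font's, AJAX requests, Frames, HTML5 Media
	 */
	public static final String DEFAULT_SRC = "default-src";
	/**
	 * Defines valid sources of images
	 */
	public static final String IMG_SRC = "img-src";
	/**
	 * Defines valid sources of JavaScript
	 */
	public static final String SCRIPT_SRC = "script-src";
	/**
	 * Defines valid sources of stylesheets
	 */
	public static final String STYLE_SRC = "style-src";
	/**
	 * Defines valid sources of fonts
	 */
	public static final String FONT_SRC = "font-src";
	/**
	 * Applies to XMLHttpRequest (AJAX), WebSocket or EventSource
	 */
	public static final String CONNECT_SRC = "connect-src";
	/**
	 * Defines valid sources of plugins, eg {@code <object>}, {@code <embed>} or {@code <applet>}.
	 */
	public static final String OBJECT_SRC = "object-src";
	/**
	 * Defines valid sources of audio and video, eg HTML5 {@code <audio>}, {@code <video>}
	 * elements
	 */
	public static final String MEDIA_SRC = "media-src";
	/**
	 * Defines valid sources for loading frames
	 */
	public static final String FRAME_SRC = "frame-src";

	public static final String KEYWORD_NONE = "'none'";
	public static final String KEYWORD_SELF = "'self'";

	// Header name used for the policy; the singular "X-Frame-Option" is not a recognised header.
	private static final String X_FRAME_OPTIONS_HEADER = "X-Frame-Options";

	private boolean reportOnly;
	private String reportUri;
	// Never null after init(): falls back to KEYWORD_NONE when the init-param is blank.
	private String defaultSrc;
	private String imgSrc;
	private String scriptSrc;
	private String styleSrc;
	private String fontSrc;
	private String connectSrc;
	private String objectSrc;
	private String mediaSrc;
	private String frameSrc;

	/**
	 * Reads the CSP directives and the report settings from the filter's init-params.
	 * Every directive except {@code default-src} stays {@code null} when absent and is
	 * then simply not emitted.
	 *
	 * @param filterConfig the container-supplied configuration for this filter
	 */
	@Override
	public void init(final FilterConfig filterConfig) {
		this.reportOnly = getParameterBooleanValue(filterConfig, REPORT_ONLY);
		this.reportUri = getParameterValue(filterConfig, REPORT_URI);
		this.defaultSrc = getParameterValue(filterConfig, DEFAULT_SRC, KEYWORD_NONE);
		this.imgSrc = getParameterValue(filterConfig, IMG_SRC);
		this.scriptSrc = getParameterValue(filterConfig, SCRIPT_SRC);
		this.styleSrc = getParameterValue(filterConfig, STYLE_SRC);
		this.fontSrc = getParameterValue(filterConfig, FONT_SRC);
		this.connectSrc = getParameterValue(filterConfig, CONNECT_SRC);
		this.objectSrc = getParameterValue(filterConfig, OBJECT_SRC);
		this.mediaSrc = getParameterValue(filterConfig, MEDIA_SRC);
		this.frameSrc = getParameterValue(filterConfig, FRAME_SRC);
	}

	/**
	 * Adds the protective headers to the response and then continues the chain.
	 * Headers are added before {@code chain.doFilter} so they are in place before any
	 * downstream component may commit the response.
	 *
	 * @param req   the incoming request; expected to be an {@link HttpServletRequest}
	 * @param res   the outgoing response; expected to be an {@link HttpServletResponse}
	 * @param chain the remaining filter chain
	 * @throws IOException      propagated from the chain
	 * @throws ServletException propagated from the chain
	 */
	@Override
	public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
			throws IOException, ServletException {

		final HttpServletRequest request = (HttpServletRequest) req;
		final HttpServletResponse response = (HttpServletResponse) res;

		if (response == null) {
			LOGGER.error("Unable to retrieve HttpServletResponse from invocation context");
		} else {
			response.addHeader("X-XSS-Protection", "1; mode=block");
			// Bug fix: the header was sent as "X-Frame-Option" (singular), which browsers ignore,
			// so the SAMEORIGIN framing restriction was never actually applied.
			response.addHeader(X_FRAME_OPTIONS_HEADER, "SAMEORIGIN");
			final String contentSecurityPolicyHeaderName = this.reportOnly ? CONTENT_SECURITY_POLICY_REPORT_ONLY_HEADER
					: CONTENT_SECURITY_POLICY_HEADER;
			final String contentSecurityPolicy = getContentSecurityPolicy();
			LOGGER.debug("Adding Header {} = {}", contentSecurityPolicyHeaderName, contentSecurityPolicy);
			response.addHeader(contentSecurityPolicyHeaderName, contentSecurityPolicy);
			httpOnly(request, response);
		}
		chain.doFilter(request, response);
	}

	/** Nothing to release: the filter holds only configuration strings. */
	@Override
	public void destroy() {

	}

	/**
	 * Builds the policy string: {@code default-src} first, then every configured directive
	 * whose value is non-blank and differs from {@code default-src}, the {@code report-uri}
	 * when set, and finally a fixed {@code plugin-types} entry limiting plugins to Flash.
	 *
	 * @return the value for the Content-Security-Policy header, directives separated by "; "
	 */
	private String getContentSecurityPolicy() {
		final StringBuilder contentSecurityPolicy = new StringBuilder(DEFAULT_SRC).append(" ").append(this.defaultSrc);

		addDirectiveToContentSecurityPolicy(contentSecurityPolicy, IMG_SRC, this.imgSrc);
		addDirectiveToContentSecurityPolicy(contentSecurityPolicy, SCRIPT_SRC, this.scriptSrc);
		addDirectiveToContentSecurityPolicy(contentSecurityPolicy, STYLE_SRC, this.styleSrc);
		addDirectiveToContentSecurityPolicy(contentSecurityPolicy, FONT_SRC, this.fontSrc);
		addDirectiveToContentSecurityPolicy(contentSecurityPolicy, CONNECT_SRC, this.connectSrc);
		addDirectiveToContentSecurityPolicy(contentSecurityPolicy, OBJECT_SRC, this.objectSrc);
		addDirectiveToContentSecurityPolicy(contentSecurityPolicy, MEDIA_SRC, this.mediaSrc);
		addDirectiveToContentSecurityPolicy(contentSecurityPolicy, FRAME_SRC, this.frameSrc);
		addDirectiveToContentSecurityPolicy(contentSecurityPolicy, REPORT_URI, this.reportUri);
		// Hard-coded: the only plugin MIME type the policy admits is Flash. Paired with the
		// configured object-src this decides where plugin content may come from.
		addDirectiveToContentSecurityPolicy(contentSecurityPolicy, "plugin-types", "application/x-shockwave-flash");

		return contentSecurityPolicy.toString();
	}

	/**
	 * Returns the init-param, or {@code defaultValue} when the param is missing or blank.
	 *
	 * @param filterConfig source of init-params
	 * @param paramName    init-param name
	 * @param defaultValue value used when the param is absent or whitespace-only
	 * @return the configured value or the default
	 */
	private String getParameterValue(final FilterConfig filterConfig, final String paramName,
			final String defaultValue) {
		String value = filterConfig.getInitParameter(paramName);
		if (StringUtils.isBlank(value)) {
			value = defaultValue;
		}
		return value;
	}

	/**
	 * Returns the init-param as configured, {@code null} when it is not set.
	 *
	 * @param filterConfig source of init-params
	 * @param paramName    init-param name
	 * @return the raw value, possibly {@code null}
	 */
	private String getParameterValue(final FilterConfig filterConfig, final String paramName) {
		return filterConfig.getInitParameter(paramName);
	}

	/**
	 * Interprets an init-param as a boolean: only a case-insensitive "true" yields
	 * {@code true}; anything else, including a missing param, yields {@code false}.
	 *
	 * @param filterConfig source of init-params
	 * @param paramName    init-param name
	 * @return whether the param is set to "true"
	 */
	private boolean getParameterBooleanValue(final FilterConfig filterConfig, final String paramName) {
		return "true".equalsIgnoreCase(filterConfig.getInitParameter(paramName));
	}

	/**
	 * Appends {@code "; <directiveName> <value>"} unless the value is blank or identical to
	 * {@code default-src} (in which case the default already covers it).
	 *
	 * @param contentSecurityPolicy the policy being built
	 * @param directiveName         CSP directive name
	 * @param value                 directive value, may be {@code null}
	 */
	private void addDirectiveToContentSecurityPolicy(final StringBuilder contentSecurityPolicy,
			final String directiveName, final String value) {
		if (StringUtils.isNotBlank(value) && !this.defaultSrc.equals(value)) {
			contentSecurityPolicy.append("; ").append(directiveName).append(" ").append(value);
		}
	}

	/**
	 * Re-emits every cookie present on the request as a {@code Set-Cookie} header with the
	 * {@code Secure} and {@code HttpOnly} attributes, so cookies that were originally set
	 * without them pick the flags up on the next round trip.
	 * <p>
	 * The header is built by string concatenation and carries only name, value and the two
	 * flags: any Path, Domain or Max-Age the cookie originally had is not reproduced.
	 * NOTE(review): {@code Secure} is added regardless of whether the request itself arrived
	 * over TLS; confirm the application is only served over HTTPS, since browsers do not
	 * store Secure cookies set on a plain-HTTP response.
	 * Cookies whose name or value is missing or contains a separator or line break are
	 * skipped rather than written, so the emitted header always keeps its structure.
	 *
	 * @param req      request whose cookies are echoed back
	 * @param response response receiving the Set-Cookie headers
	 */
	public void httpOnly(final HttpServletRequest req, final HttpServletResponse response) {
		final Cookie[] cookies = req.getCookies();
		if (cookies == null) {
			return;
		}
		for (final Cookie cookie : cookies) {
			if (cookie == null) {
				continue;
			}
			final String name = cookie.getName();
			final String value = cookie.getValue();
			if (!isSetCookieSafe(name) || !isSetCookieSafe(value)) {
				// Log the name only; cookie values may be session identifiers.
				LOGGER.warn("Not re-emitting cookie {}: name or value is missing or not valid in a Set-Cookie header", name);
				continue;
			}
			response.addHeader("Set-Cookie", name + "=" + value + ";Secure;HTTPOnly;");
		}
	}

	/**
	 * True when {@code s} is non-null and contains none of ';', CR or LF, the characters
	 * that would split or terminate a concatenated Set-Cookie header.
	 *
	 * @param s cookie name or value to check
	 * @return whether {@code s} can be embedded in the header unchanged
	 */
	private static boolean isSetCookieSafe(final String s) {
		return s != null && s.indexOf(';') < 0 && s.indexOf('\r') < 0 && s.indexOf('\n') < 0;
	}
}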
