Several fixes for Fortify security-scan findings that I have personally verified to work
1. Header Manipulation: filter the parameters taken from the request header
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public static String getFilePath(String path){
    // Characters that must not appear in a path or header value; \r and \n are the CRLF pair
    // that would let a value end one header and start another.
    String regex = "[`~!@#$%^&*()\\+\\={}|:\"?><【】\\r\\n]";
    Pattern pa = Pattern.compile(regex);
    Matcher ma = pa.matcher(path);
    if(ma.find()){
        path = ma.replaceAll("").trim();
    }
    // Normalise separators, then drop parent-directory references
    path = path.replace("\\","/");
    path = path.replace("../","");
    return path;
}
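The same two defences, as an added example in JavaScript that is not part of the original post: sanitizeHeaderValue() removes the control characters (CR and LF above all) that make a header value usable for response splitting, and getFilePath() ports the Java method above. The function names and the sample inputs are my own; one change from the post is that the "../" removal loops until the string stops changing, because a single pass can leave a new "../" behind once neighbouring characters collapse together.

```javascript
// Added example, not the post's own code. Names and sample inputs are constructed.

// Characters the post's Java regex strips from a path, plus CR/LF.
const PATH_BLACKLIST = /[`~!@#$%^&*()+={}|:"?><【】\r\n]/g;

// Remove CR, LF and every other ASCII control character from a value that is
// about to be written into a response header. A value containing "\r\n" would
// terminate the header and let what follows be parsed as further headers.
function sanitizeHeaderValue(value) {
  return String(value).replace(/[\x00-\x1f\x7f]/g, "").trim();
}

// Port of the post's getFilePath(): strip blacklisted characters, normalise
// backslashes to "/", then remove "../" repeatedly until nothing changes
// (a single pass over "....//" leaves "../" behind).
function getFilePath(path) {
  let out = String(path).replace(PATH_BLACKLIST, "").trim();
  out = out.replace(/\\/g, "/");
  let prev;
  do {
    prev = out;
    out = out.replace(/\.\.\//g, "");
  } while (out !== prev);
  return out;
}

// True when sanitising changed the value: useful as a log/alert signal, since
// a legitimate client has no reason to send control characters in a header.
function headerValueWasTampered(value) {
  return sanitizeHeaderValue(value) !== String(value);
}

// Constructed sample inputs.
const samples = [
  "static/report.pdf",
  "..\\..\\etc/passwd",
  "....//....//etc/passwd",
  "docs/a.txt\r\nX-Test: 1",
];
for (const s of samples) {
  console.log(
    JSON.stringify(s),
    "-> path:", JSON.stringify(getFilePath(s)),
    "header:", JSON.stringify(sanitizeHeaderValue(s)),
    "tampered:", headerValueWasTampered(s)
  );
}
```

Run it with Node; the third sample shows why the loop matters, and the last one shows that the header sanitiser keeps ":" and spaces while the path filter also drops ":" as the Java regex does.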
2. Cross-Site Scripting:
(1) Reflected: this finding shows up in both Java and JSP, so here is the code from the shared Java utility method and from the shared JS method.
Java:
import java.text.Normalizer;
import java.util.ArrayList;
import java.util.List;

// Characters removed from reflected output
final static List<String> list = new ArrayList<>();
static{
    list.add("<");
    list.add(">");
    list.add("(");
    list.add(")");
    list.add("&");
    list.add("?");
    list.add(";");
}
public static String Filter(String output){
    // NFKC first, so full-width look-alikes collapse to the ASCII characters being removed
    String encode = Normalizer.normalize(output, Normalizer.Form.NFKC);
    for(int i=0;i<list.size();i++){
        encode = encode.replace(list.get(i),"");
    }
    return encode;
}
JS:
function charFilter(str){
    let charArray = ["<",">","(",")","&","?",";"];
    // NFKC first, same as the Java version
    let encode = str.normalize("NFKC");
    for(let i=0;i<charArray.length;i++){
        // split/join removes every occurrence; replace() with a string argument only removes the first
        encode = encode.split(charArray[i]).join("");
    }
    return encode;
}
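As an added example that is not part of the original post, here is the reflected-XSS filter above next to the alternative a reviewer would usually ask for: stripping characters is lossy (a user's "a && b" comes back as "a  b"), whereas HTML-entity encoding keeps the text and still prevents it from being parsed as markup. The functions and sample strings are my own; the fullwidth sample shows why the post normalises with NFKC before filtering.

```javascript
// Added example, not the post's own code. Names and sample inputs are constructed.

const BLACKLIST = ["<", ">", "(", ")", "&", "?", ";"];

// The post's approach: normalise, then remove every blacklisted character.
// split/join is used because replace() with a string pattern only removes the
// first occurrence in JavaScript.
function charFilter(str) {
  let encode = String(str).normalize("NFKC");
  for (const ch of BLACKLIST) {
    encode = encode.split(ch).join("");
  }
  return encode;
}

// Output encoding: the HTML-significant characters become entities, so the
// browser renders them as text instead of interpreting them as tags or
// attribute delimiters, and the original content is preserved.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(str) {
  return String(str).normalize("NFKC").replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Constructed samples. U+FF1C / U+FF1E are the fullwidth forms of "<" and ">";
// NFKC maps them to ASCII, so a filter applied before normalisation would miss them.
const samples = [
  "hello world",
  "a<b>c<d>",
  "a && b; c?",
  "\uFF1Cb\uFF1E",
];
for (const s of samples) {
  console.log(
    JSON.stringify(s),
    "filter:", JSON.stringify(charFilter(s)),
    "escape:", JSON.stringify(escapeHtml(s))
  );
}
```

Both functions run in the browser or in Node. For content that ends up inside an HTML element body, escapeHtml() is the form to prefer; the character filter remains useful where the value must never contain those characters at all, such as a parameter echoed into a URL.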
posted on 2021-01-20 11:37 by 哥撸的不是代码是刚子, views (2179), comments (0)