mindol1004/excel-download
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

jspblog : rucy-xss-filter

Browse Source
This commit is contained in:
kim
2021-01-21 19:47:57 +09:00
parent 269f2e3c10
commit 2ff55f1429
5 changed files with 241 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
jspblog/pom.xml
View File

@@ -60,6 +60,12 @@
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<dependency>
<groupId>com.navercorp.lucy</groupId>
<artifactId>lucy-xss-servlet</artifactId>
<version>2.0.0</version>
</dependency>
</dependencies>
<build>

6
jspblog/src/main/java/com/example/jspblog/domain/board/Board.java
View File

@@ -20,7 +20,7 @@ public class Board {
private int readCount;
private Timestamp createDate;
public String getTitle() {
return title.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
}
// public String getTitle() {
// return title.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
// }
}

149
jspblog/src/main/resources/lucy-xss-sax.xml Normal file
View File

@@ -0,0 +1,149 @@
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.nhncorp.com/lucy-xss" >
<elementRule>
<element name="p"/>
<element name="a" />
<element name="abbr"/>
<element name="acronym"/>
<element name="adress"/>
<element name="applet"/>
<element name="area"/>
<element name="b"/>
<element name="base"/>
<element name="basefont"/>
<element name="bdo"/>
<element name="big"/>
<element name="blockquote"/>
<element name="body"/>
<element name="br"/>
<element name="button"/>
<element name="caption"/>
<element name="center"/>
<element name="cite"/>
<element name="code"/>
<element name="col"/>
<element name="colgroup"/>
<element name="dd"/>
<element name="del"/>
<element name="dfn"/>
<element name="dir"/>
<element name="div"/>
<element name="dl"/>
<element name="dt"/>
<element name="em"/>
<element name="embed"/>
<element name="fieldset"/>
<element name="font"/>
<element name="form"/>
<element name="frame"/>
<element name="frameset"/>
<element name="h1"/>
<element name="h2"/>
<element name="h3"/>
<element name="h4"/>
<element name="h5"/>
<element name="h6"/>
<element name="head"/>
<element name="hr"/>
<element name="html"/>
<element name="i"/>
<element name="iframe"/>
<element name="img"/>
<element name="input"/>
<element name="ins"/>
<element name="isindex"/>
<element name="kbd"/>
<element name="label"/>
<element name="legend"/>
<element name="li"/>
<element name="link"/>
<element name="map"/>
<element name="marquee"/>
<element name="menu"/>
<element name="meta"/>
<element name="nobr"/>
<element name="noframes"/>
<element name="noscript"/>
<element name="object"/>
<element name="ol"/>
<element name="optgroup"/>
<element name="option"/>
<element name="p"/>
<element name="param"/>
<element name="pre"/>
<element name="q"/>
<element name="rt"/>
<element name="ruby"/>
<element name="s"/>
<element name="samp"/>
<!-- <element name="script"/> -->
<element name="select"/>
<element name="small"/>
<element name="span"/>
<element name="strike"/>
<element name="strong"/>
<element name="style"/>
<element name="sub"/>
<element name="sup"/>
<element name="table"/>
<element name="tbody"/>
<element name="td"/>
<element name="textarea"/>
<element name="tfoot"/>
<element name="th"/>
<element name="thead"/>
<element name="title"/>
<element name="tr"/>
<element name="tt"/>
<element name="u"/>
<element name="ul"/>
<element name="var"/>
<element name="wbr"/>
<element name="xml"/>
<element name="xmp"/>
<!-- HTML5 added at 2012.04.10 Start-->
<element name="article"/>
<element name="aside"/>
<element name="audio"/>
<element name="bdi"/>
<element name="canvas"/>
<element name="command"/>
<element name="datalist"/>
<element name="details"/>
<element name="figcaption"/>
<element name="figure"/>
<element name="footer"/>
<element name="header"/>
<element name="hgroup"/>
<element name="keygen"/>
<element name="mark"/>
<element name="meter"/>
<element name="nav"/>
<element name="output"/>
<element name="progress"/>
<element name="rp"/>
<element name="section"/>
<element name="source"/>
<element name="summary"/>
<element name="time"/>
<element name="track"/>
<element name="video"/>
<!-- HTML5 added at 2012.04.10 End-->
<!-- IE핵 처리를 위해 추가-->
<element name="IEHackExtension" disable="ture" >
</element>
</elementRule>
<attributeRule>
<attribute name="src">
<allowedPattern><![CDATA[['"]?\s*http://.*]]></allowedPattern>
</attribute>
<attribute name="href">
<notAllowedPattern><![CDATA[(?i:script)]]></notAllowedPattern>
<notAllowedPattern><![CDATA[(?i:\.css)]]></notAllowedPattern>
</attribute>
<attribute name="style" disable="false" exceptionTagList="a"/> <!-- 2013.12.24 수정 : A 태그는 style 속성에 의한 우회 공격 이슈로 style 속성을 배제힌다. -->
</attributeRule>
</config>

74
jspblog/src/main/resources/lucy-xss-servlet-filter-rule.xml Normal file
View File

@@ -0,0 +1,74 @@
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.navercorp.com/lucy-xss-servlet">
<defenders>
<!-- XssPreventer 등록 -->
<defender>
<name>xssPreventerDefender</name>
<class>com.navercorp.lucy.security.xss.servletfilter.defender.XssPreventerDefender</class>
</defender>
<!-- XssSaxFilter 등록 -->
<defender>
<name>xssSaxFilterDefender</name>
<class>com.navercorp.lucy.security.xss.servletfilter.defender.XssSaxFilterDefender</class>
<init-param>
<param-value>lucy-xss-sax.xml</param-value> <!-- lucy-xss-filter의 sax용 설정파일 -->
<param-value>false</param-value> <!-- 필터링된 코멘트를 남길지 여부, 성능 효율상 false 추천 -->
</init-param>
</defender>
<!-- XssFilter 등록 -->
<defender>
<name>xssFilterDefender</name>
<class>com.navercorp.lucy.security.xss.servletfilter.defender.XssFilterDefender</class>
<init-param>
<param-value>lucy-xss.xml</param-value> <!-- lucy-xss-filter의 dom용 설정파일 -->
<param-value>false</param-value> <!-- 필터링된 코멘트를 남길지 여부, 성능 효율상 false 추천 -->
</init-param>
</defender>
</defenders>
<!-- default defender 선언, 별다른 defender 선언이 없으면 default defender를 사용해 필터링 한다. -->
<default>
<defender>xssPreventerDefender</defender>
</default>
<!-- global 필터링 룰 선언 -->
<global>
<!-- 모든 url에서 들어오는 globalParameter 파라메터는 필터링 되지 않으며
또한 globalPrefixParameter로 시작하는 파라메터도 필터링 되지 않는다. -->
<params>
<param name="globalParameter" useDefender="false" />
<param name="globalPrefixParameter" usePrefix="true" useDefender="false" />
</params>
</global>
<!-- url 별 필터링 룰 선언 -->
<url-rule-set>
<!-- url disable이 true이면 지정한 url 내의 모든 파라메터는 필터링 되지 않는다. -->
<url-rule>
<url disable="true">/disableUrl1.do</url>
</url-rule>
<!-- url1 내의 url1Parameter는 필터링 되지 않으며 또한 url1PrefixParameter로 시작하는 파라메터도 필터링 되지 않는다. -->
<url-rule>
<url>/url1.do</url>
<params>
<param name="url1Parameter" useDefender="false" />
<param name="url1PrefixParameter" usePrefix="true" useDefender="false" />
</params>
</url-rule>
<!-- url2 내의 url2Parameter1만 필터링 되지 않으며 url2Parameter2는 xssSaxFilterDefender를 사용해 필터링 한다. -->
<url-rule>
<url>/url2.do</url>
<params>
<param name="url2Parameter1" useDefender="false" />
<param name="url2Parameter2">
<defender>xssSaxFilterDefender</defender>
</param>
</params>
</url-rule>
</url-rule-set>
</config>

9
jspblog/src/main/webapp/WEB-INF/web.xml
View File

@@ -20,6 +20,10 @@
<filter-name>forbiddenUrlConfig</filter-name>
<filter-class>com.example.jspblog.config.ForbiddenUrlConfig</filter-class>
</filter>
<filter>
<filter-name>xssEscapeServletFilter</filter-name>
<filter-class>com.navercorp.lucy.security.xss.servletfilter.XssEscapeServletFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>charConfig</filter-name>
@@ -30,4 +34,9 @@
<filter-name>forbiddenUrlConfig</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>xssEscapeServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>