
Json data에 대한 XSS Prevention 추가

gagamel 4 yıl önce
ebeveyn
işleme
17c3ee9844

+ 207 - 201
pom.xml

@@ -1,202 +1,208 @@
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
-	<modelVersion>4.0.0</modelVersion>
-	<parent>
-		<groupId>com.style24</groupId>
-		<artifactId>root</artifactId>
-		<version>0.0.1-SNAPSHOT</version>
-	</parent>
-	<groupId>com.style24.core</groupId>
-	<artifactId>style24-core</artifactId>
-	<version>0.0.1</version>
-	<packaging>jar</packaging>
-	<name>style24-core</name>
-	<description>STYLE24 Core</description>
-	
-	<dependencies>
-		<!-- /// WEB-INF lib -->
-		<dependency>
-			<groupId>com.gagaframework</groupId>
-			<artifactId>gagaframework-web-core</artifactId>
-			<version>1.7.1-RELEASE</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/gagaframework-web-core-1.7.1-RELEASE.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>com.gagaframework</groupId>
-			<artifactId>gagaframework-web-security</artifactId>
-			<version>1.7.2-RELEASE</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/gagaframework-web-security-1.7.2-RELEASE.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>com.gagaframework</groupId>
-			<artifactId>gagaframework-web-parameter</artifactId>
-			<version>1.7-RELEASE</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/gagaframework-web-parameter-1.7-RELEASE.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>com.gagaframework</groupId>
-			<artifactId>gagaframework-web-rest</artifactId>
-			<version>1.7.1-RELEASE</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/gagaframework-web-rest-1.7-RELEASE.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>com.gagaframework</groupId>
-			<artifactId>gagaframework-web-util</artifactId>
-			<version>1.7-RELEASE</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/gagaframework-web-util-1.7-RELEASE.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>com.gagaframework</groupId>
-			<artifactId>gagaframework-excel</artifactId>
-			<version>1.7.1-RELEASE</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/gagaframework-excel-1.7.1-RELEASE.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>com.gagaframework</groupId>
-			<artifactId>gagaframework-shoplinker</artifactId>
-			<version>1.7-RELEASE</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/gagaframework-shoplinker-1.7.2-RELEASE.jar</systemPath>
-		</dependency>
-
-		<!-- ///KCP -->
-		<dependency>
-			<groupId>com.kcp</groupId>
-			<artifactId>kcp</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/jPpcliE.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>com.kcp</groupId>
-			<artifactId>ConnectionKCP</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/ConnectionKCP.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>kr.co.kcp.CT_CLI</groupId>
-			<artifactId>CT_CLI</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/CtCli-1.0.6.jar</systemPath>
-		</dependency>
-		<!-- \\\KCP -->
-		
-		<!-- /// USAFE 보증보험 -->
-		<dependency>
-			<groupId>com.usafe.guarantee</groupId>
-			<artifactId>usafe-guarantee</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/usafe.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>net.sourceforge.blowfishj</groupId>
-			<artifactId>usafe-blowfishj</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/usafe.jar</systemPath>
-		</dependency>
-		<!-- \\\ USAFE 보증보험 -->
-
-		<!-- 네이버페이 -->
-		<dependency>
-			<groupId>org.apache.axis</groupId>
-			<artifactId>axis</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/axis.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>org.bouncycastle</groupId>
-			<artifactId>bouncycastle</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/bcprov-jdk16-138.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>javax.xml</groupId>
-			<artifactId>rpc</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/jaxrpc.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>com.nhncorp</groupId>
-			<artifactId>SimpleCryptLib</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/SimpleCryptLib-1.1.0.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.commons.discovery</groupId>
-			<artifactId>common-discovery</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/commons-discovery-0.2.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.commons.logging</groupId>
-			<artifactId>common-logging</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/commons-logging-1.2.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>javax.xml.soap</groupId>
-			<artifactId>saaj</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/saaj.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>wsdl4j</groupId>
-			<artifactId>wsdl4j</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/wsdl4j.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>jsr173api</groupId>
-			<artifactId>jsr173api</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/jsr173_1.0_api.jar</systemPath>
-		</dependency>
-		<dependency>
-			<groupId>xalan</groupId>
-			<artifactId>xalan</artifactId>
-			<version>1.0</version>
-			<scope>system</scope>
-			<systemPath>${basedir}/lib/xalan.jar</systemPath>
-		</dependency>
-
-		<!-- \\\ WEB-INF lib -->
-	</dependencies>
-	
-	<build>
-		<finalName>${project.name}-${project.version}</finalName>
-		<resources>
-			<resource>
-				<directory>src/main/java</directory>
-				<includes>
-					<include>**/*.xml</include>
-				</includes>
-			</resource>
-			<resource>
-				<directory>src/main/resources</directory>
-				<includes>
-					<include>**/*</include>
-				</includes>
-			</resource>
-		</resources>
-	</build>
-	
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>com.style24</groupId>
+		<artifactId>root</artifactId>
+		<version>0.0.1-SNAPSHOT</version>
+	</parent>
+	<groupId>com.style24.core</groupId>
+	<artifactId>style24-core</artifactId>
+	<version>0.0.1</version>
+	<packaging>jar</packaging>
+	<name>style24-core</name>
+	<description>STYLE24 Core</description>
+	
+	<dependencies>
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-text</artifactId>
+			<version>1.8</version>
+		</dependency>
+		
+		<!-- /// WEB-INF lib -->
+		<dependency>
+			<groupId>com.gagaframework</groupId>
+			<artifactId>gagaframework-web-core</artifactId>
+			<version>1.7.1-RELEASE</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/gagaframework-web-core-1.7.1-RELEASE.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>com.gagaframework</groupId>
+			<artifactId>gagaframework-web-security</artifactId>
+			<version>1.7.2-RELEASE</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/gagaframework-web-security-1.7.2-RELEASE.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>com.gagaframework</groupId>
+			<artifactId>gagaframework-web-parameter</artifactId>
+			<version>1.7-RELEASE</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/gagaframework-web-parameter-1.7-RELEASE.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>com.gagaframework</groupId>
+			<artifactId>gagaframework-web-rest</artifactId>
+			<version>1.7.1-RELEASE</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/gagaframework-web-rest-1.7-RELEASE.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>com.gagaframework</groupId>
+			<artifactId>gagaframework-web-util</artifactId>
+			<version>1.7-RELEASE</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/gagaframework-web-util-1.7-RELEASE.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>com.gagaframework</groupId>
+			<artifactId>gagaframework-excel</artifactId>
+			<version>1.7.1-RELEASE</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/gagaframework-excel-1.7.1-RELEASE.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>com.gagaframework</groupId>
+			<artifactId>gagaframework-shoplinker</artifactId>
+			<version>1.7-RELEASE</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/gagaframework-shoplinker-1.7.2-RELEASE.jar</systemPath>
+		</dependency>
+
+		<!-- ///KCP -->
+		<dependency>
+			<groupId>com.kcp</groupId>
+			<artifactId>kcp</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/jPpcliE.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>com.kcp</groupId>
+			<artifactId>ConnectionKCP</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/ConnectionKCP.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>kr.co.kcp.CT_CLI</groupId>
+			<artifactId>CT_CLI</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/CtCli-1.0.6.jar</systemPath>
+		</dependency>
+		<!-- \\\KCP -->
+		
+		<!-- /// USAFE 보증보험 -->
+		<dependency>
+			<groupId>com.usafe.guarantee</groupId>
+			<artifactId>usafe-guarantee</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/usafe.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>net.sourceforge.blowfishj</groupId>
+			<artifactId>usafe-blowfishj</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/usafe.jar</systemPath>
+		</dependency>
+		<!-- \\\ USAFE 보증보험 -->
+
+		<!-- 네이버페이 -->
+		<dependency>
+			<groupId>org.apache.axis</groupId>
+			<artifactId>axis</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/axis.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bouncycastle</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/bcprov-jdk16-138.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>javax.xml</groupId>
+			<artifactId>rpc</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/jaxrpc.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>com.nhncorp</groupId>
+			<artifactId>SimpleCryptLib</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/SimpleCryptLib-1.1.0.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.commons.discovery</groupId>
+			<artifactId>common-discovery</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/commons-discovery-0.2.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.commons.logging</groupId>
+			<artifactId>common-logging</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/commons-logging-1.2.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>javax.xml.soap</groupId>
+			<artifactId>saaj</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/saaj.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>wsdl4j</groupId>
+			<artifactId>wsdl4j</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/wsdl4j.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>jsr173api</groupId>
+			<artifactId>jsr173api</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/jsr173_1.0_api.jar</systemPath>
+		</dependency>
+		<dependency>
+			<groupId>xalan</groupId>
+			<artifactId>xalan</artifactId>
+			<version>1.0</version>
+			<scope>system</scope>
+			<systemPath>${basedir}/lib/xalan.jar</systemPath>
+		</dependency>
+
+		<!-- \\\ WEB-INF lib -->
+	</dependencies>
+	
+	<build>
+		<finalName>${project.name}-${project.version}</finalName>
+		<resources>
+			<resource>
+				<directory>src/main/java</directory>
+				<includes>
+					<include>**/*.xml</include>
+				</includes>
+			</resource>
+			<resource>
+				<directory>src/main/resources</directory>
+				<includes>
+					<include>**/*</include>
+				</includes>
+			</resource>
+		</resources>
+	</build>
+	
 </project>
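Review bot: The only substantive change in this file is the new `org.apache.commons:commons-text:1.8` entry at the top of `<dependencies>`, yet every line of the POM is removed and re-added, which usually means a line-ending or encoding change and will hide the real edit in blame; normalising line endings belongs in its own commit. 1.8 is an older commons-text release — later versions carry security fixes in the `StringSubstitutor` interpolation defaults, and although the new `TscHtmlCharacterEscapes` only uses the `translate` package, the version is better pinned (and managed from the parent POM) at a current release. The re-added `gagaframework-web-rest` entry declares `<version>1.7.1-RELEASE</version>` but its `systemPath` points at `gagaframework-web-rest-1.7-RELEASE.jar`, and `gagaframework-shoplinker` declares `1.7-RELEASE` while pointing at the `1.7.2-RELEASE` jar; with `system` scope Maven resolves nothing, so these mismatches mean the declared version is not what gets built against.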

+ 2 - 2
src/main/java/com/style24/core/support/filter/TscServletRequestWrapper.java

@@ -19,7 +19,7 @@ public class TscServletRequestWrapper extends HttpServletRequestWrapper {
 		if (values == null) {
 			return null;
 		} else {
-			List<String> removedValues = new ArrayList();
+			List<String> removedValues = new ArrayList<>();
 			String[] var4 = values;
 			int var5 = values.length;
 
@@ -44,7 +44,7 @@ public class TscServletRequestWrapper extends HttpServletRequestWrapper {
 	private String convertParameter(String value) {
 		value = value.replaceAll("<", "&lt;");
 		value = value.replaceAll(">", "&gt;");
-		value = value.replaceAll("script", "");
+		value = value.toLowerCase().replaceAll("script", "");
 		return value;
 	}
 
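Review bot: `value.toLowerCase().replaceAll("script", "")` in `convertParameter` now lower-cases the whole parameter value before returning it, so every caller that reads parameters through this wrapper receives altered data (case-sensitive identifiers, tokens, passwords, mixed-case free text). If the intent is a case-insensitive match, keep the value's case and match insensitively instead: `value = value.replaceAll("(?i)script", "");`. Deleting a substring is not a dependable XSS control on its own — the `&lt;`/`&gt;` encoding on the two lines above is what actually neutralises markup, and encoding for the output context (as the new `TscHtmlCharacterEscapes` does for JSON) is the reliable approach — while the removal step mangles legitimate input such as the words `description` or `subscription`. The rest of `TscServletRequestWrapper` is outside this hunk.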

+ 62 - 0
src/main/java/com/style24/core/support/text/TscHtmlCharacterEscapes.java

@@ -0,0 +1,62 @@
+package com.style24.core.support.text;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.text.translate.AggregateTranslator;
+import org.apache.commons.text.translate.CharSequenceTranslator;
+import org.apache.commons.text.translate.EntityArrays;
+import org.apache.commons.text.translate.LookupTranslator;
+
+import com.fasterxml.jackson.core.SerializableString;
+import com.fasterxml.jackson.core.io.CharacterEscapes;
+import com.fasterxml.jackson.core.io.SerializedString;
+
+@SuppressWarnings("serial")
+public class TscHtmlCharacterEscapes extends CharacterEscapes {
+
+	private final int[] asciiEscapes;
+
+	private final CharSequenceTranslator translator;
+
+	public TscHtmlCharacterEscapes() {
+		// XSS 방지 처리할 특수 문자 지정
+		asciiEscapes = CharacterEscapes.standardAsciiEscapesForJSON();
+		asciiEscapes['<'] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes['>'] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes['&'] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes['\"'] = CharacterEscapes.ESCAPE_CUSTOM;
+//		asciiEscapes['('] = CharacterEscapes.ESCAPE_CUSTOM;
+//		asciiEscapes[')'] = CharacterEscapes.ESCAPE_CUSTOM;
+//		asciiEscapes['#'] = CharacterEscapes.ESCAPE_CUSTOM;
+		asciiEscapes['\''] = CharacterEscapes.ESCAPE_CUSTOM;
+
+		Map<CharSequence, CharSequence> lookupMap = new HashMap<>();
+		lookupMap.put("(", "&#40");
+		lookupMap.put(")", "&#41");
+		lookupMap.put("#", "&#35");
+		lookupMap.put("\\", "&#39");
+		Map<CharSequence, CharSequence> CUSTOM_ESCAPE = Collections.unmodifiableMap(lookupMap);
+
+		// XSS 방지 처리 특수문자 인코딩 값 지정
+		this.translator = new AggregateTranslator(
+			new LookupTranslator(EntityArrays.BASIC_ESCAPE), // <, >, &, "는 여기에 포함
+			new LookupTranslator(EntityArrays.ISO8859_1_ESCAPE),
+			new LookupTranslator(EntityArrays.HTML40_EXTENDED_ESCAPE),
+			new LookupTranslator(CUSTOM_ESCAPE));
+	}
+
+	@Override
+	public int[] getEscapeCodesForAscii() {
+		return asciiEscapes;
+	}
+
+	@Override
+	public SerializableString getEscapeSequence(int ch) {
+		return new SerializedString(translator.translate(Character.toString((char)ch)));
+		// 커스터마이징이 필요 없다면 아래걸 그대로 사용
+//		return new SerializedString(StringEscapeUtils.escapeHtml4(Character.toString((char)ch)));
+	}
+
+}
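Review bot: The custom lookup table built in the constructor does not cover the characters that are actually routed to it: `'\''` is marked `ESCAPE_CUSTOM` in `asciiEscapes`, but none of `BASIC_ESCAPE`, `ISO8859_1_ESCAPE`, `HTML40_EXTENDED_ESCAPE` or `CUSTOM_ESCAPE` maps `'`, so `getEscapeSequence` hands the apostrophe back unchanged; meanwhile the `"\\"` entry maps backslash to `&#39` (the apostrophe's numeric reference, not backslash's `&#92;`), and backslash is presumably already `ESCAPE_STANDARD` from `standardAsciiEscapesForJSON()`, so that entry is never consulted — worth confirming against Jackson's table. The `(`, `)` and `#` entries are equally dead while their `asciiEscapes` lines stay commented out, and every numeric reference lacks the closing `;`, which HTML parsers accept only as an error-recovery case. A corrected table is below; `CUSTOM_ESCAPE` should also be a lower-camel local (it is not a constant). Separately, HTML-encoding inside JSON bodies changes the data every API consumer receives (a `'` in a name arrives as `&#39;`), so clients that are not rendering into HTML need to know this — a comment on the class stating that contract would help.
```java
		Map<CharSequence, CharSequence> lookupMap = new HashMap<>();
		lookupMap.put("(", "&#40;");
		lookupMap.put(")", "&#41;");
		lookupMap.put("#", "&#35;");
		lookupMap.put("'", "&#39;");   // '\'' is ESCAPE_CUSTOM above but no other table maps it
		lookupMap.put("\\", "&#92;");  // was "&#39", the apostrophe reference
		Map<CharSequence, CharSequence> customEscape = Collections.unmodifiableMap(lookupMap);
		// … unchanged: AggregateTranslator construction (pass customEscape) …
```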