Servlet类中的XSS漏洞问题,用于response.getOutputStream()。write(buffer)

时间:2012-06-12 13:06:48

标签: java servlets xss

我正在修复针对我的模块的代码审核报告的问题。问题是XSS VULNERABILITIES。 它报告了语法问题 。response.getOutputStream()写(缓冲液); 怎么解决? 我做了足够的家庭工作,发现OWASP推荐的ESAPI可以帮助我修复它,但是如何实现呢?问题出在servlet类中? 或任何其他API或任何其他可以帮助我解决它? 请分享您的相关经验。 

FileOutputStream fos = null;
        FileInputStream fileInuptStream =null;
        BufferedInputStream bufferedInputStream = null;
        ByteArrayOutputStream byteArrayOutputStream =null;
        try{
           ServletContext servletContext = request.getSession().getServletContext();
            File attachmentDir = new File(servletContext.getRealPath("")+File.separator+"Reports" );
            String uploadDir=attachmentDir.getPath();
            if (!attachmentDir.exists()) {
                attachmentDir.mkdirs();
            }

            HSSFWorkbook wb= new HSSFWorkbook();
             AAAA  aaa=new AAAA();          
            wb=aaa.getExportXLS(request, response, fileName, wb);
             if(request.getSession().getAttribute("SESSION_AAAAA")!=null){
                    request.getSession().removeAttribute("SESSION_AAAAA");
            }           
              fos=new FileOutputStream(uploadDir+File.separator+fileName);
            wb.write(fos);

            File fileXls=new File(uploadDir+File.separator+fileName);
              fileInuptStream = new FileInputStream(fileXls);
              bufferedInputStream = new BufferedInputStream(fileInuptStream);
              byteArrayOutputStream = new ByteArrayOutputStream();
            int start = INT_ZERO;
            int length = ONE_ZERO_TWO_FOUR;
            int offset = MINUS_ONE;
            byte [] buffer = new byte [length];
            while ((offset = bufferedInputStream.read(buffer, start, length)) != -1)
                byteArrayOutputStream.write(buffer, start, offset);


            buffer = byteArrayOutputStream.toByteArray();

            response.setHeader("Expires", "0");
            response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
            response.setHeader("Pragma", "public");
            response.setContentType("application/xls");
            response.setHeader("Content-disposition","attachment; filename="+fileName );
            response.setContentLength((int ) fileXls.length());
            response.getOutputStream().write(buffer);  --- REPORTED AT THIS LINE
            response.getOutputStream().flush();

2 个答案:

答案 0 :(得分:1)

这是一个错误的警告。此servlet返回一个由Apache POI创建的XLS文件,而不是HTML文档。不可能有XSS攻击的手段。

然而,这段代码相当笨拙且效率低下。它在扩展的WAR文件夹中创建一个文件(无论如何在重新部署WAR时都会丢失),然后它将整个内容完全复制到服务器的内存中,而不是直接写入响应。可能这种笨拙的方法混淆了审计工具。您应该只是将HttpServletResponse#getOutputStream()传递给Workbook#write()

这是基于到目前为止发布的代码的完全重写:

HSSFWorkbook wb = new HSSFWorkbook();
AAAA aaa = new AAAA();          
wb = aaa.getExportXLS(request, response, fileName, wb);
response.setHeader("Expires", "0");
response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
response.setHeader("Pragma", "public");
response.setContentType("application/xls");
response.setHeader("Content-disposition", "attachment; filename=" + fileName);
wb.write(response.getOutputStream());

答案 1 :(得分:1)

需要验证输入和输出,因为请求直接作为方法中的输入。使用ESAPI使用ESAPI中的getValidatedFileContent()验证缓冲区字段。验证fileName注入攻击的fileName字段。此外,任何作为输入请求作为输入的输出的字段都应严格验证。

相关问题
最新问题