为什么非常大的字符串抛出java.lang.StackOverflow在针对XSS攻击模式进行验证时出现异常

时间:2013-05-17 12:30:54

标签: java regex stack-overflow

我的要求是,我使用白名单正则表达式模式来避免xss和sql注入,因为我在字符串中允许的字符为([A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|(?<!-)-)*

简而言之,下面的测试用例应该成功运行

import java.util.regex.Pattern;   
public class XSSAttackTest {

    private static Pattern xssAttackPattern;

    private static final String XSS_ATTACK_REGULAR_EXPRESSION1 = "([A-Za-z0-9,\\(\\)\\[\\]\\{\\}\"\\:./_\\s]|(?<!-)-)*";

    public static Pattern getXSSAttackPattern() {
        xssAttackPattern = Pattern.compile(XSS_ATTACK_REGULAR_EXPRESSION1);
        return xssAttackPattern;
    }

    public static boolean hasXSSAttackOrSQLInjection1(String value) {

        if (getXSSAttackPattern().matcher(value).matches()) {
            return true;
        }
        return false;
    }

    public static void main(String arg[]) {

        System.out.println(" :::::: Regular Expression ::::::");
        XSSAttackTest();

    }

    private static void XSSAttackTest() {

        String jsonWithoutDobuleQuote = "{systemaddress:10:9A:DD:54:BA:3F,name:0541cb61fe0c37002f15df342df18a912689875f75159335d936e281f9098a78c598334cf59dc9bcf55dd4614097effd874194b47d19194b5e7d0aa3a61290a2b5e90323ef3967571499a820af8424f935b35c36ea34fd83b08fdf14c3b454c6962b36e9de4b1bc75e793832b59efb9648cb04f7153e0b3c1c648e64154d9b05,number:c097a8c8a481e0b50911d96b8d15ca326bcb47c1056cfae7552f23fa6ba179bf48c4b32aecd42e23c76b148e057ce0acdacba8fb7cf93619aca18b7dfcf931511b7b7889db2703ec9b48fe68c713205f5333ffc4abbce8489d32fe6a54c518d24a1774f864964379497276f38d7b8611d54c035339922efe9ea0b1b4266a1d64,zip:521bf5503247d51cf2a2997fc7e2fd7055cb62c352bb1bacbf4d8af0e45984ab8becb4ce4ef824b2740591574317a6548231b831f2b2b73421d25a2b979ce10cebe4b52f555793909cbfa09d9617d4fdba4632f896bd43113381dea8cbc66cc8bb5cffdbd3d45b73d9e6dfb56b998f5e44568e9e7a419c75998acd3d5898f048,ssn:98c07a39f46b6fcbcc331510cb698f2fc331590b4033ef51ff86649283e99396aa48769b563511978fce652f41be98d326a62033176f9a5bfccfd9270e69316ebe3f6152d280bc83782c31d17c4b5d34df7c3107601bb5bb19968056d921b435aa62fc0855c5c57f249eedc9bb581379def31354d5afab5180c8ab63ac7a743e,Provider:xyz,deviceModel:iPhone Simulator,id:1731368714731871}";

        System.out.println("String::" + jsonWithoutDobuleQuote + "::Result::"
                + hasXSSAttackOrSQLInjection1(jsonWithoutDobuleQuote));

    }
}

当我运行上面的代码抛出异常时,我在这里尝试检查代码中的给定字符串是否包含XSS倾向字符

Exception in thread "main" java.lang.StackOverflowError
at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)
at java.util.regex.Pattern$6.isSatisfiedBy(Pattern.java:4763)

1 个答案:

答案 0 :(得分:1)

这是您不应该使用自己的安全机制的主要示例。您想使用OWASP项目来解决此类问题。

documentation
 例如:

 String safe = ESAPI.encoder().encodeForHTMLAttribute  
         ( request.getParameter( "input" ) );

和消毒剂:

  import org.owasp.html.Sanitizers;
  import org.owasp.html.PolicyFactory;
  PolicyFactory sanitizer = Sanitizers.FORMATTING.and(Sanitizers.BLOCKS);
  String cleanResults = sanitizer.sanitize("<p>Hello, <b>World!</b>");