跨域资源共享漏洞怎么修复

九三
760
2021-02-07 11:23:50
栏目: 网络安全

跨域资源共享漏洞怎么修复

修复跨域资源共享漏洞的方法

修复代码如下:

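public class RefererFilter implements Filter {

    private static final Logger logger = LoggerFactory.getLogger(RefererFilter.class);

    private static final String ORIGIN = "Origin";

    private static final String REFERER = "referer";

    /**
     * Allowed origins. Each entry is compared by exact string equality against the
     * {@code Origin} header and against the scheme+host part of the {@code Referer}
     * header, so entries must be written as full origins (e.g. {@code https://example.com},
     * including the port when the browser sends one). Exact matching is deliberate:
     * suffix or substring matching would accept look-alike hosts.
     */
    private final List<String> allowDomainList = new ArrayList<>();

    /** Servlet-path patterns (regexes, anchored at the start of the path) that this filter skips. */
    private final List<String> excludes = new ArrayList<>();

    /** Compiled form of {@link #excludes}, built once in {@link #init} instead of on every request. */
    private final List<Pattern> excludePatterns = new ArrayList<>();

    /**
     * Gates requests on the {@code Origin} / {@code Referer} allowlist.
     *
     * <p>Decision order:
     * <ol>
     *   <li>servlet path matches an exclude pattern: pass through;</li>
     *   <li>no allowlist configured: pass through;</li>
     *   <li>no {@code Origin} header: pass through (browsers omit it on same-origin GET
     *       navigations, which is why a missing header is not treated as a violation);</li>
     *   <li>otherwise both the {@code Origin} value and the {@code Referer} origin must be on
     *       the allowlist, else the response is {@code 403} and the chain is not invoked.</li>
     * </ol>
     *
     * <p>Both headers are supplied by the client; this check only raises the bar for
     * browser-initiated cross-site requests. The filter does not emit any CORS response
     * headers itself.
     *
     * @param request  the incoming request; must be an {@link HttpServletRequest}
     * @param response the outgoing response; must be an {@link HttpServletResponse}
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (logger.isDebugEnabled()) {
            logger.debug("referer filter is open");
        }
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Excluded paths and an empty allowlist both mean "nothing to enforce".
        if (handleExcludeURL(req, resp) || allowDomainList.isEmpty()) {
            chain.doFilter(request, response);
            return;
        }

        logger.info("referer过滤");
        String origin = req.getHeader(ORIGIN);
        // Only the scheme+host part of the Referer is compared, never the full URL.
        String referer = getRefererDomain(req.getHeader(REFERER));
        logger.info("origin={}, referer={}", origin, referer);

        boolean allowed = origin == null
                || (allowDomainList.contains(origin) && allowDomainList.contains(referer));
        if (allowed) {
            chain.doFilter(request, response);
        } else {
            // Reject without invoking the rest of the chain; SC_FORBIDDEN is 403.
            resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    /**
     * Reads the {@code excludes} and {@code allowDomainList} init-params (comma-separated),
     * trimming each entry and dropping empty ones, and compiles the exclude patterns once.
     *
     * @param filterConfig the filter configuration supplying the init-params
     * @throws ServletException if an exclude entry is not a valid regular expression
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        if (logger.isDebugEnabled()) {
            logger.debug("referer filter init ====================");
        }

        excludes.addAll(splitParam(filterConfig.getInitParameter("excludes")));
        for (String pattern : excludes) {
            try {
                excludePatterns.add(Pattern.compile("^" + pattern));
            } catch (IllegalArgumentException e) {
                // PatternSyntaxException is an IllegalArgumentException; fail at startup, not per request.
                throw new ServletException("invalid excludes pattern: " + pattern, e);
            }
        }
        logger.info("excludes={}", excludes);

        allowDomainList.addAll(splitParam(filterConfig.getInitParameter("allowDomainList")));
        logger.info("allowDomainList={}", allowDomainList);
    }

    /** Nothing to release; declared so the class also compiles against Servlet API versions without a default {@code destroy()}. */
    @Override
    public void destroy() {
    }

    /**
     * Splits a comma-separated init-param value into trimmed, non-empty entries.
     *
     * @param value the raw init-param value, may be {@code null}
     * @return the entries, or an empty list when {@code value} is {@code null}
     */
    private static List<String> splitParam(String value) {
        List<String> entries = new ArrayList<>();
        if (value == null) {
            return entries;
        }
        for (String item : value.split(",")) {
            // Trim so that "a, b" does not yield an entry " b" that can never match a header value.
            String trimmed = item.trim();
            if (!trimmed.isEmpty()) {
                entries.add(trimmed);
            }
        }
        return entries;
    }

    /**
     * Tells whether the request's servlet path matches one of the configured exclude patterns.
     *
     * @param request  the request whose servlet path is tested
     * @param response unused; kept for signature compatibility
     * @return {@code true} when the path matches an exclude pattern and the filter should be skipped
     */
    private boolean handleExcludeURL(HttpServletRequest request, HttpServletResponse response) {
        if (excludePatterns.isEmpty()) {
            return false;
        }
        String url = request.getServletPath();
        logger.info("校验{}是否需要referer过滤。", url);
        for (Pattern p : excludePatterns) {
            if (p.matcher(url).find()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reduces a Referer URL to its scheme and authority, e.g.
     * {@code https://example.com/a/b?c} becomes {@code https://example.com}.
     *
     * <p>Only {@code http://} and {@code https://} are recognised; any other value, a blank
     * value, {@code null}, or an empty authority ({@code https:///x}) is returned unchanged.
     * Userinfo and port, when present, are kept as part of the authority, so the allowlist
     * entry has to match that form exactly.
     *
     * @param referer the raw Referer header value, may be {@code null}
     * @return the scheme+authority prefix, or the input when it cannot be reduced
     */
    private static String getRefererDomain(String referer) {
        if (referer == null || referer.trim().isEmpty()) {
            return referer;
        }
        int schemeLen;
        if (referer.startsWith("https://")) {
            schemeLen = 8;
        } else if (referer.startsWith("http://")) {
            schemeLen = 7;
        } else {
            return referer;
        }
        int slash = referer.indexOf('/', schemeLen);
        // A slash immediately after the scheme means an empty authority; leave the value as-is.
        if (slash > schemeLen) {
            return referer.substring(0, slash);
        }
        return referer;
    }

}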
