我正在针对模块的代码审核报告修复问题。问题是XSS漏洞。
它已报告语法问题
response.getOutputStream()。write(buffer);
如何解决?
我做了足够的家庭作业,发现OWASP建议的ESAPI可以帮助我修复它,但是如何实现呢?问题出在servlet类中吗?
或任何其他api或其他任何可以帮助我修复它的东西?
请分享您的相关经验。
FileOutputStream fos = null;
FileInputStream fileInuptStream =null;
BufferedInputStream bufferedInputStream = null;
ByteArrayOutputStream byteArrayOutputStream =null;
try{
ServletContext servletContext = request.getSession().getServletContext();
File attachmentDir = new File(servletContext.getRealPath("")+File.separator+"Reports" );
String uploadDir=attachmentDir.getPath();
if (!attachmentDir.exists()) {
attachmentDir.mkdirs();
}
HSSFWorkbook wb= new HSSFWorkbook();
AAAA aaa=new AAAA();
wb=aaa.getExportXLS(request, response, fileName, wb);
if(request.getSession().getAttribute("SESSION_AAAAA")!=null){
request.getSession().removeAttribute("SESSION_AAAAA");
}
fos=new FileOutputStream(uploadDir+File.separator+fileName);
wb.write(fos);
File fileXls=new File(uploadDir+File.separator+fileName);
fileInuptStream = new FileInputStream(fileXls);
bufferedInputStream = new BufferedInputStream(fileInuptStream);
byteArrayOutputStream = new ByteArrayOutputStream();
int start = INT_ZERO;
int length = ONE_ZERO_TWO_FOUR;
int offset = MINUS_ONE;
byte [] buffer = new byte [length];
while ((offset = bufferedInputStream.read(buffer, start, length)) != -1)
byteArrayOutputStream.write(buffer, start, offset);
buffer = byteArrayOutputStream.toByteArray();
response.setHeader("Expires", "0");
response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
response.setHeader("Pragma", "public");
response.setContentType("application/xls");
response.setHeader("Content-disposition","attachment; filename="+fileName );
response.setContentLength((int ) fileXls.length());
response.getOutputStream().write(buffer); --- REPORTED AT THIS LINE
response.getOutputStream().flush();
最佳答案
这是一个错误的警告。该Servlet返回的是由Apache POI创建的XLS文件,而不是HTML文档。不可能存在XSS攻击的手段。
但是,此代码非常笨拙且效率低下。它正在扩展的WAR文件夹中创建一个文件(无论何时重新部署WAR都会丢失该文件),然后将其全部内容完全复制到服务器的内存中,而不是直接写入响应。这种笨拙的方法可能使审计工具感到困惑。您应该只将HttpServletResponse#getOutputStream()
传递给Workbook#write()
。
这是基于到目前为止发布的代码的完整重写:
HSSFWorkbook wb = new HSSFWorkbook();
AAAA aaa = new AAAA();
wb = aaa.getExportXLS(request, response, fileName, wb);
response.setHeader("Expires", "0");
response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
response.setHeader("Pragma", "public");
response.setContentType("application/xls");
response.setHeader("Content-disposition", "attachment; filename=" + fileName);
wb.write(response.getOutputStream());