Added more filters on XSS and implemented basic SQL injection filter

References #151791
eea · Jul 11, 2022 · 2e6efc7 · 2e6efc7
1 parent 530fa01
commit 2e6efc7
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 2 deletions.
diff --git a/web/src/main/java/ro/finsiel/eunis/security/SqlInjectFilter.java b/web/src/main/java/ro/finsiel/eunis/security/SqlInjectFilter.java
@@ -0,0 +1,72 @@
+package ro.finsiel.eunis.security;
+
+import org.apache.log4j.Logger;
+import java.io.IOException;
+import java.util.Enumeration;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * SQL injection filter
+ *
+ * @author CSDN: seesun2012
+ */
+public class SqlInjectFilter implements Filter {
+
+    private String[] filters;
+    private static Logger logger = Logger.getLogger(SqlInjectFilter.class);
+
+    /**
+     * Filers request parameters for SQL injection attempts
+     * @param request HTTP request
+     * @param response HTTP response
+     * @param chain Filter chain
+     * @throws IOException
+     * @throws ServletException
+     */
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        HttpServletRequest httprequest = (HttpServletRequest) request;
+        Enumeration<?> params = httprequest.getParameterNames();
+        StringBuilder sql = new StringBuilder();
+        while(params.hasMoreElements()) {
+            String name = params.nextElement().toString();
+            String[] value = httprequest.getParameterValues(name);
+            for (String s : value) {
+                sql.append(s);
+            }
+        }
+
+        if(containsFilteredChars(sql.toString())) {
+            HttpServletResponse r = (HttpServletResponse) response;
+            r.sendError(HttpServletResponse.SC_BAD_REQUEST);
+        } else{
+            chain.doFilter(request, response);
+        }
+    }
+
+    private boolean containsFilteredChars(String str) {
+        for (String badStr : filters) {
+            if (str.contains(badStr)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+        String sqlInjectStrList = filterConfig.getInitParameter("sqlInjectStrList");
+        filters = sqlInjectStrList.split("\\|");
+    }
+
+    @Override
+    public void destroy() {
+    }
+}
diff --git a/web/src/main/java/ro/finsiel/eunis/security/XSSRequestWrapper.java b/web/src/main/java/ro/finsiel/eunis/security/XSSRequestWrapper.java
@@ -38,6 +38,8 @@ public class XSSRequestWrapper extends HttpServletRequestWrapper {
             // onload(...)=... onload(.*?)=(.*?)
             Pattern.compile("onload=prompt(.*?)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
             Pattern.compile("onload(.*?)=(.*?)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
+            Pattern.compile("\"(.*?)>", Pattern.CASE_INSENSITIVE),
+            Pattern.compile("'(.*?)>", Pattern.CASE_INSENSITIVE),
     };
 
     public XSSRequestWrapper(HttpServletRequest servletRequest) {

diff --git a/web/src/main/webapp/META-INF/context.xml b/web/src/main/webapp/META-INF/context.xml
@@ -5,9 +5,9 @@
         name="jdbc/liquibase"
         auth="Container"
         type="javax.sql.DataSource"
-        maxActive="30"
+        maxTotal="30"
         maxIdle="30"
-        maxWait="10000"
+        maxWaitMillis="10000"
         username="${mysql.user}"
         password="${mysql.password}"
         driverClassName="${mysql.driver}"

diff --git a/web/src/main/webapp/WEB-INF/web.xml b/web/src/main/webapp/WEB-INF/web.xml
@@ -467,6 +467,20 @@
         <filter-class>ro.finsiel.eunis.security.XSSFilter</filter-class>
     </filter>
 
+    <filter>
+        <filter-name>SqlInjectFilter</filter-name>
+        <filter-class>ro.finsiel.eunis.security.SqlInjectFilter</filter-class>
+        <!-- Filter the parameters passed in the foreground, you can manually add or delete, split by "|" -->
+        <init-param>
+            <param-name>sqlInjectStrList</param-name>
+            <param-value>"|'|‘|;|-|--|+|//|/|*|%|#</param-value>
+        </init-param>
+    </filter>
+    <filter-mapping>
+        <filter-name>SqlInjectFilter</filter-name>
+        <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <filter>
         <filter-name>RdfFilter</filter-name>
         <filter-class>eionet.eunis.rdf.RdfFilter</filter-class>