ESAPI自定义配置文件路径
原文链接文章目录前言一、pom依赖二、ESAPI配置文件1.ESAPI.properties2.validation.properties3.esapi-java-logging.properties4.antisamy-esapi.xml5.配置文件放置位置6.自定义配置文件路径,封装ESAPI方法一、pom依赖<dependency><groupId>org.owasp
·
文章目录
前言
一、pom依赖
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.2.3.0</version>
<!-- 如果项目中没有引入其他日志框架,可以不排除 -->
<exclusions>
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
</exclusion>
</exclusions>
</dependency>
为什么需要排除slf4j,因为我的项目中用了logback日志框架,如果不排除slf4j则项目中有两个日志实现框架,这样项目将启动失败
二、ESAPI配置文件
1.ESAPI.properties
2.validation.properties
3.esapi-java-logging.properties
4.antisamy-esapi.xml
5.配置文件放置位置
6.自定义配置文件路径,封装ESAPI方法
二、ESAPI配置文件
官方配置文件都在github官网上。
官网链接
1.ESAPI.properties
ESAPI.printProperties=true
# 这个地方是配置ESAPI的实现类,项目中用到那个就选择性配置即可
ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder
ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator
# 以下是选择性配置,可以在官网找到对应的介绍
ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory
Encoder.AllowMultipleEncoding=false
Encoder.AllowMixedEncoding=false
Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
Logger.ApplicationName=ExampleApplication
Logger.LogEncodingRequired=false
Logger.LogApplicationName=true
Logger.LogServerIP=true
Logger.LogFileName=ESAPI_logging_file
Logger.MaxLogFileSize=10000000
Logger.UserInfo=true
Logger.ClientInfo=true
2.validation.properties
Validator.SafeString=^[.\\p{Alnum}\\p{Space}]{0,1024}$
Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\\.[a-zA-Z]{2,4}$
Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$
Validator.URL=^(ht|f)tp(s?)\\:\\/\\/[0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*(:(0-9)*)*(\\/?)([a-zA-Z0-9\\-\\.\\?\\,\\:\\'\\/\\\\\\+=&;%\\$#_]*)?$
Validator.CreditCard=^(\\d{4}[- ]?){3}\\d{4}$
Validator.SSN=^(?!000)([0-6]\\d{2}|7([0-6]\\d|7[012]))([ -]?)(?!00)\\d\\d\\3(?!0000)\\d{4}$
3.esapi-java-logging.properties
handlers= java.util.logging.ConsoleHandler.level= INFO
java.util.logging.ConsoleHandler.level = INFO
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.SimpleFormatter.format=[%1$tF %1$tT] [%3$-7s] %5$s %n
4.antisamy-esapi.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
W3C rules retrieved from:
http://www.w3.org/TR/html401/struct/global.html
-->
<!--
Slashdot allowed tags taken from "Reply" page:
<b> <i> <p> <br> <a> <ol> <ul> <li> <dl> <dt> <dd> <em> <strong> <tt> <blockquote> <div> <ecode> <quote>
-->
<anti-samy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="antisamy.xsd">
<directives>
<directive name="omitXmlDeclaration" value="true"/>
<directive name="omitDoctypeDeclaration" value="true"/>
<directive name="maxInputSize" value="500000"/>
<directive name="embedStyleSheets" value="false"/>
</directives>
<common-regexps>
<!--
From W3C:
This attribute assigns a class name or set of class names to an
element. Any number of elements may be assigned the same class
name or names. Multiple class names must be separated by white
space characters.
-->
<regexp name="htmlTitle" value="[a-zA-Z0-9\s-_',:\[\]!\./\\\(\)]*"/> <!-- force non-empty with a '+' at the end instead of '*' -->
<regexp name="onsiteURL" value="([\w\\/\.\?=&;\#-~]+|\#(\w)+)"/>
<regexp name="offsiteURL" value="(\s)*((ht|f)tp(s?)://|mailto:)[A-Za-z0-9]+[~a-zA-Z0-9-_\.@#$%&;:,\?=/\+!]*(\s)*"/>
</common-regexps>
<!--
Tag.name = a, b, div, body, etc.
Tag.action = filter: remove tags, but keep content, validate: keep content as long as it passes rules, remove: remove tag and contents
Attribute.name = id, class, href, align, width, etc.
Attribute.onInvalid = what to do when the attribute is invalid, e.g., remove the tag (removeTag), remove the attribute (removeAttribute), filter the tag (filterTag)
Attribute.description = What rules in English you want to tell the users they can have for this attribute. Include helpful things so they'll be able to tune their HTML
-->
<!--
Some attributes are common to all (or most) HTML tags. There aren't many that qualify for this. You have to make sure there's no
collisions between any of these attribute names with attribute names of other tags that are for different purposes.
-->
<common-attributes>
<attribute name="lang" description="The 'lang' attribute tells the browser what language the element's attribute values and content are written in">
<regexp-list>
<regexp value="[a-zA-Z]{2,20}"/>
</regexp-list>
</attribute>
<attribute name="title" description="The 'title' attribute provides text that shows up in a 'tooltip' when a user hovers their mouse over the element">
<regexp-list>
<regexp name="htmlTitle"/>
</regexp-list>
</attribute>
<attribute name="href" onInvalid="filterTag">
<regexp-list>
<regexp name="onsiteURL"/>
<regexp name="offsiteURL"/>
</regexp-list>
</attribute>
<attribute name="align" description="The 'align' attribute of an HTML element is a direction word, like 'left', 'right' or 'center'">
<literal-list>
<literal value="center"/>
<literal value="left"/>
<literal value="right"/>
<literal value="justify"/>
<literal value="char"/>
</literal-list>
</attribute>
</common-attributes>
<!--
This requires normal updates as browsers continue to diverge from the W3C and each other. As long as the browser wars continue
this is going to continue. I'm not sure war is the right word for what's going on. Doesn't somebody have to win a war after
a while?
-->
<global-tag-attributes>
<attribute name="title"/>
<attribute name="lang"/>
</global-tag-attributes>
<tag-rules>
<!-- Tags related to JavaScript -->
<tag name="script" action="remove"/>
<tag name="noscript" action="remove"/>
<!-- Frame & related tags -->
<tag name="iframe" action="remove"/>
<tag name="frameset" action="remove"/>
<tag name="frame" action="remove"/>
<tag name="noframes" action="remove"/>
<!-- All reasonable formatting tags -->
<tag name="p" action="validate">
<attribute name="align"/>
</tag>
<tag name="div" action="validate"/>
<tag name="i" action="validate"/>
<tag name="b" action="validate"/>
<tag name="em" action="validate"/>
<tag name="blockquote" action="validate"/>
<tag name="tt" action="validate"/>
<tag name="br" action="truncate"/>
<!-- Custom Slashdot tags, though we're trimming the idea of having a possible mismatching end tag with the endtag="" attribute -->
<tag name="quote" action="validate"/>
<tag name="ecode" action="validate"/>
<!-- Anchor and anchor related tags -->
<tag name="a" action="validate">
<attribute name="href" onInvalid="filterTag"/>
<attribute name="nohref">
<literal-list>
<literal value="nohref"/>
<literal value=""/>
</literal-list>
</attribute>
<attribute name="rel">
<literal-list>
<literal value="nofollow"/>
</literal-list>
</attribute>
</tag>
<!-- List tags -->
<tag name="ul" action="validate"/>
<tag name="ol" action="validate"/>
<tag name="li" action="validate"/>
</tag-rules>
<!-- No CSS on Slashdot posts -->
<css-rules>
</css-rules>
</anti-samy-rules>
5.配置文件放置位置
如果我们对配置文件路径没有自定义配置,那么ESAPI会从默认路径中读取配置文件。
默认路径如下:
esapi.jar路径:Not found in ‘org.owasp.esapi.resources’ directory or file not readable
系统资源路径: Not found in SystemResource Directory/resourceDirectory: .esapi\validation.properties
系统user.name目录: Not found in ‘user.home’ (C:\Users\myhome) directory: C:\Users\myhome\esapi\validation.properties
我们如果把配置文件放在以上默认读取路径上,ESAPI读取到配置文件后也是可以正常执行的。但关键是这并不能满足我们的要求,我们希望项目在打包时把配置文件打进jar包、war包。
ESAPI的设计者也一定想到了这一点,所以给了我们设置自定义配置文件路径的方式。
默认读取的配置方法:
如果不自定义配置,那么ESAPI将走这个默认配置。而默认实现是 DefaultSecurityConfiguration。这个配置文件的读取配置文件的方式是:
// 此时我们如果把配置文件放在/src/main/resource目录下
this.getResourceFile(filename);
// 读取不到我们的配置文件,因为他的类加载方式与springBoot不一样。具体没有深究,研究完类加载机制的双亲委派模型之后再来补充。
第一步我们先重写读取配置的方法:
```java
package com.github.common.config;
import org.owasp.esapi.reference.DefaultSecurityConfiguration;
import java.io.IOException;
import java.io.InputStream;
/**
* 重写ESAPI读取配置文件方法
*
* @author utrix
*/
public class ESAPIConfiguration extends DefaultSecurityConfiguration {
@Override
public InputStream getResourceStream(String filename) throws IOException {
// 通过类加载器读取resource目录下的配置文件,这个filename就是ESAPI.properties
return ClassLoader.getSystemResourceAsStream(filename);
}
}
第二步使我们的重写方法生效:
重写配置的静态方法:
至此只要通过ESAPI的override()方法注入我们自定义的ESAPIConfiguration 类即可。
6.自定义配置文件路径,封装ESAPI方法:
```java
package com.github.util;
import cn.hutool.core.util.StrUtil;
import com.github.pig.admin.common.config.ESAPIConfiguration;
import lombok.SneakyThrows;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Validator;
/**
* ESAPI工具类
*
* @author utrix
*/
public class EsapiUtil {
private static final Validator VALIDATOR;
/**
* 请求体最大报文长度10万字符
*/
private static final int MAX_MESSAGE_LENGTH = 10 * 10000;
static {
// 通过静态方法注入我们重写读取配置文件的类
ESAPI.override(new ESAPIConfiguration());
VALIDATOR = ESAPI.validator();
}
/**
* 对输入的文本,如果存在xss攻击,则转义
*
* @param str 输入的文本
* @return java.lang.String 如果输入的为空,则返回
*/
@SneakyThrows
public static String xssEncode(String str) {
return StrUtil.isEmpty(str) ? str : VALIDATOR.getValidSafeHTML(EsapiUtil.class.getSimpleName(), str, MAX_MESSAGE_LENGTH, true);
}
}
至此:我们就可以把ESAPI的配置文件放到项目/src/main/resource目录下,并打入jar、war包了
为开发者提供学习成长、分享交流、生态实践、资源工具等服务,帮助开发者快速成长。
更多推荐
5
1- 0
已为社区贡献1条内容
所有评论(0)