2

I am fixing issues from a code audit report for my module. The issue is an XSS vulnerability. It reports a problem with the statement response.getOutputStream().write(buffer);. How do I fix this? I have done my homework and found that ESAPI, recommended by OWASP, can help me fix it, but how do I implement that? Is the problem in the servlet class? Or is there any other API or anything else that can help me fix it? Please share your relevant experience.

import java.io.BufferedInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.poi.hssf.usermodel.HSSFWorkbook;

// Handler method reconstructed from the posted fragment; AAAA#getExportXLS is the
// poster's own class and is not shown here.
public void exportReport(HttpServletRequest request, HttpServletResponse response, String fileName)
        throws IOException {
    FileOutputStream fos = null;
    FileInputStream fileInputStream = null;
    BufferedInputStream bufferedInputStream = null;
    ByteArrayOutputStream byteArrayOutputStream = null;
    try {
        // Create a "Reports" folder inside the exploded WAR directory.
        ServletContext servletContext = request.getSession().getServletContext();
        File attachmentDir = new File(servletContext.getRealPath("") + File.separator + "Reports");
        String uploadDir = attachmentDir.getPath();
        if (!attachmentDir.exists()) {
            attachmentDir.mkdirs();
        }

        // Build the workbook and write it to a file on disk.
        HSSFWorkbook wb = new HSSFWorkbook();
        AAAA aaa = new AAAA();
        wb = aaa.getExportXLS(request, response, fileName, wb);
        if (request.getSession().getAttribute("SESSION_AAAAA") != null) {
            request.getSession().removeAttribute("SESSION_AAAAA");
        }
        fos = new FileOutputStream(uploadDir + File.separator + fileName);
        wb.write(fos);

        // Read the file back into memory in 1024-byte chunks (0, 1024 and -1 were the
        // undefined named constants INT_ZERO, ONE_ZERO_TWO_FOUR and MINUS_ONE in the original).
        File fileXls = new File(uploadDir + File.separator + fileName);
        fileInputStream = new FileInputStream(fileXls);
        bufferedInputStream = new BufferedInputStream(fileInputStream);
        byteArrayOutputStream = new ByteArrayOutputStream();
        int start = 0;
        int length = 1024;
        int offset = -1;
        byte[] buffer = new byte[length];
        while ((offset = bufferedInputStream.read(buffer, start, length)) != -1) {
            byteArrayOutputStream.write(buffer, start, offset);
        }
        buffer = byteArrayOutputStream.toByteArray();

        // Send the bytes to the client as a download.
        response.setHeader("Expires", "0");
        response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
        response.setHeader("Pragma", "public");
        response.setContentType("application/xls");
        response.setHeader("Content-disposition", "attachment; filename=" + fileName);
        response.setContentLength((int) fileXls.length());
        response.getOutputStream().write(buffer); // --- REPORTED AT THIS LINE
        response.getOutputStream().flush();
    } finally {
        // Release the streams; the posted fragment ended before its catch/finally.
        if (bufferedInputStream != null) bufferedInputStream.close();
        if (fileInputStream != null) fileInputStream.close();
        if (byteArrayOutputStream != null) byteArrayOutputStream.close();
        if (fos != null) fos.close();
    }
}
4

2 Answers

1

You need to validate the input and output, as the request is taken directly as input in the method. Use ESAPI to validate the buffer field using getValidatedFileContent() from ESAPI. Validate the fileName field against the fileName injection attack. Also, any field that is taken as output from a method having the request as input should be validated strictly.

answered 2012-06-29T09:40:15.220
1

This is a false alarm. This servlet returns an XLS file created by Apache POI, not an HTML document. There is no way to mount an XSS attack here.

However, this code is quite clumsy and inefficient. It creates a file in the expanded WAR folder (which is lost anyway when the WAR is redeployed), and then it copies the entire contents into the server's memory instead of writing directly to the response. Probably this clumsy approach confuses the audit tool. You should just pass HttpServletResponse#getOutputStream() to Workbook#write().

Here is a complete rewrite based on the code posted so far:

HSSFWorkbook wb = new HSSFWorkbook();
AAAA aaa = new AAAA();
wb = aaa.getExportXLS(request, response, fileName, wb);
response.setHeader("Expires", "0");
response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
response.setHeader("Pragma", "public");
response.setContentType("application/xls");
response.setHeader("Content-disposition", "attachment; filename=" + fileName);
// Stream the workbook straight to the response: no temp file, no in-memory copy.
wb.write(response.getOutputStream());
answered 2012-06-12T14:12:42.647
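As an added example (not the answerer's code), a servlet that follows the second answer's approach and also addresses the first answer's concern about fileName: the file name is allow-listed before it reaches the Content-Disposition header, the real MIME type plus X-Content-Type-Options: nosniff is set so a browser will not sniff the download as HTML, and the workbook is streamed directly without a temp file. The parameter name fileName, the class name and buildReport() are assumptions standing in for the poster's AAAA.getExportXLS.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.poi.hssf.usermodel.HSSFWorkbook;

// Added example: streams the POI workbook straight to the response, as the second
// answer recommends, and validates the caller-supplied file name before it is
// placed in the Content-Disposition header.
public class ReportDownloadServlet extends HttpServlet {

    // Allow-list: letters, digits, '_' and '-', then a fixed ".xls" suffix. This rejects
    // '/', '\', "..", quotes and CR/LF, so the value can be neither a path component
    // on disk nor a way to smuggle extra response headers.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}\\.xls");

    static boolean isSafeFileName(String name) {
        return name != null && SAFE_NAME.matcher(name).matches();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String fileName = request.getParameter("fileName"); // assumed parameter name
        if (!isSafeFileName(fileName)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid file name");
            return;
        }
        HSSFWorkbook wb = buildReport(); // hypothetical stand-in for AAAA.getExportXLS

        response.setHeader("Expires", "0");
        response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
        response.setHeader("Pragma", "public");
        // Real MIME type for legacy .xls; nosniff stops browsers from second-guessing it
        // and rendering the body as HTML, which is the scenario an XSS finding here fears.
        response.setContentType("application/vnd.ms-excel");
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
        wb.write(response.getOutputStream()); // no temp file, no in-memory copy
        response.getOutputStream().flush();
    }

    private HSSFWorkbook buildReport() {
        HSSFWorkbook wb = new HSSFWorkbook(); // constructed sample content
        wb.createSheet("Report").createRow(0).createCell(0).setCellValue("sample");
        return wb;
    }
}
```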