
我正在使用 Checkmarx 来分析我的项目,唯一剩下的中等严重性项目是Missing_HSTS_Filter,目标名称是HSTSFilter。在我的web.xml,我有:

<filter>
    <filter-name>HSTSFilter</filter-name> <!-- checkmarx says problem is here -->
    <filter-class>c.h.i.c.web.security.HSTSFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <!-- "/*" routes every request path through the filter; whether the header is
         actually emitted is decided inside HSTSFilter (only on secure requests) -->
    <url-pattern>/*</url-pattern>
</filter-mapping>

HSTSFilter班级:

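/**
 * Adds a {@code Strict-Transport-Security} header to responses of secure requests.
 *
 * <p>The original version declared neither {@code init} nor {@code destroy}; on
 * Servlet 3.0 containers such as Tomcat 7 both are abstract on {@link Filter}, so
 * they are provided here as no-ops. The cast of the response is now guarded by an
 * {@code instanceof} check instead of failing with a {@code ClassCastException}.
 */
public class HSTSFilter implements Filter {
    /** One year (366 days) in seconds, applied to all subdomains as well. */
    private static final String HSTS_VALUE = "max-age=31622400; includeSubDomains";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No init-params are read; the header value is fixed.
    }

    /**
     * Sets the HSTS header when the request arrived over a secure channel, then
     * continues the chain.
     *
     * @param req   the incoming request
     * @param res   the outgoing response; the header is only set if it is an HTTP response
     * @param chain the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        // Only send HSTS over TLS: user agents ignore the header on plain HTTP, and
        // emitting it there would give a false sense of coverage.
        // NOTE(review): behind a TLS-terminating proxy isSecure() is false unless the
        // container is configured to trust the proxy's forwarded-proto information.
        if (req.isSecure() && res instanceof HttpServletResponse) {
            // setHeader rather than addHeader: a second HSTS header would be ignored by
            // clients and only adds noise.
            ((HttpServletResponse) res).setHeader("Strict-Transport-Security", HSTS_VALUE);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}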

所以我尝试了其他方法,因为我使用的是 Tomcat 7,所以我尝试在以下位置添加以下内容web.xml

<filter> <!-- checkmarx now complains here -->
    <filter-name>httpHeaderSecurity</filter-name>
    <!-- Tomcat's bundled filter; it emits HSTS only for secure requests -->
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <!-- max-age of the HSTS policy; 31622400 s = 366 days -->
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31622400</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- applies to client requests only, not to FORWARD/INCLUDE/ERROR dispatches -->
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Checkmarx 仍然在抱怨,说这次的目的地名称是StatementCollection. 我不明白那是什么意思。

我错过了什么?



I got this error in the Checkmarx violations for a JSP where a scriptlet tag is used to execute Java source code. The syntax is as follows: <% java source code %>

So I fixed it just by providing 

<% response.setHeader("Strict-Transport-Security" ,"max-age=7776000" ); %>

I also made changes in the Java code (a filter class) and in web.xml:

web.xml : 

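    <filter>
        <filter-name>HSTSFilter</filter-name>
        <filter-class>com.abc.gbm.test.config.HSTSFilter</filter-class>
        <init-param>
            <!-- HSTS max-age in seconds; 31536000 s = 365 days -->
            <param-name>maxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>

        <init-param>
            <!-- read with "true".equals(...) in HSTSFilter.init, so only the literal "true" enables it -->
            <param-name>includeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>HSTSFilter</filter-name>
        <!-- was "*": the Servlet spec only allows path ("/…/*"), extension ("*.ext"),
             exact and default ("/") patterns, and Tomcat rejects a bare "*" at deployment;
             "/*" is the form that matches every request -->
        <url-pattern>/*</url-pattern>
    </filter-mapping>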
    

Java class filter : 
package com.abc.gbm.test.config;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

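/**
 * Servlet filter that adds a {@code Strict-Transport-Security} header to the
 * response of every secure request.
 *
 * <p>Configured through two init-params: {@code maxAgeSeconds} (required, positive
 * integer) and {@code includeSubDomains} (optional, the literal {@code "true"}
 * enables it). The header value is assembled once in {@link #init(FilterConfig)}.
 *
 * <p>Changes from the original: a missing or non-numeric {@code maxAgeSeconds} now
 * fails with a {@link ServletException} carrying the offending value instead of an
 * unchecked {@code NumberFormatException}; the per-request log line is at debug
 * level; the startup {@code System.out.println} goes through the logger; and the
 * header is set with {@code setHeader} so it cannot be duplicated.
 */
public class HSTSFilter implements Filter {
 private static final String HEADER_NAME = "Strict-Transport-Security";
 private static final String MAX_AGE_DIRECTIVE = "max-age=%s";
 private static final String INCLUDE_SUB_DOMAINS_DIRECTIVE = "includeSubDomains";
 private static final Logger logger = LoggerFactory.getLogger(HSTSFilter.class);

 // Populated in init(); the container calls init() before any doFilter().
 private int maxAgeSeconds = 0;
 private boolean includeSubDomains = false;
 // Complete header value, e.g. "max-age=31536000 ; includeSubDomains".
 private String directives;

 /**
  * Adds the HSTS header when the request is secure and the response is an HTTP
  * response, then continues the chain.
  *
  * @param request  the incoming request
  * @param response the outgoing response
  * @param chain    the remaining filter chain
  * @throws IOException      propagated from the chain
  * @throws ServletException propagated from the chain
  */
 @Override
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
   throws IOException, ServletException {
  // Debug, not info: this runs on every request.
  logger.debug("request.isSecure() :: {}", request.isSecure());

  // HSTS is only meaningful over TLS; user agents ignore it on plain HTTP.
  // NOTE(review): behind a TLS-terminating proxy isSecure() is false unless the
  // container trusts the proxy's forwarded-proto information.
  if (request.isSecure() && response instanceof HttpServletResponse) {
   // setHeader (not addHeader): a second HSTS header is ignored by clients anyway.
   ((HttpServletResponse) response).setHeader(HEADER_NAME, directives);
  }
  chain.doFilter(request, response);
 }

 /**
  * Reads {@code maxAgeSeconds} and {@code includeSubDomains} and builds the header value.
  *
  * @param filterConfig the filter's configuration from web.xml
  * @throws ServletException if {@code maxAgeSeconds} is missing, not an integer, or not positive
  */
 @Override
 public void init(FilterConfig filterConfig) throws ServletException {
  String maxAgeParam = filterConfig.getInitParameter("maxAgeSeconds");
  if (maxAgeParam == null) {
   throw new ServletException("Missing required init-param maxAgeSeconds");
  }
  try {
   maxAgeSeconds = Integer.parseInt(maxAgeParam.trim());
  } catch (NumberFormatException e) {
   // Keep the cause so the deployment log shows what was actually configured.
   throw new ServletException("Invalid maxAgeSeconds value :: " + maxAgeParam, e);
  }
  includeSubDomains = "true".equals(filterConfig.getInitParameter("includeSubDomains"));

  if (maxAgeSeconds <= 0) {
   throw new ServletException("Invalid maxAgeSeconds value :: " + maxAgeSeconds);
  }

  directives = String.format(MAX_AGE_DIRECTIVE, maxAgeSeconds);
  if (includeSubDomains) {
   directives += (" ; " + INCLUDE_SUB_DOMAINS_DIRECTIVE);
  }
  logger.info("directives :: {}", directives);
 }

 @Override
 public void destroy() {
  // Nothing to release.
 }
}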
于 2021-12-30T05:47:56.700 回答

奇怪的事情。您确实使用了正确的配置。根据这个 Checkmarx 规则,我在一些扫描中发现了很多 False Positive。无论如何,尝试将此行添加到过滤器配置中的 web.xml 中:

<!-- both params belong to Tomcat's HttpHeaderSecurityFilter (the second web.xml
     variant in the question) -->
<init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
</init-param>

<init-param>
    <!-- already true by default in that filter; stating it explicitly is harmless -->
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
</init-param>
于 2019-10-04T09:11:45.817 回答