spring
Applying lucy-xss-servlet-filter in Spring
개몽구리
2019. 1. 23. 18:21
Environment: Spring 5 / Maven / JDK 1.7 / Tomcat 7.0
Step 1)
pom.xml

```xml
<!-- xss servlet filter -->
<dependency>
  <groupId>com.navercorp.lucy</groupId>
  <artifactId>lucy-xss-servlet</artifactId>
  <version>2.0.0</version>
</dependency>
```

Add the XSS servlet filter dependency.
Step 2)
web.xml

```xml
<!-- xss servlet filter -->
<filter>
  <filter-name>xssEscapeServletFilter</filter-name>
  <filter-class>com.navercorp.lucy.security.xss.servletfilter.XssEscapeServletFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>xssEscapeServletFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Add xssEscapeServletFilter.
(xssEscapeServletFilter must be mapped after CharacterEncodingFilter, otherwise it sees parameters before the request encoding has been set.)
Step 3)
Create the filter configuration file in the resources directory (the author names it lucy-xss-sax.xml; note that this configuration itself points to lucy-xss-sax.xml and lucy-xss.xml as the rule files for the SAX and DOM defenders, so those rule files must exist as separate files).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.navercorp.com/lucy-xss-servlet">
  <defenders>
    <!-- Register XssPreventer -->
    <defender>
      <name>xssPreventerDefender</name>
      <class>com.navercorp.lucy.security.xss.servletfilter.defender.XssPreventerDefender</class>
    </defender>

    <!-- Register XssSaxFilter -->
    <defender>
      <name>xssSaxFilterDefender</name>
      <class>com.navercorp.lucy.security.xss.servletfilter.defender.XssSaxFilterDefender</class>
      <init-param>
        <param-value>lucy-xss-sax.xml</param-value> <!-- lucy-xss-filter rule file for the SAX filter -->
        <param-value>false</param-value>            <!-- whether to leave a comment where content was filtered; false recommended for performance -->
      </init-param>
    </defender>

    <!-- Register XssFilter -->
    <defender>
      <name>xssFilterDefender</name>
      <class>com.navercorp.lucy.security.xss.servletfilter.defender.XssFilterDefender</class>
      <init-param>
        <param-value>lucy-xss.xml</param-value> <!-- lucy-xss-filter rule file for the DOM filter -->
        <param-value>false</param-value>        <!-- whether to leave a comment where content was filtered; false recommended for performance -->
      </init-param>
    </defender>
  </defenders>

  <!-- Default defender: when no other defender is specified, filtering uses this one. -->
  <default>
    <defender>xssSaxFilterDefender</defender>
  </default>

  <!-- Global filtering rules -->
  <global>
    <!-- The globalParameter parameter is not filtered on any URL, and neither is any
         parameter whose name starts with globalPrefixParameter. -->
    <params>
      <param name="globalParameter" useDefender="false" />
      <param name="globalPrefixParameter" usePrefix="true" useDefender="false" />
    </params>
  </global>

  <!-- Per-URL filtering rules -->
  <url-rule-set>
    <!--
    If url disable is true, none of the parameters on the given URL are filtered.
    <url-rule>
      <url disable="true">/disableUrl1.do</url>
    </url-rule>

    On url1, url1Parameter is not filtered, and neither is any parameter starting with url1PrefixParameter.
    <url-rule>
      <url>/url1.do</url>
      <params>
        <param name="url1Parameter" useDefender="false" />
        <param name="url1PrefixParameter" usePrefix="true" useDefender="false" />
      </params>
    </url-rule>

    On url2, only url2Parameter1 is left unfiltered; url2Parameter2 is filtered with xssSaxFilterDefender.
    <url-rule>
      <url>/url2.do</url>
      <params>
        <param name="url2Parameter1" useDefender="false" />
        <param name="url2Parameter2">
          <defender>xssSaxFilterDefender</defender>
        </param>
      </params>
    </url-rule>
    -->
  </url-rule-set>
</config>
```

If per-URL filtering rules are needed, configure the commented-out section. Every parameter or URL that is excluded here reaches the application unfiltered, so keep the exclusion list as small as possible.
Step 4)
Because the filter also strips the HTML tags an editor needs when writing posts, a detailed elementRule configuration is required. Create lucy-xss-sax.xml in the same location as in step 3. Note that this rule set leaves elements such as iframe, object, embed, applet, form, meta, link and style allowed; drop any element the editor does not actually need.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="http://www.nhncorp.com/lucy-xss">
  <elementRule>
    <element name="p"/>
    <element name="a"/>
    <element name="abbr"/>
    <element name="acronym"/>
    <element name="address"/>
    <element name="applet"/>
    <element name="area"/>
    <element name="b"/>
    <element name="base"/>
    <element name="basefont"/>
    <element name="bdo"/>
    <element name="big"/>
    <element name="blockquote"/>
    <element name="body"/>
    <element name="br"/>
    <element name="button"/>
    <element name="caption"/>
    <element name="center"/>
    <element name="cite"/>
    <element name="code"/>
    <element name="col"/>
    <element name="colgroup"/>
    <element name="dd"/>
    <element name="del"/>
    <element name="dfn"/>
    <element name="dir"/>
    <element name="div"/>
    <element name="dl"/>
    <element name="dt"/>
    <element name="em"/>
    <element name="embed"/>
    <element name="fieldset"/>
    <element name="font"/>
    <element name="form"/>
    <element name="frame"/>
    <element name="frameset"/>
    <element name="h1"/>
    <element name="h2"/>
    <element name="h3"/>
    <element name="h4"/>
    <element name="h5"/>
    <element name="h6"/>
    <element name="head"/>
    <element name="hr"/>
    <element name="html"/>
    <element name="i"/>
    <element name="iframe"/>
    <element name="img"/>
    <element name="input"/>
    <element name="ins"/>
    <element name="isindex"/>
    <element name="kbd"/>
    <element name="label"/>
    <element name="legend"/>
    <element name="li"/>
    <element name="link"/>
    <element name="map"/>
    <element name="marquee"/>
    <element name="menu"/>
    <element name="meta"/>
    <element name="nobr"/>
    <element name="noframes"/>
    <element name="noscript"/>
    <element name="object"/>
    <element name="ol"/>
    <element name="optgroup"/>
    <element name="option"/>
    <element name="param"/>
    <element name="pre"/>
    <element name="q"/>
    <element name="rt"/>
    <element name="ruby"/>
    <element name="s"/>
    <element name="samp"/>
    <!-- script stays commented out so that it is filtered -->
    <!-- <element name="script"/> -->
    <element name="select"/>
    <element name="small"/>
    <element name="span"/>
    <element name="strike"/>
    <element name="strong"/>
    <element name="style"/>
    <element name="sub"/>
    <element name="sup"/>
    <element name="table"/>
    <element name="tbody"/>
    <element name="td"/>
    <element name="textarea"/>
    <element name="tfoot"/>
    <element name="th"/>
    <element name="thead"/>
    <element name="title"/>
    <element name="tr"/>
    <element name="tt"/>
    <element name="u"/>
    <element name="ul"/>
    <element name="var"/>
    <element name="wbr"/>
    <element name="xml"/>
    <element name="xmp"/>
    <!-- HTML5 added at 2012.04.10 Start -->
    <element name="article"/>
    <element name="aside"/>
    <element name="audio"/>
    <element name="bdi"/>
    <element name="canvas"/>
    <element name="command"/>
    <element name="datalist"/>
    <element name="details"/>
    <element name="figcaption"/>
    <element name="figure"/>
    <element name="footer"/>
    <element name="header"/>
    <element name="hgroup"/>
    <element name="keygen"/>
    <element name="mark"/>
    <element name="meter"/>
    <element name="nav"/>
    <element name="output"/>
    <element name="progress"/>
    <element name="rp"/>
    <element name="section"/>
    <element name="source"/>
    <element name="summary"/>
    <element name="time"/>
    <element name="track"/>
    <element name="video"/>
    <!-- HTML5 added at 2012.04.10 End -->
    <!-- Added to handle IE conditional-comment hacks -->
    <element name="IEHackExtension" disable="true">
    </element>
  </elementRule>

  <attributeRule>
    <attribute name="src">
      <allowedPattern><![CDATA[['"]?\s*http://.*]]></allowedPattern>
    </attribute>
    <attribute name="href">
      <notAllowedPattern><![CDATA[(?i:script)]]></notAllowedPattern>
      <notAllowedPattern><![CDATA[(?i:\.css)]]></notAllowedPattern>
    </attribute>
    <!-- Modified 2013.12.24: the style attribute is excluded on the A tag because of a bypass issue via the style attribute. -->
    <attribute name="style" disable="false" exceptionTagList="a"/>
  </attributeRule>
</config>
```

Because script must be filtered, its element entry is left commented out.
Application complete.

The filter is applied, but an issue appears with multipart/form-data requests that go through filterMultipartResolver: the lucy xss filter is not applied to them, because the XSS filter runs before the multipart request has been parsed and so never sees the form fields.

Fix: change the filter order in web.xml.

```xml
<!-- multipartFilter -->
<filter>
  <filter-name>MultipartFilter</filter-name>
  <filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>MultipartFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- xss servlet filter -->
<filter>
  <filter-name>xssEscapeServletFilter</filter-name>
  <filter-class>com.navercorp.lucy.security.xss.servletfilter.XssEscapeServletFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>xssEscapeServletFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Map the xss servlet filter below the multipart filter.
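As an added check (not from the post or the lucy project), the following Python script parses a web.xml and reports whether xssEscapeServletFilter is mapped after CharacterEncodingFilter and MultipartFilter, which is the ordering the post arrives at; the container builds the chain in filter-mapping document order. The sample web.xml it builds is constructed here, and the filter names encodingFilter and MultipartFilter are assumptions.

```python
import xml.etree.ElementTree as ET

XSS_FILTER = "com.navercorp.lucy.security.xss.servletfilter.XssEscapeServletFilter"
# Filters that must be mapped BEFORE the XSS filter, per the post: the encoding
# filter (so parameters decode correctly) and MultipartFilter (so multipart
# form fields are visible to the XSS filter at all).
MUST_PRECEDE = ("org.springframework.web.filter.CharacterEncodingFilter",
                "org.springframework.web.multipart.support.MultipartFilter")

# Constructed sample filter definitions (assumed names, not the post's web.xml).
FILTERS = {"encodingFilter": MUST_PRECEDE[0], "MultipartFilter": MUST_PRECEDE[1],
           "xssEscapeServletFilter": XSS_FILTER}

def build_web_xml(mapping_order):
    """Build a constructed web.xml whose <filter-mapping> elements follow mapping_order."""
    filters = "".join(f"<filter><filter-name>{n}</filter-name>"
                      f"<filter-class>{c}</filter-class></filter>\n" for n, c in FILTERS.items())
    mappings = "".join(f"<filter-mapping><filter-name>{n}</filter-name>"
                       f"<url-pattern>/*</url-pattern></filter-mapping>\n" for n in mapping_order)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" '
            'version="3.1">\n' + filters + mappings + "</web-app>\n")

def _local(tag):  # strip the {namespace} prefix ElementTree puts on tags
    return tag.rsplit("}", 1)[-1]

def filter_chain_order(web_xml):
    """Filter classes in the order the container runs them: <filter-mapping> document order."""
    name_to_class, order = {}, []
    for child in ET.fromstring(web_xml):
        fields = {_local(c.tag): (c.text or "").strip() for c in child}
        if _local(child.tag) == "filter":
            name_to_class[fields["filter-name"]] = fields["filter-class"]
        elif _local(child.tag) == "filter-mapping":
            order.append(fields["filter-name"])
    return [name_to_class.get(n, n) for n in order]

def check_xss_filter_position(web_xml):
    """Return the problems found; an empty list means the ordering the post ends up with."""
    chain = filter_chain_order(web_xml)
    if XSS_FILTER not in chain:
        return ["XssEscapeServletFilter is not mapped"]
    xss_idx = chain.index(XSS_FILTER)
    return [f"{cls.rsplit('.', 1)[-1]} is mapped after XssEscapeServletFilter"
            for cls in MUST_PRECEDE if cls in chain and chain.index(cls) > xss_idx]

if __name__ == "__main__":
    # The broken ordering from the post: XSS filter mapped before MultipartFilter.
    print(check_xss_filter_position(build_web_xml(["encodingFilter", "xssEscapeServletFilter", "MultipartFilter"])))
```

Run it against a real deployment descriptor by passing the file contents to check_xss_filter_position instead of the constructed sample.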
Reference