XPath Injection
XPath injection: an XPath expression is built from a user-supplied string, so the user can change the structure of the query (for example, add an <code>or</code> predicate that is always true) rather than just supply a value.
<b>Remediation advice</b>
Strip XPath syntax characters from user data (allow-listing, as in the example below), or, preferably, keep the expression text constant and bind user input through an <code>XPathVariableResolver</code> so that the input is never parsed as XPath.
<b>Remediation example</b>
For example:
<pre>
// Uses javax.xml.xpath.{XPath, XPathExpression, XPathConstants, XPathExpressionException},
// org.w3c.dom.{Document, NodeList} and javax.servlet.http.HttpServletRequest.
public int risk(HttpServletRequest request, Document doc,
        XPath xpath, org.apache.log4j.Logger logger) {
    int len = 0;
    // Untrusted: taken straight from the request.
    String path = request.getParameter("path");
    try {
        // The user string becomes the XPath expression itself, so any
        // XPath syntax the caller sends is compiled and evaluated.
        XPathExpression expr = xpath.compile(path);
        Object result = expr.evaluate(doc, XPathConstants.NODESET);
        NodeList nodes = (NodeList) result;
        len = nodes.getLength();
    } catch (XPathExpressionException e) {
        logger.warn("Exception", e);
    }
    return len;
}
</pre>
Fixed as follows (note that the allow-list below also removes <code>/</code>, <code>[</code>, <code>]</code>, <code>@</code> and quotes, so it is only suitable when the parameter is expected to be a single element name or value, not a full path):
<pre>
// Same imports as above.
public int fix(HttpServletRequest request,
        Document doc, XPath xpath, org.apache.log4j.Logger logger) {
    int len = 0;
    String path = request.getParameter("path");
    try {
        // Reduce the input to an allow-listed character set before it
        // reaches the XPath compiler.
        String filteredPath = filterForXPath(path);
        XPathExpression expr = xpath.compile(filteredPath);
        Object result = expr.evaluate(doc, XPathConstants.NODESET);
        NodeList nodes = (NodeList) result;
        len = nodes.getLength();
    } catch (XPathExpressionException e) {
        logger.warn("Exception", e);
    }
    return len;
}

// Remove XPath syntax control characters: keep only ASCII letters, digits,
// '_' and '-', and CJK ideographs (U+4E00..U+9FA5); drop everything else.
public String filterForXPath(String input) {
    if (input == null) {
        return null;
    }
    StringBuilder out = new StringBuilder();
    for (int i = 0; i < input.length(); i++) {
        char c = input.charAt(i);
        if (c >= 'A' && c <= 'Z') {
            out.append(c);
        } else if (c >= 'a' && c <= 'z') {
            out.append(c);
        } else if (c >= '0' && c <= '9') {
            out.append(c);
        } else if (c == '_' || c == '-') {
            out.append(c);
        } else if (c >= 0x4e00 && c <= 0x9fa5) {
            out.append(c);
        }
    }
    return out.toString();
}
</pre>
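The filter above works by deleting characters; when the user value must keep arbitrary characters (a password, a display name) the cleaner fix is to bind it as an XPath variable so the expression text never changes. The following is an added, self-contained example, not code from the original page: it runs a constructed login-style lookup against an in-memory XML document (the <code>users</code> document, the <code>countVulnerable</code>/<code>countSafe</code> method names and the <code>' or '1'='1</code> payload are all assumptions made for the demonstration) first with string concatenation and then with <code>XPathVariableResolver</code> from the standard <code>javax.xml.xpath</code> API.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathVariableResolver;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XPathInjectionDemo {
    // Constructed sample data for this example (not from the original page).
    private static final String USERS_XML =
          "<users>"
        + "  <user><name>alice</name><password>s3cret</password></user>"
        + "  <user><name>bob</name><password>hunter2</password></user>"
        + "</users>";

    // Vulnerable: user input is spliced into the expression text, so a value
    // containing quotes and 'or' rewrites the predicate.
    static int countVulnerable(Document doc, String name, String pass)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        String expr = "/users/user[name='" + name + "' and password='" + pass + "']";
        NodeList nodes = (NodeList) xpath.evaluate(expr, doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    // Fixed: the expression text is a constant; user input is supplied through
    // a variable resolver and compared as data, never parsed as XPath.
    static int countSafe(Document doc, final String name, final String pass)
            throws XPathExpressionException {
        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setXPathVariableResolver(new XPathVariableResolver() {
            @Override
            public Object resolveVariable(QName variableName) {
                switch (variableName.getLocalPart()) {
                    case "name": return name;
                    case "pass": return pass;
                    default:     return null;
                }
            }
        });
        XPathExpression expr = xpath.compile("/users/user[name=$name and password=$pass]");
        NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
        return nodes.getLength();
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Unrelated to XPath but good hygiene: refuse DTDs so the parser
        // cannot be used for XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(USERS_XML);
        String payload = "' or '1'='1";
        System.out.println("vulnerable, correct password: " + countVulnerable(doc, "alice", "s3cret"));
        System.out.println("vulnerable, injected value : " + countVulnerable(doc, "alice", payload));
        System.out.println("safe, correct password      : " + countSafe(doc, "alice", "s3cret"));
        System.out.println("safe, injected value        : " + countSafe(doc, "alice", payload));
    }
}
```

With the payload, the concatenated expression becomes <code>/users/user[name='alice' and password='' or '1'='1']</code>, whose trailing <code>or</code> is true for every <code>user</code> element, so the vulnerable method reports every user as authenticated. The variable-bound version compares <code>password</code> against the literal string <code>' or '1'='1</code> and matches nothing; the same pattern applies to any element or attribute value taken from a request.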