[ISSUE #7359] Add xss filter (#7364)

- Set response header 'Content-Security-Policy'
2022-03-14 10:34:16 +08:00 · 2022-03-14 10:34:16 +08:00 · cd6d7e33b9
commit cd6d7e33b9
parent 13032a253c
3 changed files with 104 additions and 0 deletions
--- a/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java
+++ b/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java
@ -16,6 +16,7 @@

 package com.alibaba.nacos.console.config;

+import com.alibaba.nacos.console.filter.XssFilter;
 import com.alibaba.nacos.core.code.ControllerMethodsCache;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
@ -69,6 +70,11 @@ public class ConsoleConfig {
        return new CorsFilter(source);
    }
    
+    @Bean
+    public XssFilter xssFilter() {
+        return new XssFilter();
+    }
+    
    @Bean
    public Jackson2ObjectMapperBuilderCustomizer jacksonObjectMapperCustomization() {
        return jacksonObjectMapperBuilder -> jacksonObjectMapperBuilder.timeZone(ZoneId.systemDefault().toString());
--- a/console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java
+++ b/console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java
@ -0,0 +1,44 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.console.filter;
+
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * XSS filter.
+ * @author onewe
+ */
+public class XssFilter extends OncePerRequestFilter {
+    
+    private static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
+    
+    private static final String CONTENT_SECURITY_POLICY = "script-src 'self'";
+    
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+        
+        response.setHeader(CONTENT_SECURITY_POLICY_HEADER, CONTENT_SECURITY_POLICY);
+        filterChain.doFilter(request, response);
+    }
+}
--- a/console/src/test/java/com/alibaba/nacos/console/filter/XssFilterTest.java
+++ b/console/src/test/java/com/alibaba/nacos/console/filter/XssFilterTest.java
@ -0,0 +1,54 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.console.filter;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class XssFilterTest {
+    
+    private static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
+    
+    private static final String CONTENT_SECURITY_POLICY = "script-src 'self'";
+    
+    @Mock
+    private HttpServletRequest request;
+    
+    @Mock
+    private HttpServletResponse response;
+    
+    @Mock
+    private FilterChain filterChain;
+    
+    @Test
+    public void testSetResponseHeader() throws ServletException, IOException {
+        XssFilter xssFilter = new XssFilter();
+        xssFilter.doFilterInternal(request, response, filterChain);
+        Mockito.verify(response).setHeader(CONTENT_SECURITY_POLICY_HEADER, CONTENT_SECURITY_POLICY);
+    }
+    
+}