diff --git a/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java b/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java index ea9258c60..8803956da 100644 --- a/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java +++ b/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java @@ -16,6 +16,7 @@ package com.alibaba.nacos.console.config; +import com.alibaba.nacos.console.filter.XssFilter; import com.alibaba.nacos.core.code.ControllerMethodsCache; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer; @@ -69,6 +70,11 @@ public class ConsoleConfig { return new CorsFilter(source); } + @Bean + public XssFilter xssFilter() { + return new XssFilter(); + } + @Bean public Jackson2ObjectMapperBuilderCustomizer jacksonObjectMapperCustomization() { return jacksonObjectMapperBuilder -> jacksonObjectMapperBuilder.timeZone(ZoneId.systemDefault().toString()); diff --git a/console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java b/console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java new file mode 100644 index 000000000..192a609ac --- /dev/null +++ b/console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java @@ -0,0 +1,44 @@ +/* + * Copyright 1999-2018 Alibaba Group Holding Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.alibaba.nacos.console.filter; + +import org.springframework.web.filter.OncePerRequestFilter; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; + +/** + * XSS filter. + * @author onewe + */ +public class XssFilter extends OncePerRequestFilter { + + private static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy"; + + private static final String CONTENT_SECURITY_POLICY = "script-src 'self'"; + + @Override + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws ServletException, IOException { + + response.setHeader(CONTENT_SECURITY_POLICY_HEADER, CONTENT_SECURITY_POLICY); + filterChain.doFilter(request, response); + } +} diff --git a/console/src/test/java/com/alibaba/nacos/console/filter/XssFilterTest.java b/console/src/test/java/com/alibaba/nacos/console/filter/XssFilterTest.java new file mode 100644 index 000000000..452124456 --- /dev/null +++ b/console/src/test/java/com/alibaba/nacos/console/filter/XssFilterTest.java @@ -0,0 +1,54 @@ +/* + * Copyright 1999-2018 Alibaba Group Holding Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package com.alibaba.nacos.console.filter; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.mockito.Mock; +import org.mockito.Mockito; +import org.mockito.junit.MockitoJUnitRunner; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; + +@RunWith(MockitoJUnitRunner.class) +public class XssFilterTest { + + private static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy"; + + private static final String CONTENT_SECURITY_POLICY = "script-src 'self'"; + + @Mock + private HttpServletRequest request; + + @Mock + private HttpServletResponse response; + + @Mock + private FilterChain filterChain; + + @Test + public void testSetResponseHeader() throws ServletException, IOException { + XssFilter xssFilter = new XssFilter(); + xssFilter.doFilterInternal(request, response, filterChain); + Mockito.verify(response).setHeader(CONTENT_SECURITY_POLICY_HEADER, CONTENT_SECURITY_POLICY); + } + +}