From cd6d7e33b94f24814701f3faf8b632e5e85444c5 Mon Sep 17 00:00:00 2001
From: onewe <admin@onew.me>
Date: Mon, 14 Mar 2022 10:34:16 +0800
Subject: [PATCH] [ISSUE #7359] Add xss filter (#7364)

- Set response header 'Content-Security-Policy'
---
 .../nacos/console/config/ConsoleConfig.java   |  6 +++
 .../nacos/console/filter/XssFilter.java       | 44 +++++++++++++++
 .../nacos/console/filter/XssFilterTest.java   | 54 +++++++++++++++++++
 3 files changed, 104 insertions(+)
 create mode 100644 console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java
 create mode 100644 console/src/test/java/com/alibaba/nacos/console/filter/XssFilterTest.java

diff --git a/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java b/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java
index ea9258c60..8803956da 100644
--- a/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java
+++ b/console/src/main/java/com/alibaba/nacos/console/config/ConsoleConfig.java
@@ -16,6 +16,7 @@
 
 package com.alibaba.nacos.console.config;
 
+import com.alibaba.nacos.console.filter.XssFilter;
 import com.alibaba.nacos.core.code.ControllerMethodsCache;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
@@ -69,6 +70,11 @@ public class ConsoleConfig {
         return new CorsFilter(source);
     }
     
+    @Bean
+    public XssFilter xssFilter() {
+        return new XssFilter();
+    }
+    
     @Bean
     public Jackson2ObjectMapperBuilderCustomizer jacksonObjectMapperCustomization() {
         return jacksonObjectMapperBuilder -> jacksonObjectMapperBuilder.timeZone(ZoneId.systemDefault().toString());
diff --git a/console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java b/console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java
new file mode 100644
index 000000000..192a609ac
--- /dev/null
+++ b/console/src/main/java/com/alibaba/nacos/console/filter/XssFilter.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.console.filter;
+
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * XSS filter.
+ * @author onewe
+ */
+public class XssFilter extends OncePerRequestFilter {
+    
+    private static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
+    
+    private static final String CONTENT_SECURITY_POLICY = "script-src 'self'";
+    
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+        
+        response.setHeader(CONTENT_SECURITY_POLICY_HEADER, CONTENT_SECURITY_POLICY);
+        filterChain.doFilter(request, response);
+    }
+}
diff --git a/console/src/test/java/com/alibaba/nacos/console/filter/XssFilterTest.java b/console/src/test/java/com/alibaba/nacos/console/filter/XssFilterTest.java
new file mode 100644
index 000000000..452124456
--- /dev/null
+++ b/console/src/test/java/com/alibaba/nacos/console/filter/XssFilterTest.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 1999-2018 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.console.filter;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@RunWith(MockitoJUnitRunner.class)
+public class XssFilterTest {
+    
+    private static final String CONTENT_SECURITY_POLICY_HEADER = "Content-Security-Policy";
+    
+    private static final String CONTENT_SECURITY_POLICY = "script-src 'self'";
+    
+    @Mock
+    private HttpServletRequest request;
+    
+    @Mock
+    private HttpServletResponse response;
+    
+    @Mock
+    private FilterChain filterChain;
+    
+    @Test
+    public void testSetResponseHeader() throws ServletException, IOException {
+        XssFilter xssFilter = new XssFilter();
+        xssFilter.doFilterInternal(request, response, filterChain);
+        Mockito.verify(response).setHeader(CONTENT_SECURITY_POLICY_HEADER, CONTENT_SECURITY_POLICY);
+    }
+    
+}