【HTTP】防XSS+SQL注入：自定义HttpMessageConverter过滤链深度解决方案

一、安全威胁模型分析

二、自定义HttpMessageConverter架构设计

2.1 技术栈组成

• 核心框架：Spring Boot 3.x
• 安全组件：OWASP Java Encoder + SQLFilter
• 监控工具：Micrometer + Prometheus
• 防御机制：深度防御链（Defense in Depth）

三、完整实现代码

3.1 安全过滤工具类

import org.owasp.encoder.Encode;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class SecurityFilterUtils {
    
    // HTML标签白名单策略
    private static final PolicyFactory HTML_SANITIZER = Sanitizers.FORMATTING
        .and(Sanitizers.BLOCKS)
        .and(Sanitizers.STYLES)
        .and(Sanitizers.LINKS);
    
    /**
     * XSS过滤（输入净化）
     */
    public static String sanitizeInput(String input) {
        if (input == null) return null;
        return HTML_SANITIZER.sanitize(input);
    }
    
    /**
     * XSS防御（输出编码）
     */
    public static String encodeForOutput(String output) {
        if (output == null) return null;
        return Encode.forHtmlContent(output);
    }
    
    /**
     * SQL注入检测与过滤
     */
    public static String filterSqlInjection(String input) {
        if (input == null) return null;
        
        // 危险字符黑名单
        String[] dangerousPatterns = {
            "'", "\"", ";", "--", "/*", "*/", 
            "xp_", "sp_", "exec", "union", "select", 
            "insert", "update", "delete", "drop", "truncate"
        };
        
        String sanitized = input;
        for (String pattern : dangerousPatterns) {
            sanitized = sanitized.replace(pattern, "");
        }
        
        // 正则检测复杂注入
        if (sanitized.matches("(?i).*\\b(OR|AND)\\s+\\d+\\s*=\\s*\\d+.*")) {
            throw new SecurityException("检测到SQL注入特征");
        }
        
        return sanitized;
    }
}

3.2 自定义HttpMessageConverter

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpInputMessage;
import org.springframework.http.HttpOutputMessage;
import org.springframework.http.MediaType;
import org.springframework.http.converter.AbstractHttpMessageConverter;
import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.http.converter.HttpMessageNotWritableException;

import java.io.IOException;
import java.lang.reflect.Type;
import java.util.Map;

public class SecurityFilterHttpMessageConverter extends AbstractHttpMessageConverter<Object> {

    private final ObjectMapper objectMapper;
    
    public SecurityFilterHttpMessageConverter(ObjectMapper objectMapper) {
        super(MediaType.APPLICATION_JSON);
        this.objectMapper = objectMapper;
    }

    @Override
    protected boolean supports(Class<?> clazz) {
        return true; // 支持所有类型
    }

    @Override
    protected Object readInternal(Class<?> clazz, HttpInputMessage inputMessage) 
            throws IOException, HttpMessageNotReadableException {
        
        // 1. 反序列化原始数据
        Object rawObject = objectMapper.readValue(inputMessage.getBody(), clazz);
        
        // 2. 递归安全过滤
        return deepSanitize(rawObject);
    }

    @Override
    protected void writeInternal(Object object, HttpOutputMessage outputMessage) 
            throws IOException, HttpMessageNotWritableException {
        
        // 1. 递归安全编码
        Object safeObject = deepEncode(object);
        
        // 2. 序列化安全数据
        objectMapper.writeValue(outputMessage.getBody(), safeObject);
    }
    
    /**
     * 深度净化输入数据
     */
    private Object deepSanitize(Object obj) {
        if (obj == null) return null;
        
        if (obj instanceof String) {
            String str = (String) obj;
            // 先过滤SQL注入
            str = SecurityFilterUtils.filterSqlInjection(str);
            // 再净化HTML
            return SecurityFilterUtils.sanitizeInput(str);
        }
        
        if (obj instanceof Map) {
            Map<?, ?> map = (Map<?, ?>) obj;
            map.forEach((key, value) -> {
                if (value != null) {
                    map.put(key, deepSanitize(value));
                }
            });
            return map;
        }
        
        if (obj instanceof Iterable) {
            Iterable<?> iterable = (Iterable<?>) obj;
            iterable.forEach(this::deepSanitize);
            return iterable;
        }
        
        // 处理自定义对象
        return objectMapper.convertValue(obj, obj.getClass());
    }
    
    /**
     * 深度编码输出数据
     */
    private Object deepEncode(Object obj) {
        if (obj == null) return null;
        
        if (obj instanceof String) {
            return SecurityFilterUtils.encodeForOutput((String) obj);
        }
        
        if (obj instanceof Map) {
            Map<?, ?> map = (Map<?, ?>) obj;
            map.forEach((key, value) -> {
                if (value != null) {
                    map.put(key, deepEncode(value));
                }
            });
            return map;
        }
        
        if (obj instanceof Iterable) {
            Iterable<?> iterable = (Iterable<?>) obj;
            iterable.forEach(this::deepEncode);
            return iterable;
        }
        
        return obj;
    }
}

3.3 Spring安全配置

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import java.util.List;

@Configuration
public class SecurityWebConfig implements WebMvcConfigurer {

    private final ObjectMapper objectMapper;
    
    public SecurityWebConfig(ObjectMapper objectMapper) {
        this.objectMapper = objectMapper;
    }
    
    @Override
    public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
        // 移除默认的Jackson转换器
        converters.removeIf(converter -> 
            converter.getClass().getName().contains("MappingJackson2HttpMessageConverter")
        );
        
        // 添加安全过滤转换器
        converters.add(new SecurityFilterHttpMessageConverter(objectMapper));
    }
}

四、深度防御增强方案

4.1 SQL注入参数化查询

@Repository
public class UserRepository {
    
    @Autowired
    private JdbcTemplate jdbcTemplate;
    
    // 安全查询示例
    public User findByUsername(String username) {
        String sql = "SELECT * FROM users WHERE username = ?";
        return jdbcTemplate.queryForObject(sql, new Object[]{username}, User.class);
    }
    
    // 不安全查询示例（绝对避免！）
    public User unsafeFind(String username) {
        // 警告：存在SQL注入风险！
        String sql = "SELECT * FROM users WHERE username = '" + username + "'";
        return jdbcTemplate.queryForObject(sql, User.class);
    }
}

4.2 CSP内容安全策略

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ContentSecurityPolicyConfig extends WebSecurityConfigurerAdapter {
    
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .contentSecurityPolicy("default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;")
            .and()
            .xssProtection().block(true);
    }
}

4.3 安全监控与告警

import io.micrometer.core.instrument.Counter;
import io.micrometer.core.instrument.MeterRegistry;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class SecurityMonitoringFilter extends OncePerRequestFilter {
    
    private final Counter xssAttemptCounter;
    private final Counter sqlInjectionCounter;
    
    public SecurityMonitoringFilter(MeterRegistry registry) {
        this.xssAttemptCounter = Counter.builder("security.xss.attempt")
            .description("XSS攻击尝试次数")
            .register(registry);
        
        this.sqlInjectionCounter = Counter.builder("security.sql.attempt")
            .description("SQL注入尝试次数")
            .register(registry);
    }
    
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) 
            throws ServletException, IOException {
        
        // 检测XSS特征
        if (containsXssIndicators(request)) {
            xssAttemptCounter.increment();
            logger.warn("检测到XSS攻击尝试: " + request.getRequestURI());
        }
        
        // 检测SQL注入特征
        if (containsSqlInjectionIndicators(request)) {
            sqlInjectionCounter.increment();
            logger.warn("检测到SQL注入尝试: " + request.getRequestURI());
        }
        
        filterChain.doFilter(request, response);
    }
    
    private boolean containsXssIndicators(HttpServletRequest request) {
        return request.getQueryString() != null && 
              (request.getQueryString().contains("<script>") || 
               request.getQueryString().contains("javascript:"));
    }
    
    private boolean containsSqlInjectionIndicators(HttpServletRequest request) {
        return request.getQueryString() != null && 
              (request.getQueryString().contains("' OR '1'='1") || 
               request.getQueryString().contains("; DROP TABLE"));
    }
}

五、多维度防御策略

5.1 输入验证层

import javax.validation.Constraint;
import javax.validation.Payload;
import java.lang.annotation.*;

@Documented
@Constraint(validatedBy = SafeInputValidator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
public @interface SafeInput {
    String message() default "包含危险字符";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

public class SafeInputValidator implements ConstraintValidator<SafeInput, String> {
    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        if (value == null) return true;
        return !SecurityFilterUtils.containsDangerousPatterns(value);
    }
}

// 在DTO中使用
public class UserDTO {
    @SafeInput
    private String username;
    
    @SafeInput
    private String bio;
}

5.2 输出编码层

<!-- Thymeleaf安全输出 -->
<div th:text="${SecurityFilterUtils.encodeForOutput(user.bio)}"></div>

<!-- FreeMarker安全输出 -->
<#escape x as SecurityFilterUtils.encodeForOutput(x)>
  <div>${user.bio}</div>
</#escape>

5.3 数据库防护层

-- 使用存储过程防御SQL注入
CREATE PROCEDURE GetUserByUsername
    @Username NVARCHAR(50)
AS
BEGIN
    SELECT * FROM Users WHERE Username = @Username
END

-- 最小权限原则
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'password';
GRANT SELECT, INSERT, UPDATE ON mydb.users TO 'app_user'@'localhost';
REVOKE DROP, ALTER, CREATE ON mydb.* FROM 'app_user'@'localhost';

六、压力测试与性能优化

6.1 性能测试结果

6.2 性能优化技巧

// 1. 启用过滤缓存
private final Map<String, String> sanitizeCache = new LRUCache<>(1000);

public String sanitizeInput(String input) {
    if (input == null) return null;
    return sanitizeCache.computeIfAbsent(input, 
        key -> HTML_SANITIZER.sanitize(key));
}

// 2. 并行处理集合
private Object deepSanitize(Object obj) {
    if (obj instanceof Collection) {
        Collection<?> collection = (Collection<?>) obj;
        return collection.parallelStream()
            .map(this::deepSanitize)
            .collect(Collectors.toList());
    }
    // 其他处理逻辑
}

// 3. 危险模式检测优化
public static boolean containsDangerousPatterns(String input) {
    // 使用预编译正则
    private static final Pattern SQL_INJECTION_PATTERN = 
        Pattern.compile("(?i)\\b(OR|AND)\\s+\\d+\\s*=\\s*\\d+");
    
    return SQL_INJECTION_PATTERN.matcher(input).find();
}

七、企业级部署方案

7.1 安全架构全景

7.2 Kubernetes部署配置

# security-policy.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: security-filter-policy
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - NET_RAW
  volumes:
    - 'configMap'
    - 'secret'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535

7.3 安全审计配置

@Aspect
@Component
public class SecurityAuditAspect {
    
    @AfterReturning(pointcut = "execution(* com.example..*Controller.*(..))", 
                    returning = "result")
    public void auditSuccess(JoinPoint joinPoint, Object result) {
        String method = joinPoint.getSignature().toShortString();
        Object[] args = joinPoint.getArgs();
        
        // 记录安全审计日志
        logger.info("安全操作审计: 方法={}, 参数={}, 结果={}", 
            method, Arrays.toString(args), result);
    }
    
    @AfterThrowing(pointcut = "execution(* com.example..*.*(..))", 
                   throwing = "ex")
    public void auditException(JoinPoint joinPoint, Throwable ex) {
        if (ex instanceof SecurityException) {
            String method = joinPoint.getSignature().toShortString();
            Object[] args = joinPoint.getArgs();
            
            // 告警关键安全事件
            alertService.sendSecurityAlert(
                "安全拦截事件", 
                String.format("方法: %s\n参数: %s\n异常: %s", 
                    method, Arrays.toString(args), ex.getMessage())
            );
        }
    }
}

八、最佳实践总结

8.1 防御层级矩阵

8.2 关键配置参数

# application-security.properties

# XSS过滤级别
security.filter.xss.level=strict
# SQL注入检测模式
security.filter.sql.mode=block
# 最大递归深度（防DoS）
security.filter.max.depth=20
# 缓存大小
security.filter.cache.size=1000

8.3 应急响应流程

终极建议：
1. 每季度进行安全审计
2. 使用OWASP ZAP进行渗透测试
3. 保持依赖库更新（特别是安全组件）
4. 生产环境禁用开发工具（如H2 Console）
通过本方案，可构建企业级的安全防护体系，有效抵御XSS和SQL注入攻击，同时保持系统高性能运行。实际部署时建议结合具体业务场景调整过滤策略。