Coverity Security Library (CSL) is a lightweight set of escaping routines for fixing cross-site scripting (XSS), SQL injection, and other security defects in Java web applications.
Here's why it's worth checking out:
It's secure: We take the security of CSL seriously. Each change is carefully scrutinized through a process that includes manual code review, static analysis, fuzzing, and unit testing.
It's convenient: CSL contains escapers for XSS and SQL injection that are missing from standard libraries such as Apache Commons and Java EE. We use fast, easy-to-call static methods with short, intuitive names. We also provide Expression Language (EL) hooks to make the escapers easy to use in JSPs.
It's small: CSL has no external dependencies and is a minimalistic library. This means it is fast and requires no configuration beyond dropping the jar in the right place or modifying your build to do so.
It's free: CSL is distributed under a BSD-style license. We would love to have patches sent back to us, but that is not required.
Users of Coverity Security Advisor get remediation guidance based on the escaping routines in CSL. However, CSL is a stand-alone project with no dependency on Security Advisor.
The Escape class contains several escapers for web content. These escaping functions help remediate common defects (mostly cross-site scripting) that occur when data is inserted into HTML elements, HTML attribute values, URIs, JavaScript strings, SQL LIKE clauses, and so on. More information is available in the Escape directory.
Before using any of these methods, you should understand the context (or nested contexts) into which the data is inserted. Several model examples with explanations are available in the repository, and more will be provided on our blog. If you want to test the library to understand how it holds up against security attacks, our functional test suite is the right application to build, deploy, and test.
Ready to use it? The last step is to check out the latest Javadoc directly on GitHub.
To include this library in your Maven project, add the following:
```xml
<dependency>
    <groupId>com.coverity.security</groupId>
    <artifactId>coverity-escapers</artifactId>
    <version>1.1.1</version>
</dependency>
```
Or put the JAR file in the WEB-INF/lib directory.
Then you can use it directly in a JSP:
```jsp
<%@ taglib uri="http://coverity.com/security" prefix="cov" %>
<script type="text/javascript">
  var x = '${cov:jsStringEscape(param.tainted)}';
</script>
<div onclick="alert('${cov:htmlEscape(cov:jsStringEscape(param.tainted))}')">
  ${cov:htmlEscape(param.tainted)}
</div>
```
Or in your Java program:
```java
import com.coverity.security.Escape;
// ...
// The value lands inside a JavaScript string literal that itself sits inside an
// HTML attribute, so it is escaped for the inner context first (jsString) and
// then for the outer one (html). The text node only needs the HTML escaper.
return "<div onclick='alert(\""
     + Escape.html(Escape.jsString(request.getParameter("tainted")))
     + "\")'>"
     + Escape.html(request.getParameter("tainted"))
     + "</div>";
```
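The nested-context pattern from the two snippets above, wrapped in a reusable helper as an added example (this is not code from the CSL repository). It assumes only the Escape.html and Escape.jsString methods shown above and a servlet HttpServletRequest; the sample input in main is constructed.

```java
import com.coverity.security.Escape;
import javax.servlet.http.HttpServletRequest;

public final class NestedContextExample {

    /**
     * Renders <div onclick="alert('...')">...</div> around an untrusted value.
     *
     * The onclick value is a JavaScript string literal embedded in an HTML
     * attribute, so two contexts apply. The browser decodes the HTML attribute
     * first and only then parses the result as JavaScript, so escaping is
     * applied in the reverse order of decoding: innermost context first.
     *   1. Escape.jsString: makes the value safe inside the JS literal
     *   2. Escape.html:     makes that result safe inside the attribute
     * The element body is plain HTML text and needs only Escape.html.
     */
    static String render(String tainted) {
        String forJs   = Escape.jsString(tainted);   // inner context (JS string)
        String forAttr = Escape.html(forJs);         // outer context (HTML attribute)
        String forBody = Escape.html(tainted);       // HTML text node
        return "<div onclick=\"alert('" + forAttr + "')\">"
             + forBody
             + "</div>";
    }

    /** Servlet-style entry point using the same parameter name as the README. */
    static String renderFromRequest(HttpServletRequest request) {
        String value = request.getParameter("tainted");
        return render(value == null ? "" : value);   // treat a missing parameter as empty
    }

    public static void main(String[] args) {
        // Constructed sample containing a single quote and a tag start, the two
        // characters that would matter most in these contexts if left unescaped.
        String sample = "O'Neil <b>";
        System.out.println(render(sample));
    }
}
```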
To contact SRL, send us an email at [email protected]. Fork away, we look forward to your pull requests!
Copyright (c) 2012-2016, Coverity, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this
list of conditions and the following disclaimer in the documentation and/or other
materials provided with the distribution.
- Neither the name of Coverity, Inc. nor the names of its contributors may be used
to endorse or promote products derived from this software without specific prior
written permission from Coverity, Inc.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND INFRINGEMENT ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.