Coverity Security Library (CSL) is a lightweight set of escaping routines for fixing cross-site scripting (XSS), SQL injection, and other security defects in Java web applications.
Here's why it's worth checking out:
It's secure: We take the security of CSL seriously. Each change is carefully scrutinized through a process that includes manual code review, static analysis, fuzz testing, and unit tests.
It's convenient: CSL includes escapers for XSS and SQL injection that are missing from standard libraries such as Apache Commons and Java EE. We use fast, easy-to-call static methods with short, intuitive names. We also provide Expression Language (EL) hooks to make the escapers easy to use from JSP.
It's small: CSL has no external dependencies and is a minimalist library. This means it is fast and needs no configuration beyond putting the jar in the right place, or changing your build to do so.
It's free: CSL is distributed under a BSD-style license. We would be happy to have patches sent back to us, but that is not required.
Users of Coverity Security Advisor receive remediation guidance based on the escaping routines in CSL. However, CSL is an independent project and has no dependency on Security Advisor.
The Escape class contains several escapers for web content. These escaping functions help remediate the common defects (mostly cross-site scripting) that occur when data is inserted into HTML elements, HTML attribute values, URIs, JavaScript strings, SQL (LIKE clauses), and so on. More information is available in the Escape directory.
Before using any of these methods you should understand the context (or nested contexts) into which the data is inserted: an escaper is only correct for the context it was written for, and data that lands inside one context nested in another must be escaped for each of them. Several model examples with explanations are available in the repository, and our blog will provide more. If you want to test the library to see how it holds up against security attacks, our functional test suite is the right application to build, deploy and test.
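The SQL (LIKE clause) context listed above is the one most often overlooked, because a parameterized query already stops SQL injection and it is tempting to assume that is enough. The following is an added example, not part of this README or of CSL: sql_like_escape is a stand-in written here (it is not CSL's LIKE-clause escaper), and the table and rows are constructed test data. It shows that a bound parameter still carries live % and _ wildcards, and that escaping them only works when the query's ESCAPE clause names the same escape character the escaper used.

```python
"""Why a LIKE-clause escaper is still needed when the query is parameterised.

sql_like_escape is a stand-in written for this example, not CSL's own
LIKE-clause escaper; the table and rows below are constructed test data.
"""
import sqlite3

ESCAPE_CHAR = "\\"


def sql_like_escape(value: str, escape_char: str = ESCAPE_CHAR) -> str:
    """Escape the escape character itself first, then the LIKE wildcards % and _,
    so the bound parameter can only match literally."""
    return (value.replace(escape_char, escape_char * 2)
                 .replace("%", escape_char + "%")
                 .replace("_", escape_char + "_"))


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, two of which contain wildcard characters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), ("100%_done",), ("_private",)])
    return conn


def prefix_search_naive(conn: sqlite3.Connection, prefix: str) -> list:
    """Parameterised, so there is no SQL injection, but % and _ inside prefix
    are still interpreted as wildcards by LIKE."""
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ? ORDER BY name",
                        (prefix + "%",))
    return [r[0] for r in rows]


def prefix_search_escaped(conn: sqlite3.Connection, prefix: str) -> list:
    """Parameterised and wildcard-safe. The ESCAPE clause must name the same
    character the escaper used; without it the backslashes are matched literally."""
    rows = conn.execute("SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
                        (sql_like_escape(prefix) + "%",))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = demo_db()
    for term in ("ali", "_", "%", "100%"):
        print(f"{term!r:8} naive={prefix_search_naive(db, term)} "
              f"escaped={prefix_search_escaped(db, term)}")
```

A user-supplied prefix of a single underscore makes the naive search return every row, while the escaped search returns only the name that actually starts with an underscore; for a plain prefix such as "ali" both queries agree, which is why the defect is easy to miss in normal testing.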
Ready to use it? The last step is to check the latest Javadoc directly on GitHub.
To include this library in your Maven project, add the following:
<dependency>
  <groupId>com.coverity.security</groupId>
  <artifactId>coverity-escapers</artifactId>
  <version>1.1.1</version>
</dependency>
or put the JAR file in the WEB-INF/lib directory.
Then you can use it directly in your JSP:
<%@ taglib uri="http://coverity.com/security" prefix="cov" %>
<script type="text/javascript">
  var x = '${cov:jsStringEscape(param.tainted)}';
</script>
<div onclick="alert('${cov:htmlEscape(cov:jsStringEscape(param.tainted))}')">
  ${cov:htmlEscape(param.tainted)}
</div>
or in your Java program:
import com.coverity.security.Escape;
// ...
// The onclick value is a JavaScript string literal nested inside an HTML attribute:
// escape for the inner context (JS string) first, then for the outer one (HTML).
return "<div onclick='alert(\""
     + Escape.html(Escape.jsString(request.getParameter("tainted")))
     + "\")'>"
     + Escape.html(request.getParameter("tainted"))
     + "</div>";
To contact SRL, send us an email at [email protected]. Fork away; we look forward to your pull requests!
Copyright (c) 2012-2016, Coverity, Inc.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this
list of conditions and the following disclaimer in the documentation and/or other
materials provided with the distribution.
- Neither the name of Coverity, Inc. nor the names of its contributors may be used
to endorse or promote products derived from this software without specific prior
written permission from Coverity, Inc.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND INFRINGEMENT ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.