今天扫代码发现漏洞,
暂定解决方法:
//全局交易流水号 String esbTranNo = StringUtils.isNotBlank(getRequest().getHeader("ESB-TRANNO")) ? getRequest().getHeader("ESB-TRANNO") : ""; //检验Header Manipulation 输入验证并验证 其属性是否正确 if (StringUtils.isNotEmpty(esbTranNo)) { try { esbTranNo = new String(esbTranNo.getBytes("UTF-8"), "ISO-8859-1"); String regex = "[`~!@#$%^&*()\\+\\=\\{}|:\"?><【】\\/r\\/n]"; Pattern pa = Pattern.compile(regex); Matcher ma = pa.matcher(esbTranNo); if (ma.find()) { esbTranNo = ma.replaceAll(""); } getResponse().setHeader("ESB-TRANNO", URLEncoder.encode(esbTranNo, "UTF-8")); } catch (UnsupportedEncodingException e) { logger.error(e.getMessage(), e); throw new ResponseMsgException(ResponseMsg.COMMON_ERROR_MSG); } }