【Question title】: Missing HSTS header in Checkmarx report
【Posted】: 2020-02-01 13:20:13
【Question】:

I am analysing my project with Checkmarx, and the only medium-severity item left is Missing_HSTS_Filter, with destination name HSTSFilter. In my web.xml I have:

<filter>
    <filter-name>HSTSFilter</filter-name> <!-- checkmarx says problem is here -->
    <filter-class>c.h.i.c.web.security.HSTSFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The HSTSFilter class:

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class HSTSFilter implements Filter {
    public void init(FilterConfig cfg) throws ServletException {}

    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        // Only emit HSTS over TLS; browsers ignore the header on plain HTTP (RFC 6797)
        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");
        chain.doFilter(req, resp);
    }

    public void destroy() {}
}

So I tried another approach: since I am on Tomcat 7, I tried adding the following to web.xml:

<filter> <!-- checkmarx now complains here -->
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31622400</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Checkmarx still complains, this time saying the destination name is StatementCollection. I don't understand what that means.

What am I missing?

【Question discussion】:

    Tags: java security tomcat hsts checkmarx


    【Solution 1】:

    Strange. You are indeed using the correct configuration. I have seen a lot of false positives from this Checkmarx rule in some scans. Anyway, try adding these lines to the filter configuration in your web.xml:

    <init-param>
        <param-name>hstsIncludeSubDomains</param-name>
        <param-value>true</param-value>
    </init-param>
    
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    

    【Discussion】:

    • I dug into the Checkmarx query and saw this in its comments. The query validates the values of the HSTS configuration in the xml file: it checks that "enabled" is set to "true", checks that "max-age" is set to a value equal to or greater than 31536000 seconds, and checks that "includeSubDomains" is set to true. If any of these conditions fails, the result will be the xml node that failed validation.
    • Is it open source? Where did you find the Checkmarx query? Thanks
    【Solution 2】:
    I got this error in Checkmarx violations in the JSP where a scriptlet tag is used to execute Java source code in JSP. The syntax is as follows: <% java source code %>
    
    So I fixed it just by providing

    <% response.setHeader("Strict-Transport-Security", "max-age=7776000"); %>
    
    I also made changes in the Java code (a filter class) and in web.xml:

    web.xml:
    
        <filter>
            <filter-name>HSTSFilter</filter-name>
            <filter-class>com.abc.gbm.test.config.HSTSFilter</filter-class>
            <init-param>
                <param-name>maxAgeSeconds</param-name>
                <param-value>31536000</param-value>
            </init-param>

            <init-param>
                <param-name>includeSubDomains</param-name>
                <param-value>true</param-value>
            </init-param>
        </filter>
        <filter-mapping>
            <filter-name>HSTSFilter</filter-name>
            <!-- "/*" is the path-mapping pattern for all requests; a bare "*" is not a valid servlet url-pattern -->
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        
    
    Java filter class:

        package com.abc.gbm.test.config;

        import java.io.IOException;
        import javax.servlet.Filter;
        import javax.servlet.FilterChain;
        import javax.servlet.FilterConfig;
        import javax.servlet.ServletException;
        import javax.servlet.ServletRequest;
        import javax.servlet.ServletResponse;
        import javax.servlet.http.HttpServletResponse;

        import org.slf4j.Logger;
        import org.slf4j.LoggerFactory;

        public class HSTSFilter implements Filter {
            private static final String HEADER_NAME = "Strict-Transport-Security";
            private static final String MAX_AGE_DIRECTIVE = "max-age=%s";
            private static final String INCLUDE_SUB_DOMAINS_DIRECTIVE = "includeSubDomains";
            private static final Logger logger = LoggerFactory.getLogger(HSTSFilter.class);

            private int maxAgeSeconds = 0;
            private boolean includeSubDomains = false;
            private String directives;

            public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                    throws IOException, ServletException {
                logger.info("request.isSecure() :: {}", request.isSecure());

                // Only send HSTS over TLS; browsers ignore it on plain HTTP (RFC 6797)
                if (request.isSecure() && response instanceof HttpServletResponse) {
                    HttpServletResponse res = (HttpServletResponse) response;
                    res.addHeader(HEADER_NAME, this.directives);
                }
                chain.doFilter(request, response);
            }

            public void init(FilterConfig filterConfig) throws ServletException {
                // Read the directives once from the web.xml init-params and build the header value
                maxAgeSeconds = Integer.parseInt(filterConfig.getInitParameter("maxAgeSeconds"));
                includeSubDomains = "true".equals(filterConfig.getInitParameter("includeSubDomains"));

                if (this.maxAgeSeconds <= 0) {
                    throw new ServletException("Invalid maxAgeSeconds value :: " + maxAgeSeconds);
                }

                this.directives = String.format(MAX_AGE_DIRECTIVE, this.maxAgeSeconds);
                if (this.includeSubDomains) {
                    this.directives += (" ; " + INCLUDE_SUB_DOMAINS_DIRECTIVE);
                }
                System.out.println("directives :: " + directives);
            }

            @Override
            public void destroy() {
            }
        }
    

    【Discussion】:
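As an added check (not code from the question or either answer), here is a small Python validator that applies the two header-level conditions described in the Checkmarx query comment under Solution 1 (max-age of at least 31536000 seconds, includeSubDomains present) to the Strict-Transport-Security values that appear on this page: the question's filter, the JSP scriptlet in Solution 2 and the " ; "-separated value that Solution 2's filter builds. The "enabled" condition is a web.xml setting rather than part of the header, so it is not modelled; the directive grammar follows RFC 6797 section 6.1 and so accepts any well-formed value, not only the three samples.

```python
import re

# Threshold quoted from the Checkmarx query comment above (the query itself is not public).
MIN_MAX_AGE = 31536000  # one year, in seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1):
    ';'-separated directives, optional whitespace, case-insensitive names.
    Returns {lower-case name: value or None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # RFC 6797 tolerates empty directives, e.g. "a;;b"
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError("duplicate directive: " + name)  # forbidden by RFC 6797
        directives[name] = val
    return directives


def check_hsts(value, min_max_age=MIN_MAX_AGE):
    """Return findings for a header value; an empty list means it satisfies the
    max-age and includeSubDomains conditions described in the discussion."""
    findings = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        findings.append("max-age missing or not a number")
    elif int(max_age) < min_max_age:
        findings.append("max-age %s below %d seconds" % (max_age, min_max_age))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains directive missing")
    return findings


# Constructed samples: the three header values that appear on this page.
SAMPLES = {
    "question": "max-age=31622400; includeSubDomains",
    "jsp": "max-age=7776000",
    "solution2": "max-age=31536000 ; includeSubDomains",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, check_hsts(header) or "ok")
```

Only the JSP value fails both conditions; the spaces around ";" in Solution 2's value are permitted by the RFC grammar and parse cleanly.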