JP2009244926A - Information processing apparatus, information processing method, and information processing program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processing apparatus or the like for safely and quickly checking input items while reducing the load on a developer. <P>SOLUTION: This information processing apparatus includes: a JSP file reading part 211 for reading check information described as comments for each input item in a JSP file according to a prescribed format; a comparison processing part 223 for comparing input data with the check information read by the JSP file reading part 211 for each input item; a determination processing part 224 for determining whether or not the input data are proper data on design on the basis of the comparison result of the comparison processing part 223; and a check result corresponding part 225 for executing corresponding processing on the basis of the determination result of the determination processing part 224. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an information processing apparatus or the like that determines whether or not input data is appropriate data for system design.

  The following techniques are known as techniques for checking data input from a client.

  As a first technique, a technique is known that can efficiently develop a Web system by unifying and automating a series of processes of extracting, checking, and storing data from input information from the client side. (For example, refer to Patent Document 1). This technology is necessary for system construction when input keyword check pattern information is embedded in HTML data in advance and input information sent from the client side is processed on the server side to construct a system. On the basis of various data items, a process for extracting data from the input information, a process for checking the extracted data, and a process for storing the checked data in a predetermined area are performed.

  As a second technology, even users without programming knowledge can easily generate complex web applications with input support functions that can prevent erroneous input / incorrect registration from the framework of business specifications. In addition, there is known a technique that can significantly reduce development work of web applications and change maintenance work resulting from changes in business specifications, and can significantly shorten the development period (see, for example, Patent Document 2). In this technique, based on the definition information of a plurality of data items in the input / output table and the attribute information of each data item, the code generation unit can specify that “the data corresponding to each data item is the attribute of each data item. "Item display program that performs input processing in accordance with input format", "Data check program that performs check processing according to attribute of each data item for input data corresponding to each data item", "In each data item The present invention is characterized in that an “input data shaping display program for outputting corresponding data in an output format corresponding to the attribute of each data item” is generated.

  As a third technique, there is known a technique that can quickly correct a program source and apply a correction patch, which is a fundamental countermeasure against a buffer overflow (see, for example, Patent Document 3). When this technology detects the occurrence of a buffer overflow attack, it extracts information about the location of the attacked buffer and information about the function that secured the buffer as analysis information provided to the program developer. At the same time, if the function call history information from the buffer reservation to the buffer overflow attack can be extracted, the information is extracted. In response to this analysis information, the program developer modifies the program and creates countermeasure information. Therefore, the countermeasure information is stored in the known analysis information storage means in association with the analysis information, and the extracted analysis information is known analysis information. When the storage means is registered, the countermeasure processing for the buffer overflow attack is executed based on the countermeasure information associated with the analysis information.

As a fourth technique, there is known a technique for detecting a buffer overflow vulnerability without imposing any burden on the programmer, with no detection omission, and with a small number of false detections (see, for example, Patent Document 4). This technique detects an area access expression including an area expression indicating a reserved area and an exponent expression specifying a position to be accessed in the area indicated by the area expression from a program to be analyzed. When the size formula of the indicated area is detected and an instruction including the area access formula is executed, a buffer overflow that causes an access outside the area indicated by the area formula occurs. The buffer overflow is determined based on an assignment instruction arranged on the execution path from the instruction arranged upstream of the source program to the instruction including the area access expression. The condition is retroactive to the upstream of the execution path, and the upstream expression of the buffer overflow condition is obtained. That.
Japanese Patent No. 3624248 JP 2005-55951 A JP 2006-53760 A JP 2006-31363 A

  However, in the first technique, in order to check the data input on the client side, the input keyword check pattern information is added to the input data and transmitted, so that in the case of a malicious client, falsification is performed. And has security issues.

  In addition, the second technology can greatly reduce development work and change maintenance work caused by changes in business specifications with respect to program generation. However, a check program is generated because a check program is generated for each input item and attribute. When the program developer performs a review or the like after the program is generated, the work is troublesome, so that the work is not sufficiently reduced.

  Furthermore, since the third technique provides the analysis result to the program developer after the buffer overflow occurs, and the program developer corrects the program based on the analysis result, the response to the buffer overflow is delayed. Therefore, there is a problem that damage may be increased.

  Furthermore, since the fourth technique needs to analyze a program, it takes time to develop a program for analyzing the program, resulting in an increase in work man-hours.

  Therefore, the present invention has been made to solve the above-described problem, and an information processing apparatus, an information processing method, and an information processing apparatus capable of safely and quickly checking input items while reducing a developer's burden. An object is to provide an information processing program.

(1. Describe the check information as a comment in the dynamic document generation file)
The information processing apparatus disclosed in the present application includes a reading unit that reads check information described as a comment for each input item according to a predetermined format from a dynamic document generation file in which information is dynamically generated to generate a document; Comparing means for comparing the input data inputted and the check information read by the reading means for each input item, and whether the input data is design-appropriate data based on the result of comparison by the comparing means A determination means for determining whether or not and a corresponding process execution means for executing a corresponding process based on a result determined by the determination means. Here, the dynamic document generation file refers to, for example, a JSP (Java Server Pages: “Java” is a registered trademark) file.

  As described above, in the information processing apparatus disclosed in the present application, check information is described as a comment for each input item in the dynamic document generation file, and determination means for determining appropriateness of input data based on the check information is provided. Therefore, it is possible to close the process on the administrator side, and it is possible to avoid the risk of tampering by the user and maintain security.

  In addition, it is not necessary to generate a program such as a check logic for each input item simply by describing the check contents as a comment in the dynamic document generation file. There is an effect that can be reduced.

  Further, since the check information is described as a comment, it may be described at any position on the file. For example, by adding a JSP code and check information for each input item, visibility can be improved. There is an effect that maintenance, maintenance work, and the like can be performed efficiently.

  Furthermore, since the check information is described as a comment, it is possible to suppress the use of extra memory when expanding the dynamic document generation file, and it is possible to effectively use system resources. .

  Furthermore, since the corresponding processing execution means for executing the corresponding processing according to the result of determining the appropriateness of the input data is provided, for example, when processing that requires urgency is required, it is possible to respond quickly. If there is no need for urgency, it will be possible to respond later. In other words, there is an effect that it is possible to respond flexibly according to input data.

  For example, when the input data transmitted from the user terminal is inappropriate and a response requiring urgency is required, a process for releasing the session itself may be performed. By doing so, the spread of damage can be minimized.

(2. Check information holding means)
The information processing apparatus includes an information holding unit that holds the check information read by the reading unit, and a writing unit that writes the check information read by the reading unit into the information holding unit, and the comparing unit includes the input The data is compared with the check information held in the information holding means.

(3. Determination of input size and input character code)
In the information processing apparatus, the check information includes at least one of information that restricts the size of the input data and information that restricts the type of character code.
In a system using a Web application, the number of characters and the character code are generally limited for input items. Nevertheless, if data on the number of characters violation or character code violation is input, it can be regarded as a malicious attack using a special tool. Therefore, by including the check information, it is possible to detect a malicious attack and perform a corresponding action (such as session release).

(4. Check data size when XSS is included)
The information processing apparatus includes XSS (Cross Site Scripting) detoxifying means for detoxifying the cross-site scripting when the input data includes cross-site scripting, and the comparing means is the XSS detoxifying means. Based on the detoxified result, the information for limiting the size of the input data included in the check information or the information on the size of the input data is changed for comparison.

  When changing the limit value for the number of characters in the check information, processing is performed to add the number of characters increased by detoxification of the XSS to the limit value, and when changing the size value of the input data, the destabilization of the XSS is performed. The number of characters increased by the above is subtracted from the size value of the input data.

(5. Check input data according to processing type)
The information processing apparatus includes processing type information in which the input data and the check information specify a processing type, and the comparison unit selects the input data and the check information based on the processing type information and performs a comparison process. Is what you do.

(6. Means for describing check information)
The information processing apparatus includes check information description means for describing the check information as a comment in the dynamic document generation file based on a code described in the dynamic document generation file.

  Although the present invention has been shown as an apparatus so far, as will be apparent to those skilled in the art, the present invention can also be understood as a method and a program. These outlines of the invention do not enumerate the features essential to the present invention, and a sub-combination of these features can also be an invention.

  Embodiments of the present invention will be described below. The present invention can be implemented in many different forms. Therefore, the present invention should not be construed based only on the description of the present embodiment. Also, the same reference numerals are given to the same elements throughout the present embodiment.

  In the following embodiments, the apparatus will be mainly described. However, as is apparent to those skilled in the art, the present invention can also be implemented as a method and a program for operating a computer. In addition, the present invention can be implemented in hardware, software, or hardware and software embodiments. The program can be recorded on any computer-readable medium such as a hard disk, CD-ROM, DVD-ROM, optical storage device, or magnetic storage device. Furthermore, the program can be recorded on another computer via a network.

(First embodiment of the present invention)
(1. Configuration and function)
(1-1 Hardware configuration)
FIG. 1 is a hardware configuration diagram of the information processing apparatus according to the present embodiment. The information processing apparatus 100 includes a CPU (Central Processing Unit) 101, a RAM (Random Access Memory) 102, a ROM (Read Only Memory) 103, a flash memory (Flash memory) 104, an HD (Hard disk) 105 as an external storage device, A LAN (Local Area Network) card 106, a mouse 107, a keyboard 108, a video card 109, a display 109a that is a display device electrically connected to the video card 109, a sound card 110, and an electrical connection to the sound card 110. It comprises a speaker 110a, which is a sound output device, and a drive 111 for reading and writing a storage medium such as a flexible disk, CD-ROM, DVD-ROM or the like.
Note that the above hardware configuration is merely an example, and it is natural that the components can be changed.

(1-2 Module configuration and functions)
FIG. 2 is a module configuration diagram of the information processing apparatus according to the present embodiment. The information processing apparatus 100 includes a check information extraction unit 210, a check processing unit 220, a JSP file 230, and a check file 240. The check information extraction unit 210 includes a JSP file reading unit 211, a check file creation unit 212, a check information acquisition unit 213, and a check information writing unit 214. The check processing unit 220 includes a data input unit 221, A check pattern determination unit 222, a comparison processing unit 223, a determination processing unit 224, and a check result treatment unit 225 are provided.

  The JSP file reading unit 211 performs processing for reading the JSP file 230. The JSP file is created in advance by the developer, and check information is described for each input item as a comment according to a predetermined format. Specific examples of the check information include, for example, a size limit value for checking the size of the input item, information for limiting the character code used for the input item, and the like.

  The check file creation unit 212 performs processing for creating a check file corresponding to the JSP file to be checked. Specifically, the file name of the JSP file is acquired as information for specifying the JSP file to be checked from the information read by the JSP file reading unit 211, and the check file corresponding to the file name exists in the check file 240. Check whether or not. If the corresponding check file exists, nothing is done. If the corresponding check file does not exist, a check file is created.

The check information acquisition unit 213 performs processing for extracting and acquiring check information from the information read by the JSP file reading unit 211.
The check information writing unit 214 performs processing for writing the check information acquired by the check information acquisition unit 213 into the check file. Here, with respect to items already written in the check file, the latest information is overwritten with priority.

The data input unit 221 performs processing for receiving input data input from the user.
Based on the input data received by the data input unit 221, the check pattern determination unit 222 performs processing for extracting check information corresponding to each input item to be checked from the check file 240 and determining it.

The comparison processing unit 223 performs processing for comparing the input data received by the data input unit 221 and the check information determined by the check pattern determination unit 222 for each input item.
The determination processing unit 224 performs processing for determining whether or not the input data is design appropriate data based on the result of the comparison performed by the comparison processing unit 223. The determination as to whether the data is appropriate in design is made based on, for example, whether or not the limit on the number of characters that can be input to the input item is satisfied, and whether or not the limit on the usable character code is satisfied.

  The check result treatment unit 225 performs a process of determining and executing a treatment corresponding to the result determined by the determination processing unit 224. For example, if the determination result is a malicious attack, the session is immediately released, or a warning is displayed if there is an input error.

  The JSP file 230 is a file in which a code for generating an operation to generate a Web page and display it on the user's terminal is described. In the present embodiment, check information of input items is described in the JSP file as a comment according to a predetermined format. Since the check information is described as a comment, it does not affect the generation of the Web page. Moreover, since it is a comment, memory is not consumed by check information. Further, if the predetermined format is simplified, the developer can easily describe the check information.

  The check file 240 is a file in which check information described in the JSP file is written. Only the part of the check information is extracted from the JSP file and described. This check file 240 is created for each JSP file to be checked.

  The check file 240, the check file creation unit 212, the check information writing unit 214, and the check pattern determination unit 222 are not necessarily provided. In that case, the comparison processing unit 223 may compare the information acquired by the check information acquisition unit 213 with the input data received by the data input unit 221.

(2. Operation)
(2-1 Outline of operation of information processing apparatus)
The operation of the information processing apparatus according to this embodiment will be described below. FIG. 3 is a diagram schematically illustrating the operation of the information processing apparatus according to the present embodiment. A JSP file is opened when the apparatus is started, the file name of the JSP to be checked is acquired, and the existence of the check file corresponding to the file name is confirmed. If there is no check file, create a new one. Next, check information for each input item is acquired from the JSP file and written to the corresponding check file. The processing so far is the processing executed when the apparatus is activated, and is the processing executed by the check information extraction unit 210.

Next, input data is checked. Suppose that illegal mass data as shown in FIG. 3 is input. Input data is checked for each item based on a check file. Here, assuming that the input item A includes a large amount of illegal data, the input item A is input and the check information of the input item A is read from the check file. Then, the input data and the check information are compared, and it is determined that the attack is caused by a large amount of illegal data.
A specific determination method will be described later.

  An attack with a large amount of illegal data is likely to cause memory depletion and cause a great deal of damage to the system. Therefore, the session information 1 in the memory area (here, a large amount of illegal data is transmitted from session 1) is immediately received. Free up to prevent memory exhaustion. When normal data is input and transmitted, normal processing such as business processing is continued.

(2-2 Details of operation of information processing apparatus)
Details of the processing operation will be described with reference to a flowchart. FIG. 4 is a flowchart showing the operation of the check information extraction unit, and FIG. 5 is a flowchart showing the operation of the check processing unit.
First, the operation of the check information extraction unit 210 will be described. The Web application service is activated, and all JSP file names under the designated folder are acquired (step S401). At this time, the JSP file including the subfolder is searched. The acquired files are opened one by one (step S402), and the JSP name to be checked described in the first line of the file is acquired (step S403). It is determined whether or not a check file with a JSP name to be checked exists (step S404). If there is no check file, a check file is created with the acquired JSP name (step S405). Check information for each input item described by a comment in the JSP file is acquired (step S406), and the acquired check information is written into the check file (step S407). When the check file creation process is completed for all files, the service activation of the Web application is terminated.

  Next, processing of the check processing unit 220 will be described. When the check process is started, the input data transmitted to the Web application is accepted (step S501). A check file to be used is determined from the JSP name to be processed (step S502), and the determined check file is opened (step S503). The check target items written in the check file are checked one by one (step S504). The subsequent processing is repeated until the processing is completed for all check items.

  It is determined whether or not the input data exceeds the limit capacity (step S505), and if it exceeds the limit capacity, all session information and variable values with the input source client are released (step S506), and a check process is performed. Exit. If the limit capacity is not exceeded, it is determined whether or not the input data is appropriate data (step S507), and if it is not appropriate data, sanitization processing or warning (including caution and error) processing is performed (step S508). A value is set for a part as data for business processing, and when processing is completed for all items to be checked, the check processing ends.

(2-3 Relationship between check information extraction and check processing)
Here, the relationship between the check information extraction process and the check process will be described in more detail. FIG. 6 is a diagram illustrating a processing relationship between the check information extraction unit and the check processing unit. In FIG. 6, the JSP file 230 is sample01. jsp, sample02. jsp and sample02_1. jsp. sample02_1. jsp is sample02. There is an input item which is a JSP file corresponding to the sub-screen of jsp and whose check contents are duplicated. Read each JSP file, and from the first line of each JSP file, [name assigned to @@ pack]. Check whether a check file named pattern (for example, samp0le1.pattern) exists, and if not, sample01. Create a check file named pattern.

  If the check file 214 exists or is generated, check information is acquired from the JSP file and written to the check file. Here, the check information is a portion surrounded by “<% −−” to “−−%>”. This means a comment on the code of the JSP file, has no effect on the operation of the JSP file, and can be freely written by the developer. Therefore, it is also possible to improve the visibility of the developer by describing the logic relating to the input item and the check information as shown in the figure. The acquired check information (Txt_Data01 = byte ¥: 10; N;) is sample01. A check file is prepared by writing to the pattern file.

  sample02. jsp, sample02_1. The same processing is performed for jsp, sample02. A check file named “pattern” is prepared. At this time, sample02. jsp and sample02_1. Check information about Txt_Data03 is included in all of jsp. In such a case, sample02. “pattern” is additionally written / overwritten. That is, a check file is prepared with the contents processed later.

  In addition, sample02. jsp and sample02_1. Although the check files of jsp are the same check file, the check files may be prepared individually.

In addition, when the same check information exists, it is added / overwritten with the contents of post-processing. However, information with a stricter check content (for example, 80 bytes if the limited capacity is 100 bytes and 80 bytes, If the character code is full-width + half-width and half-width only, half-width) may be preferentially written to the check file.
Furthermore, based on the update date of the file, check information described in the file with the latest update date may be preferentially written to the check file.

  Check processing is performed using the check file generated in this way (flow at the right end of the figure). sample01. When a value is input and submitted on the Web screen of jsp, sample01. The pattern file is read and a check process is performed based on the check information. Here, it is checked whether Txt_Data01 is within 10 bytes and Txt_Data02 is within 4 bytes. If exceeded, it is considered invalid and the session is terminated. When the byte count check is cleared, a character code check and an XSS check are performed as necessary. Here, it is checked whether Txt_Data01 is full-width only, whether Txt_Data02 is only half-width numeric values, and whether each contains XSS. If there is a violation, a sanitization process or a warning message is displayed. sample02. jsp, sample02_1. A similar check is performed for the jsp file. When all input data clears the check, the process shifts to internal processing such as business processing.

  As described above, according to the information processing apparatus according to the present embodiment, the check information is described as a comment for each input item in the JSP file, and provided with a determination unit that determines the appropriateness of the input data based on the check information. Therefore, the processing can be closed on the administrator side, and security can be maintained by avoiding risks such as tampering by the user.

  In addition, it is not necessary to generate a program such as check logic for each input item simply by describing the check contents as a comment in the JSP file, so that the work of the developer can be greatly reduced and the number of work steps can be reduced. be able to.

  Furthermore, since the check information is described as a comment, it may be described at any position on the file. By adding the JSP code and the check information for each input item, the visibility is improved for review and maintenance. Maintenance work and the like can be performed efficiently.

  Furthermore, since the check information is described as a comment, the use of extra memory can be suppressed when developing the JSP file, and system resources can be effectively utilized.

  Furthermore, since the corresponding processing execution means for executing the corresponding processing according to the result of determining the appropriateness of the input data is provided, for example, when a process requiring urgency is required, the session is released. It is possible to respond promptly, and if it is not urgent, it can be handled later. That is, it is possible to respond to the occasion according to the input data.

  Furthermore, since the check file 240 holds the check information acquired by the check information acquisition unit 213, it is not necessary to refer to the entire contents of the JSP file when checking input data, and the check file 240 is stored in the check file 240. Only the information needs to be referred to, and the processing time can be shortened. In particular, when the JSP file has a large file size or a large amount of code other than comments is described, this can be a great effect.

  Furthermore, since the input data is checked based on at least one of the information that restricts the size of the input data and the information that restricts the character code type, it is possible to detect attacks such as buffer overflow using a tool. , Can enhance security.

(Second embodiment of the present invention)
Hereinafter, a second embodiment of the present invention will be described. Here, the first embodiment is assumed, and the description of the same parts as those in the first embodiment is omitted.
(1. Configuration and function)
FIG. 7 is a module configuration diagram of the information processing apparatus according to the present embodiment. The difference from the first embodiment is that the comparison processing unit 223 includes an XSS detoxification processing unit 223a, an information change processing unit 223b, and a comparison unit 223c.

  The XSS detoxification processing unit 223a performs a process of sanitizing the XSS when the input data includes XSS. Specifically, when HTML control codes such as “<” and “&” are included in the input data, a process for replacing with other predetermined characters is performed so as not to harm the Web application. . For example, “<” is replaced with “&lt;”.

  The information change processing unit 223b performs processing for changing the size of the limited capacity or the capacity of the input data according to the result of sanitization by the XSS detoxification processing unit 223a. When the XSS detoxification processing unit 223a sanitizes, the size of the character string of the input data may increase. In the above example, if “<” is replaced with “&lt;”, the number of characters increases by three. In such a case, the information is increased or decreased in order to determine that the input data is normal even if the limit capacity is exceeded.

  When changing the limit value for the number of characters in the check information, processing is performed to add the number of characters increased by detoxification of the XSS to the limit value, and when changing the size value of the input data, the destabilization of the XSS is performed. The number of characters increased by the above is subtracted from the size value of the input data.

The comparison unit 223c performs a process of comparing the input data with the check information based on the information changed by the information change processing unit 223b.
Since other components are the same as those in the first embodiment, description thereof will be omitted.

(2. Operation)
The operation of the information processing apparatus according to this embodiment will be described below. The operation of the check processing unit 220 is different from that of the first embodiment. Since the operation of the check information extraction unit 210 is the same as that of the first embodiment, description thereof is omitted.

  FIG. 8 is a flowchart showing the operation of the check processing unit 220. Since the processing from step S501 to step S504 is the same as that of the first embodiment, description thereof is omitted. In step S504, loop processing is entered. First, it is determined whether or not XSS is included in the input data (step S504a). If not included, the process proceeds to step S505. If it is included, the sanitization process is performed (step S504b), the limit capacity of the check information or the capacity of the input data is changed (step S504c), and the process proceeds to step S505.

  In step S505, it is determined whether the input data exceeds the limit capacity. If the limit data exceeds the limit capacity, all session information, variable values, etc. with the input source client are released (step S506), and check processing is performed. finish. If the limit capacity is not exceeded, it is determined whether or not the input data is appropriate data (step S507), and if it is not appropriate data, warning (including caution and error) processing is performed (step S508). A value is set for a part as data for business processing, and when processing is completed for all items to be checked, the check processing ends. Note that the process after step S505 differs from the first embodiment in that the sanitization process is not performed in step S508a. This is because the sanitization process has already been performed in step S504b.

  As described above, according to the information processing apparatus according to the present embodiment, since the XSS detoxification processing unit 223a that detoxifies XSS is provided, XSS can be detoxified and the number of characters of input data can be made harmless. Even if the limit value is exceeded, it can be determined as normal input data by changing the limit value of the number of characters in the check information or the size value of the input data, and there is a discrepancy in system operation. (Situation where it is determined that the buffer overflows despite the normal data) can be prevented.

(Third embodiment of the present invention)
Hereinafter, a third embodiment of the present invention will be described. Here, the first embodiment or the second embodiment is premised, and overlaps with the first embodiment or the second embodiment. Description of the portion is omitted.

  The configuration and operation of the information processing apparatus according to this embodiment are the same as those of the first embodiment or the second embodiment, but the configuration of input data and the configuration of a check file are different. FIG. 9 is a diagram illustrating processing of the information processing apparatus according to the present embodiment. In FIG. 9, sample01. jsp is a file for generating the screen 901. A screen 901 is a screen for performing three types of processing (registration, update, and deletion). In the case of registration processing and update processing, it is necessary to check all of the input data, and in the case of deletion processing, only the code need be checked. That is, since the input items to be checked vary depending on the type of processing, the contents of the JSP file and the check file are added so that unnecessary check processing is not performed.

  Specifically, a keyword for identifying a processing type is set for each input item, and a check process is performed according to the keyword. In FIG. 9, for Txt_Data01, since it is necessary to perform a check process in all cases of registration, update, and deletion, no keyword is set. Regarding Txt_Data02, since it is necessary to perform a check process in the case of registration and update, keywords such as “INSERT” and “UPDATE” are described in the check file. In the comparison process, it is determined from the submit information on the screen 901 which one of the three processes has been executed, and only the input items corresponding to the process are read from the check file and checked. Process.

  As described above, according to the information processing apparatus according to the present embodiment, the target input data and the check information are selected and processed according to the type of the process, so that only the necessary check process is executed. , Processing can be performed efficiently.

(Fourth embodiment of the present invention)
Hereinafter, the fourth embodiment of the present invention will be described. Here, the first embodiment, the second embodiment, or the third embodiment is assumed, and the first embodiment, the second embodiment, and the like are assumed. Description of the same parts as those of the third embodiment or the third embodiment will be omitted.

FIG. 10 is a module configuration diagram of the information processing apparatus according to the present embodiment. The difference from the first embodiment is that a check information description unit 1010 is provided.
The check information description unit 1010 performs processing for generating and describing check information based on the program code described in the JSP file 213. In the JSP file, information on input items is described for each item based on a predetermined rule. For example, sample01. In the jsp file, information on input items defined by the names Txt_Data01 and Txt_Data02 is described as input items. Each input item is described by defining information such as a character type, a size, and a maximum character length. By analyzing these pieces of information, check information as comments in the JSP file can be generated and described.

  As described above, according to the information processing apparatus according to the present embodiment, the check information is generated based on the code described in the JSP file. Therefore, the burden on the developer can be reduced and the work man-hour can be reduced.

(Other embodiments)
FIG. 11 is a diagram illustrating an application example of the information processing apparatus according to the present embodiment. The processing of the information processing apparatus 100 corresponds to Web security countermeasure processing in the preprocessing in the Web application framework. In this way, by performing security checks on input data in advance within the framework, it is no longer necessary to create data check logic for business applications, so the work man-hours of business application developers can be reduced. Can do.

  Although the present invention has been described with the above embodiments, the technical scope of the present invention is not limited to the scope described in the embodiments, and various modifications or improvements can be added to these embodiments. . And embodiment which added such a change or improvement is also contained in the technical scope of the present invention. This is apparent from the claims and the means for solving the problems.

It is a hardware block diagram of the information processing apparatus which concerns on 1st Embodiment. It is a module block diagram of the information processing apparatus which concerns on 1st Embodiment. It is the figure which showed typically operation | movement of the information processing apparatus which concerns on 1st Embodiment. It is a flowchart which shows operation | movement of the check information extraction part of the information processing apparatus which concerns on 1st Embodiment. It is a flowchart which shows operation | movement of the check process part of the information processing apparatus which concerns on 1st Embodiment. It is a figure which shows the processing relationship of the check information extraction part of the information processing apparatus which concerns on 1st Embodiment, and a check process part. It is a module block diagram of the information processing apparatus which concerns on 2nd Embodiment. It is a flowchart which shows operation | movement of the check process part of the information processing apparatus which concerns on 2nd Embodiment. It is a figure which shows the process of the information processing apparatus which concerns on 3rd Embodiment. It is a module block diagram of the information processing apparatus which concerns on 4th Embodiment. It is a figure which shows the utilization example of the information processing apparatus which concerns on other embodiment.

Explanation of symbols

100 Information processing apparatus 101 CPU
102 RAM
103 ROM
104 Flash memory 105 HD
106 LAN card 107 Mouse 108 Keyboard 109 Video card 109a Display 110 Sound card 110a Speaker 111 Drive 210 Check information extraction unit 211 JSP file reading unit 212 Check file creation unit 213 Check information acquisition unit 214 Check information writing unit 220 Check processing unit 221 Data input unit 222 Check pattern determination unit 223 Comparison processing unit 223a XSS detoxification processing unit 223b Information change processing unit 223c Comparison unit 224 Judgment processing unit 225 Check result handling unit 230 JSP file 240 Check file 1010 Check information description unit

Claims (8)

Reading means for reading check information described as a comment for each input item according to a predetermined format from a dynamic document generation file in which information for dynamically generating a document is described;
Comparison means for comparing the input data inputted for each input item with the check information read by the reading means;
A determination unit that determines whether the input data is design appropriate data based on a result of the comparison performed by the comparison unit;
An information processing apparatus comprising: a corresponding process execution unit that executes a corresponding process based on a result determined by the determination unit. The information processing apparatus according to claim 1,
Information holding means for holding check information read by the reading means;
Writing means for writing the check information read by the reading means into the information holding means,
An information processing apparatus in which the comparison unit compares the input data with check information held in the information holding unit. The information processing apparatus according to claim 1 or 2,
An information processing apparatus in which the check information includes at least one of information that restricts a size of the input data and information that restricts a type of a character code. The information processing apparatus according to claim 3, further comprising: XSS detoxifying means for detoxifying the cross-site scripting when the input data includes cross-site scripting.
Information processing in which the comparison means performs comparison by changing information that restricts the size of input data included in the check information or information on the size of the input data based on the result of detoxification by the XSS detoxification means apparatus. The information processing apparatus according to any one of claims 1 to 4,
The input data and the check information include processing type information for specifying a processing type,
An information processing apparatus in which the comparison means performs comparison processing by selecting the input data and check information based on the processing type information. The information processing apparatus according to any one of claims 1 to 5,
An information processing apparatus comprising check information description means for describing the check information as a comment in the dynamic document generation file based on a code described in the dynamic document generation file. A reading step for reading check information described as a comment for each input item according to a predetermined format from a dynamic document generation file in which information for dynamically generating a document is described;
A data input step for receiving input data for each input item;
A comparison step for comparing the input data received in the data input step with the check information read in the read step;
A determination step of determining whether the input data is design appropriate data based on the result of the comparison in the comparison step;
An information processing method including a corresponding process execution step for executing a corresponding process based on the result determined in the determination step. Computer
Reading means for reading check information described as a comment for each input item according to a predetermined format from a dynamic document generation file in which information for dynamically generating a document is described;
Data input means for receiving input data for each input item;
A comparison means for comparing the input data received by the data input means with the check information read by the reading means;
A determination unit that determines whether the input data is design appropriate data based on a result of the comparison performed by the comparison unit;
An information processing program for causing a function to function as corresponding process execution means for executing a corresponding process based on a result determined by the determination means.

Images