X-Git-Url: https://gerrit.akraino.org/r/gitweb?p=validation.git;a=blobdiff_plain;f=ui%2Fsrc%2Fmain%2Fjava%2Forg%2Fakraino%2Fvalidation%2Fui%2Ffilter%2FSecurityXssFilter.java;fp=ui%2Fsrc%2Fmain%2Fjava%2Forg%2Fakraino%2Fvalidation%2Fui%2Ffilter%2FSecurityXssFilter.java;h=e9afd05a42773ccdd5774bc1bda9481bbca2d2dc;hp=0000000000000000000000000000000000000000;hb=2879b2ee5e1e2815e5f43cb802352bf2878397af;hpb=ce4ad29dc48317cc7cb60fe433072ac46dea2ebb diff --git a/ui/src/main/java/org/akraino/validation/ui/filter/SecurityXssFilter.java b/ui/src/main/java/org/akraino/validation/ui/filter/SecurityXssFilter.java new file mode 100644 index 0000000..e9afd05 --- /dev/null +++ b/ui/src/main/java/org/akraino/validation/ui/filter/SecurityXssFilter.java @@ -0,0 +1,178 @@ +/*- + * ============LICENSE_START========================================== + * ONAP Portal + * =================================================================== + * Copyright © 2017 AT&T Intellectual Property. All rights reserved. + * =================================================================== + * + * Unless otherwise specified, all software contained herein is licensed + * under the Apache License, Version 2.0 (the "License"); + * you may not use this software except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * Unless otherwise specified, all documentation contained herein is licensed + * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); + * you may not use this documentation except in compliance with the License. + * You may obtain a copy of the License at + * + * https://creativecommons.org/licenses/by/4.0/ + * + * Unless required by applicable law or agreed to in writing, documentation + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * ============LICENSE_END============================================ + * + * + */ +package org.akraino.validation.ui.filter; + +import java.io.BufferedReader; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStreamReader; +import java.nio.charset.StandardCharsets; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; + +import javax.servlet.FilterChain; +import javax.servlet.ReadListener; +import javax.servlet.ServletException; +import javax.servlet.ServletInputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletRequestWrapper; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.io.IOUtils; +import org.apache.commons.lang.StringUtils; +import org.apache.http.HttpStatus; +import org.onap.portalapp.util.SecurityXssValidator; +import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; +import org.springframework.web.filter.OncePerRequestFilter; + +public class SecurityXssFilter extends OncePerRequestFilter { + + private static final EELFLoggerDelegate LOGGER = EELFLoggerDelegate.getLogger(SecurityXssFilter.class); + + private static final String APPLICATION_JSON = "application/json"; + + private static final String ERROR_BAD_REQUEST = "{\"error\":\"BAD_REQUEST\"}"; + + private SecurityXssValidator validator = SecurityXssValidator.getInstance(); + + public class RequestWrapper extends HttpServletRequestWrapper { + + private ByteArrayOutputStream cachedBytes; + + private Map parameter = new HashMap(); + + @SuppressWarnings("unchecked") + public RequestWrapper(HttpServletRequest request) { + super(request); + Enumeration parameterNames = request.getParameterNames(); + while (parameterNames.hasMoreElements()) { + String paramName = parameterNames.nextElement(); + String paramValue = request.getParameter(paramName); + parameter.put(paramName, paramValue); + } + } + + @Override + public String getParameter(String name) { + if (parameter != null) { + return (String) parameter.get(name); + } + return null; + } + + @Override + public ServletInputStream getInputStream() throws IOException { + if (cachedBytes == null) + cacheInputStream(); + + return new CachedServletInputStream(); + } + + @Override + public BufferedReader getReader() throws IOException { + return new BufferedReader(new InputStreamReader(getInputStream())); + } + + private void cacheInputStream() throws IOException { + cachedBytes = new ByteArrayOutputStream(); + IOUtils.copy(super.getInputStream(), cachedBytes); + } + + public class CachedServletInputStream extends ServletInputStream { + private ByteArrayInputStream input; + + public CachedServletInputStream() { + input = new ByteArrayInputStream(cachedBytes.toByteArray()); + } + + @Override + public int read() throws IOException { + return input.read(); + } + + @Override + public boolean isFinished() { + return false; + } + + @Override + public boolean isReady() { + return false; + } + + @Override + public void setReadListener(ReadListener readListener) { + + } + + } + } + + @Override + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws ServletException, IOException { + if (validateRequestType(request)) { + request = new RequestWrapper(request); + String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString()); + try { + if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) { + response.setContentType(APPLICATION_JSON); + response.setStatus(HttpStatus.SC_BAD_REQUEST); + response.getWriter().write(ERROR_BAD_REQUEST); + throw new SecurityException(ERROR_BAD_REQUEST); + } + } catch (Exception e) { + LOGGER.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e); + response.getWriter().close(); + return; + } + filterChain.doFilter(request, response); + + } else { + filterChain.doFilter(request, response); + } + + } + + private boolean validateRequestType(HttpServletRequest request) { + return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT") + || request.getMethod().equalsIgnoreCase("DELETE")); + } +}