author | rb7147 <rb7147@att.com> | 2017-12-04 16:45:55 -0500 |
committer | rb7147 <rb7147@att.com> | 2017-12-08 10:45:57 -0500 |
commit | 428150834ee60899b9a8da019bae3c8bf009adf1 (patch) | |
tree | 7197eb324477cad918cf527c7a479302cb5029f7 /ONAP-SDK-APP/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java | |
parent | 775f45908025e46a40c9c147fca2066af5c8c5b8 (diff) |
Upgraded the latest ONAP SDK
Upgraded latest ONAP SDK Code.
Change-Id: I669d6cfcefe068b1e4c078889d7d6c77ce788e2e
Issue-ID: POLICY-432
Signed-off-by: rb7147 <rb7147@att.com>
Diffstat (limited to 'ONAP-SDK-APP/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java')
-rw-r--r-- | ONAP-SDK-APP/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/ONAP-SDK-APP/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ONAP-SDK-APP/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
new file mode 100644
index 000000000..9843f604a
--- /dev/null
+++ b/ONAP-SDK-APP/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -0,0 +1,90 @@
+/*-
+ * ================================================================================
+ * ONAP Portal SDK
+ * ================================================================================
+ * Copyright (C) 2017 AT&T Intellectual Property
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ================================================================================
+ */
+package org.onap.portalapp.filter;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringUtils;
+import org.onap.portalapp.util.SecurityXssValidator;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.ContentCachingRequestWrapper;
+import org.springframework.web.util.ContentCachingResponseWrapper;
+import org.springframework.web.util.WebUtils;
+
+public class SecurityXssFilter extends OncePerRequestFilter {
+
+ private static final String BAD_REQUEST = "BAD_REQUEST";
+
+ private SecurityXssValidator validator = SecurityXssValidator.getInstance();
+
+ private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
+ String payload = null;
+ ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
+ if (wrapper != null) {
+ byte[] buf = wrapper.getContentAsByteArray();
+ if (buf.length > 0) {
+ payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
+ }
+ }
+ return payload;
+ }
+
+ private static String getResponseData(final HttpServletResponse response) throws IOException {
+ String payload = null;
+ ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response,
+ ContentCachingResponseWrapper.class);
+ if (wrapper != null) {
+ byte[] buf = wrapper.getContentAsByteArray();
+ if (buf.length > 0) {
+ payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
+ wrapper.copyBodyToResponse();
+ }
+ }
+ return payload;
+ }
+
+ @SuppressWarnings("unused")
+ @Override
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+ throws ServletException, IOException {
+
+ if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) {
+
+ HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
+ HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
+ filterChain.doFilter(requestToCache, responseToCache);
+ String requestData = getRequestData(requestToCache);
+ String responseData = getResponseData(responseToCache);
+ if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
+ throw new SecurityException(BAD_REQUEST);
+ }
+
+ } else {
+ filterChain.doFilter(request, response);
+ }
+
+ }
+}
|
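Review bot: The XSS check in doFilterInternal runs only after `filterChain.doFilter(requestToCache, responseToCache)` has returned, and `getResponseData(responseToCache)` has already flushed the buffered body to the client via `wrapper.copyBodyToResponse()` before `throw new SecurityException(BAD_REQUEST)` is reached, so a rejected payload has been fully processed by the target handler and its response delivered; the uncaught RuntimeException then surfaces as a 500 rather than the 400 its name implies. `responseData` is never read (hence the `@SuppressWarnings("unused")`), so the response-copy step only serves to commit output early. Rejecting before delegation would require reading the body up front and replaying it to the chain (a ContentCachingRequestWrapper caches only what downstream actually consumes, so an endpoint that never reads its body is never checked) — that is a larger change, but at minimum the check should precede the body copy, the buffer should be discarded on rejection and a 400 returned, as below, after which `getResponseData` and its `copyBodyToResponse()` call become redundant. Note also that only POST/PUT bodies are inspected; query parameters and headers on any method pass through unchecked, which is worth stating in a class Javadoc if intended.
```java
		if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) {
			ContentCachingRequestWrapper requestToCache = new ContentCachingRequestWrapper(request);
			ContentCachingResponseWrapper responseToCache = new ContentCachingResponseWrapper(response);
			filterChain.doFilter(requestToCache, responseToCache);
			String requestData = getRequestData(requestToCache);
			if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
				// discard the buffered response instead of flushing it, and answer 400 instead of a 500 from an unhandled exception
				responseToCache.resetBuffer();
				response.sendError(HttpServletResponse.SC_BAD_REQUEST, BAD_REQUEST);
				return;
			}
			// only now release the buffered body to the client
			responseToCache.copyBodyToResponse();
		} else {
			// … unchanged: plain delegation for other methods …
```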