summaryrefslogtreecommitdiffstats
path: root/ecomp-portal-BE-os/src/main
diff options
context:
space:
mode:
Diffstat (limited to 'ecomp-portal-BE-os/src/main')
-rw-r--r--ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java185
-rw-r--r--ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java207
2 files changed, 0 insertions, 392 deletions
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
deleted file mode 100644
index 703019f9..00000000
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * Modifications Copyright (c) 2019 Samsung
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- *
- */
-
-package org.onap.portalapp.filter;
-
-import java.io.BufferedReader;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
-import java.util.Enumeration;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ReadListener;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang.StringUtils;
-import org.apache.http.HttpStatus;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-public class SecurityXssFilter extends OncePerRequestFilter {
-
- private EELFLoggerDelegate sxLogger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
-
- private static final String APPLICATION_JSON = "application/json";
-
- private static final String ERROR_BAD_REQUEST = "{\"error\":\"BAD_REQUEST\"}";
-
- private SecurityXssValidator validator = SecurityXssValidator.getInstance();
-
- public class RequestWrapper extends HttpServletRequestWrapper {
-
- private ByteArrayOutputStream cachedBytes;
-
- public RequestWrapper(HttpServletRequest request) {
- super(request);
- }
-
- @Override
- public ServletInputStream getInputStream() throws IOException {
- if (cachedBytes == null)
- cacheInputStream();
-
- return new CachedServletInputStream();
- }
-
- @Override
- public BufferedReader getReader() throws IOException {
- return new BufferedReader(new InputStreamReader(getInputStream()));
- }
-
- private void cacheInputStream() throws IOException {
- cachedBytes = new ByteArrayOutputStream();
- IOUtils.copy(super.getInputStream(), cachedBytes);
- }
-
- public class CachedServletInputStream extends ServletInputStream {
- private ByteArrayInputStream input;
-
- public CachedServletInputStream() {
- input = new ByteArrayInputStream(cachedBytes.toByteArray());
- }
-
- @Override
- public int read() throws IOException {
- return input.read();
- }
-
- @Override
- public boolean isFinished() {
- return false;
- }
-
- @Override
- public boolean isReady() {
- return false;
- }
-
- @Override
- public void setReadListener(ReadListener readListener) {
- // do nothing
- }
- }
- }
-
- @Override
- protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
- throws IOException {
- StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString());
- String queryString = request.getQueryString();
- String requestUrl;
-
- if (queryString == null) {
- requestUrl = requestURL.toString();
- } else {
- requestUrl = requestURL.append('?').append(queryString).toString();
- }
-
- validateRequest(requestUrl, response);
- StringBuilder headerValues = new StringBuilder();
- Enumeration<String> headerNames = request.getHeaderNames();
-
- while (headerNames.hasMoreElements()) {
- String key = headerNames.nextElement();
- String value = request.getHeader(key);
- headerValues.append(value);
- }
-
- validateRequest(headerValues.toString(), response);
-
- if (validateRequestType(request)) {
- request = new RequestWrapper(request);
- String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString());
- validateRequest(requestData, response);
- }
-
- try {
- filterChain.doFilter(request, response);
- } catch (Exception e) {
- sxLogger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e);
- response.sendError(org.springframework.http.HttpStatus.BAD_REQUEST.value(), "Handling bad request");
- }
- }
-
- private boolean validateRequestType(HttpServletRequest request) {
- return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")
- || request.getMethod().equalsIgnoreCase("DELETE"));
- }
-
- private void validateRequest(String text, HttpServletResponse response) throws IOException {
- try {
- if (StringUtils.isNotBlank(text) && validator.denyXSS(text)) {
- response.setContentType(APPLICATION_JSON);
- response.setStatus(HttpStatus.SC_BAD_REQUEST);
- response.getWriter().write(ERROR_BAD_REQUEST);
- throw new SecurityException(ERROR_BAD_REQUEST);
- }
- } catch (Exception e) {
- sxLogger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
- response.getWriter().close();
- }
- }
-}
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
deleted file mode 100644
index c203f1f0..00000000
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- *
- */
-package org.onap.portalapp.filter;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
-import java.util.regex.Pattern;
-
-import org.apache.commons.lang.NotImplementedException;
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.onap.portalsdk.core.util.SystemProperties;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.codecs.Codec;
-import org.owasp.esapi.codecs.MySQLCodec;
-import org.owasp.esapi.codecs.MySQLCodec.Mode;
-import org.owasp.esapi.codecs.OracleCodec;
-
-public class SecurityXssValidator {
-
- private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
-
- private static final String MYSQL_DB = "mysql";
- private static final String ORACLE_DB = "oracle";
- private static final String MARIA_DB = "mariadb";
- private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
- static SecurityXssValidator validator = null;
- private static Codec instance;
- private static final Lock lock = new ReentrantLock();
-
- public static SecurityXssValidator getInstance() {
-
- if (validator == null) {
- lock.lock();
- try {
- if (validator == null)
- validator = new SecurityXssValidator();
- } finally {
- lock.unlock();
- }
- }
-
- return validator;
- }
-
- private SecurityXssValidator() {
- // Avoid anything between script tags
- XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
-
- // avoid iframes
- XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
-
- // Avoid anything in a src='...' type of expression
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
-
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
-
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
-
- // Remove any lonesome </script> tag
- XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
-
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
-
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
-
- // Remove any lonesome <script ...> tag
- XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
-
- // Avoid eval(...) expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
-
- // Avoid expression(...) expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
-
- // Avoid javascript:... expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
-
- // Avoid onload= expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
- }
-
- private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
-
- /**
- * * This method takes a string and strips out any potential script injections.
- *
- * @param value
- * @return String - the new "sanitized" string.
- */
- public String stripXSS(String value) {
-
- try {
-
- if (StringUtils.isNotBlank(value)) {
-
- value = StringEscapeUtils.escapeHtml4(value);
-
- value = ESAPI.encoder().canonicalize(value);
-
- // Avoid null characters
- value = value.replaceAll("\0", "");
-
- for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
- value = xssInputPattern.matcher(value).replaceAll("");
- }
- }
-
- } catch (Exception e) {
- logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
- }
-
- return value;
- }
-
- public Boolean denyXSS(String value) {
- Boolean flag = Boolean.FALSE;
- try {
- if (StringUtils.isNotBlank(value)) {
- value = ESAPI.encoder().canonicalize(value);
- for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
- if (xssInputPattern.matcher(value).matches()) {
- flag = Boolean.TRUE;
- break;
- }
-
- }
- }
-
- } catch (Exception e) {
- logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e);
- }
-
- return flag;
- }
-
- public Codec getCodec() {
- try {
- if (null == instance) {
- if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
- || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
- MARIA_DB)) {
- instance = new MySQLCodec(Mode.STANDARD);
-
- } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
- ORACLE_DB)) {
- instance = new OracleCodec();
- } else {
- throw new NotImplementedException("Handling for data base \""
- + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
- }
- }
-
- } catch (Exception ex) {
- logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
- }
- return instance;
-
- }
-
- public List<Pattern> getXSS_INPUT_PATTERNS() {
- return XSS_INPUT_PATTERNS;
- }
-
- public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
- XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
- }
-
-} \ No newline at end of file