Diffstat (limited to 'ecomp-portal-BE-os/src/main')
-rw-r--r-- | ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java | 185 | ||||
-rw-r--r-- | ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java | 207 |
2 files changed, 0 insertions, 392 deletions
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
deleted file mode 100644
index 703019f9..00000000
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ /dev/null
@@ -1,185 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * Modifications Copyright (c) 2019 Samsung
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- *
- */
-
-package org.onap.portalapp.filter;
-
-import java.io.BufferedReader;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.nio.charset.StandardCharsets;
-import java.util.Enumeration;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ReadListener;
-import javax.servlet.ServletInputStream;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang.StringUtils;
-import org.apache.http.HttpStatus;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.springframework.web.filter.OncePerRequestFilter;
-
-public class SecurityXssFilter extends OncePerRequestFilter {
-
- private EELFLoggerDelegate sxLogger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
-
- private static final String APPLICATION_JSON = "application/json";
-
- private static final String ERROR_BAD_REQUEST = "{\"error\":\"BAD_REQUEST\"}";
-
- private SecurityXssValidator validator = SecurityXssValidator.getInstance();
-
- public class RequestWrapper extends HttpServletRequestWrapper {
-
- private ByteArrayOutputStream cachedBytes;
-
- public RequestWrapper(HttpServletRequest request) {
- super(request);
- }
-
- @Override
- public ServletInputStream getInputStream() throws IOException {
- if (cachedBytes == null)
- cacheInputStream();
-
- return new CachedServletInputStream();
- }
-
- @Override
- public BufferedReader getReader() throws IOException {
- return new BufferedReader(new InputStreamReader(getInputStream()));
- }
-
- private void cacheInputStream() throws IOException {
- cachedBytes = new ByteArrayOutputStream();
- IOUtils.copy(super.getInputStream(), cachedBytes);
- }
-
- public class CachedServletInputStream extends ServletInputStream {
- private ByteArrayInputStream input;
-
- public CachedServletInputStream() {
- input = new ByteArrayInputStream(cachedBytes.toByteArray());
- }
-
- @Override
- public int read() throws IOException {
- return input.read();
- }
-
- @Override
- public boolean isFinished() {
- return false;
- }
-
- @Override
- public boolean isReady() {
- return false;
- }
-
- @Override
- public void setReadListener(ReadListener readListener) {
- // do nothing
- }
- }
- }
-
- @Override
- protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
- throws IOException {
- StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString());
- String queryString = request.getQueryString();
- String requestUrl;
-
- if (queryString == null) {
- requestUrl = requestURL.toString();
- } else {
- requestUrl = requestURL.append('?').append(queryString).toString();
- }
-
- validateRequest(requestUrl, response);
- StringBuilder headerValues = new StringBuilder();
- Enumeration<String> headerNames = request.getHeaderNames();
-
- while (headerNames.hasMoreElements()) {
- String key = headerNames.nextElement();
- String value = request.getHeader(key);
- headerValues.append(value);
- }
-
- validateRequest(headerValues.toString(), response);
-
- if (validateRequestType(request)) {
- request = new RequestWrapper(request);
- String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString());
- validateRequest(requestData, response);
- }
-
- try {
- filterChain.doFilter(request, response);
- } catch (Exception e) {
- sxLogger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e);
- response.sendError(org.springframework.http.HttpStatus.BAD_REQUEST.value(), "Handling bad request");
- }
- }
-
- private boolean validateRequestType(HttpServletRequest request) {
- return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")
- || request.getMethod().equalsIgnoreCase("DELETE"));
- }
-
- private void validateRequest(String text, HttpServletResponse response) throws IOException {
- try {
- if (StringUtils.isNotBlank(text) && validator.denyXSS(text)) {
- response.setContentType(APPLICATION_JSON);
- response.setStatus(HttpStatus.SC_BAD_REQUEST);
- response.getWriter().write(ERROR_BAD_REQUEST);
- throw new SecurityException(ERROR_BAD_REQUEST);
- }
- } catch (Exception e) {
- sxLogger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
- response.getWriter().close();
- }
- }
-}
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
deleted file mode 100644
index c203f1f0..00000000
--- a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
+++ /dev/null
@@ -1,207 +0,0 @@
-/*-
- * ============LICENSE_START==========================================
- * ONAP Portal
- * ===================================================================
- * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * ===================================================================
- *
- * Unless otherwise specified, all software contained herein is licensed
- * under the Apache License, Version 2.0 (the "License");
- * you may not use this software except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Unless otherwise specified, all documentation contained herein is licensed
- * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
- * you may not use this documentation except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * https://creativecommons.org/licenses/by/4.0/
- *
- * Unless required by applicable law or agreed to in writing, documentation
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * ============LICENSE_END============================================
- *
- *
- */
-package org.onap.portalapp.filter;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.concurrent.locks.Lock;
-import java.util.concurrent.locks.ReentrantLock;
-import java.util.regex.Pattern;
-
-import org.apache.commons.lang.NotImplementedException;
-import org.apache.commons.lang.StringUtils;
-import org.apache.commons.lang3.StringEscapeUtils;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-import org.onap.portalsdk.core.util.SystemProperties;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.codecs.Codec;
-import org.owasp.esapi.codecs.MySQLCodec;
-import org.owasp.esapi.codecs.MySQLCodec.Mode;
-import org.owasp.esapi.codecs.OracleCodec;
-
-public class SecurityXssValidator {
-
- private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
-
- private static final String MYSQL_DB = "mysql";
- private static final String ORACLE_DB = "oracle";
- private static final String MARIA_DB = "mariadb";
- private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
- static SecurityXssValidator validator = null;
- private static Codec instance;
- private static final Lock lock = new ReentrantLock();
-
- public static SecurityXssValidator getInstance() {
-
- if (validator == null) {
- lock.lock();
- try {
- if (validator == null)
- validator = new SecurityXssValidator();
- } finally {
- lock.unlock();
- }
- }
-
- return validator;
- }
-
- private SecurityXssValidator() {
- // Avoid anything between script tags
- XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
-
- // avoid iframes
- XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
-
- // Avoid anything in a src='...' type of expression
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
-
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
-
- XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
-
- // Remove any lonesome </script> tag
- XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
-
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
-
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
-
- // Remove any lonesome <script ...> tag
- XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
-
- // Avoid eval(...) expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
-
- // Avoid expression(...) expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
-
- // Avoid javascript:... expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
-
- // Avoid onload= expressions
- XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
- }
-
- private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
-
- /**
- * * This method takes a string and strips out any potential script injections.
- *
- * @param value
- * @return String - the new "sanitized" string.
- */
- public String stripXSS(String value) {
-
- try {
-
- if (StringUtils.isNotBlank(value)) {
-
- value = StringEscapeUtils.escapeHtml4(value);
-
- value = ESAPI.encoder().canonicalize(value);
-
- // Avoid null characters
- value = value.replaceAll("\0", "");
-
- for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
- value = xssInputPattern.matcher(value).replaceAll("");
- }
- }
-
- } catch (Exception e) {
- logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
- }
-
- return value;
- }
-
- public Boolean denyXSS(String value) {
- Boolean flag = Boolean.FALSE;
- try {
- if (StringUtils.isNotBlank(value)) {
- value = ESAPI.encoder().canonicalize(value);
- for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
- if (xssInputPattern.matcher(value).matches()) {
- flag = Boolean.TRUE;
- break;
- }
-
- }
- }
-
- } catch (Exception e) {
- logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e);
- }
-
- return flag;
- }
-
- public Codec getCodec() {
- try {
- if (null == instance) {
- if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
- || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
- MARIA_DB)) {
- instance = new MySQLCodec(Mode.STANDARD);
-
- } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
- ORACLE_DB)) {
- instance = new OracleCodec();
- } else {
- throw new NotImplementedException("Handling for data base \""
- + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
- }
- }
-
- } catch (Exception ex) {
- logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
- }
- return instance;
-
- }
-
- public List<Pattern> getXSS_INPUT_PATTERNS() {
- return XSS_INPUT_PATTERNS;
- }
-
- public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
- XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
- }
-
-}
\ No newline at end of file |