From 60ec30b5f8480da7f525da5e6a9b9e2070100f1b Mon Sep 17 00:00:00 2001
From: statta <statta@research.att.com>
Date: Mon, 26 Aug 2019 13:14:25 -0400
Subject: Portal Setup - App issue

Issue-ID: PORTAL-723
Change-Id: Iff1523b2a474f56a74c9fcb9fd850e0e38f6fc68
Signed-off-by: statta <statta@research.att.com>
---
 .../onap/portalapp/filter/SecurityXssFilter.java   | 179 +++++++++++++++++
 .../portalapp/filter/SecurityXssValidator.java     | 213 +++++++++++++++++++++
 2 files changed, 392 insertions(+)
 create mode 100644 ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
 create mode 100644 ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java

(limited to 'ecomp-portal-BE-os/src/main/java/org/onap/portalapp')

diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
new file mode 100644
index 00000000..4bb48a3a
--- /dev/null
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -0,0 +1,179 @@
+
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * 
+ */
+package org.onap.portalapp.filter;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
+import java.util.Enumeration;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ReadListener;
+import javax.servlet.ServletException;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.StringUtils;
+import org.apache.http.HttpStatus;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+public class SecurityXssFilter extends OncePerRequestFilter {
+
+	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
+
+	private static final String APPLICATION_JSON = "application/json";
+
+	private static final String ERROR_BAD_REQUEST = "{\"error\":\"BAD_REQUEST\"}";
+
+	private SecurityXssValidator validator = SecurityXssValidator.getInstance();
+
+	public class RequestWrapper extends HttpServletRequestWrapper {
+
+		private ByteArrayOutputStream cachedBytes;
+
+		public RequestWrapper(HttpServletRequest request) {
+			super(request);
+		}
+
+		@Override
+		public ServletInputStream getInputStream() throws IOException {
+			if (cachedBytes == null)
+				cacheInputStream();
+
+			return new CachedServletInputStream();
+		}
+
+		@Override
+		public BufferedReader getReader() throws IOException {
+			return new BufferedReader(new InputStreamReader(getInputStream()));
+		}
+
+		private void cacheInputStream() throws IOException {
+			cachedBytes = new ByteArrayOutputStream();
+			IOUtils.copy(super.getInputStream(), cachedBytes);
+		}
+
+		public class CachedServletInputStream extends ServletInputStream {
+			private ByteArrayInputStream input;
+
+			public CachedServletInputStream() {
+				input = new ByteArrayInputStream(cachedBytes.toByteArray());
+			}
+
+			@Override
+			public int read() throws IOException {
+				return input.read();
+			}
+
+			@Override
+			public boolean isFinished() {
+				return false;
+			}
+
+			@Override
+			public boolean isReady() {
+				return false;
+			}
+
+			@Override
+			public void setReadListener(ReadListener readListener) {
+
+			}
+
+		}
+	}
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException {
+		StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString());
+	    String queryString = request.getQueryString();
+	    String requestUrl = "";
+	    if (queryString == null) {
+	    	requestUrl = requestURL.toString();
+	    } else {
+	    	requestUrl = requestURL.append('?').append(queryString).toString();
+	    }
+	    validateRequest(requestUrl, response);
+		StringBuilder headerValues = new StringBuilder();
+		Enumeration<String> headerNames = request.getHeaderNames();
+		while (headerNames.hasMoreElements()) {
+			String key = (String) headerNames.nextElement();
+			String value = request.getHeader(key);
+			headerValues.append(key + ":" + value + ";");
+		}
+		validateRequest(headerValues.toString(), response);
+		if (validateRequestType(request)) {
+			request = new RequestWrapper(request);
+			String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString());
+			validateRequest(requestData, response);
+			filterChain.doFilter(request, response);
+
+		} else {
+			filterChain.doFilter(request, response);
+		}
+	}
+
+	private boolean validateRequestType(HttpServletRequest request) {
+		return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")
+				|| request.getMethod().equalsIgnoreCase("DELETE"));
+	}
+	
+	private void validateRequest(String text, HttpServletResponse response) throws IOException {
+		try {
+			if (StringUtils.isNotBlank(text) && validator.denyXSS(text)) {
+				response.setContentType(APPLICATION_JSON);
+				response.setStatus(HttpStatus.SC_BAD_REQUEST);
+				response.getWriter().write(ERROR_BAD_REQUEST);
+				throw new SecurityException(ERROR_BAD_REQUEST);
+			}
+		} catch (Exception e) {
+			logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
+			response.getWriter().close();
+			return;
+		}
+	}
+}
\ No newline at end of file
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
new file mode 100644
index 00000000..3adc313a
--- /dev/null
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
@@ -0,0 +1,213 @@
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *             https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * 
+ */
+package org.onap.portalapp.filter;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
+import java.util.regex.Pattern;
+
+import org.apache.commons.lang.NotImplementedException;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SystemProperties;
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.codecs.Codec;
+import org.owasp.esapi.codecs.MySQLCodec;
+import org.owasp.esapi.codecs.OracleCodec;
+import org.owasp.esapi.codecs.MySQLCodec.Mode;
+
+public class SecurityXssValidator {
+
+	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
+
+	private static final String MYSQL_DB = "mysql";
+	private static final String ORACLE_DB = "oracle";
+	private static final String MARIA_DB = "mariadb";
+	private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
+	static SecurityXssValidator validator = null;
+	private static Codec instance;
+	private static final Lock lock = new ReentrantLock();
+
+	public static SecurityXssValidator getInstance() {
+
+		if (validator == null) {
+			lock.lock();
+			try {
+				if (validator == null)
+					validator = new SecurityXssValidator();
+			} finally {
+				lock.unlock();
+			}
+		}
+
+		return validator;
+	}
+
+	private SecurityXssValidator() {
+		// Avoid anything between script tags
+		XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
+
+		// avoid iframes
+		XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
+
+		// Avoid anything in a src='...' type of expression
+		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
+
+		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
+
+		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
+
+		// Remove any lonesome </script> tag
+		XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
+
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
+
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
+
+		// Remove any lonesome <script ...> tag
+		XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
+
+		// Avoid eval(...) expressions
+		XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
+
+		// Avoid expression(...) expressions
+		XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
+
+		// Avoid javascript:... expressions
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
+
+		// Avoid onload= expressions
+		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
+	}
+
+	private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
+
+	/**
+	 * * This method takes a string and strips out any potential script injections.
+	 * 
+	 * @param value
+	 * @return String - the new "sanitized" string.
+	 */
+	public String stripXSS(String value) {
+
+		try {
+
+			if (StringUtils.isNotBlank(value)) {
+
+				value = StringEscapeUtils.escapeHtml4(value);
+
+				value = ESAPI.encoder().canonicalize(value);
+
+				// Avoid null characters
+				value = value.replaceAll("\0", "");
+
+				for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
+					value = xssInputPattern.matcher(value).replaceAll("");
+				}
+			}
+
+		} catch (Exception e) {
+			logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
+		}
+
+		return value;
+	}
+
+	public Boolean denyXSS(String value) {
+		Boolean flag = Boolean.FALSE;
+		try {
+			if (StringUtils.isNotBlank(value)) {
+				if (value.contains("&timeseclgn"))
+				{
+					logger.info(EELFLoggerDelegate.applicationLogger, "denyXSS() replacing &timeseclgn with empty string for request value : " + value);
+					value=value.replaceAll("&timeseclgn", "");
+				}
+				value = ESAPI.encoder().canonicalize(value);
+				for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
+					if (xssInputPattern.matcher(value).matches()) {
+						flag = Boolean.TRUE;
+						break;
+					}
+
+				}
+			}
+
+		} catch (Exception e) {
+			logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed for request with value : " + value, e);
+		}
+
+		return flag;
+	}
+
+	public Codec getCodec() {
+		try {
+			if (null == instance) {
+				if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
+						|| StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+								MARIA_DB)) {
+					instance = new MySQLCodec(Mode.STANDARD);
+
+				} else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+						ORACLE_DB)) {
+					instance = new OracleCodec();
+				} else {
+					throw new NotImplementedException("Handling for data base \""
+							+ SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
+				}
+			}
+
+		} catch (Exception ex) {
+			logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
+		}
+		return instance;
+
+	}
+
+	public List<Pattern> getXSS_INPUT_PATTERNS() {
+		return XSS_INPUT_PATTERNS;
+	}
+
+	public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
+		XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
+	}
+	
+
+}
\ No newline at end of file
-- 
cgit 1.2.3-korg