authorst782s <statta@research.att.com>2017-11-22 11:41:10 -0500
committerSunder Tattavarada <statta@research.att.com>2017-11-28 20:24:36 +0000
commited07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 (patch)
treeee4a6e53f01f15057f32b86f271c9b6d02b25615 /ecomp-sdk/epsdk-app-os/src/main/java
parent418d7273d6d8f6fed2698df89c9910be8498a677 (diff)
Harden code
Issue-ID: PORTAL-145,PORTAL-119 Harden code to address SQL injection and XSS vulnerabilities; separate docker images for portal, sdk app and DMaaPBC UI Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204 Signed-off-by: st782s <statta@research.att.com>
Diffstat (limited to 'ecomp-sdk/epsdk-app-os/src/main/java')
-rw-r--r--ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java112
1 files changed, 45 insertions, 67 deletions
diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
index b3ebed73..71ab7359 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -39,92 +39,70 @@
package org.onap.portalapp.filter;
import java.io.IOException;
-import javax.servlet.Filter;
+import java.io.UnsupportedEncodingException;
+
import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.onap.portalapp.util.SecurityXssValidator;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-
-public class SecurityXssFilter implements Filter {
-
- private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
-
- private SecurityXssValidator validator = SecurityXssValidator.getInstance();
-
- class SecurityRequestWrapper extends HttpServletRequestWrapper {
-
- public SecurityRequestWrapper(HttpServletRequest servletRequest) {
- super(servletRequest);
- }
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.ContentCachingRequestWrapper;
+import org.springframework.web.util.ContentCachingResponseWrapper;
+import org.springframework.web.util.WebUtils;
- @Override
- public String[] getParameterValues(String parameter) {
- String[] values = super.getParameterValues(parameter);
+public class SecurityXssFilter extends OncePerRequestFilter {
- if (values == null) {
- return null;
- }
-
- int count = values.length;
- String[] encodedValues = new String[count];
- for (int i = 0; i < count; i++) {
- encodedValues[i] = stripXss(values[i]);
-
- }
-
- return encodedValues;
- }
+ private static final String BAD_REQUEST = "BAD_REQUEST";
- private String stripXss(String value) {
-
-
- return validator.stripXSS(value);
- }
+ private SecurityXssValidator validator = SecurityXssValidator.getInstance();
- @Override
- public String getParameter(String parameter) {
- String value = super.getParameter(parameter);
- if (StringUtils.isNotBlank(value)) {
- value = stripXss(value);
+ private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
+ String payload = null;
+ ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
+ if (wrapper != null) {
+ byte[] buf = wrapper.getContentAsByteArray();
+ if (buf.length > 0) {
+ payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
}
- return value;
}
+ return payload;
+ }
- @Override
- public String getHeader(String name) {
- String value = super.getHeader(name);
- if (StringUtils.isNotBlank(value)) {
- value = stripXss(value);
+ private static String getResponseData(final HttpServletResponse response) throws IOException {
+ String payload = null;
+ ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response,
+ ContentCachingResponseWrapper.class);
+ if (wrapper != null) {
+ byte[] buf = wrapper.getContentAsByteArray();
+ if (buf.length > 0) {
+ payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
+ wrapper.copyBodyToResponse();
}
- return value;
}
- }
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
+ return payload;
}
@Override
- public void destroy() {
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
- throws IOException, ServletException {
-
- try {
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+ throws ServletException, IOException {
+
+ if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) {
+
+ HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
+ HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
+ filterChain.doFilter(requestToCache, responseToCache);
+ String requestData = getRequestData(requestToCache);
+ String responseData = getResponseData(responseToCache);
+ if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
+ throw new SecurityException(BAD_REQUEST);
+ }
- chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response);
- } catch (Exception e) {
- logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
+ } else {
+ filterChain.doFilter(request, response);
}
- }
+ }
}
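Review bot: The `validator.denyXSS(requestData)` check in doFilterInternal runs only after `filterChain.doFilter(requestToCache, responseToCache)` has already let the downstream handler consume the body, so a payload that is then rejected has already been processed (and, when the handler produced output, `wrapper.copyBodyToResponse()` in getResponseData has already written that output before the SecurityException is thrown). As far as I can tell, ContentCachingRequestWrapper caches only what the handler actually reads through it, so a handler that never touches the body leaves `requestData` blank and bypasses the check entirely. To make the filter preventive rather than after-the-fact, buffer and validate the body before delegating to the chain, and reject with `response.sendError(HttpServletResponse.SC_BAD_REQUEST);` instead of an uncaught SecurityException, which the container will report as a 500. Note also that `responseData` is assigned but never used, and that the removed wrapper sanitized getParameter/getParameterValues/getHeader on every method, whereas the new code inspects only POST/PUT bodies, so GET query parameters and headers are no longer validated at all.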