-rw-r--r-- | ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java | 238 |
1 files changed, 121 insertions, 117 deletions
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
index 8a2cf3e7..ef53d16e 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
@@ -33,7 +33,7 @@ * * ============LICENSE_END============================================ * - * + * */ package org.onap.portalapp.util;
@@ -42,7 +42,6 @@ import java.util.List;
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.regex.Pattern;
- import org.apache.commons.lang.NotImplementedException; import org.apache.commons.lang.StringUtils; import org.apache.commons.lang3.StringEscapeUtils;
@@ -51,157 +50,162 @@ import org.onap.portalsdk.core.util.SystemProperties; import org.owasp.esapi.ESAPI; import org.owasp.esapi.codecs.Codec; import org.owasp.esapi.codecs.MySQLCodec; -import org.owasp.esapi.codecs.OracleCodec; import org.owasp.esapi.codecs.MySQLCodec.Mode; +import org.owasp.esapi.codecs.OracleCodec; public class SecurityXssValidator { - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); - - private static final String MYSQL_DB = "mysql"; - private static final String ORACLE_DB = "oracle"; - private static final String MARIA_DB = "mariadb"; - private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL; - - static SecurityXssValidator validator = null; - private static Codec instance; - private static final Lock lock = new ReentrantLock(); - - public static SecurityXssValidator getInstance() { - - if (validator == null) { - lock.lock(); - try { - if (validator == null) - validator = new SecurityXssValidator(); - } finally { - lock.unlock(); - } - } - return validator; - } + private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); - private SecurityXssValidator() { - // Avoid anything between script tags - XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS)); + private static final String MYSQL_DB = "mysql"; + private static final String ORACLE_DB = "oracle"; + private static final String MARIA_DB = "mariadb"; + private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL; - // avoid iframes - XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS)); + static SecurityXssValidator validator = null; + private static Codec instance; + private static final Lock lock = new ReentrantLock(); - // Avoid anything in a src='...' 
type of expression - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS)); + private List<Pattern> xssInputPatterns = new ArrayList<>(); - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS)); + private SecurityXssValidator() { + // Avoid anything between script tags + xssInputPatterns.add(Pattern.compile("<script>(.*?)</script>", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS)); + // avoid iframes + xssInputPatterns.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS)); - // Remove any lonesome </script> tag - XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS)); + // Avoid anything in a src='...' type of expression + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS)); + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS)); + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS)); - // Remove any lonesome <script ...> tag - XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS)); + // Remove any lonesome </script> tag + xssInputPatterns.add(Pattern.compile("</script>", FLAGS)); - // Avoid eval(...) expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS)); + xssInputPatterns.add(Pattern.compile(".*(<script>|</script>).*", FLAGS)); - // Avoid expression(...) expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS)); + xssInputPatterns.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS)); - // Avoid javascript:... 
expressions - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS)); + // Remove any lonesome <script ...> tag + xssInputPatterns.add(Pattern.compile("<script(.*?)>", FLAGS)); - // Avoid onload= expressions - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS)); - } + // Avoid eval(...) expressions + xssInputPatterns.add(Pattern.compile("eval\\((.*?)\\)", FLAGS)); - private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>(); + // Avoid expression(...) expressions + xssInputPatterns.add(Pattern.compile("expression\\((.*?)\\)", FLAGS)); - /** - * * This method takes a string and strips out any potential script injections. - * - * @param value - * @return String - the new "sanitized" string. - */ - public String stripXSS(String value) { + // Avoid javascript:... expressions + xssInputPatterns.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS)); - try { + // Avoid onload= expressions + xssInputPatterns.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS)); + } - if (StringUtils.isNotBlank(value)) { + public static SecurityXssValidator getInstance() { - value = StringEscapeUtils.escapeHtml4(value); + if (validator == null) { + lock.lock(); + try { + if (validator == null) { + validator = new SecurityXssValidator(); + } + } finally { + lock.unlock(); + } + } - value = ESAPI.encoder().canonicalize(value); + return validator; + } - // Avoid null characters - value = value.replaceAll("\0", ""); + /** + * * This method takes a string and strips out any potential script injections. + * + * @return String - the new "sanitized" string. 
+ */ + public String stripXSS(String value) { - for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) { - value = xssInputPattern.matcher(value).replaceAll(""); - } - } + try { - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e); - } + if (StringUtils.isNotBlank(value)) { - return value; - } + value = StringEscapeUtils.escapeHtml4(value); - public Boolean denyXSS(String value) { - Boolean flag = Boolean.FALSE; - try { - if (StringUtils.isNotBlank(value)) { - value = ESAPI.encoder().canonicalize(value); - for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) { - if (xssInputPattern.matcher(value).matches()) { - flag = Boolean.TRUE; - break; - } + value = ESAPI.encoder().canonicalize(value); - } - } + // Avoid null characters + value = value.replaceAll("\0", ""); - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e); - } + for (Pattern xssInputPattern : xssInputPatterns) { + value = xssInputPattern.matcher(value).replaceAll(""); + } + } - return flag; - } + } catch (Exception e) { + logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e); + } - public Codec getCodec() { - try { - if (null == instance) { - if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB) - || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), - MARIA_DB)) { - instance = new MySQLCodec(Mode.STANDARD); + return value; + } - } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), - ORACLE_DB)) { - instance = new OracleCodec(); - } else { - throw new NotImplementedException("Handling for data base \"" - + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented."); - } - } + public Boolean denyXSS(String value) { + Boolean flag = Boolean.FALSE; + try { + if (StringUtils.isBlank(value)) + return flag; - } catch (Exception ex) { - 
logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex); - } - return instance; + value = ESAPI.encoder().canonicalize(value); + for (Pattern xssInputPattern : xssInputPatterns) { + if (xssInputPattern.matcher(value).matches()) { + flag = Boolean.TRUE; + break; + } + } - } + } catch (Exception e) { + logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e); + } - public List<Pattern> getXSS_INPUT_PATTERNS() { - return XSS_INPUT_PATTERNS; - } + return flag; + } - public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) { - XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS; - } + public Codec getCodec() { + try { + if (null == instance) { + if (StringUtils + .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB) + || StringUtils + .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + MARIA_DB)) { + instance = new MySQLCodec(Mode.STANDARD); + + } else if (StringUtils + .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + ORACLE_DB)) { + instance = new OracleCodec(); + } else { + throw new NotImplementedException("Handling for data base \"" + + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + + "\" not yet implemented."); + } + } + + } catch (Exception ex) { + logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex); + } + return instance; + + } + + public List<Pattern> getXssInputPatterns() { + return xssInputPatterns; + } + + public void setXssInputPatterns(List<Pattern> xssInputPatterns) { + this.xssInputPatterns = xssInputPatterns; + } }
\ No newline at end of file |
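Review bot: In the new `denyXSS`, `if (xssInputPattern.matcher(value).matches())` requires the entire input to match, so the patterns written without a leading and trailing `.*` (the `<script>`, `<iframe`, `src=`, `eval(` and `expression(` entries) only trigger when the whole value is exactly that fragment and are missed when it sits inside other text, whereas `stripXSS` uses `replaceAll`, which searches the whole string, so the two methods disagree on the same input. Switching the check to `if (xssInputPattern.matcher(value).find()) {` would make the deny check as broad as the strip. Separately, `static SecurityXssValidator validator = null;` is read outside the lock in `getInstance`, so the double-checked pattern needs the field to be `volatile` (`private static volatile SecurityXssValidator validator;`) to be safe under the Java memory model. `getXssInputPatterns()` also hands out the singleton's live mutable list and `setXssInputPatterns` replaces it with no synchronization, so any caller can silently weaken validation process-wide; returning an unmodifiable view and dropping or restricting the setter is worth considering, though that needs an import that is not in this hunk.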