diff options
Diffstat (limited to 'ecomp-sdk/epsdk-app-common/src')
-rw-r--r-- | ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java | 238 |
1 files changed, 121 insertions, 117 deletions
diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java index 8a2cf3e7..ef53d16e 100644 --- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java @@ -33,7 +33,7 @@ * * ============LICENSE_END============================================ * - * + * */ package org.onap.portalapp.util; @@ -42,7 +42,6 @@ import java.util.List; import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; import java.util.regex.Pattern; - import org.apache.commons.lang.NotImplementedException; import org.apache.commons.lang.StringUtils; import org.apache.commons.lang3.StringEscapeUtils; @@ -51,157 +50,162 @@ import org.onap.portalsdk.core.util.SystemProperties; import org.owasp.esapi.ESAPI; import org.owasp.esapi.codecs.Codec; import org.owasp.esapi.codecs.MySQLCodec; -import org.owasp.esapi.codecs.OracleCodec; import org.owasp.esapi.codecs.MySQLCodec.Mode; +import org.owasp.esapi.codecs.OracleCodec; public class SecurityXssValidator { - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); - - private static final String MYSQL_DB = "mysql"; - private static final String ORACLE_DB = "oracle"; - private static final String MARIA_DB = "mariadb"; - private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL; - - static SecurityXssValidator validator = null; - private static Codec instance; - private static final Lock lock = new ReentrantLock(); - - public static SecurityXssValidator getInstance() { - - if (validator == null) { - lock.lock(); - try { - if (validator == null) - validator = new SecurityXssValidator(); - } finally { - lock.unlock(); - } - } - return validator; - } + private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); - private SecurityXssValidator() { - // Avoid anything between script tags - XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS)); + private static final String MYSQL_DB = "mysql"; + private static final String ORACLE_DB = "oracle"; + private static final String MARIA_DB = "mariadb"; + private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL; - // avoid iframes - XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS)); + static SecurityXssValidator validator = null; + private static Codec instance; + private static final Lock lock = new ReentrantLock(); - // Avoid anything in a src='...' type of expression - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS)); + private List<Pattern> xssInputPatterns = new ArrayList<>(); - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS)); + private SecurityXssValidator() { + // Avoid anything between script tags + xssInputPatterns.add(Pattern.compile("<script>(.*?)</script>", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS)); + // avoid iframes + xssInputPatterns.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS)); - // Remove any lonesome </script> tag - XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS)); + // Avoid anything in a src='...' type of expression + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS)); + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS)); + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS)); - // Remove any lonesome <script ...> tag - XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS)); + // Remove any lonesome </script> tag + xssInputPatterns.add(Pattern.compile("</script>", FLAGS)); - // Avoid eval(...) expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS)); + xssInputPatterns.add(Pattern.compile(".*(<script>|</script>).*", FLAGS)); - // Avoid expression(...) expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS)); + xssInputPatterns.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS)); - // Avoid javascript:... expressions - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS)); + // Remove any lonesome <script ...> tag + xssInputPatterns.add(Pattern.compile("<script(.*?)>", FLAGS)); - // Avoid onload= expressions - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS)); - } + // Avoid eval(...) expressions + xssInputPatterns.add(Pattern.compile("eval\\((.*?)\\)", FLAGS)); - private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>(); + // Avoid expression(...) expressions + xssInputPatterns.add(Pattern.compile("expression\\((.*?)\\)", FLAGS)); - /** - * * This method takes a string and strips out any potential script injections. - * - * @param value - * @return String - the new "sanitized" string. - */ - public String stripXSS(String value) { + // Avoid javascript:... expressions + xssInputPatterns.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS)); - try { + // Avoid onload= expressions + xssInputPatterns.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS)); + } - if (StringUtils.isNotBlank(value)) { + public static SecurityXssValidator getInstance() { - value = StringEscapeUtils.escapeHtml4(value); + if (validator == null) { + lock.lock(); + try { + if (validator == null) { + validator = new SecurityXssValidator(); + } + } finally { + lock.unlock(); + } + } - value = ESAPI.encoder().canonicalize(value); + return validator; + } - // Avoid null characters - value = value.replaceAll("\0", ""); + /** + * * This method takes a string and strips out any potential script injections. + * + * @return String - the new "sanitized" string. + */ + public String stripXSS(String value) { - for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) { - value = xssInputPattern.matcher(value).replaceAll(""); - } - } + try { - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e); - } + if (StringUtils.isNotBlank(value)) { - return value; - } + value = StringEscapeUtils.escapeHtml4(value); - public Boolean denyXSS(String value) { - Boolean flag = Boolean.FALSE; - try { - if (StringUtils.isNotBlank(value)) { - value = ESAPI.encoder().canonicalize(value); - for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) { - if (xssInputPattern.matcher(value).matches()) { - flag = Boolean.TRUE; - break; - } + value = ESAPI.encoder().canonicalize(value); - } - } + // Avoid null characters + value = value.replaceAll("\0", ""); - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e); - } + for (Pattern xssInputPattern : xssInputPatterns) { + value = xssInputPattern.matcher(value).replaceAll(""); + } + } - return flag; - } + } catch (Exception e) { + logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e); + } - public Codec getCodec() { - try { - if (null == instance) { - if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB) - || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), - MARIA_DB)) { - instance = new MySQLCodec(Mode.STANDARD); + return value; + } - } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), - ORACLE_DB)) { - instance = new OracleCodec(); - } else { - throw new NotImplementedException("Handling for data base \"" - + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented."); - } - } + public Boolean denyXSS(String value) { + Boolean flag = Boolean.FALSE; + try { + if (StringUtils.isBlank(value)) + return flag; - } catch (Exception ex) { - logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex); - } - return instance; + value = ESAPI.encoder().canonicalize(value); + for (Pattern xssInputPattern : xssInputPatterns) { + if (xssInputPattern.matcher(value).matches()) { + flag = Boolean.TRUE; + break; + } + } - } + } catch (Exception e) { + logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e); + } - public List<Pattern> getXSS_INPUT_PATTERNS() { - return XSS_INPUT_PATTERNS; - } + return flag; + } - public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) { - XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS; - } + public Codec getCodec() { + try { + if (null == instance) { + if (StringUtils + .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB) + || StringUtils + .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + MARIA_DB)) { + instance = new MySQLCodec(Mode.STANDARD); + + } else if (StringUtils + .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), + ORACLE_DB)) { + instance = new OracleCodec(); + } else { + throw new NotImplementedException("Handling for data base \"" + + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + + "\" not yet implemented."); + } + } + + } catch (Exception ex) { + logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex); + } + return instance; + + } + + public List<Pattern> getXssInputPatterns() { + return xssInputPatterns; + } + + public void setXssInputPatterns(List<Pattern> xssInputPatterns) { + this.xssInputPatterns = xssInputPatterns; + } }
\ No newline at end of file |