Diffstat (limited to 'ecomp-sdk/epsdk-app-os/src')
-rw-r--r--ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java112
-rw-r--r--ecomp-sdk/epsdk-app-os/src/main/resources/key.properties41
2 files changed, 86 insertions, 67 deletions
diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
index b3ebed73..71ab7359 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -39,92 +39,70 @@
package org.onap.portalapp.filter;
import java.io.IOException;
-import javax.servlet.Filter;
+import java.io.UnsupportedEncodingException;
+
import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.onap.portalapp.util.SecurityXssValidator;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-
-public class SecurityXssFilter implements Filter {
-
- private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
-
- private SecurityXssValidator validator = SecurityXssValidator.getInstance();
-
- class SecurityRequestWrapper extends HttpServletRequestWrapper {
-
- public SecurityRequestWrapper(HttpServletRequest servletRequest) {
- super(servletRequest);
- }
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.ContentCachingRequestWrapper;
+import org.springframework.web.util.ContentCachingResponseWrapper;
+import org.springframework.web.util.WebUtils;
- @Override
- public String[] getParameterValues(String parameter) {
- String[] values = super.getParameterValues(parameter);
+public class SecurityXssFilter extends OncePerRequestFilter {
- if (values == null) {
- return null;
- }
-
- int count = values.length;
- String[] encodedValues = new String[count];
- for (int i = 0; i < count; i++) {
- encodedValues[i] = stripXss(values[i]);
-
- }
-
- return encodedValues;
- }
+ private static final String BAD_REQUEST = "BAD_REQUEST";
- private String stripXss(String value) {
-
-
- return validator.stripXSS(value);
- }
+ private SecurityXssValidator validator = SecurityXssValidator.getInstance();
- @Override
- public String getParameter(String parameter) {
- String value = super.getParameter(parameter);
- if (StringUtils.isNotBlank(value)) {
- value = stripXss(value);
+ private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
+ String payload = null;
+ ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
+ if (wrapper != null) {
+ byte[] buf = wrapper.getContentAsByteArray();
+ if (buf.length > 0) {
+ payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
}
- return value;
}
+ return payload;
+ }
- @Override
- public String getHeader(String name) {
- String value = super.getHeader(name);
- if (StringUtils.isNotBlank(value)) {
- value = stripXss(value);
+ private static String getResponseData(final HttpServletResponse response) throws IOException {
+ String payload = null;
+ ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response,
+ ContentCachingResponseWrapper.class);
+ if (wrapper != null) {
+ byte[] buf = wrapper.getContentAsByteArray();
+ if (buf.length > 0) {
+ payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
+ wrapper.copyBodyToResponse();
}
- return value;
}
- }
-
- @Override
- public void init(FilterConfig filterConfig) throws ServletException {
+ return payload;
}
@Override
- public void destroy() {
- }
-
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
- throws IOException, ServletException {
-
- try {
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+ throws ServletException, IOException {
+
+ if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) {
+
+ HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
+ HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
+ filterChain.doFilter(requestToCache, responseToCache);
+ String requestData = getRequestData(requestToCache);
+ String responseData = getResponseData(responseToCache);
+ if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
+ throw new SecurityException(BAD_REQUEST);
+ }
- chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response);
- } catch (Exception e) {
- logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
+ } else {
+ filterChain.doFilter(request, response);
}
- }
+ }
}
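Review bot: The body check in doFilterInternal runs only after `filterChain.doFilter(requestToCache, responseToCache)` has returned and after `getResponseData` has already called `wrapper.copyBodyToResponse()`, so a request that `validator.denyXSS` rejects has already been handled downstream and its buffered response body already written to the client before `SecurityException(BAD_REQUEST)` is thrown; that unchecked exception presumably then surfaces as a container error on top of a response that may be partly committed. Validate `requestData` before touching the response wrapper, answer with an explicit 400 instead of an exception, skip the body copy when the request is denied, and log the rejection now that the `EELFLoggerDelegate` field has been removed. Note also that `responseData` is assigned but never read, and that this rewrite narrows coverage: the old `SecurityRequestWrapper` sanitized `getParameter`, `getParameterValues` and `getHeader` on every method, whereas the new filter inspects only the cached body of POST and PUT, so query parameters and headers are no longer checked at all.
```java
filterChain.doFilter(requestToCache, responseToCache);
String requestData = getRequestData(requestToCache);
if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
    // Downstream has already run; the most this late check can do is refuse to
    // release the buffered body and return an explicit 400 (assumes the wrapper
    // has not yet committed the underlying response).
    response.sendError(HttpServletResponse.SC_BAD_REQUEST, BAD_REQUEST);
    return;
}
// … unchanged: copy the buffered response body back to the client …
getResponseData(responseToCache);
```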
diff --git a/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties b/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties
new file mode 100644
index 00000000..aa3355d1
--- /dev/null
+++ b/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties
@@ -0,0 +1,41 @@
+###
+# ============LICENSE_START==========================================
+# ONAP Portal SDK
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+###
+
+# Properties read by the ECOMP Framework library (epsdk-fw)
+
+cipher.enc.key = AGLDdG4D04BKm2IxIWEr8o== \ No newline at end of file
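Review bot: `cipher.enc.key` on the last line commits a symmetric encryption key to version control next to the code that uses it, and because it lives under `src/main/resources` it is also packaged into the built artifact, so anyone with read access to the repository or the deployable can recover it and decrypt whatever epsdk-fw protects with it. Only a placeholder should be committed, with the real value supplied at deployment time through an externalized properties file, environment variable or secret store, and the value shown here should be treated as exposed and rotated. The file also ends without a trailing newline.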