diff options
Diffstat (limited to 'ecomp-sdk/epsdk-app-os/src')
-rw-r--r-- | ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java | 112 | ||||
-rw-r--r-- | ecomp-sdk/epsdk-app-os/src/main/resources/key.properties | 41 |
2 files changed, 86 insertions, 67 deletions
diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java index b3ebed73..71ab7359 100644 --- a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java +++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java @@ -39,92 +39,70 @@ package org.onap.portalapp.filter; import java.io.IOException; -import javax.servlet.Filter; +import java.io.UnsupportedEncodingException; + import javax.servlet.FilterChain; -import javax.servlet.FilterConfig; import javax.servlet.ServletException; -import javax.servlet.ServletRequest; -import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletRequestWrapper; +import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringUtils; import org.onap.portalapp.util.SecurityXssValidator; -import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate; - -public class SecurityXssFilter implements Filter { - - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class); - - private SecurityXssValidator validator = SecurityXssValidator.getInstance(); - - class SecurityRequestWrapper extends HttpServletRequestWrapper { - - public SecurityRequestWrapper(HttpServletRequest servletRequest) { - super(servletRequest); - } +import org.springframework.web.filter.OncePerRequestFilter; +import org.springframework.web.util.ContentCachingRequestWrapper; +import org.springframework.web.util.ContentCachingResponseWrapper; +import org.springframework.web.util.WebUtils; - @Override - public String[] getParameterValues(String parameter) { - String[] values = super.getParameterValues(parameter); +public class SecurityXssFilter extends OncePerRequestFilter { - if (values == null) { - return null; - } - - int count = values.length; - String[] encodedValues = new String[count]; - for (int i = 0; i < count; i++) { - encodedValues[i] = stripXss(values[i]); - - } - - return encodedValues; - } + private static final String BAD_REQUEST = "BAD_REQUEST"; - private String stripXss(String value) { - - - return validator.stripXSS(value); - } + private SecurityXssValidator validator = SecurityXssValidator.getInstance(); - @Override - public String getParameter(String parameter) { - String value = super.getParameter(parameter); - if (StringUtils.isNotBlank(value)) { - value = stripXss(value); + private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException { + String payload = null; + ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class); + if (wrapper != null) { + byte[] buf = wrapper.getContentAsByteArray(); + if (buf.length > 0) { + payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding()); } - return value; } + return payload; + } - @Override - public String getHeader(String name) { - String value = super.getHeader(name); - if (StringUtils.isNotBlank(value)) { - value = stripXss(value); + private static String getResponseData(final HttpServletResponse response) throws IOException { + String payload = null; + ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response, + ContentCachingResponseWrapper.class); + if (wrapper != null) { + byte[] buf = wrapper.getContentAsByteArray(); + if (buf.length > 0) { + payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding()); + wrapper.copyBodyToResponse(); } - return value; } - } - - @Override - public void init(FilterConfig filterConfig) throws ServletException { + return payload; } @Override - public void destroy() { - } - - @Override - public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) - throws IOException, ServletException { - - try { + protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) + throws ServletException, IOException { + + if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) { + + HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request); + HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response); + filterChain.doFilter(requestToCache, responseToCache); + String requestData = getRequestData(requestToCache); + String responseData = getResponseData(responseToCache); + if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) { + throw new SecurityException(BAD_REQUEST); + } - chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response); - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e); + } else { + filterChain.doFilter(request, response); } - } + } } diff --git a/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties b/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties new file mode 100644 index 00000000..aa3355d1 --- /dev/null +++ b/ecomp-sdk/epsdk-app-os/src/main/resources/key.properties @@ -0,0 +1,41 @@ +### +# ============LICENSE_START========================================== +# ONAP Portal SDK +# =================================================================== +# Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# =================================================================== +# +# Unless otherwise specified, all software contained herein is licensed +# under the Apache License, Version 2.0 (the “License”); +# you may not use this software except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Unless otherwise specified, all documentation contained herein is licensed +# under the Creative Commons License, Attribution 4.0 Intl. (the “License”); +# you may not use this documentation except in compliance with the License. +# You may obtain a copy of the License at +# +# https://creativecommons.org/licenses/by/4.0/ +# +# Unless required by applicable law or agreed to in writing, documentation +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# ============LICENSE_END============================================ +# +# ECOMP is a trademark and service mark of AT&T Intellectual Property. +### + +# Properties read by the ECOMP Framework library (epsdk-fw) + +cipher.enc.key = AGLDdG4D04BKm2IxIWEr8o==
\ No newline at end of file |