From acf75098a37e442c5f194bc0563ec49998df4c47 Mon Sep 17 00:00:00 2001
From: burdziak <olaf.burdziakowski@nokia.com>
Date: Thu, 6 Jun 2019 14:19:01 +0200
Subject: Fix sonar issues in SecurityXssValidator

Change-Id: I8ef5c92c0e38c25e961a066b4bc6411c944210f7
Issue-ID: PORTAL-523
Signed-off-by: burdziak <olaf.burdziakowski@nokia.com>
---
 .../onap/portalapp/util/SecurityXssValidator.java  | 238 +++++++++++----------
 1 file changed, 121 insertions(+), 117 deletions(-)

(limited to 'ecomp-sdk/epsdk-app-common')

diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
index 8a2cf3e7..ef53d16e 100644
--- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
+++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java
@@ -33,7 +33,7 @@
  *
  * ============LICENSE_END============================================
  *
- * 
+ *
  */
 package org.onap.portalapp.util;
 
@@ -42,7 +42,6 @@ import java.util.List;
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
 import java.util.regex.Pattern;
-
 import org.apache.commons.lang.NotImplementedException;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang3.StringEscapeUtils;
@@ -51,157 +50,162 @@ import org.onap.portalsdk.core.util.SystemProperties;
 import org.owasp.esapi.ESAPI;
 import org.owasp.esapi.codecs.Codec;
 import org.owasp.esapi.codecs.MySQLCodec;
-import org.owasp.esapi.codecs.OracleCodec;
 import org.owasp.esapi.codecs.MySQLCodec.Mode;
+import org.owasp.esapi.codecs.OracleCodec;
 
 public class SecurityXssValidator {
-	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
-
-	private static final String MYSQL_DB = "mysql";
-	private static final String ORACLE_DB = "oracle";
-	private static final String MARIA_DB = "mariadb";
-	private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
-
-	static SecurityXssValidator validator = null;
-	private static Codec instance;
-	private static final Lock lock = new ReentrantLock();
-
-	public static SecurityXssValidator getInstance() {
-
-		if (validator == null) {
-			lock.lock();
-			try {
-				if (validator == null)
-					validator = new SecurityXssValidator();
-			} finally {
-				lock.unlock();
-			}
-		}
 
-		return validator;
-	}
+  private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
 
-	private SecurityXssValidator() {
-		// Avoid anything between script tags
-		XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
+  private static final String MYSQL_DB = "mysql";
+  private static final String ORACLE_DB = "oracle";
+  private static final String MARIA_DB = "mariadb";
+  private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
 
-		// avoid iframes
-		XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
+  static SecurityXssValidator validator = null;
+  private static Codec instance;
+  private static final Lock lock = new ReentrantLock();
 
-		// Avoid anything in a src='...' type of expression
-		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
+  private List<Pattern> xssInputPatterns = new ArrayList<>();
 
-		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
+  private SecurityXssValidator() {
+    // Avoid anything between script tags
+    xssInputPatterns.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
 
-		XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
+    // avoid iframes
+    xssInputPatterns.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
 
-		// Remove any lonesome </script> tag
-		XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
+    // Avoid anything in a src='...' type of expression
+    xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
 
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
+    xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
 
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
+    xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
 
-		// Remove any lonesome <script ...> tag
-		XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
+    // Remove any lonesome </script> tag
+    xssInputPatterns.add(Pattern.compile("</script>", FLAGS));
 
-		// Avoid eval(...) expressions
-		XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
+    xssInputPatterns.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
 
-		// Avoid expression(...) expressions
-		XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
+    xssInputPatterns.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
 
-		// Avoid javascript:... expressions
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
+    // Remove any lonesome <script ...> tag
+    xssInputPatterns.add(Pattern.compile("<script(.*?)>", FLAGS));
 
-		// Avoid onload= expressions
-		XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
-	}
+    // Avoid eval(...) expressions
+    xssInputPatterns.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
 
-	private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
+    // Avoid expression(...) expressions
+    xssInputPatterns.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
 
-	/**
-	 * * This method takes a string and strips out any potential script injections.
-	 * 
-	 * @param value
-	 * @return String - the new "sanitized" string.
-	 */
-	public String stripXSS(String value) {
+    // Avoid javascript:... expressions
+    xssInputPatterns.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
 
-		try {
+    // Avoid onload= expressions
+    xssInputPatterns.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
+  }
 
-			if (StringUtils.isNotBlank(value)) {
+  public static SecurityXssValidator getInstance() {
 
-				value = StringEscapeUtils.escapeHtml4(value);
+    if (validator == null) {
+      lock.lock();
+      try {
+        if (validator == null) {
+          validator = new SecurityXssValidator();
+        }
+      } finally {
+        lock.unlock();
+      }
+    }
 
-				value = ESAPI.encoder().canonicalize(value);
+    return validator;
+  }
 
-				// Avoid null characters
-				value = value.replaceAll("\0", "");
+  /**
+   * * This method takes a string and strips out any potential script injections.
+   *
+   * @return String - the new "sanitized" string.
+   */
+  public String stripXSS(String value) {
 
-				for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
-					value = xssInputPattern.matcher(value).replaceAll("");
-				}
-			}
+    try {
 
-		} catch (Exception e) {
-			logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
-		}
+      if (StringUtils.isNotBlank(value)) {
 
-		return value;
-	}
+        value = StringEscapeUtils.escapeHtml4(value);
 
-	public Boolean denyXSS(String value) {
-		Boolean flag = Boolean.FALSE;
-		try {
-			if (StringUtils.isNotBlank(value)) {
-				value = ESAPI.encoder().canonicalize(value);
-				for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
-					if (xssInputPattern.matcher(value).matches()) {
-						flag = Boolean.TRUE;
-						break;
-					}
+        value = ESAPI.encoder().canonicalize(value);
 
-				}
-			}
+        // Avoid null characters
+        value = value.replaceAll("\0", "");
 
-		} catch (Exception e) {
-			logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e);
-		}
+        for (Pattern xssInputPattern : xssInputPatterns) {
+          value = xssInputPattern.matcher(value).replaceAll("");
+        }
+      }
 
-		return flag;
-	}
+    } catch (Exception e) {
+      logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
+    }
 
-	public Codec getCodec() {
-		try {
-			if (null == instance) {
-				if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
-						|| StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-								MARIA_DB)) {
-					instance = new MySQLCodec(Mode.STANDARD);
+    return value;
+  }
 
-				} else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
-						ORACLE_DB)) {
-					instance = new OracleCodec();
-				} else {
-					throw new NotImplementedException("Handling for data base \""
-							+ SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
-				}
-			}
+  public Boolean denyXSS(String value) {
+    Boolean flag = Boolean.FALSE;
+    try {
+      if (StringUtils.isBlank(value))
+        return flag;
 
-		} catch (Exception ex) {
-			logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
-		}
-		return instance;
+      value = ESAPI.encoder().canonicalize(value);
+      for (Pattern xssInputPattern : xssInputPatterns) {
+        if (xssInputPattern.matcher(value).matches()) {
+          flag = Boolean.TRUE;
+          break;
+        }
+      }
 
-	}
+    } catch (Exception e) {
+      logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed", e);
+    }
 
-	public List<Pattern> getXSS_INPUT_PATTERNS() {
-		return XSS_INPUT_PATTERNS;
-	}
+    return flag;
+  }
 
-	public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
-		XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
-	}
+  public Codec getCodec() {
+    try {
+      if (null == instance) {
+        if (StringUtils
+            .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
+            || StringUtils
+            .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+                MARIA_DB)) {
+          instance = new MySQLCodec(Mode.STANDARD);
+
+        } else if (StringUtils
+            .containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
+                ORACLE_DB)) {
+          instance = new OracleCodec();
+        } else {
+          throw new NotImplementedException("Handling for data base \""
+              + SystemProperties.getProperty(SystemProperties.DB_DRIVER)
+              + "\" not yet implemented.");
+        }
+      }
+
+    } catch (Exception ex) {
+      logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
+    }
+    return instance;
+
+  }
+
+  public List<Pattern> getXssInputPatterns() {
+    return xssInputPatterns;
+  }
+
+  public void setXssInputPatterns(List<Pattern> xssInputPatterns) {
+    this.xssInputPatterns = xssInputPatterns;
+  }
 
 }
\ No newline at end of file
-- 
cgit 1.2.3-korg