From e3636b96e9938cb89bb90672cf70fff3ae790186 Mon Sep 17 00:00:00 2001 From: Muni Mohan Kunchi Date: Thu, 6 Feb 2020 13:51:45 -0500 Subject: adding sdk changes adding sdk changes Issue-ID: PORTAL-830 Signed-off-by: Muni Mohan Kunchi Change-Id: I0c99d3ab15fcf4c3b34d84658b64114dadbe2577 --- .../onap/portalapp/filter/SecurityXssFilter.java | 45 ++++++++++++++++------ 1 file changed, 33 insertions(+), 12 deletions(-) (limited to 'ecomp-sdk/epsdk-app-os/src/main/java/org') diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java index 91025d14..41251e50 100644 --- a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java +++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java @@ -146,21 +146,27 @@ public class SecurityXssFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { + StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString()); + String queryString = request.getQueryString(); + String requestUrl = ""; + if (queryString == null) { + requestUrl = requestURL.toString(); + } else { + requestUrl = requestURL.append('?').append(queryString).toString(); + } + validateRequest(requestUrl, response); + StringBuilder headerValues = new StringBuilder(); + Enumeration headerNames = request.getHeaderNames(); + while (headerNames.hasMoreElements()) { + String key = (String) headerNames.nextElement(); + String value = request.getHeader(key); + headerValues.append(key + ":" + value + ";"); + } + validateRequest(headerValues.toString(), response); if (validateRequestType(request)) { request = new RequestWrapper(request); String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString()); - try { - if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) { - response.setContentType(APPLICATION_JSON); - response.setStatus(HttpStatus.SC_BAD_REQUEST); - response.getWriter().write(ERROR_BAD_REQUEST); - throw new SecurityException(ERROR_BAD_REQUEST); - } - } catch (Exception e) { - logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e); - response.getWriter().close(); - return; - } + validateRequest(requestData, response); filterChain.doFilter(request, response); } else { @@ -174,4 +180,19 @@ public class SecurityXssFilter extends OncePerRequestFilter { "PUT".equalsIgnoreCase( request.getMethod() ) || "DELETE".equalsIgnoreCase( request.getMethod() ) ); } + + private void validateRequest(String text, HttpServletResponse response) throws IOException { + try { + if (StringUtils.isNotBlank(text) && validator.denyXSS(text)) { + response.setContentType(APPLICATION_JSON); + response.setStatus(HttpStatus.SC_BAD_REQUEST); + response.getWriter().write(ERROR_BAD_REQUEST); + throw new SecurityException(ERROR_BAD_REQUEST); + } + } catch (Exception e) { + logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e); + response.getWriter().close(); + return; + } + } } \ No newline at end of file -- cgit 1.2.3-korg