From ed07ebfbce4031ef4dfbd2f42147f6a7b351aeb8 Mon Sep 17 00:00:00 2001
From: st782s <statta@research.att.com>
Date: Wed, 22 Nov 2017 11:41:10 -0500
Subject: Harden code

Issue-ID: PORTAL-145,PORTAL-119
Harden code to address SQL injecton, XSS vulnerabilities; Separate
docker images for portal, sdk app and DMaaPBC ui

Change-Id: I85fad4d3fcee3243207b8f0dfe21beaa41602204
Signed-off-by: st782s <statta@research.att.com>
---
 .../onap/portalapp/filter/SecurityXssFilter.java   | 112 +++++++++------------
 1 file changed, 45 insertions(+), 67 deletions(-)

(limited to 'ecomp-sdk/epsdk-app-os/src/main/java/org')

diff --git a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
index b3ebed73..71ab7359 100644
--- a/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
+++ b/ecomp-sdk/epsdk-app-os/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -39,92 +39,70 @@
 package org.onap.portalapp.filter;
 
 import java.io.IOException;
-import javax.servlet.Filter;
+import java.io.UnsupportedEncodingException;
+
 import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang.StringUtils;
 import org.onap.portalapp.util.SecurityXssValidator;
-import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
-
-public class SecurityXssFilter implements Filter {
-
-	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
-
-	private SecurityXssValidator validator  = SecurityXssValidator.getInstance();
-	
-	class SecurityRequestWrapper extends HttpServletRequestWrapper {
-
-		public SecurityRequestWrapper(HttpServletRequest servletRequest) {
-			super(servletRequest);
-		}
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.ContentCachingRequestWrapper;
+import org.springframework.web.util.ContentCachingResponseWrapper;
+import org.springframework.web.util.WebUtils;
 
-		@Override
-		public String[] getParameterValues(String parameter) {
-			String[] values = super.getParameterValues(parameter);
+public class SecurityXssFilter extends OncePerRequestFilter {
 
-			if (values == null) {
-				return null;
-			}
-
-			int count = values.length;
-			String[] encodedValues = new String[count];
-			for (int i = 0; i < count; i++) {
-				encodedValues[i] = stripXss(values[i]);
-				
-			}
-
-			return encodedValues;
-		}
+	private static final String BAD_REQUEST = "BAD_REQUEST";
 
-		private String stripXss(String value) {
-			
-			
-			return validator.stripXSS(value);
-		}
+	private SecurityXssValidator validator = SecurityXssValidator.getInstance();
 
-		@Override
-		public String getParameter(String parameter) {
-			String value = super.getParameter(parameter);
-			if (StringUtils.isNotBlank(value)) {
-				value = stripXss(value);
+	private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
+		String payload = null;
+		ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
+		if (wrapper != null) {
+			byte[] buf = wrapper.getContentAsByteArray();
+			if (buf.length > 0) {
+				payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
 			}
-			return value;
 		}
+		return payload;
+	}
 
-		@Override
-		public String getHeader(String name) {
-			String value = super.getHeader(name);
-			if (StringUtils.isNotBlank(value)) {
-				value = stripXss(value);
+	private static String getResponseData(final HttpServletResponse response) throws IOException {
+		String payload = null;
+		ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response,
+				ContentCachingResponseWrapper.class);
+		if (wrapper != null) {
+			byte[] buf = wrapper.getContentAsByteArray();
+			if (buf.length > 0) {
+				payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
+				wrapper.copyBodyToResponse();
 			}
-			return value;
 		}
-	}
-	
-	@Override
-	public void init(FilterConfig filterConfig) throws ServletException {
+		return payload;
 	}
 
 	@Override
-	public void destroy() {
-	}
-
-	@Override
-	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
-			throws IOException, ServletException {
-
-		try {
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException {
+
+		if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) {
+
+			HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
+			HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
+			filterChain.doFilter(requestToCache, responseToCache);
+			String requestData = getRequestData(requestToCache);
+			String responseData = getResponseData(responseToCache);
+			if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
+				throw new SecurityException(BAD_REQUEST);
+			}
 
-			chain.doFilter(new SecurityRequestWrapper((HttpServletRequest) request), response);
-		} catch (Exception e) {
-			logger.error(EELFLoggerDelegate.errorLogger, "doFilter() failed", e);
+		} else {
+			filterChain.doFilter(request, response);
 		}
-	}
 
+	}
 }
-- 
cgit 1.2.3-korg