From acf75098a37e442c5f194bc0563ec49998df4c47 Mon Sep 17 00:00:00 2001 From: burdziak Date: Thu, 6 Jun 2019 14:19:01 +0200 Subject: Fix sonar issues in SecurityXssValidator Change-Id: I8ef5c92c0e38c25e961a066b4bc6411c944210f7 Issue-ID: PORTAL-523 Signed-off-by: burdziak --- .../onap/portalapp/util/SecurityXssValidator.java | 238 +++++++++++---------- 1 file changed, 121 insertions(+), 117 deletions(-) (limited to 'ecomp-sdk') diff --git a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java index 8a2cf3e7..ef53d16e 100644 --- a/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java +++ b/ecomp-sdk/epsdk-app-common/src/main/java/org/onap/portalapp/util/SecurityXssValidator.java @@ -33,7 +33,7 @@ * * ============LICENSE_END============================================ * - * + * */ package org.onap.portalapp.util; @@ -42,7 +42,6 @@ import java.util.List; import java.util.concurrent.locks.Lock; import java.util.concurrent.locks.ReentrantLock; import java.util.regex.Pattern; - import org.apache.commons.lang.NotImplementedException; import org.apache.commons.lang.StringUtils; import org.apache.commons.lang3.StringEscapeUtils; @@ -51,157 +50,162 @@ import org.onap.portalsdk.core.util.SystemProperties; import org.owasp.esapi.ESAPI; import org.owasp.esapi.codecs.Codec; import org.owasp.esapi.codecs.MySQLCodec; -import org.owasp.esapi.codecs.OracleCodec; import org.owasp.esapi.codecs.MySQLCodec.Mode; +import org.owasp.esapi.codecs.OracleCodec; public class SecurityXssValidator { - private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); - - private static final String MYSQL_DB = "mysql"; - private static final String ORACLE_DB = "oracle"; - private static final String MARIA_DB = "mariadb"; - private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL; - - static SecurityXssValidator validator = null; - private static Codec instance; - private static final Lock lock = new ReentrantLock(); - - public static SecurityXssValidator getInstance() { - - if (validator == null) { - lock.lock(); - try { - if (validator == null) - validator = new SecurityXssValidator(); - } finally { - lock.unlock(); - } - } - return validator; - } + private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class); - private SecurityXssValidator() { - // Avoid anything between script tags - XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS)); + private static final String MYSQL_DB = "mysql"; + private static final String ORACLE_DB = "oracle"; + private static final String MARIA_DB = "mariadb"; + private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL; - // avoid iframes - XSS_INPUT_PATTERNS.add(Pattern.compile("(.*?)", FLAGS)); + static SecurityXssValidator validator = null; + private static Codec instance; + private static final Lock lock = new ReentrantLock(); - // Avoid anything in a src='...' type of expression - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS)); + private List xssInputPatterns = new ArrayList<>(); - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS)); + private SecurityXssValidator() { + // Avoid anything between script tags + xssInputPatterns.add(Pattern.compile("", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS)); + // avoid iframes + xssInputPatterns.add(Pattern.compile("(.*?)", FLAGS)); - // Remove any lonesome tag - XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS)); + // Avoid anything in a src='...' type of expression + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile(".*().*", FLAGS)); + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS)); - XSS_INPUT_PATTERNS.add(Pattern.compile(".*().*", FLAGS)); + xssInputPatterns.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS)); - // Remove any lonesome tag + xssInputPatterns.add(Pattern.compile("", FLAGS)); - // Avoid eval(...) expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS)); + xssInputPatterns.add(Pattern.compile(".*().*", FLAGS)); - // Avoid expression(...) expressions - XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS)); + xssInputPatterns.add(Pattern.compile(".*().*", FLAGS)); - // Avoid javascript:... expressions - XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS)); + // Remove any lonesome