author | Ofir Sonsino <os0695@att.com> | 2018-02-20 18:03:30 +0200 |
committer | Ofir Sonsino <os0695@intl.att.com> | 2018-02-27 14:47:52 +0200 |
commit | efedea1c5d80532f5b1180d57c8dafce5dcb302a (patch) | |
tree | c4bdefe8758b01f31c9e91a9ded0ab989daeb5e2 /epsdk-app-onap/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java | |
parent | b94bd70f1595fad9546c3506393613f68504f495 (diff) |
org.onap migration
Change-Id: I5e2d01a6da21d4003c910b5fe0702b35c2089a77
Issue-ID: VID-86
Signed-off-by: Ofir Sonsino <os0695@intl.att.com>
Diffstat (limited to 'epsdk-app-onap/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java')
-rw-r--r-- | epsdk-app-onap/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/epsdk-app-onap/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java b/epsdk-app-onap/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
new file mode 100644
index 000000000..71ab7359a
--- /dev/null
+++ b/epsdk-app-onap/src/main/java/org/onap/portalapp/filter/SecurityXssFilter.java
@@ -0,0 +1,108 @@
+
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalapp.filter;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringUtils;
+import org.onap.portalapp.util.SecurityXssValidator;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.ContentCachingRequestWrapper;
+import org.springframework.web.util.ContentCachingResponseWrapper;
+import org.springframework.web.util.WebUtils;
+
+public class SecurityXssFilter extends OncePerRequestFilter {
+
+ private static final String BAD_REQUEST = "BAD_REQUEST";
+
+ private SecurityXssValidator validator = SecurityXssValidator.getInstance();
+
+ private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
+ String payload = null;
+ ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
+ if (wrapper != null) {
+ byte[] buf = wrapper.getContentAsByteArray();
+ if (buf.length > 0) {
+ payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
+ }
+ }
+ return payload;
+ }
+
+ private static String getResponseData(final HttpServletResponse response) throws IOException {
+ String payload = null;
+ ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response,
+ ContentCachingResponseWrapper.class);
+ if (wrapper != null) {
+ byte[] buf = wrapper.getContentAsByteArray();
+ if (buf.length > 0) {
+ payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
+ wrapper.copyBodyToResponse();
+ }
+ }
+ return payload;
+ }
+
+ @Override
+ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+ throws ServletException, IOException {
+
+ if (request.getMethod().equalsIgnoreCase("POST")
|| request.getMethod().equalsIgnoreCase("PUT")) {
+
+ HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
+ HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
+ filterChain.doFilter(requestToCache, responseToCache);
+ String requestData = getRequestData(requestToCache);
+ String responseData = getResponseData(responseToCache);
+ if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
+ throw new SecurityException(BAD_REQUEST);
+ }
+
+ } else {
+ filterChain.doFilter(request, response);
+ }
+
+} |
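Review bot: In `doFilterInternal` the validation runs after `filterChain.doFilter(requestToCache, responseToCache)` has returned, so `validator.denyXSS(requestData)` is evaluated only once the downstream handler has fully processed the request and `getResponseData` has already called `wrapper.copyBodyToResponse()`; the `SecurityException` thrown at the end blocks nothing and only turns a completed request into a late, unhandled exception instead of a clean 400. The check also depends on the cache being populated: as I read Spring's `ContentCachingRequestWrapper`, it only retains what the handler itself reads through the wrapper, so a body the handler never consumes leaves an empty buffer, `getRequestData` returns null and `StringUtils.isNotBlank` skips the check entirely (confirm against the Spring version in use). `responseData` is assigned and never read; if the call is kept only for its `copyBodyToResponse()` side effect, say so inline: `getResponseData(responseToCache); // flushes the cached body to the real response; the content is not inspected`. The fix is structural rather than a line edit: read the request body fully before invoking the chain, validate it, reject with `response.sendError(HttpServletResponse.SC_BAD_REQUEST); return;` and only then hand the chain a wrapper that re-serves the buffered bytes (and form parameters) to downstream readers.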