/*- * ============LICENSE_START========================================== * ONAP Portal * =================================================================== * Copyright © 2017 AT&T Intellectual Property. All rights reserved. * =================================================================== * * Unless otherwise specified, all software contained herein is licensed * under the Apache License, Version 2.0 (the "License"); * you may not use this software except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * * Unless otherwise specified, all documentation contained herein is licensed * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); * you may not use this documentation except in compliance with the License. * You may obtain a copy of the License at * * https://creativecommons.org/licenses/by/4.0/ * * Unless required by applicable law or agreed to in writing, documentation * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * * ============LICENSE_END============================================ * * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
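*/
package org.onap.portalapp.filter;

import java.io.IOException;
import java.io.UnsupportedEncodingException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.onap.portalapp.util.SecurityXssValidator;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.ContentCachingRequestWrapper;
import org.springframework.web.util.ContentCachingResponseWrapper;
import org.springframework.web.util.WebUtils;

/**
 * Servlet filter that runs the body of POST and PUT requests through
 * {@link SecurityXssValidator#denyXSS(String)} and rejects the request with a
 * {@link SecurityException} (message {@code BAD_REQUEST}) when the validator
 * flags it. Requests with any other method are passed down the chain without
 * body inspection.
 *
 * <p>Ordering caveat: {@link ContentCachingRequestWrapper} records the body
 * only as the downstream handler reads it, so the payload can be inspected
 * only after {@code filterChain.doFilter} has returned. By the time a payload
 * is rejected the handler has therefore already processed it; what the
 * rejection prevents is delivery of the response that handler produced,
 * because the buffered response body is copied to the real response only
 * after validation passes. The {@code SecurityException} is presumably turned
 * into an error response by the container or an upstream error handler.
 */
public class SecurityXssFilter extends OncePerRequestFilter {

    private static final String BAD_REQUEST = "BAD_REQUEST";

    private final SecurityXssValidator validator = SecurityXssValidator.getInstance();

    /**
     * Returns the request body captured by the caching wrapper.
     *
     * @param request the request, expected to be (or wrap) a
     *        {@link ContentCachingRequestWrapper}
     * @return the captured body decoded with the request's character encoding,
     *         or {@code null} when the request is not wrapped or nothing has
     *         been captured
     * @throws UnsupportedEncodingException if the request declares a charset
     *         the JVM does not support
     */
    private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
        ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
        if (wrapper == null) {
            return null;
        }
        byte[] body = wrapper.getContentAsByteArray();
        if (body.length == 0) {
            return null;
        }
        return new String(body, 0, body.length, characterEncodingOf(wrapper));
    }

    /**
     * Resolves the charset used to decode a captured request body.
     *
     * <p>{@code getCharacterEncoding()} is {@code null} when the client sent no
     * charset parameter; passing a {@code null} name to the {@code String}
     * constructor would throw a {@link NullPointerException} for every such
     * request, so fall back to the servlet default encoding instead.
     *
     * @param request the request whose declared encoding is consulted
     * @return a non-null charset name
     */
    private static String characterEncodingOf(final HttpServletRequest request) {
        String declared = request.getCharacterEncoding();
        return declared != null ? declared : WebUtils.DEFAULT_CHARACTER_ENCODING;
    }

    /**
     * Copies the response body buffered by the caching wrapper to the real
     * response. The wrapper holds back everything the handler wrote; without
     * this copy the client would receive an empty body.
     *
     * @param response the response, expected to be (or wrap) a
     *        {@link ContentCachingResponseWrapper}
     * @throws IOException if writing to the underlying response fails
     */
    private static void copyResponseBody(final HttpServletResponse response) throws IOException {
        ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response, ContentCachingResponseWrapper.class);
        if (wrapper != null && wrapper.getContentAsByteArray().length > 0) {
            wrapper.copyBodyToResponse();
        }
    }

    /**
     * Returns whether the request's method is one whose body this filter
     * inspects (POST or PUT, compared case-insensitively).
     */
    private static boolean hasInspectedBody(final HttpServletRequest request) {
        String method = request.getMethod();
        return "POST".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method);
    }

    /**
     * Wraps POST/PUT exchanges in caching wrappers, lets the chain run, then
     * validates the captured request body before releasing the buffered
     * response.
     *
     * @throws SecurityException with message {@code BAD_REQUEST} when the
     *         validator rejects the captured body; the buffered response body
     *         is not copied to the client in that case
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        if (!hasInspectedBody(request)) {
            filterChain.doFilter(request, response);
            return;
        }
        HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
        HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
        // The request wrapper fills its cache while the handler reads the body,
        // so the chain has to run before there is anything to inspect.
        filterChain.doFilter(requestToCache, responseToCache);
        String requestData = getRequestData(requestToCache);
        if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
            // Reject before copying the buffered body so the handler's output
            // is not delivered for a request the validator flagged.
            throw new SecurityException(BAD_REQUEST);
        }
        copyResponseBody(responseToCache);
    }
}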