| /*- | |
| * ============LICENSE_START======================================================= | |
| * OSAM | |
| * ================================================================================ | |
| * Copyright (C) 2018 AT&T | |
| * ================================================================================ | |
| * Licensed under the Apache License, Version 2.0 (the "License"); | |
| * you may not use this file except in compliance with the License. | |
| * You may obtain a copy of the License at | |
| * | |
| * http://www.apache.org/licenses/LICENSE-2.0 | |
| * | |
| * Unless required by applicable law or agreed to in writing, software | |
| * distributed under the License is distributed on an "AS IS" BASIS, | |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| * See the License for the specific language governing permissions and | |
| * limitations under the License. | |
| * ============LICENSE_END========================================================= | |
| */ | |
| package org.onap.portalapp.filter; | |
| import java.io.IOException; | |
| import java.io.UnsupportedEncodingException; | |
| import javax.servlet.FilterChain; | |
| import javax.servlet.ServletException; | |
| import javax.servlet.http.HttpServletRequest; | |
| import javax.servlet.http.HttpServletResponse; | |
| import org.apache.commons.lang.StringUtils; | |
| import org.onap.portalapp.util.SecurityXssValidator; | |
| import org.springframework.web.filter.OncePerRequestFilter; | |
| import org.springframework.web.util.ContentCachingRequestWrapper; | |
| import org.springframework.web.util.ContentCachingResponseWrapper; | |
| import org.springframework.web.util.WebUtils; | |
| public class SecurityXssFilter extends OncePerRequestFilter { | |
| private static final String BAD_REQUEST = "BAD_REQUEST"; | |
| private SecurityXssValidator validator = SecurityXssValidator.getInstance(); | |
| private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException { | |
| String payload = null; | |
| ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class); | |
| if (wrapper != null) { | |
| byte[] buf = wrapper.getContentAsByteArray(); | |
| if (buf.length > 0) { | |
| payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding()); | |
| } | |
| } | |
| return payload; | |
| } | |
| private static String getResponseData(final HttpServletResponse response) throws IOException { | |
| String payload = null; | |
| ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response, | |
| ContentCachingResponseWrapper.class); | |
| if (wrapper != null) { | |
| byte[] buf = wrapper.getContentAsByteArray(); | |
| if (buf.length > 0) { | |
| payload = new String(buf, 0, buf.length, wrapper.getCharacterEncoding()); | |
| wrapper.copyBodyToResponse(); | |
| } | |
| } | |
| return payload; | |
| } | |
| @Override | |
| protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) | |
| throws ServletException, IOException { | |
| if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) { | |
| HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request); | |
| HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response); | |
| filterChain.doFilter(requestToCache, responseToCache); | |
| String requestData = getRequestData(requestToCache); | |
| String responseData = getResponseData(responseToCache); | |
| if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) { | |
| throw new SecurityException(BAD_REQUEST); | |
| } | |
| } else { | |
| filterChain.doFilter(request, response); | |
| } | |
| } | |
| } |