/*- | |
* ============LICENSE_START======================================================= | |
* OSAM | |
* ================================================================================ | |
* Copyright (C) 2018 AT&T | |
* ================================================================================ | |
* Licensed under the Apache License, Version 2.0 (the "License"); | |
* you may not use this file except in compliance with the License. | |
* You may obtain a copy of the License at | |
* | |
* http://www.apache.org/licenses/LICENSE-2.0 | |
* | |
* Unless required by applicable law or agreed to in writing, software | |
* distributed under the License is distributed on an "AS IS" BASIS, | |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
* See the License for the specific language governing permissions and | |
* limitations under the License. | |
* ============LICENSE_END========================================================= | |
*/ | |
package org.onap.portalapp.filter; | |
import java.io.IOException; | |
import java.io.UnsupportedEncodingException; | |
import javax.servlet.FilterChain; | |
import javax.servlet.ServletException; | |
import javax.servlet.http.HttpServletRequest; | |
import javax.servlet.http.HttpServletResponse; | |
import org.apache.commons.lang.StringUtils; | |
import org.onap.portalapp.util.SecurityXssValidator; | |
import org.springframework.web.filter.OncePerRequestFilter; | |
import org.springframework.web.util.ContentCachingRequestWrapper; | |
import org.springframework.web.util.ContentCachingResponseWrapper; | |
import org.springframework.web.util.WebUtils; | |
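/**
 * Servlet filter that rejects POST and PUT requests whose body is flagged by
 * {@link SecurityXssValidator#denyXSS(String)}.
 *
 * <p>Scope: only the request body of POST and PUT requests is inspected. Query
 * strings, headers and every other HTTP method pass through unchanged, and the
 * body is handed to the validator verbatim (no form or JSON decoding happens
 * here), so the validator must cope with whatever encoding the body uses.
 *
 * <p>Ordering: the body is captured with a {@link ContentCachingRequestWrapper},
 * which only records what the downstream handler actually reads. The check can
 * therefore only run <em>after</em> the filter chain has processed the request,
 * and this filter cannot prevent the downstream handler from seeing a rejected
 * payload. What it does guarantee is that the downstream response body buffered
 * in the {@link ContentCachingResponseWrapper} is never copied to the client for
 * a rejected request; a {@link SecurityException} is raised instead, and mapping
 * that exception to an HTTP status is left to the surrounding error handling.
 */
public class SecurityXssFilter extends OncePerRequestFilter {

    private static final String BAD_REQUEST = "BAD_REQUEST";

    private final SecurityXssValidator validator = SecurityXssValidator.getInstance();

    /**
     * Returns the cached request body as a string.
     *
     * @param request the current request, expected to be (or wrap) a
     *        {@link ContentCachingRequestWrapper}
     * @return the decoded body, or {@code null} when no caching wrapper is
     *         present or nothing has been read from the body yet
     * @throws UnsupportedEncodingException if the request's declared character
     *         encoding is not supported by the JVM
     */
    private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
        ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
        if (wrapper == null) {
            return null;
        }
        byte[] buf = wrapper.getContentAsByteArray();
        if (buf.length == 0) {
            return null;
        }
        return new String(buf, 0, buf.length, encodingOf(wrapper));
    }

    /**
     * Resolves the charset name used to decode the cached body.
     *
     * <p>A request that does not declare a charset reports {@code null}, and
     * {@code new String(bytes, off, len, (String) null)} throws a
     * NullPointerException; fall back to Spring's default encoding in that case.
     */
    private static String encodingOf(ContentCachingRequestWrapper wrapper) {
        String declared = wrapper.getCharacterEncoding();
        return declared != null ? declared : WebUtils.DEFAULT_CHARACTER_ENCODING;
    }

    /** Whether this request's method is one whose body this filter inspects. */
    private static boolean hasInspectedBody(HttpServletRequest request) {
        String method = request.getMethod();
        return "POST".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method);
    }

    /**
     * Runs the chain with caching wrappers for POST/PUT, then validates the body
     * that was read downstream. On rejection the buffered downstream response is
     * withheld and a {@link SecurityException} is thrown; otherwise the buffered
     * body is copied to the real response.
     *
     * @throws SecurityException with message {@code BAD_REQUEST} when the
     *         validator denies the request body
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        if (!hasInspectedBody(request)) {
            filterChain.doFilter(request, response);
            return;
        }
        ContentCachingRequestWrapper requestToCache = new ContentCachingRequestWrapper(request);
        ContentCachingResponseWrapper responseToCache = new ContentCachingResponseWrapper(response);
        // The caching wrapper only holds what downstream has read, so the chain
        // must run before the body can be examined.
        filterChain.doFilter(requestToCache, responseToCache);
        String requestData = getRequestData(requestToCache);
        if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
            // The downstream body is still buffered in responseToCache; it is only
            // written to the real response by copyBodyToResponse(), which is
            // deliberately skipped here so the rejected request gets no content.
            throw new SecurityException(BAD_REQUEST);
        }
        // Validation passed: release the buffered downstream body to the client.
        // (copyBodyToResponse() is a no-op when nothing was written.)
        responseToCache.copyBodyToResponse();
    }
}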