/*-
 * ============LICENSE_START=======================================================
 * OSAM
 * ================================================================================
 * Copyright (C) 2018 AT&T
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * ============LICENSE_END=========================================================
 */
| 23 | package org.onap.portalapp.filter;
| 25 | import java.io.IOException;
|
| 26 | import java.io.UnsupportedEncodingException;
| 28 | import javax.servlet.FilterChain;
|
| 29 | import javax.servlet.ServletException;
|
| 30 | import javax.servlet.http.HttpServletRequest;
|
| 31 | import javax.servlet.http.HttpServletResponse;
| 33 | import org.apache.commons.lang.StringUtils;
|
| 34 | import org.onap.portalapp.util.SecurityXssValidator;
|
| 35 | import org.springframework.web.filter.OncePerRequestFilter;
|
| 36 | import org.springframework.web.util.ContentCachingRequestWrapper;
|
| 37 | import org.springframework.web.util.ContentCachingResponseWrapper;
|
| 38 | import org.springframework.web.util.WebUtils;
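/**
 * Servlet filter that screens the bodies of POST and PUT requests for cross-site-scripting
 * payloads using {@link SecurityXssValidator}.
 *
 * <p>The request is wrapped in a {@link ContentCachingRequestWrapper}, which only records the
 * body bytes as the downstream handler consumes them. The XSS check therefore runs after
 * {@code filterChain.doFilter} has returned, i.e. after the handler has already acted on the
 * request; what the filter still controls is whether the buffered response is released to the
 * client. A request whose body is rejected is answered with a {@link SecurityException} and its
 * buffered handler output is discarded. Requests with any other method pass through untouched.
 */
public class SecurityXssFilter extends OncePerRequestFilter {

	private static final String BAD_REQUEST = "BAD_REQUEST";

	private SecurityXssValidator validator = SecurityXssValidator.getInstance();

	/**
	 * Decodes the request body captured by the caching wrapper.
	 *
	 * @param request the (wrapped) request whose body has been consumed downstream
	 * @return the body as text, or {@code null} when the request is not wrapped in a
	 *         {@link ContentCachingRequestWrapper} or nothing was read from it
	 * @throws UnsupportedEncodingException if the request's character encoding is not supported
	 */
	private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
		ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
		if (wrapper == null) {
			return null;
		}
		byte[] buf = wrapper.getContentAsByteArray();
		if (buf.length == 0) {
			return null;
		}
		// NOTE(review): relies on the wrapper supplying a default encoding when the request
		// declares none -- confirm against the Spring version in use.
		return new String(buf, 0, buf.length, wrapper.getCharacterEncoding());
	}

	/**
	 * Releases the response body buffered by the caching wrapper to the underlying response.
	 * The wrapper buffers everything the handler wrote, so until this is called nothing of the
	 * body reaches the client.
	 *
	 * @param response the (wrapped) response produced by the filter chain
	 * @throws IOException if writing to the underlying response fails
	 */
	private static void copyCachedResponse(final HttpServletResponse response) throws IOException {
		ContentCachingResponseWrapper wrapper = WebUtils.getNativeResponse(response,
				ContentCachingResponseWrapper.class);
		if (wrapper != null && wrapper.getContentAsByteArray().length > 0) {
			wrapper.copyBodyToResponse();
		}
	}

	/**
	 * Returns whether the filter inspects requests with the given HTTP method.
	 * Null-safe: a missing method is treated as not inspected.
	 */
	private static boolean isInspectedMethod(final String method) {
		return "POST".equalsIgnoreCase(method) || "PUT".equalsIgnoreCase(method);
	}

	/**
	 * Runs the chain with caching wrappers for POST/PUT requests, validates the captured
	 * request body, and only then releases the buffered response.
	 *
	 * @throws SecurityException with message {@value #BAD_REQUEST} when the validator rejects
	 *         the request body; the buffered response body is not forwarded in that case
	 * @throws ServletException propagated from the filter chain
	 * @throws IOException propagated from the filter chain or from copying the response body
	 */
	@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
			throws ServletException, IOException {

		if (!isInspectedMethod(request.getMethod())) {
			filterChain.doFilter(request, response);
			return;
		}

		HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
		HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
		filterChain.doFilter(requestToCache, responseToCache);

		// Validate before releasing the buffered response: a rejected request must not have its
		// handler output delivered to the client (previously the body was copied first and the
		// exception thrown afterwards, so the client received the full response anyway).
		String requestData = getRequestData(requestToCache);
		if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
			throw new SecurityException(BAD_REQUEST);
		}

		copyCachedResponse(responseToCache);
	}
}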