Aharoni, Pavel (pa0916)ca3cb012018-10-22 15:29:57 +03001/*-
2 * ============LICENSE_START=======================================================
3 * OSAM
4 * ================================================================================
5 * Copyright (C) 2018 AT&T
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END=========================================================
19 */
20
21
22
23package org.onap.portalapp.filter;
24
25import java.io.IOException;
26import java.io.UnsupportedEncodingException;
27
28import javax.servlet.FilterChain;
29import javax.servlet.ServletException;
30import javax.servlet.http.HttpServletRequest;
31import javax.servlet.http.HttpServletResponse;
32
33import org.apache.commons.lang.StringUtils;
34import org.onap.portalapp.util.SecurityXssValidator;
35import org.springframework.web.filter.OncePerRequestFilter;
36import org.springframework.web.util.ContentCachingRequestWrapper;
37import org.springframework.web.util.ContentCachingResponseWrapper;
38import org.springframework.web.util.WebUtils;
39
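public class SecurityXssFilter extends OncePerRequestFilter {

	private static final String BAD_REQUEST = "BAD_REQUEST";

	private final SecurityXssValidator validator = SecurityXssValidator.getInstance();

	/**
	 * Returns the cached request body as text.
	 *
	 * <p>Only requests wrapped in a {@link ContentCachingRequestWrapper} have a cached
	 * body, and the wrapper only holds the bytes that the downstream handler actually
	 * read from the input stream.
	 *
	 * @param request the (possibly wrapped) request
	 * @return the decoded body, or {@code null} when the request is not wrapped or no
	 *         body bytes were cached
	 * @throws UnsupportedEncodingException if the declared request charset is not supported
	 */
	private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
		ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
		if (wrapper == null) {
			return null;
		}
		byte[] buf = wrapper.getContentAsByteArray();
		if (buf.length == 0) {
			return null;
		}
		return new String(buf, 0, buf.length, charsetOrDefault(wrapper.getCharacterEncoding()));
	}

	/**
	 * Returns {@code encoding}, or the servlet default charset when the request declared none.
	 *
	 * <p>{@code new String(byte[], int, int, String)} throws {@code NullPointerException}
	 * for a {@code null} charset name, so a request without a {@code Content-Type} charset
	 * must not be decoded with the raw value of {@code getCharacterEncoding()}.
	 *
	 * @param encoding the charset name reported by the request, may be {@code null}
	 * @return a non-null charset name
	 */
	private static String charsetOrDefault(String encoding) {
		return encoding != null ? encoding : WebUtils.DEFAULT_CHARACTER_ENCODING;
	}

	/**
	 * Inspects the body of POST and PUT requests for XSS payloads and rejects the request
	 * with a {@link SecurityException} when {@link SecurityXssValidator#denyXSS(String)}
	 * flags it.
	 *
	 * <p>The body can only be inspected after the filter chain has run, because the caching
	 * wrapper records bytes as the downstream handler reads them. A rejected request has
	 * therefore already been processed by its handler; what this filter withholds is the
	 * response body, which is copied to the real response only after the check passes.
	 * Other methods (GET, DELETE, PATCH, ...) pass through without body inspection.
	 *
	 * @param request     incoming request
	 * @param response    outgoing response
	 * @param filterChain remainder of the chain
	 * @throws ServletException propagated from the chain
	 * @throws IOException      propagated from the chain or from copying the cached body
	 * @throws SecurityException when the request body is flagged as XSS
	 */
	@Override
	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
			throws ServletException, IOException {

		String method = request.getMethod();
		if (!"POST".equalsIgnoreCase(method) && !"PUT".equalsIgnoreCase(method)) {
			filterChain.doFilter(request, response);
			return;
		}

		ContentCachingRequestWrapper requestToCache = new ContentCachingRequestWrapper(request);
		ContentCachingResponseWrapper responseToCache = new ContentCachingResponseWrapper(response);
		filterChain.doFilter(requestToCache, responseToCache);

		String requestData = getRequestData(requestToCache);
		if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
			// Reject before the buffered response body reaches the client.
			throw new SecurityException(BAD_REQUEST);
		}

		// Validation passed: release the buffered response to the real response.
		responseToCache.copyBodyToResponse();
	}
}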