3 * ============LICENSE_START==========================================
5 * ===================================================================
6 * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
7 * ===================================================================
9 * Unless otherwise specified, all software contained herein is licensed
10 * under the Apache License, Version 2.0 (the "License");
11 * you may not use this software except in compliance with the License.
12 * You may obtain a copy of the License at
14 * http://www.apache.org/licenses/LICENSE-2.0
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS,
18 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
22 * Unless otherwise specified, all documentation contained herein is licensed
23 * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
24 * you may not use this documentation except in compliance with the License.
25 * You may obtain a copy of the License at
27 * https://creativecommons.org/licenses/by/4.0/
29 * Unless required by applicable law or agreed to in writing, documentation
30 * distributed under the License is distributed on an "AS IS" BASIS,
31 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
32 * See the License for the specific language governing permissions and
33 * limitations under the License.
35 * ============LICENSE_END============================================
37 * ECOMP is a trademark and service mark of AT&T Intellectual Property.
39 package org.onap.portalapp.filter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.onap.portalapp.util.SecurityXssValidator;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.ContentCachingRequestWrapper;
import org.springframework.web.util.ContentCachingResponseWrapper;
import org.springframework.web.util.WebUtils;
56 public class SecurityXssFilter extends OncePerRequestFilter {
/** Message carried by the {@link SecurityException} thrown when a request body fails XSS validation. */
private static final String BAD_REQUEST = "BAD_REQUEST";

/** Shared validator; its {@code denyXSS(String)} result decides whether a cached request body is rejected. */
private SecurityXssValidator validator = SecurityXssValidator.getInstance();
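/**
 * Returns the cached request body as a String, or {@code null} when the request is not
 * wrapped in a {@link ContentCachingRequestWrapper}.
 *
 * <p>The bytes are decoded with the request's declared character encoding.
 * {@link HttpServletRequest#getCharacterEncoding()} returns {@code null} when the client
 * sent no charset, and {@code new String(byte[], int, int, (String) null)} throws a
 * {@link NullPointerException}; ISO-8859-1 (the servlet default body encoding) is used as
 * the fallback so such requests are still inspected instead of failing the filter.
 *
 * <p>In {@link #doFilterInternal} this runs only after {@code filterChain.doFilter} has
 * returned, so the payload is examined after downstream handlers have already processed
 * it. The wrapper is understood to cache bytes only as they are read downstream, so an
 * unread body would yield an empty payload — confirm against the wrapper's behaviour.
 *
 * @param request the current request, possibly wrapped
 * @return the decoded body, or {@code null} if no caching wrapper is present
 * @throws UnsupportedEncodingException if the declared charset is not supported
 */
private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
    ContentCachingRequestWrapper wrapper = WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
    if (wrapper == null) {
        return null;
    }
    byte[] buf = wrapper.getContentAsByteArray();
    String encoding = wrapper.getCharacterEncoding();
    if (encoding == null) {
        // No charset declared by the client: decode with the servlet default rather than NPE.
        encoding = StandardCharsets.ISO_8859_1.name();
    }
    return new String(buf, 0, buf.length, encoding);
}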
/**
 * Decodes the buffered response body and writes it through to the real response.
 *
 * <p>Without a {@link ContentCachingResponseWrapper} nothing is copied and {@code null} is
 * returned. Otherwise the cached bytes are decoded with the response's character encoding
 * and {@code copyBodyToResponse()} then emits them to the client. Because the copy happens
 * here, a caller cannot withhold the body afterwards: {@link #doFilterInternal} invokes
 * this before its XSS check, so by the time it throws the response body has already been
 * written, and the returned payload is not used there.
 *
 * @param response the current response, possibly wrapped
 * @return the decoded body, or {@code null} when no caching wrapper is present
 * @throws IOException if the encoding is unsupported or copying to the underlying
 *         response fails
 */
private static String getResponseData(final HttpServletResponse response) throws IOException {
    final ContentCachingResponseWrapper cached =
            WebUtils.getNativeResponse(response, ContentCachingResponseWrapper.class);
    if (cached == null) {
        return null;
    }
    final byte[] body = cached.getContentAsByteArray();
    // Decode before copying; copyBodyToResponse() is understood to drain the buffer — confirm.
    final String decoded = new String(body, 0, body.length, cached.getCharacterEncoding());
    cached.copyBodyToResponse();
    return decoded;
}
89 protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
90 throws ServletException, IOException {
92 if ("POST".equalsIgnoreCase(request.getMethod())|| "PUT".equalsIgnoreCase(request.getMethod())) {
94 HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
95 HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
96 filterChain.doFilter(requestToCache, responseToCache);
97 String requestData = getRequestData(requestToCache);
98 getResponseData(responseToCache);
99 if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
100 throw new SecurityException(BAD_REQUEST);
104 filterChain.doFilter(request, response);