-
/*-
* ============LICENSE_START==========================================
* ONAP Portal
* ===================================================================
* Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * Modifications Copyright (c) 2019 Samsung
* ===================================================================
*
* Unless otherwise specified, all software contained herein is licensed
*
* ============LICENSE_END============================================
*
- * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ *
*/
+
package org.onap.portalapp.filter;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
+import java.util.Enumeration;
import javax.servlet.FilterChain;
import javax.servlet.ReadListener;
-import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
public class SecurityXssFilter extends OncePerRequestFilter {
- private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
+ private EELFLoggerDelegate sxLogger = EELFLoggerDelegate.getLogger(SecurityXssFilter.class);
private static final String APPLICATION_JSON = "application/json";
@Override
public void setReadListener(ReadListener readListener) {
-
+ // do nothing
}
-
}
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
- throws ServletException, IOException {
+ throws IOException {
+ StringBuilder requestURL = new StringBuilder(request.getRequestURL().toString());
+ String queryString = request.getQueryString();
+ String requestUrl;
+
+ if (queryString == null) {
+ requestUrl = requestURL.toString();
+ } else {
+ requestUrl = requestURL.append('?').append(queryString).toString();
+ }
+
+ validateRequest(requestUrl, response);
+ StringBuilder headerValues = new StringBuilder();
+ Enumeration<String> headerNames = request.getHeaderNames();
+
+ while (headerNames.hasMoreElements()) {
+ String key = headerNames.nextElement();
+ String value = request.getHeader(key);
+ headerValues.append(value);
+ }
+
+ validateRequest(headerValues.toString(), response);
+
if (validateRequestType(request)) {
request = new RequestWrapper(request);
String requestData = IOUtils.toString(request.getInputStream(), StandardCharsets.UTF_8.toString());
- try {
- if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
- response.setContentType(APPLICATION_JSON);
- response.setStatus(HttpStatus.SC_BAD_REQUEST);
- response.getWriter().write(ERROR_BAD_REQUEST);
- throw new SecurityException(ERROR_BAD_REQUEST);
- }
- } catch (Exception e) {
- logger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
- response.getWriter().close();
- return;
- }
- filterChain.doFilter(request, response);
+ validateRequest(requestData, response);
+ }
- } else {
+ try {
filterChain.doFilter(request, response);
+ } catch (Exception e) {
+ sxLogger.warn(EELFLoggerDelegate.errorLogger, "Handling bad request", e);
+ response.sendError(org.springframework.http.HttpStatus.BAD_REQUEST.value(), "Handling bad request");
}
-
}
private boolean validateRequestType(HttpServletRequest request) {
return (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")
|| request.getMethod().equalsIgnoreCase("DELETE"));
}
-}
\ No newline at end of file
+
+ private void validateRequest(String text, HttpServletResponse response) throws IOException {
+ try {
+ if (StringUtils.isNotBlank(text) && validator.denyXSS(text)) {
+ response.setContentType(APPLICATION_JSON);
+ response.setStatus(HttpStatus.SC_BAD_REQUEST);
+ response.getWriter().write(ERROR_BAD_REQUEST);
+ throw new SecurityException(ERROR_BAD_REQUEST);
+ }
+ } catch (Exception e) {
+ sxLogger.error(EELFLoggerDelegate.errorLogger, "doFilterInternal() failed due to BAD_REQUEST", e);
+ response.getWriter().close();
+ }
+ }
+}
Code Review / portal.git / blobdiff