X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=ecomp-portal-BE-os%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fportalapp%2Ffilter%2FSecurityXssValidator.java;fp=ecomp-portal-BE-os%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Fportalapp%2Ffilter%2FSecurityXssValidator.java;h=4d6a9fe20d8a07f76e6cff0a5ae88613aa6656dd;hb=21a8761f684745bb300e075c7e98ad897ace9eed;hp=0000000000000000000000000000000000000000;hpb=3af8af1310d5a27cb58be29505573f0bbdc1717c;p=portal.git
diff --git a/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
new file mode 100644
index 00000000..4d6a9fe2
--- /dev/null
+++ b/ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java
@@ -0,0 +1,207 @@
+/*-
+ * ============LICENSE_START==========================================
+ * ONAP Portal
+ * ===================================================================
+ * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+ * ===================================================================
+ *
+ * Unless otherwise specified, all software contained herein is licensed
+ * under the Apache License, Version 2.0 (the "License");
+ * you may not use this software except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Unless otherwise specified, all documentation contained herein is licensed
+ * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
+ * you may not use this documentation except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://creativecommons.org/licenses/by/4.0/
+ *
+ * Unless required by applicable law or agreed to in writing, documentation
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * ============LICENSE_END============================================
+ *
+ * ECOMP is a trademark and service mark of AT&T Intellectual Property.
+ */
+package org.onap.portalapp.filter;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
+import java.util.regex.Pattern;
+
+import org.apache.commons.lang.NotImplementedException;
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringEscapeUtils;
+import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
+import org.onap.portalsdk.core.util.SystemProperties;
+import org.owasp.esapi.ESAPI;
+import org.owasp.esapi.codecs.Codec;
+import org.owasp.esapi.codecs.MySQLCodec;
+import org.owasp.esapi.codecs.MySQLCodec.Mode;
+import org.owasp.esapi.codecs.OracleCodec;
+
+public class SecurityXssValidator {
+
+ private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
+
+ private static final String MYSQL_DB = "mysql";
+ private static final String ORACLE_DB = "oracle";
+ private static final String MARIA_DB = "mariadb";
+ private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
+ static SecurityXssValidator validator = null;
+ private static Codec instance;
+ private static final Lock lock = new ReentrantLock();
+
+ public static SecurityXssValidator getInstance() {
+
+ if (validator == null) {
+ lock.lock();
+ try {
+ if (validator == null)
+ validator = new SecurityXssValidator();
+ } finally {
+ lock.unlock();
+ }
+ }
+
+ return validator;
+ }
+
+ private SecurityXssValidator() {
+ // Avoid anything between script tags
+ XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS));
+
+ // avoid iframes
+ XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS));
+
+ // Avoid anything in a src='...' type of expression
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
+
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
+
+ XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
+
+ // Remove any lonesome tag
+ XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS));
+
+ XSS_INPUT_PATTERNS.add(Pattern.compile(".*().*", FLAGS));
+
+ XSS_INPUT_PATTERNS.add(Pattern.compile(".*().*", FLAGS));
+
+ // Remove any lonesome