2 * ================================================================================
4 * ================================================================================
5 * Copyright (C) 2017 AT&T Intellectual Property
6 * ================================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ================================================================================
20 package org.onap.portalapp.filter;
22 import java.io.IOException;
23 import java.io.UnsupportedEncodingException;
25 import javax.servlet.FilterChain;
26 import javax.servlet.ServletException;
27 import javax.servlet.http.HttpServletRequest;
28 import javax.servlet.http.HttpServletResponse;
30 import org.apache.commons.lang.StringUtils;
31 import org.onap.portalapp.util.SecurityXssValidator;
32 import org.springframework.web.filter.OncePerRequestFilter;
33 import org.springframework.web.util.ContentCachingRequestWrapper;
34 import org.springframework.web.util.ContentCachingResponseWrapper;
35 import org.springframework.web.util.WebUtils;
37 public class SecurityXssFilter extends OncePerRequestFilter {
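/** Message carried by the {@link SecurityException} raised when a request body fails XSS validation. */
private static final String BAD_REQUEST = "BAD_REQUEST";

/**
 * Shared XSS validator. Declared {@code final} so the reference cannot be swapped after the filter is
 * constructed; the filter itself keeps no other mutable state. {@code SecurityXssValidator} is project
 * code — its thread-safety under concurrent requests is assumed here, not verified in this file.
 */
private final SecurityXssValidator validator = SecurityXssValidator.getInstance();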
/**
 * Returns the request body that has been cached so far, decoded with the request's character encoding.
 *
 * <p>A body is only available when {@code request} is, or wraps, a {@link ContentCachingRequestWrapper};
 * otherwise {@code null} is returned. As documented for that wrapper, it holds only the bytes the
 * downstream has already consumed, so in this filter's flow the body is inspected after the handler has
 * already acted on it.
 *
 * @param request the request, possibly wrapped
 * @return the cached body as a String, or {@code null} when no caching wrapper is present
 * @throws UnsupportedEncodingException if the charset the wrapper reports is unknown to the JVM; this
 *     surfaces as an error rather than as a validation result, so callers should not treat it as a pass
 */
private static String getRequestData(final HttpServletRequest request) throws UnsupportedEncodingException {
    final ContentCachingRequestWrapper cachingRequest =
            WebUtils.getNativeRequest(request, ContentCachingRequestWrapper.class);
    if (cachingRequest == null) {
        return null;
    }
    final byte[] body = cachingRequest.getContentAsByteArray();
    return new String(body, 0, body.length, cachingRequest.getCharacterEncoding());
}
/**
 * Decodes the cached response body, writes it through to the underlying response, and returns it.
 *
 * <p>Works only when {@code response} is, or wraps, a {@link ContentCachingResponseWrapper}; otherwise
 * {@code null} is returned and nothing is written. When a wrapper is present the cached bytes are
 * decoded with the response's character encoding and then handed to the real response via
 * {@code copyBodyToResponse()}. Once that call has returned the body has been written downstream, so an
 * exception thrown by the caller afterwards (as the filter does on a failed validation) arrives too
 * late to withhold that body.
 *
 * @param response the response, possibly wrapped
 * @return the response body as a String, or {@code null} when no caching wrapper is present
 * @throws IOException if copying the cached body to the underlying response fails
 */
private static String getResponseData(final HttpServletResponse response) throws IOException {
    final ContentCachingResponseWrapper cachingResponse =
            WebUtils.getNativeResponse(response, ContentCachingResponseWrapper.class);
    if (cachingResponse == null) {
        return null;
    }
    final byte[] body = cachingResponse.getContentAsByteArray();
    final String payload = new String(body, 0, body.length, cachingResponse.getCharacterEncoding());
    // Flushes the buffered body to the real response; nothing after this point can take it back.
    cachingResponse.copyBodyToResponse();
    return payload;
}
69 @SuppressWarnings("unused")
71 protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
72 throws ServletException, IOException {
74 if (request.getMethod().equalsIgnoreCase("POST") || request.getMethod().equalsIgnoreCase("PUT")) {
76 HttpServletRequest requestToCache = new ContentCachingRequestWrapper(request);
77 HttpServletResponse responseToCache = new ContentCachingResponseWrapper(response);
78 filterChain.doFilter(requestToCache, responseToCache);
79 String requestData = getRequestData(requestToCache);
80 String responseData = getResponseData(responseToCache);
81 if (StringUtils.isNotBlank(requestData) && validator.denyXSS(requestData)) {
82 throw new SecurityException(BAD_REQUEST);
86 filterChain.doFilter(request, response);