Code Review / portal.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
Portal Setup - App issue
[portal.git] / ecomp-portal-BE-os / src / main / java / org / onap / portalapp / filter / SecurityXssValidator.java
1 /*-
2  * ============LICENSE_START==========================================
3  * ONAP Portal
4  * ===================================================================
5  * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
6  * ===================================================================
7  *
8  * Unless otherwise specified, all software contained herein is licensed
9  * under the Apache License, Version 2.0 (the "License");
10  * you may not use this software except in compliance with the License.
11  * You may obtain a copy of the License at
12  *
13  *             http://www.apache.org/licenses/LICENSE-2.0
14  *
15  * Unless required by applicable law or agreed to in writing, software
16  * distributed under the License is distributed on an "AS IS" BASIS,
17  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18  * See the License for the specific language governing permissions and
19  * limitations under the License.
20  *
21  * Unless otherwise specified, all documentation contained herein is licensed
22  * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
23  * you may not use this documentation except in compliance with the License.
24  * You may obtain a copy of the License at
25  *
26  *             https://creativecommons.org/licenses/by/4.0/
27  *
28  * Unless required by applicable law or agreed to in writing, documentation
29  * distributed under the License is distributed on an "AS IS" BASIS,
30  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
31  * See the License for the specific language governing permissions and
32  * limitations under the License.
33  *
34  * ============LICENSE_END============================================
35  *
36  * 
37  */
38 package org.onap.portalapp.filter;
39
40 import java.util.ArrayList;
41 import java.util.List;
42 import java.util.concurrent.locks.Lock;
43 import java.util.concurrent.locks.ReentrantLock;
44 import java.util.regex.Pattern;
45
46 import org.apache.commons.lang.NotImplementedException;
47 import org.apache.commons.lang.StringUtils;
48 import org.apache.commons.lang3.StringEscapeUtils;
49 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
50 import org.onap.portalsdk.core.util.SystemProperties;
51 import org.owasp.esapi.ESAPI;
52 import org.owasp.esapi.codecs.Codec;
53 import org.owasp.esapi.codecs.MySQLCodec;
54 import org.owasp.esapi.codecs.OracleCodec;
55 import org.owasp.esapi.codecs.MySQLCodec.Mode;
56
57 public class SecurityXssValidator {
58
59         private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
60
61         private static final String MYSQL_DB = "mysql";
62         private static final String ORACLE_DB = "oracle";
63         private static final String MARIA_DB = "mariadb";
64         private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
65         static SecurityXssValidator validator = null;
66         private static Codec instance;
67         private static final Lock lock = new ReentrantLock();
68
69         public static SecurityXssValidator getInstance() {
70
71                 if (validator == null) {
72                         lock.lock();
73                         try {
74                                 if (validator == null)
75                                         validator = new SecurityXssValidator();
76                         } finally {
77                                 lock.unlock();
78                         }
79                 }
80
81                 return validator;
82         }
83
84         private SecurityXssValidator() {
85                 // Avoid anything between script tags
86                 XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
87
88                 // avoid iframes
89                 XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
90
91                 // Avoid anything in a src='...' type of expression
92                 XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
93
94                 XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
95
96                 XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
97
98                 // Remove any lonesome </script> tag
99                 XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
100
101                 XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
102
103                 XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
104
105                 // Remove any lonesome <script ...> tag
106                 XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
107
108                 // Avoid eval(...) expressions
109                 XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
110
111                 // Avoid expression(...) expressions
112                 XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
113
114                 // Avoid javascript:... expressions
115                 XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
116
117                 // Avoid onload= expressions
118                 XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
119         }
120
121         private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
122
123         /**
124          * * This method takes a string and strips out any potential script injections.
125          * 
126          * @param value
127          * @return String - the new "sanitized" string.
128          */
129         public String stripXSS(String value) {
130
131                 try {
132
133                         if (StringUtils.isNotBlank(value)) {
134
135                                 value = StringEscapeUtils.escapeHtml4(value);
136
137                                 value = ESAPI.encoder().canonicalize(value);
138
139                                 // Avoid null characters
140                                 value = value.replaceAll("\0", "");
141
142                                 for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
143                                         value = xssInputPattern.matcher(value).replaceAll("");
144                                 }
145                         }
146
147                 } catch (Exception e) {
148                         logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
149                 }
150
151                 return value;
152         }
153
154         public Boolean denyXSS(String value) {
155                 Boolean flag = Boolean.FALSE;
156                 try {
157                         if (StringUtils.isNotBlank(value)) {
158                                 if (value.contains("&timeseclgn"))
159                                 {
160                                         logger.info(EELFLoggerDelegate.applicationLogger, "denyXSS() replacing &timeseclgn with empty string for request value : " + value);
161                                         value=value.replaceAll("&timeseclgn", "");
162                                 }
163                                 value = ESAPI.encoder().canonicalize(value);
164                                 for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
165                                         if (xssInputPattern.matcher(value).matches()) {
166                                                 flag = Boolean.TRUE;
167                                                 break;
168                                         }
169
170                                 }
171                         }
172
173                 } catch (Exception e) {
174                         logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed for request with value : " + value, e);
175                 }
176
177                 return flag;
178         }
179
180         public Codec getCodec() {
181                 try {
182                         if (null == instance) {
183                                 if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
184                                                 || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
185                                                                 MARIA_DB)) {
186                                         instance = new MySQLCodec(Mode.STANDARD);
187
188                                 } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
189                                                 ORACLE_DB)) {
190                                         instance = new OracleCodec();
191                                 } else {
192                                         throw new NotImplementedException("Handling for data base \""
193                                                         + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
194                                 }
195                         }
196
197                 } catch (Exception ex) {
198                         logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
199                 }
200                 return instance;
201
202         }
203
204         public List<Pattern> getXSS_INPUT_PATTERNS() {
205                 return XSS_INPUT_PATTERNS;
206         }
207
208         public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
209                 XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
210         }
211         
212
213 }
ARCHIVED- 2022-02-15 at the request of the project