ecomp-portal-BE-os/src/main/java/org/onap/portalapp/filter/SecurityXssValidator.java

   1 /*-
   2  * ============LICENSE_START==========================================
   3  * ONAP Portal
   4  * ===================================================================
   5  * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
   6  * ===================================================================
   7  *
   8  * Unless otherwise specified, all software contained herein is licensed
   9  * under the Apache License, Version 2.0 (the "License");
  10  * you may not use this software except in compliance with the License.
  11  * You may obtain a copy of the License at
  12  *
  13  *             http://www.apache.org/licenses/LICENSE-2.0
  14  *
  15  * Unless required by applicable law or agreed to in writing, software
  16  * distributed under the License is distributed on an "AS IS" BASIS,
  17  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  18  * See the License for the specific language governing permissions and
  19  * limitations under the License.
  20  *
  21  * Unless otherwise specified, all documentation contained herein is licensed
  22  * under the Creative Commons License, Attribution 4.0 Intl. (the "License");
  23  * you may not use this documentation except in compliance with the License.
  24  * You may obtain a copy of the License at
  25  *
  26  *             https://creativecommons.org/licenses/by/4.0/
  27  *
  28  * Unless required by applicable law or agreed to in writing, documentation
  29  * distributed under the License is distributed on an "AS IS" BASIS,
  30  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  31  * See the License for the specific language governing permissions and
  32  * limitations under the License.
  33  *
  34  * ============LICENSE_END============================================
  35  *
  36  *
  37  */
  38 package org.onap.portalapp.filter;
  39
  40 import java.util.ArrayList;
  41 import java.util.List;
  42 import java.util.concurrent.locks.Lock;
  43 import java.util.concurrent.locks.ReentrantLock;
  44 import java.util.regex.Pattern;
  45
  46 import org.apache.commons.lang.NotImplementedException;
  47 import org.apache.commons.lang.StringUtils;
  48 import org.apache.commons.lang3.StringEscapeUtils;
  49 import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
  50 import org.onap.portalsdk.core.util.SystemProperties;
  51 import org.owasp.esapi.ESAPI;
  52 import org.owasp.esapi.codecs.Codec;
  53 import org.owasp.esapi.codecs.MySQLCodec;
  54 import org.owasp.esapi.codecs.OracleCodec;
  55 import org.owasp.esapi.codecs.MySQLCodec.Mode;
  56
  57 public class SecurityXssValidator {
  58
  59         private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);
  60
  61         private static final String MYSQL_DB = "mysql";
  62         private static final String ORACLE_DB = "oracle";
  63         private static final String MARIA_DB = "mariadb";
  64         private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;
  65         static SecurityXssValidator validator = null;
  66         private static Codec instance;
  67         private static final Lock lock = new ReentrantLock();
  68
  69         public static SecurityXssValidator getInstance() {
  70
  71                 if (validator == null) {
  72                         lock.lock();
  73                         try {
  74                                 if (validator == null)
  75                                         validator = new SecurityXssValidator();
  76                         } finally {
  77                                 lock.unlock();
  78                         }
  79                 }
  80
  81                 return validator;
  82         }
  83
  84         private SecurityXssValidator() {
  85                 // Avoid anything between script tags
  86                 XSS_INPUT_PATTERNS.add(Pattern.compile("<script>(.*?)</script>", FLAGS));
  87
  88                 // avoid iframes
  89                 XSS_INPUT_PATTERNS.add(Pattern.compile("<iframe(.*?)>(.*?)</iframe>", FLAGS));
  90
  91                 // Avoid anything in a src='...' type of expression
  92                 XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS));
  93
  94                 XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS));
  95
  96                 XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS));
  97
  98                 // Remove any lonesome </script> tag
  99                 XSS_INPUT_PATTERNS.add(Pattern.compile("</script>", FLAGS));
 100
 101                 XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<script>|</script>).*", FLAGS));
 102
 103                 XSS_INPUT_PATTERNS.add(Pattern.compile(".*(<iframe>|</iframe>).*", FLAGS));
 104
 105                 // Remove any lonesome <script ...> tag
 106                 XSS_INPUT_PATTERNS.add(Pattern.compile("<script(.*?)>", FLAGS));
 107
 108                 // Avoid eval(...) expressions
 109                 XSS_INPUT_PATTERNS.add(Pattern.compile("eval\\((.*?)\\)", FLAGS));
 110
 111                 // Avoid expression(...) expressions
 112                 XSS_INPUT_PATTERNS.add(Pattern.compile("expression\\((.*?)\\)", FLAGS));
 113
 114                 // Avoid javascript:... expressions
 115                 XSS_INPUT_PATTERNS.add(Pattern.compile(".*(javascript:|vbscript:).*", FLAGS));
 116
 117                 // Avoid onload= expressions
 118                 XSS_INPUT_PATTERNS.add(Pattern.compile(".*(onload(.*?)=).*", FLAGS));
 119         }
 120
 121         private List<Pattern> XSS_INPUT_PATTERNS = new ArrayList<Pattern>();
 122
 123         /**
 124          * * This method takes a string and strips out any potential script injections.
 125          *
 126          * @param value
 127          * @return String - the new "sanitized" string.
 128          */
 129         public String stripXSS(String value) {
 130
 131                 try {
 132
 133                         if (StringUtils.isNotBlank(value)) {
 134
 135                                 value = StringEscapeUtils.escapeHtml4(value);
 136
 137                                 value = ESAPI.encoder().canonicalize(value);
 138
 139                                 // Avoid null characters
 140                                 value = value.replaceAll("\0", "");
 141
 142                                 for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
 143                                         value = xssInputPattern.matcher(value).replaceAll("");
 144                                 }
 145                         }
 146
 147                 } catch (Exception e) {
 148                         logger.error(EELFLoggerDelegate.errorLogger, "stripXSS() failed", e);
 149                 }
 150
 151                 return value;
 152         }
 153
 154         public Boolean denyXSS(String value) {
 155                 Boolean flag = Boolean.FALSE;
 156                 try {
 157                         if (StringUtils.isNotBlank(value)) {
 158                                 if (value.contains("&timeseclgn"))
 159                                 {
 160                                         logger.info(EELFLoggerDelegate.applicationLogger, "denyXSS() replacing &timeseclgn with empty string for request value : " + value);
 161                                         value=value.replaceAll("&timeseclgn", "");
 162                                 }
 163                                 while(value.contains("%25")) {
 164                                         value = value.replaceAll("%25", "%");
 165                                 }
 166                                 value = ESAPI.encoder().canonicalize(value);
 167                                 for (Pattern xssInputPattern : XSS_INPUT_PATTERNS) {
 168                                         if (xssInputPattern.matcher(value).matches()) {
 169                                                 flag = Boolean.TRUE;
 170                                                 break;
 171                                         }
 172                                 }
 173                         }
 174
 175                 } catch (Exception e) {
 176                         logger.error(EELFLoggerDelegate.errorLogger, "denyXSS() failed for request with value : " + e.getMessage());
 177                         logger.debug(EELFLoggerDelegate.debugLogger, "denyXSS() failed for request with value : " + value, e);
 178                 }
 179
 180                 return flag;
 181         }
 182
 183         public Codec getCodec() {
 184                 try {
 185                         if (null == instance) {
 186                                 if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER), MYSQL_DB)
 187                                                 || StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
 188                                                                 MARIA_DB)) {
 189                                         instance = new MySQLCodec(Mode.STANDARD);
 190
 191                                 } else if (StringUtils.containsIgnoreCase(SystemProperties.getProperty(SystemProperties.DB_DRIVER),
 192                                                 ORACLE_DB)) {
 193                                         instance = new OracleCodec();
 194                                 } else {
 195                                         throw new NotImplementedException("Handling for data base \""
 196                                                         + SystemProperties.getProperty(SystemProperties.DB_DRIVER) + "\" not yet implemented.");
 197                                 }
 198                         }
 199
 200                 } catch (Exception ex) {
 201                         logger.error(EELFLoggerDelegate.errorLogger, "getCodec() failed", ex);
 202                 }
 203                 return instance;
 204
 205         }
 206
 207         public List<Pattern> getXSS_INPUT_PATTERNS() {
 208                 return XSS_INPUT_PATTERNS;
 209         }
 210
 211         public void setXSS_INPUT_PATTERNS(List<Pattern> xSS_INPUT_PATTERNS) {
 212                 XSS_INPUT_PATTERNS = xSS_INPUT_PATTERNS;
 213         }
 214
 215 }