/*- * ============LICENSE_START========================================== * ONAP Portal * =================================================================== * Copyright © 2017 AT&T Intellectual Property. All rights reserved. * =================================================================== * * Unless otherwise specified, all software contained herein is licensed * under the Apache License, Version 2.0 (the "License"); * you may not use this software except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. * * Unless otherwise specified, all documentation contained herein is licensed * under the Creative Commons License, Attribution 4.0 Intl. (the "License"); * you may not use this documentation except in compliance with the License. * You may obtain a copy of the License at * * https://creativecommons.org/licenses/by/4.0/ * * Unless required by applicable law or agreed to in writing, documentation * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. 
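 * ============LICENSE_END============================================
 *
 *
 */
package org.onap.portalapp.filter;

import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.regex.Pattern;

import org.apache.commons.lang.NotImplementedException;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.StringEscapeUtils;
import org.onap.portalsdk.core.logging.logic.EELFLoggerDelegate;
import org.onap.portalsdk.core.util.SystemProperties;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.MySQLCodec;
import org.owasp.esapi.codecs.OracleCodec;
import org.owasp.esapi.codecs.MySQLCodec.Mode;

/**
 * Process-wide singleton that compiles the regular expressions used to screen request input for
 * cross-site-scripting payloads.
 *
 * <p>The patterns are compiled once, in the private constructor, into {@code XSS_INPUT_PATTERNS}
 * (declared outside this excerpt) and shared by every caller of {@link #getInstance()}. The ESAPI
 * codec imports and the database-name constants suggest the class also provides database-specific
 * encoding; that code is not part of this excerpt.
 */
public class SecurityXssValidator {

	private EELFLoggerDelegate logger = EELFLoggerDelegate.getLogger(SecurityXssValidator.class);

	// Database identifiers; presumably compared against a SystemProperties value to select an
	// ESAPI Codec — verify against the encoding methods further down the file.
	private static final String MYSQL_DB = "mysql";
	private static final String ORACLE_DB = "oracle";
	private static final String MARIA_DB = "mariadb";

	// Case-insensitive, multi-line, and dot-matches-newline: an injected tag must be caught
	// regardless of letter case or where line breaks fall inside the input.
	private static final int FLAGS = Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL;

	// volatile is required by the double-checked locking in getInstance(): without it the Java
	// memory model allows a second thread to observe a non-null reference before the constructor's
	// writes (the compiled pattern list) are visible, i.e. to use a partially initialised validator.
	static volatile SecurityXssValidator validator = null;

	private static Codec instance;

	private static final Lock lock = new ReentrantLock();

	/**
	 * Returns the shared validator, creating it on first use.
	 *
	 * <p>Uses double-checked locking: the common path is a single volatile read with no lock; only
	 * the first callers take {@code lock} and re-check before constructing. The local copy avoids a
	 * second volatile read on the fast path.
	 *
	 * @return the singleton {@code SecurityXssValidator}, never {@code null}
	 */
	public static SecurityXssValidator getInstance() {
		SecurityXssValidator result = validator;
		if (result == null) {
			lock.lock();
			try {
				result = validator;
				if (result == null) {
					result = new SecurityXssValidator();
					validator = result;
				}
			} finally {
				lock.unlock();
			}
		}
		return result;
	}

	private SecurityXssValidator() {
		// NOTE(review): the pattern literals below look mangled in this copy (empty strings where a
		// tag pattern would be expected) — confirm them against the repository source.
		// Avoid anything between script tags
		XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS));
		// avoid iframes
		XSS_INPUT_PATTERNS.add(Pattern.compile("(.*?)", FLAGS));
		// Avoid anything in a src='...'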
type of expression XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", FLAGS)); XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", FLAGS)); XSS_INPUT_PATTERNS.add(Pattern.compile("src[\r\n]*=[\r\n]*([^>]+)", FLAGS)); // Remove any lonesome tag XSS_INPUT_PATTERNS.add(Pattern.compile("", FLAGS)); XSS_INPUT_PATTERNS.add(Pattern.compile(".*().*", FLAGS)); XSS_INPUT_PATTERNS.add(Pattern.compile(".*().*", FLAGS)); // Remove any lonesome