/*
 * ============LICENSE_START=======================================================
 * ================================================================================
 * Copyright (C) 2022 Nordix Foundation. All rights reserved.
 * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * ============LICENSE_END=========================================================
 */
21 package org.openecomp.sdc.common.filters;
23 import java.io.IOException;
24 import java.util.Iterator;
25 import java.util.List;
26 import javax.servlet.Filter;
27 import javax.servlet.FilterChain;
28 import javax.servlet.FilterConfig;
29 import javax.servlet.ServletException;
30 import javax.servlet.ServletRequest;
31 import javax.servlet.ServletResponse;
32 import javax.servlet.http.Cookie;
33 import javax.servlet.http.HttpServletRequest;
34 import javax.ws.rs.HttpMethod;
35 import org.apache.commons.collections4.CollectionUtils;
36 import org.apache.commons.lang3.StringUtils;
37 import org.openecomp.sdc.common.util.DataValidator;
38 import org.openecomp.sdc.common.util.SecureString;
39 import org.openecomp.sdc.exception.NotAllowedSpecialCharsException;
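/**
 * Servlet filter that rejects POST and PUT requests whose body, headers, cookies, parameters or query string
 * fail {@link DataValidator} validation. Requests whose URI matches an entry of
 * {@code dataValidatorFilterExcludedUrlsList} are passed down the chain unchecked.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Only POST and PUT are validated. Every other HTTP method is passed through, so downstream handlers
 *       must not assume that their input went through this filter.</li>
 *   <li>Exclusions are substring matches against the raw request URI. Keep the configured entries as
 *       specific as possible, because every URI that contains an entry bypasses validation.</li>
 *   <li>{@code multipart/form-data} bodies are not inspected here; headers, cookies, parameters and the
 *       query string of such requests still are.</li>
 * </ul>
 */
public abstract class DataValidatorFilterAbstract implements Filter {

    protected static final String DATA_VALIDATOR_FILTER_EXCLUDED_URLS = "dataValidatorFilterExcludedUrls";
    protected static final String ERROR_SPECIAL_CHARACTERS_NOT_ALLOWED = "Error: HTML elements not permitted in field values.";
    private static final String MULTIPART_FORM_DATA = "multipart/form-data";
    private DataValidator dataValidator;

    /**
     * Creates the {@link DataValidator} used for every request handled by this filter.
     *
     * @param filterConfig the container supplied configuration (not read here)
     */
    @Override
    public void init(final FilterConfig filterConfig) throws ServletException {
        dataValidator = new DataValidator();
    }

    /**
     * Nothing to release.
     */
    @Override
    public void destroy() {
        // No resources are held by this filter.
    }

    /**
     * Validates the request and either forwards it down the chain or rejects it.
     *
     * <p>Excluded URIs and methods other than POST/PUT are forwarded untouched. For all other requests the
     * body is buffered through {@link RequestWrapper} (unless it is multipart) and every request part is
     * validated before the chain continues.
     *
     * @param request  the incoming request; cast to {@link HttpServletRequest}
     * @param response the response handed to the rest of the chain
     * @param chain    the remaining filter chain
     * @throws NotAllowedSpecialCharsException when any inspected part of the request fails validation
     */
    @Override
    public void doFilter(ServletRequest request, final ServletResponse response, final FilterChain chain)
        throws IOException, ServletException {
        final HttpServletRequest httpRequest = (HttpServletRequest) request;
        if (isExcluded(httpRequest.getRequestURI()) || !isPostOrPut(httpRequest.getMethod())) {
            chain.doFilter(request, response);
            return;
        }
        if (!skipCheckBody(httpRequest)) {
            // The wrapper is what gets forwarded, so the body read for validation stays available downstream.
            request = new RequestWrapper(httpRequest);
        }
        if (!isValid((HttpServletRequest) request)) {
            throw new NotAllowedSpecialCharsException();
        }
        chain.doFilter(request, response);
    }

    /**
     * Tells whether the HTTP method is one this filter validates.
     *
     * @param method the request method, may be {@code null}
     * @return {@code true} for POST and PUT only
     */
    private boolean isPostOrPut(final String method) {
        // Constant-first comparison keeps a null method from raising a NullPointerException.
        return HttpMethod.POST.equals(method) || HttpMethod.PUT.equals(method);
    }

    /**
     * Tells whether the request URI matches one of the configured exclusions.
     *
     * <p>Null and blank entries are ignored: every string contains the empty string, so a single empty
     * configuration entry would otherwise switch validation off for all requests.
     *
     * @param path the raw request URI
     * @return {@code true} when the trimmed path contains one of the non-blank, trimmed entries
     */
    private boolean isExcluded(final String path) {
        final List<String> dataValidatorFilterExcludedUrlsList = getDataValidatorFilterExcludedUrls();
        if (path == null || CollectionUtils.isEmpty(dataValidatorFilterExcludedUrlsList)) {
            return false;
        }
        final String trimmedPath = path.trim();
        // NOTE(review): substring matching is kept for compatibility with existing configuration; anchoring
        // the comparison to the path prefix would narrow what an entry can exempt.
        return dataValidatorFilterExcludedUrlsList.stream()
            .filter(StringUtils::isNotBlank)
            .map(String::trim)
            .anyMatch(trimmedPath::contains);
    }

    /**
     * Supplies the URI fragments for which validation is skipped.
     *
     * @return the configured exclusions; may be {@code null} or empty
     */
    protected abstract List<String> getDataValidatorFilterExcludedUrls();

    /**
     * Tells whether the request body is multipart and therefore not inspected.
     *
     * <p>Only the media type (the part of {@code Content-Type} before the first {@code ;}) is compared, and
     * the comparison ignores case. Matching the whole header value as a substring would let a parameter
     * value that merely mentions the multipart type turn body validation off for another media type.
     *
     * @param requestWrapper the request whose {@code Content-Type} is read
     * @return {@code true} when the media type is {@code multipart/form-data}
     */
    private boolean skipCheckBody(final HttpServletRequest requestWrapper) {
        final String contentType = requestWrapper.getContentType();
        if (StringUtils.isEmpty(contentType)) {
            return false;
        }
        final String mediaType = StringUtils.substringBefore(contentType, ";").trim();
        return MULTIPART_FORM_DATA.equalsIgnoreCase(mediaType);
    }

    /**
     * Runs every check; the first failing check short-circuits the rest.
     *
     * @param request the request to validate; must be a {@link RequestWrapper} unless the body is multipart
     * @return {@code true} when body, headers, cookies, parameters and query string are all accepted
     */
    private boolean isValid(final HttpServletRequest request) {
        final boolean skipCheckBody = skipCheckBody(request);
        return (skipCheckBody || checkBody((RequestWrapper) request))
            && checkHeaders(request)
            && checkCookies(request)
            && checkParameters(request)
            && checkQuery(request);
    }

    /**
     * Validates every value of every request parameter. Parameter names themselves are not validated.
     *
     * @param httpRequest the request to inspect
     * @return {@code false} as soon as one value is rejected
     */
    private boolean checkParameters(final HttpServletRequest httpRequest) {
        final Iterator<String> parameterNamesIterator = httpRequest.getParameterNames().asIterator();
        while (parameterNamesIterator.hasNext()) {
            // getParameterValues already includes the first value, so a separate getParameter call is redundant.
            final String[] parameterValues = httpRequest.getParameterValues(parameterNamesIterator.next());
            if (parameterValues == null) {
                continue;
            }
            for (final String parameterValue : parameterValues) {
                if (!dataValidator.isValid(new SecureString(parameterValue))) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Validates every value of every request header. Header names themselves are not validated.
     *
     * <p>All values are read through {@code getHeaders}; {@code getHeader} returns only the first value, which
     * would leave the remaining values of a repeated header unchecked.
     *
     * @param httpRequest the request to inspect
     * @return {@code false} as soon as one value is rejected
     */
    private boolean checkHeaders(final HttpServletRequest httpRequest) {
        final Iterator<String> headerNamesIterator = httpRequest.getHeaderNames().asIterator();
        while (headerNamesIterator.hasNext()) {
            final Iterator<String> headerValuesIterator = httpRequest.getHeaders(headerNamesIterator.next()).asIterator();
            while (headerValuesIterator.hasNext()) {
                if (!dataValidator.isValid(new SecureString(headerValuesIterator.next()))) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Validates the value of every cookie. Cookie names are not validated.
     *
     * @param httpRequest the request to inspect
     * @return {@code false} as soon as one cookie value is rejected; {@code true} when there are no cookies
     */
    private boolean checkCookies(final HttpServletRequest httpRequest) {
        final Cookie[] cookies = httpRequest.getCookies();
        if (cookies == null) {
            return true;
        }
        for (final Cookie cookie : cookies) {
            if (!dataValidator.isValid(new SecureString(cookie.getValue()))) {
                return false;
            }
        }
        return true;
    }

    /**
     * Validates the query string exactly as {@code getQueryString} returns it, without decoding it here.
     *
     * @param httpRequest the request to inspect
     * @return {@code true} when the query string is empty or accepted
     */
    private boolean checkQuery(final HttpServletRequest httpRequest) {
        final String queryString = httpRequest.getQueryString();
        return StringUtils.isEmpty(queryString) || dataValidator.isValid(new SecureString(queryString));
    }

    /**
     * Validates the buffered request body.
     *
     * @param httpRequest the wrapper holding the body
     * @return {@code true} when the body is empty or accepted
     */
    private boolean checkBody(final RequestWrapper httpRequest) {
        final String body = httpRequest.getBody();
        return StringUtils.isEmpty(body) || dataValidator.isValid(new SecureString(body));
    }
}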