Merge pull request #2984 from SCADA-LTS/feature/#2983_Prevent_XSS_for_URLs
#2983 Prevent XSS for URLs
Showing
16 changed files
with
323 additions
and
172 deletions.
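--- /dev/null
+++ b/<SRC_ROOT>/org/scada_lts/web/security/XssFilter.java
@@ -0,0 +1,35 @@
+package org.scada_lts.web.security;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class XssFilter extends OncePerRequestFilter {
+
+    private static final Logger LOG = LogManager.getLogger(XssFilter.class);
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+
+        String queryString = request.getQueryString();
+        if (queryString != null && !XssUtils.validateHttpQuery(queryString)) {
+            LOG.warn("Potential XSS detected in request. Request URI: {}, Query: {}",
+                    request.getRequestURI(), queryString);
+
+            try {
+                response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
+                        "Potential XSS detected in the request Query: " + queryString);
+            } catch (IOException e) {
+                throw new RuntimeException(e);
+            }
+            return;
+        }
+
+        filterChain.doFilter(request, response);
+    }
+}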
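Review bot: The `response.sendError(...)` call echoes the rejected `queryString` back into the error response, so the exact input the filter just classified as hostile is reflected to the client; whether that message is rendered escaped depends on the container's and any custom error page's handling, which turns the filter itself into a potential reflected-XSS sink. The status is also wrong for a client-input rejection: `SC_INTERNAL_SERVER_ERROR` reports a server fault where `SC_BAD_REQUEST` is the accurate code. The `try`/`catch` that wraps `IOException` in `RuntimeException` is redundant because `doFilterInternal` already declares `IOException`. Replace the six-line try block with `response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Request rejected: query string failed validation.");` — operators still get the offending query from the `LOG.warn` line above.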
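--- /dev/null
+++ b/<SRC_ROOT>/org/scada_lts/web/security/XssUtils.java
@@ -0,0 +1,43 @@
+package org.scada_lts.web.security;
+
+import org.scada_lts.serorepl.utils.StringUtils;
+import org.scada_lts.utils.SystemSettingsUtils;
+
+import java.util.regex.Pattern;
+
+public final class XssUtils {
+
+    private XssUtils() {}
+
+    private static final Pattern SECURITY_HTTP_ACCESS_DENIED_QUERY_REGEX = init(SystemSettingsUtils.getSecurityHttpQueryAccessDeniedRegex());
+    private static final Pattern SECURITY_HTTP_ACCESS_GRANTED_QUERY_REGEX = init(SystemSettingsUtils.getSecurityHttpQueryAccessGrantedRegex());
+    public static final int SECURITY_HTTP_ACCESS_GRANTED_QUERY_LIMIT = SystemSettingsUtils.getSecurityHttpQueryLimit();
+    public static final boolean SECURITY_HTTP_QUERY_PROTECT_ENABLED = SystemSettingsUtils.isSecurityHttpQueryProtectEnabled();
+
+    public static boolean validateHttpQuery(String query) {
+
+        if(!SECURITY_HTTP_QUERY_PROTECT_ENABLED)
+            return true;
+
+        if (query == null || query.isEmpty()) {
+            return false;
+        }
+
+        if(query.length() > SECURITY_HTTP_ACCESS_GRANTED_QUERY_LIMIT) {
+            return false;
+        }
+
+        if(SECURITY_HTTP_ACCESS_DENIED_QUERY_REGEX != null && SECURITY_HTTP_ACCESS_DENIED_QUERY_REGEX.matcher(query).matches()) {
+            return false;
+        }
+
+        return SECURITY_HTTP_ACCESS_GRANTED_QUERY_REGEX == null || SECURITY_HTTP_ACCESS_GRANTED_QUERY_REGEX.matcher(query).matches();
+    }
+
+    private static Pattern init(String regex) {
+        if(StringUtils.isEmpty(regex)) {
+            return null;
+        }
+        return Pattern.compile(regex);
+    }
+}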
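Review bot: `init` compiles an operator-supplied regex inside a static initializer, so a malformed access-denied or access-granted setting surfaces as a `PatternSyntaxException` wrapped in `ExceptionInInitializerError` the first time anything references `XssUtils`, failing every filtered request with no hint of which setting is at fault; catching it and rethrowing `IllegalStateException` with the offending pattern keeps the fail-closed behaviour but makes the failure diagnosable (this needs `import java.util.regex.PatternSyntaxException;`). Separately, the denied-pattern check uses `matcher(query).matches()`, which requires the whole query to match, so unless the configured deny regex is written with leading and trailing `.*` (its default is not visible here) a query that merely contains a forbidden fragment passes; `find()` is the usual operation for a deny pattern. The `query.isEmpty()` branch also returns `false`, so a URL ending in a bare `?` is rejected as if it were hostile; returning `true` for an empty query looks like the intended behaviour. Finally, the regexes run against the raw, still percent-encoded query string, which is worth stating in a Javadoc on `validateHttpQuery` so the configured patterns account for encoded forms.
```java
private static Pattern init(String regex) {
    if(StringUtils.isEmpty(regex)) {
        return null;
    }
    try {
        return Pattern.compile(regex);
    } catch (PatternSyntaxException e) {
        // Fail loudly with context instead of an opaque ExceptionInInitializerError.
        throw new IllegalStateException("Invalid security HTTP query regex: " + regex, e);
    }
}
```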