-
Notifications
You must be signed in to change notification settings - Fork 292
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #3023 from SCADA-LTS/feature/#2992_Prevent_XSS_for…
…_body_request #2992 Prevent XSS for body request
- Loading branch information
Showing
18 changed files
with
507 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
21 changes: 21 additions & 0 deletions
21
src/org/scada_lts/web/beans/validation/xss/XssConstraintValidator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
package org.scada_lts.web.beans.validation.xss; | ||
|
||
import org.scada_lts.serorepl.utils.StringUtils; | ||
import org.scada_lts.web.beans.validation.AbstractConstraintValidator; | ||
import org.scada_lts.web.beans.validation.ScadaValidator; | ||
|
||
public class XssConstraintValidator extends AbstractConstraintValidator<XssProtect, String> { | ||
|
||
@Override | ||
public void beforeValidate(String value) throws Exception { | ||
if (StringUtils.isEmpty(value)) { | ||
throw new XssValidatorException("Input is empty"); | ||
} | ||
} | ||
|
||
@Override | ||
public void validate(String value) throws Exception { | ||
ScadaValidator<String> validator = new XssValidator(); | ||
validator.validate(value); | ||
} | ||
} |
15 changes: 15 additions & 0 deletions
15
src/org/scada_lts/web/beans/validation/xss/XssProtect.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
package org.scada_lts.web.beans.validation.xss; | ||
|
||
import javax.validation.Constraint; | ||
import javax.validation.Payload; | ||
import java.lang.annotation.*; | ||
|
||
@Documented | ||
@Constraint(validatedBy = XssConstraintValidator.class) | ||
@Target({ElementType.METHOD, ElementType.FIELD, ElementType.ANNOTATION_TYPE, ElementType.PARAMETER}) | ||
@Retention(RetentionPolicy.RUNTIME) | ||
public @interface XssProtect { | ||
String message() default "Potential XSS detected in the request body."; | ||
Class<?>[] groups() default {}; | ||
Class<? extends Payload>[] payload() default {}; | ||
} |
15 changes: 15 additions & 0 deletions
15
src/org/scada_lts/web/beans/validation/xss/XssValidator.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
package org.scada_lts.web.beans.validation.xss; | ||
|
||
import org.scada_lts.web.beans.validation.ScadaValidator; | ||
|
||
import static org.scada_lts.web.security.XssUtils.validateHttpBody; | ||
|
||
public class XssValidator implements ScadaValidator<String> { | ||
|
||
@Override | ||
public void validate(String input) throws XssValidatorException { | ||
if(!validateHttpBody(input)) { | ||
throw new XssValidatorException("Potential XSS attack detected"); | ||
} | ||
} | ||
} |
25 changes: 25 additions & 0 deletions
25
src/org/scada_lts/web/beans/validation/xss/XssValidatorException.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
package org.scada_lts.web.beans.validation.xss; | ||
|
||
import org.scada_lts.web.beans.validation.ScadaValidatorException; | ||
|
||
public class XssValidatorException extends ScadaValidatorException { | ||
|
||
public XssValidatorException() { | ||
} | ||
|
||
public XssValidatorException(String message) { | ||
super(message); | ||
} | ||
|
||
public XssValidatorException(String message, Throwable cause) { | ||
super(message, cause); | ||
} | ||
|
||
public XssValidatorException(Throwable cause) { | ||
super(cause); | ||
} | ||
|
||
public XssValidatorException(String message, Throwable cause, boolean enableSuppression, boolean writableStackTrace) { | ||
super(message, cause, enableSuppression, writableStackTrace); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
75 changes: 75 additions & 0 deletions
75
test/org/scada_lts/web/beans/validation/xss/XssValidatorExceptionTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
package org.scada_lts.web.beans.validation.xss; | ||
|
||
import org.junit.Test; | ||
import org.junit.runner.RunWith; | ||
import org.junit.runners.Parameterized; | ||
import org.scada_lts.web.beans.validation.ScadaValidator; | ||
import org.scada_lts.web.beans.validation.ScadaValidatorException; | ||
|
||
import java.util.Arrays; | ||
import java.util.Collection; | ||
|
||
@RunWith(Parameterized.class) | ||
public class XssValidatorExceptionTest { | ||
|
||
@Parameterized.Parameters(name = "{index}: input: {0}") | ||
public static Collection<Object[]> data() { | ||
return Arrays.asList(new Object[][]{ | ||
{null}, | ||
{""}, | ||
{"<script>alert(1)</script>"}, | ||
{"<a href=\"javascript:alert(1)\">Link</a>"}, | ||
{"<div onclick=\"alert(1)\">Click me</div>"}, | ||
{"body { background-image: url('\"><img src=x onerror=alert(document.location)>'); }"}, | ||
{"div { content: \"<script>alert('XSS')</script>\"; }"}, | ||
{"h1 { font-family: \"<img src=x onerror=alert('XSS')>\"; }"}, | ||
{"@import url(\"javascript:alert('XSS')\");"}, | ||
{"div { /* comment: <img src=x onerror=alert('XSS')> */ }"}, | ||
{"span { content: '\"><script>alert(1)</script>'; }"}, | ||
{"h2 { color: expression(alert('XSS')); }"}, | ||
{"\"><img src=x onerror=alert(document.location)>"}, | ||
{"<img src='x' onerror='alert(1)'>"}, | ||
{"<input type=\"text\" value=\"\" onfocus=\"alert(1)\">"}, | ||
{"<iframe src=\"javascript:alert(1)\"></iframe>"}, | ||
{"<form action=\"javascript:alert(1)\"><input type=\"submit\"></form>"}, | ||
{"<object data=\"javascript:alert(1)\"></object>"}, | ||
{"<embed src=\"javascript:alert(1)\">"}, | ||
{"<base href=\"javascript:alert(1)//\">"}, | ||
{"<svg onload=\"alert(1)\">"}, | ||
{"<svg><script>alert(1)</script></svg>"}, | ||
{"<math><a xlink:href=\"javascript:alert(1)\">XSS</a></math>"}, | ||
{"<img src=x onerror=\"alert(String.fromCharCode(88,83,83))\">"}, | ||
{"<b onmouseover=\"alert(1)\">XSS</b>"}, | ||
{"<video><source onerror=\"javascript:alert(1)\"></video>"}, | ||
{"<details open ontoggle=\"alert(1)\">"}, | ||
{"<input onfocus=\"alert('XSS')\">"}, | ||
{"<div style=\"width: expression(alert('XSS'))\">"}, | ||
{"<meta http-equiv=\"refresh\" content=\"0;url=javascript:alert(1)\">"}, | ||
{"<link rel=\"stylesheet\" href=\"javascript:alert(1)\">"}, | ||
{"<textarea onfocus=\"alert(1)\"></textarea>"}, | ||
{"<a href=\"//example.com\" onclick=\"alert(1)\">Link</a>"}, | ||
{"<button onclick=\"alert(1)\">Click me</button>"}, | ||
{"<div style=\"background-image: url(javascript:alert(1))\">XSS</div>"}, | ||
{"<audio src=\"javascript:alert(1)\"></audio>"}, | ||
{"<marquee onstart=\"alert(1)\">XSS</marquee>"}, | ||
{"<keygen autofocus onfocus=\"alert(1)\">"}, | ||
{"<command onclick=\"alert(1)\">Click me</command>"}, | ||
{"<img src=\"https://example.com/image.jpg\" alt=\"Example Image\" width=\"600\" height=\"400\" border=\"0\" />"}, | ||
{"<img src=\"http://example.com/image.jpg\" alt=\"Example Image\" width=\"600\" height=\"400\" border=\"0\" />"}, | ||
{"><img src=x onerror=alert(document.location)>"}, | ||
}); | ||
} | ||
|
||
private final String input; | ||
private final ScadaValidator<String> validator; | ||
|
||
public XssValidatorExceptionTest(String input) { | ||
this.input = input; | ||
this.validator = new XssValidator(); | ||
} | ||
|
||
@Test(expected = XssValidatorException.class) | ||
public void when_isInvalidXss() throws ScadaValidatorException { | ||
validator.validate(input); | ||
} | ||
} |
55 changes: 55 additions & 0 deletions
55
test/org/scada_lts/web/beans/validation/xss/XssValidatorTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
package org.scada_lts.web.beans.validation.xss; | ||
|
||
import org.junit.Test; | ||
import org.junit.runner.RunWith; | ||
import org.junit.runners.Parameterized; | ||
import org.scada_lts.web.beans.validation.ScadaValidator; | ||
import org.scada_lts.web.beans.validation.ScadaValidatorException; | ||
|
||
import java.util.Arrays; | ||
import java.util.Collection; | ||
|
||
@RunWith(Parameterized.class) | ||
public class XssValidatorTest { | ||
|
||
@Parameterized.Parameters(name = "{index}: input: {0}") | ||
public static Collection<Object[]> data() { | ||
return Arrays.asList(new Object[][]{ | ||
{"<b>Bold</b>"}, | ||
{"Hello, World!"}, | ||
{"<i>Italic text</i>"}, | ||
{"<u>Underlined</u>"}, | ||
{"<strong>Strong text</strong>"}, | ||
{"<em>Emphasized text</em>"}, | ||
{"<p>Paragraph with <b>bold</b> and <i>italic</i></p>"}, | ||
{"<ul><li>Item 1</li><li>Item 2</li></ul>"}, | ||
{"<ol><li>First</li><li>Second</li></ol>"}, | ||
{"body { font-size: 14px; }"}, | ||
{"h1 { font-weight: bold; }"}, | ||
{"p { margin: 0; padding: 0; }"}, | ||
{"a > 12"}, | ||
{"a>12"}, | ||
{"a> 12"}, | ||
{"a >12"}, | ||
{"a<12"}, | ||
{"a < 12"}, | ||
{"a< 12"}, | ||
{"a <12"}, | ||
{"'a'"}, | ||
{"\"a\""}, | ||
}); | ||
} | ||
|
||
private final String input; | ||
private final ScadaValidator<String> validator; | ||
|
||
public XssValidatorTest(String input) { | ||
this.input = input; | ||
this.validator = new XssValidator(); | ||
} | ||
|
||
@Test | ||
public void when_isInvalidXss() throws ScadaValidatorException { | ||
validator.validate(input); | ||
} | ||
} |
Oops, something went wrong.