diff options
author | Bianca Schnalzer <bianca.schnalzer@egiz.gv.at> | 2017-06-23 10:05:35 +0200 |
---|---|---|
committer | Bianca Schnalzer <bianca.schnalzer@egiz.gv.at> | 2017-06-23 10:05:35 +0200 |
commit | 2b395988ade78c58e6feaf55bd6ec129cf5f8e6f (patch) | |
tree | ca64698b31b478abe7fb5cde97398646f4105699 /BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java | |
parent | f31c5c8e557b611ff4f5e43443975fb08a202863 (diff) | |
parent | 0603c0fbdfe028113431c65590b6e7e28929f6f6 (diff) | |
download | mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.gz mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.bz2 mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.zip |
Merge branch 'manuell_XXE_and_SSRF_validation' into 'master'
Manuell xxe and ssrf validation
Diffstat (limited to 'BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java')
-rw-r--r-- | BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java new file mode 100644 index 00000000..356401b6 --- /dev/null +++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java @@ -0,0 +1,80 @@ +package at.gv.egiz.bku.online.filter; + +import java.io.IOException; +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.stream.XMLStreamException; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import at.gv.egiz.dom.DOMUtils; + + +public class StalSecurityFilter implements Filter { + + private static Logger log = LoggerFactory.getLogger(StalSecurityFilter.class); + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + log.info("Initialize STAL Service security filter"); + + } + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) + throws IOException, ServletException { + + if (request instanceof HttpServletRequest) { + try { + MoccaHttpServletRequestWrapper stalHttpReq = new MoccaHttpServletRequestWrapper((HttpServletRequest) request); + + if (stalHttpReq.isInputStreamAvailable()) { + log.trace("Validate STAL request ... "); + DOMUtils.validateXMLAgainstXXEAndSSRFAttacks(stalHttpReq.getInputStream()); + log.trace("Validate of STAL request completed"); + + } + + chain.doFilter(stalHttpReq, response); + + } catch (XMLStreamException e) { + log.error("XML data validation FAILED with msg: " + e.getMessage(), e); + sendErrorToResponse(e, response); + + } catch (IOException e) { + log.error("Can not process InputStream from STAL request"); + sendErrorToResponse(e, response); + + } + + } else { + log.error("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); + log.warn("STAL request is processed WITHOUT security checks!!!!"); + log.error("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); + chain.doFilter(request, response); + + } + } + + @Override + public void destroy() { + + } + + private void sendErrorToResponse(Exception e, ServletResponse response) throws IOException { + if (response instanceof HttpServletResponse) { + ((HttpServletResponse)response).sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage()); + + } else + log.error("Can not response with http error message"); + + } + +} |