authorBianca Schnalzer <bianca.schnalzer@egiz.gv.at>2017-06-23 10:05:35 +0200
committerBianca Schnalzer <bianca.schnalzer@egiz.gv.at>2017-06-23 10:05:35 +0200
commit2b395988ade78c58e6feaf55bd6ec129cf5f8e6f (patch)
treeca64698b31b478abe7fb5cde97398646f4105699 /BKUOnline/src
parentf31c5c8e557b611ff4f5e43443975fb08a202863 (diff)
parent0603c0fbdfe028113431c65590b6e7e28929f6f6 (diff)
Merge branch 'manuell_XXE_and_SSRF_validation' into 'master'
Manual XXE and SSRF validation
Diffstat (limited to 'BKUOnline/src')
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java71
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java80
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java5
-rw-r--r--BKUOnline/src/main/webapp/WEB-INF/web.xml8
4 files changed, 163 insertions, 1 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
new file mode 100644
index 00000000..d01f8128
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
@@ -0,0 +1,71 @@
+package at.gv.egiz.bku.online.filter;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.apache.commons.io.IOUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+import at.gv.egiz.bku.binding.HttpUtil;
+
+
+public class MoccaHttpServletRequestWrapper extends HttpServletRequestWrapper {
+
+ private static Logger log = LoggerFactory.getLogger(MoccaHttpServletRequestWrapper.class);
+
+ private final byte[] body;
+ private final String charset;
+
+ public MoccaHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
+ super(request);
+
+ String ct = request.getHeader(HttpUtil.HTTP_HEADER_CONTENT_TYPE.toLowerCase());
+ charset = HttpUtil.getCharset(ct, true);
+
+ byte[] result = null;
+ try {
+ result = IOUtils.toByteArray(request.getReader(), charset);
+
+ } catch (IOException e) {
+ log.error("Can not copy input stream!!!!!", e);
+ throw new IOException("Can not copy input stream!!!!!", e);
+
+ } finally {
+ body = result;
+
+ }
+ }
+
+ public boolean isInputStreamAvailable() {
+ return (body != null && body.length > 0);
+
+ }
+
+ @Override
+ public BufferedReader getReader() throws IOException {
+ return new BufferedReader(new InputStreamReader(getInputStream(), charset));
+
+ }
+
+ @Override
+ public ServletInputStream getInputStream() throws IOException {
+ final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(body);
+ return new ServletInputStream() {
+
+ @Override
+ public int read() throws IOException {
+ return byteArrayInputStream.read();
+ }
+
+ };
+
+ }
+}
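Review bot: The constructor copies the whole request body into memory with no upper bound (`result = IOUtils.toByteArray(request.getReader(), charset);`), and since this wrapper is now created for every STAL request by the security filter, heap usage becomes proportional to whatever a client sends; a configurable maximum body size, checked while copying and answered with a 413, would keep the validation step itself from becoming a resource-exhaustion vector. The anonymous ServletInputStream overrides only `read()`, so every bulk read from the buffered body degrades to a byte-at-a-time loop; adding `@Override public int read(byte[] b, int off, int len) { return byteArrayInputStream.read(b, off, len); }` delegates it to the underlying ByteArrayInputStream at no cost. The body is decoded through the request's Reader and re-encoded with `charset`, so if `HttpUtil.getCharset(ct, true)` can return null for a missing Content-Type the InputStreamReader in getReader() will fail with a NullPointerException rather than a clean 400 — worth confirming against that helper. A class-level Javadoc stating that the wrapper buffers the body once so it can be read by both the validator and the servlet would help the next reader understand why a wrapper is needed at all.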
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
new file mode 100644
index 00000000..356401b6
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
@@ -0,0 +1,80 @@
+package at.gv.egiz.bku.online.filter;
+
+import java.io.IOException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.stream.XMLStreamException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egiz.dom.DOMUtils;
+
+
+public class StalSecurityFilter implements Filter {
+
+ private static Logger log = LoggerFactory.getLogger(StalSecurityFilter.class);
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ log.info("Initialize STAL Service security filter");
+
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+ throws IOException, ServletException {
+
+ if (request instanceof HttpServletRequest) {
+ try {
+ MoccaHttpServletRequestWrapper stalHttpReq = new MoccaHttpServletRequestWrapper((HttpServletRequest) request);
+
+ if (stalHttpReq.isInputStreamAvailable()) {
+ log.trace("Validate STAL request ... ");
+ DOMUtils.validateXMLAgainstXXEAndSSRFAttacks(stalHttpReq.getInputStream());
+ log.trace("Validate of STAL request completed");
+
+ }
+
+ chain.doFilter(stalHttpReq, response);
+
+ } catch (XMLStreamException e) {
+ log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
+ sendErrorToResponse(e, response);
+
+ } catch (IOException e) {
+ log.error("Can not process InputStream from STAL request");
+ sendErrorToResponse(e, response);
+
+ }
+
+ } else {
+ log.error("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
+ log.warn("STAL request is processed WITHOUT security checks!!!!");
+ log.error("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
+ chain.doFilter(request, response);
+
+ }
+ }
+
+ @Override
+ public void destroy() {
+
+ }
+
+ private void sendErrorToResponse(Exception e, ServletResponse response) throws IOException {
+ if (response instanceof HttpServletResponse) {
+ ((HttpServletResponse)response).sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage());
+
+ } else
+ log.error("Can not response with http error message");
+
+ }
+
+}
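Review bot: The try block in doFilter encloses `chain.doFilter(stalHttpReq, response);` as well as the validation, so any IOException thrown by the downstream STAL servlet is also reported as a 400 carrying `e.getMessage()`, and if that servlet already committed the response the subsequent `sendError` will throw IllegalStateException; narrowing the try to the validation call and moving `chain.doFilter` after it keeps the filter's error handling to what the filter itself checked. Relatedly, `sendError(HttpServletResponse.SC_BAD_REQUEST, e.getMessage())` echoes the raw parser message — which for an XMLStreamException can include fragments of the client-supplied document — back into the response body; a fixed message such as `"Invalid STAL request"` with the detail kept in the log is the safer default for a security filter. The IOException branch logs `log.error("Can not process InputStream from STAL request");` without the exception, so the cause is lost; pass `e` as the second argument. The non-HttpServletRequest branch logs loudly but still calls `chain.doFilter(request, response)` without validation, i.e. the filter fails open; if that case is not expected to occur in this deployment, consider rejecting the request instead and documenting the decision in a comment.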
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
index 7dd2cd22..d34ead45 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
@@ -65,6 +65,7 @@ import at.gv.egiz.bku.slcommands.impl.SLCommandImpl;
import at.gv.egiz.bku.slexceptions.SLCommandException;
import at.gv.egiz.bku.utils.DebugInputStream;
import at.gv.egiz.bku.utils.StreamUtil;
+import at.gv.egiz.dom.DOMUtils;
import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage;
import at.gv.egiz.slbinding.SLUnmarshaller;
@@ -135,7 +136,6 @@ public class DataURLServerServlet extends HttpServlet {
}
SLUnmarshaller slUnmarshaller = new SLUnmarshaller();
-
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
dbf.setSchema(slUnmarshaller.getSlSchema());
@@ -153,6 +153,9 @@ public class DataURLServerServlet extends HttpServlet {
"(see http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization)", e);
}
+ //set XML parser flags to prevent XXE, XEE and SSRF attacks
+ DOMUtils.setXMLParserFlagsAgainstXXEAndSSRFAttacks(dbf);
+
DocumentBuilder documentBuilder;
try {
documentBuilder = dbf.newDocumentBuilder();
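Review bot: The new `DOMUtils.setXMLParserFlagsAgainstXXEAndSSRFAttacks(dbf);` call is correctly placed before `dbf.newDocumentBuilder()`, but nothing in the comment says that this ordering is load-bearing; features set on a DocumentBuilderFactory only affect builders created afterwards, so a later refactor that moves builder creation up would silently drop the hardening. Suggest extending the comment to `//set XML parser flags to prevent XXE, XEE and SSRF attacks; must stay before newDocumentBuilder(), factory features only apply to builders created afterwards`. The enclosing method starts before this hunk, so whether the helper can throw a checked exception that the surrounding try/catch structure needs to handle cannot be judged from here.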
diff --git a/BKUOnline/src/main/webapp/WEB-INF/web.xml b/BKUOnline/src/main/webapp/WEB-INF/web.xml
index 5033cc5e..5779fc97 100644
--- a/BKUOnline/src/main/webapp/WEB-INF/web.xml
+++ b/BKUOnline/src/main/webapp/WEB-INF/web.xml
@@ -175,6 +175,14 @@
<filter-name>RequestIdFilter</filter-name>
<filter-class>at.gv.egiz.bku.online.webapp.TransactionIdFilter</filter-class>
</filter>
+ <filter>
+ <filter-name>StalSecurityFilter</filter-name>
+ <filter-class>at.gv.egiz.bku.online.filter.StalSecurityFilter</filter-class>
+ </filter>
+ <filter-mapping>
+ <filter-name>StalSecurityFilter</filter-name>
+ <servlet-name>STALService</servlet-name>
+ </filter-mapping>
<filter-mapping>
<filter-name>RequestIdFilter</filter-name>
<servlet-name>HTTPSecurityLayerServlet</servlet-name>
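Review bot: The new `<filter-mapping>` for StalSecurityFilter is inserted ahead of the existing RequestIdFilter mapping, and since the servlet container applies filters in the order their mappings appear, the security filter will run before the request-id filter for STALService; if the transaction id that RequestIdFilter establishes is what correlates log lines, the validation-failure errors logged by StalSecurityFilter will be emitted without it — presumably unintended, and fixed by placing the new mapping after the RequestIdFilter mapping. The mapping also carries no `<dispatcher>` element, so it applies to REQUEST dispatches only; if STALService can be reached via FORWARD or INCLUDE from another servlet, those paths bypass the validation and an explicit `<dispatcher>` list would close that gap. A short XML comment above the `<filter>` element stating that it buffers and validates STAL request bodies against XXE/SSRF before the servlet sees them would document the intent for whoever next edits this descriptor.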