summaryrefslogtreecommitdiff
path: root/BKUOnline
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2017-06-23 06:50:14 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2017-06-23 06:50:14 +0200
commit0603c0fbdfe028113431c65590b6e7e28929f6f6 (patch)
treeca64698b31b478abe7fb5cde97398646f4105699 /BKUOnline
parentd840a372f84518c4026efd3d463cfcffac930e46 (diff)
downloadmocca-0603c0fbdfe028113431c65590b6e7e28929f6f6.tar.gz
mocca-0603c0fbdfe028113431c65590b6e7e28929f6f6.tar.bz2
mocca-0603c0fbdfe028113431c65590b6e7e28929f6f6.zip
some small refactoring and code documentation
Diffstat (limited to 'BKUOnline')
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java1
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java48
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java16
3 files changed, 7 insertions, 58 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
index 8901969d..d01f8128 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
@@ -5,7 +5,6 @@ import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
-import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
index 0e98cb79..356401b6 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
@@ -1,26 +1,20 @@
package at.gv.egiz.bku.online.filter;
-import java.io.ByteArrayInputStream;
import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
-import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLStreamException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.xml.sax.SAXException;
+
+import at.gv.egiz.dom.DOMUtils;
public class StalSecurityFilter implements Filter {
@@ -43,7 +37,7 @@ public class StalSecurityFilter implements Filter {
if (stalHttpReq.isInputStreamAvailable()) {
log.trace("Validate STAL request ... ");
- validateStalRequest(stalHttpReq.getInputStream());
+ DOMUtils.validateXMLAgainstXXEAndSSRFAttacks(stalHttpReq.getInputStream());
log.trace("Validate of STAL request completed");
}
@@ -71,7 +65,6 @@ public class StalSecurityFilter implements Filter {
@Override
public void destroy() {
- // TODO Auto-generated method stub
}
@@ -83,40 +76,5 @@ public class StalSecurityFilter implements Filter {
log.error("Can not response with http error message");
}
-
- private void validateStalRequest(InputStream is) throws XMLStreamException, IOException {
-
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-
- try {
- dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-
- } catch (ParserConfigurationException e) {
- log.error("Can NOT set Xerces parser security features. -> XML parsing is possible insecure!!!! ", e);
-
- }
-
- try {
- //validate input stream
- dbf.newDocumentBuilder().parse(is);
-
- } catch (SAXException e) {
- log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
- throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
-
- } catch (ParserConfigurationException e) {
- log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
- throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
-
- } catch (IOException e) {
- log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
- throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
-
- }
- }
-
}
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
index 37889ae5..d34ead45 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
@@ -65,6 +65,7 @@ import at.gv.egiz.bku.slcommands.impl.SLCommandImpl;
import at.gv.egiz.bku.slexceptions.SLCommandException;
import at.gv.egiz.bku.utils.DebugInputStream;
import at.gv.egiz.bku.utils.StreamUtil;
+import at.gv.egiz.dom.DOMUtils;
import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage;
import at.gv.egiz.slbinding.SLUnmarshaller;
@@ -152,18 +153,9 @@ public class DataURLServerServlet extends HttpServlet {
"(see http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization)", e);
}
- try {
- dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-
- } catch (ParserConfigurationException e) {
- log.error("Can NOT set SAX parser security features. -> XML parsing is possible insecure!!!! ", e);
-
- }
-
-
+ //set XML parser flags to prevent XXE, XEE and SSRF attacks
+ DOMUtils.setXMLParserFlagsAgainstXXEAndSSRFAttacks(dbf);
+
DocumentBuilder documentBuilder;
try {
documentBuilder = dbf.newDocumentBuilder();