path: root/BKUOnline/src/main/java/at/gv/egiz/bku/online
Diffstat (limited to 'BKUOnline/src/main/java/at/gv/egiz/bku/online')
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java1
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java48
2 files changed, 3 insertions, 46 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
index 8901969d..d01f8128 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
@@ -5,7 +5,6 @@ import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
-import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
index 0e98cb79..356401b6 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
@@ -1,26 +1,20 @@
package at.gv.egiz.bku.online.filter;
-import java.io.ByteArrayInputStream;
import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
-import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLStreamException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.xml.sax.SAXException;
+
+import at.gv.egiz.dom.DOMUtils;
public class StalSecurityFilter implements Filter {
@@ -43,7 +37,7 @@ public class StalSecurityFilter implements Filter {
if (stalHttpReq.isInputStreamAvailable()) {
log.trace("Validate STAL request ... ");
- validateStalRequest(stalHttpReq.getInputStream());
+ DOMUtils.validateXMLAgainstXXEAndSSRFAttacks(stalHttpReq.getInputStream());
log.trace("Validate of STAL request completed");
}
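Review bot: The filter's XXE/SSRF guard now rests entirely on `DOMUtils.validateXMLAgainstXXEAndSSRFAttacks`, whose parser configuration and failure behaviour are not visible in this diff; the local method it replaces logged and carried on when the Xerces security features could not be set (fail-open), so it is worth confirming the shared helper throws rather than parsing with an unhardened `DocumentBuilderFactory`. `javax.xml.stream.XMLStreamException` is still imported on the new side, so presumably the helper signals a rejected document by throwing it and the surrounding catch (outside this hunk) maps that to the HTTP error response — verify that contract, since a helper that only logs would silently pass malicious input through. A one-line comment above the call would make the dependency explicit for the next maintainer: `// Reject DOCTYPE/external-entity constructs before the body reaches the STAL XML parser; the helper must fail closed.` The enclosing method starts and ends outside the hunk.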
@@ -71,7 +65,6 @@ public class StalSecurityFilter implements Filter {
@Override
public void destroy() {
- // TODO Auto-generated method stub
}
@@ -83,40 +76,5 @@ public class StalSecurityFilter implements Filter {
log.error("Can not response with http error message");
}
-
- private void validateStalRequest(InputStream is) throws XMLStreamException, IOException {
-
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-
- try {
- dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
- dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-
- } catch (ParserConfigurationException e) {
- log.error("Can NOT set Xerces parser security features. -> XML parsing is possible insecure!!!! ", e);
-
- }
-
- try {
- //validate input stream
- dbf.newDocumentBuilder().parse(is);
-
- } catch (SAXException e) {
- log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
- throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
-
- } catch (ParserConfigurationException e) {
- log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
- throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
-
- } catch (IOException e) {
- log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
- throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
-
- }
- }
-
}