From 345a8534ff39cc9550cbacabe2b3fffe20293508 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Thu, 22 Jun 2017 14:26:15 +0200
Subject: implement a workaround to fix XXE and SSRF problems in an old
 XMLStreamParser implementation of a third party library

---
 .../filter/MoccaHttpServletRequestWrapper.java     | 72 ++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java

(limited to 'BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java')

diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
new file mode 100644
index 00000000..8901969d
--- /dev/null
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/MoccaHttpServletRequestWrapper.java
@@ -0,0 +1,72 @@
+package at.gv.egiz.bku.online.filter;
+
+import java.io.BufferedReader;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+
+import javax.servlet.ReadListener;
+import javax.servlet.ServletInputStream;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+
+import org.apache.commons.io.IOUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+
+import at.gv.egiz.bku.binding.HttpUtil;
+
+
+public class MoccaHttpServletRequestWrapper extends HttpServletRequestWrapper {
+
+	private static Logger log = LoggerFactory.getLogger(MoccaHttpServletRequestWrapper.class);
+	
+	private final byte[] body;
+	private final String charset;
+	
+	public MoccaHttpServletRequestWrapper(HttpServletRequest request) throws IOException {
+		super(request);
+				
+		String ct = request.getHeader(HttpUtil.HTTP_HEADER_CONTENT_TYPE.toLowerCase());
+		charset = HttpUtil.getCharset(ct, true);
+		
+		byte[] result = null;
+		try {
+			 result = IOUtils.toByteArray(request.getReader(), charset);
+						
+		} catch (IOException e) {
+			log.error("Can not copy input stream!!!!!", e);
+			throw new IOException("Can not copy input stream!!!!!", e);
+			
+		} finally {
+			body = result;
+			
+		}
+	}
+	
+	public boolean isInputStreamAvailable() {
+		return (body != null && body.length > 0);
+		
+	}
+	
+	@Override
+	public BufferedReader getReader() throws IOException {
+		return new BufferedReader(new InputStreamReader(getInputStream(), charset));
+	    
+	}
+
+	@Override
+	public ServletInputStream getInputStream() throws IOException {
+		final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(body);
+		return new ServletInputStream() {
+
+			@Override
+			public int read() throws IOException {
+				return byteArrayInputStream.read();
+			}
+        
+		};
+					
+	}
+}
-- 
cgit v1.2.3