From 0603c0fbdfe028113431c65590b6e7e28929f6f6 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Fri, 23 Jun 2017 06:50:14 +0200
Subject: some small refactoring and code documentation

---
 .../egiz/bku/online/filter/StalSecurityFilter.java | 48 ++--------------------
 1 file changed, 3 insertions(+), 45 deletions(-)

(limited to 'BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java')

diff --git a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
index 0e98cb79..356401b6 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/bku/online/filter/StalSecurityFilter.java
@@ -1,26 +1,20 @@
 package at.gv.egiz.bku.online.filter;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
-import javax.servlet.ServletInputStream;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.stream.XMLStreamException;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.xml.sax.SAXException;
+
+import at.gv.egiz.dom.DOMUtils;
 
 
 public class StalSecurityFilter implements Filter {
@@ -43,7 +37,7 @@ public class StalSecurityFilter implements Filter {
 				
 				if (stalHttpReq.isInputStreamAvailable()) {
 					log.trace("Validate STAL request ... ");
-					validateStalRequest(stalHttpReq.getInputStream());
+					DOMUtils.validateXMLAgainstXXEAndSSRFAttacks(stalHttpReq.getInputStream());
 					log.trace("Validate of STAL request completed");
 					
 				}
@@ -71,7 +65,6 @@ public class StalSecurityFilter implements Filter {
 
 	@Override
 	public void destroy() {
-		// TODO Auto-generated method stub
 		
 	}
 
@@ -83,40 +76,5 @@ public class StalSecurityFilter implements Filter {
 			log.error("Can not response with http error message");
 		
 	}
-	
-	private void validateStalRequest(InputStream is) throws XMLStreamException, IOException {
-			
-		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-		
-		try {
-			dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
-			dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-			dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
-			dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-						
-		} catch (ParserConfigurationException e) {
-			log.error("Can NOT set Xerces parser security features. -> XML parsing is possible insecure!!!! ", e);
-			
-		}
-    	    	        
-		try {        	
-			//validate input stream        	
-			dbf.newDocumentBuilder().parse(is);
-            		    		    		
-		} catch (SAXException e) {
-			log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
-			throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
-
-		} catch (ParserConfigurationException e) {
-			log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
-			throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
-    		
-		} catch (IOException e) {
-			log.error("XML data validation FAILED with msg: " + e.getMessage(), e);
-			throw new XMLStreamException("XML data validation FAILED with msg: " + e.getMessage(), e);
-    		
-		}
 		
-	}
-	
 }
-- 
cgit v1.2.3