View Javadoc
1   /*
2    * Copyright (c) 2002-2014, Mairie de Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.util.http;
35  
36  import fr.paris.lutece.util.string.StringUtil;
37  
38  import org.apache.commons.lang.StringUtils;
39  
40  import org.apache.log4j.Logger;
41  
42  import java.util.Enumeration;
43  
44  import javax.servlet.http.HttpServletRequest;
45  
46  
47  /**
48   * Security utils
49   *
50   */
51  public final class SecurityUtil
52  {
53      private static final String LOGGER_NAME = "lutece.security.http";
54      private static final String CONSTANT_HTTP_HEADER_X_FORWARDED_FOR = "X-Forwarded-For";
55      private static final String PATTERN_IP_ADDRESS = "^([0-9]{1,3}\\.){3}[0-9]{1,3}$";
56      private static final String CONSTANT_COMMA = ",";
57  
58      //private static final String PATTERN_CLEAN_PARAMETER = "^[\\w/]+$+";
59  
60      /**
61       * Private Constructor
62       */
63      private SecurityUtil(  )
64      {
65      }
66  
67      /**
68       * Scan request parameters to see if there no malicious code.
69       *
70       * @param request The HTTP request
71       * @return true if all parameters don't contains any special characters
72       */
73      public static boolean containsCleanParameters( HttpServletRequest request )
74      {
75          return containsCleanParameters( request, null );
76      }
77  
78      /**
79       * Scan request parameters to see if there no malicious code.
80       *
81       * @param request The HTTP request
82       * @param strXssCharacters a String wich contain a list of Xss characters to check in strValue
83       * @return true if all parameters don't contains any special characters
84       */
85      public static boolean containsCleanParameters( HttpServletRequest request, String strXssCharacters )
86      {
87          String key;
88          String[] values;
89  
90          Enumeration<String> e = request.getParameterNames(  );
91  
92          while ( e.hasMoreElements(  ) )
93          {
94              key = e.nextElement(  );
95              values = request.getParameterValues( key );
96  
97              int length = values.length;
98  
99              for ( int i = 0; i < length; i++ )
100             {
101                 if ( SecurityUtil.containsXssCharacters( request, values[i], strXssCharacters ) )
102                 {
103                     Logger logger = Logger.getLogger( LOGGER_NAME );
104                     logger.warn( "SECURITY WARNING : INVALID REQUEST PARAMETERS" + dumpRequest( request ) );
105 
106                     return false;
107                 }
108             }
109         }
110 
111         return true;
112     }
113 
114     /**
115      * Checks if a String contains characters that could be used for a
116      * cross-site scripting attack.
117      *
118      * @param request The HTTP request
119      * @param strString a character String
120      * @return true if the String contains illegal characters
121      */
122     public static boolean containsXssCharacters( HttpServletRequest request, String strString )
123     {
124         return containsXssCharacters( request, strString, null );
125     }
126 
127     /**
128      * Checks if a String contains characters that could be used for a
129      * cross-site scripting attack.
130      *
131      * @param request The HTTP request
132      * @param strValue a character String
133      * @param strXssCharacters a String wich contain a list of Xss characters to check in strValue
134      * @return true if the String contains illegal characters
135      */
136     public static boolean containsXssCharacters( HttpServletRequest request, String strValue, String strXssCharacters )
137     {
138         boolean bContains = ( strXssCharacters == null ) ? StringUtil.containsXssCharacters( strValue )
139                                                          : StringUtil.containsXssCharacters( strValue, strXssCharacters );
140 
141         if ( bContains )
142         {
143             Logger logger = Logger.getLogger( LOGGER_NAME );
144             logger.warn( "SECURITY WARNING : XSS CHARACTERS DETECTED" + dumpRequest( request ) );
145         }
146 
147         return bContains;
148     }
149 
150     /**
151      * Dump all request info
152      * @param request The HTTP request
153      * @return A report containing all request info
154      */
155     public static String dumpRequest( HttpServletRequest request )
156     {
157         StringBuffer sbDump = new StringBuffer( "\r\n Request Dump : \r\n" );
158         dumpTitle( sbDump, "Request variables" );
159         dumpVariables( sbDump, request );
160         dumpTitle( sbDump, "Request parameters" );
161         dumpParameters( sbDump, request );
162         dumpTitle( sbDump, "Request headers" );
163         dumpHeaders( sbDump, request );
164 
165         return sbDump.toString(  );
166     }
167 
168     /**
169      * Get the IP of the user from a request. If the user is behind an apache
170      * server, return the ip of the user instead of the ip of the server.
171      * @param request The request
172      * @return The IP of the user that made the request
173      */
174     public static String getRealIp( HttpServletRequest request )
175     {
176         String strIPAddress = request.getHeader( CONSTANT_HTTP_HEADER_X_FORWARDED_FOR );
177 
178         if ( strIPAddress != null )
179         {
180             String strIpForwarded = null;
181 
182             while ( !strIPAddress.matches( PATTERN_IP_ADDRESS ) && strIPAddress.contains( CONSTANT_COMMA ) )
183             {
184                 strIpForwarded = strIPAddress.substring( 0, strIPAddress.indexOf( CONSTANT_COMMA ) );
185                 strIPAddress = strIPAddress.substring( strIPAddress.indexOf( CONSTANT_COMMA ) )
186                                            .replaceFirst( CONSTANT_COMMA, StringUtils.EMPTY ).trim(  );
187 
188                 if ( ( strIpForwarded != null ) && strIpForwarded.matches( PATTERN_IP_ADDRESS ) )
189                 {
190                     strIPAddress = strIpForwarded;
191                 }
192             }
193 
194             if ( !strIPAddress.matches( PATTERN_IP_ADDRESS ) )
195             {
196                 strIPAddress = request.getRemoteAddr(  );
197             }
198         }
199         else
200         {
201             strIPAddress = request.getRemoteAddr(  );
202         }
203 
204         return strIPAddress;
205     }
206 
207     /**
208      * Write a title into the dump stringbuffer
209      * @param sbDump The dump stringbuffer
210      * @param strTitle The title
211      */
212     private static void dumpTitle( StringBuffer sbDump, String strTitle )
213     {
214         sbDump.append( "** " );
215         sbDump.append( strTitle );
216         sbDump.append( "  **\r\n" );
217     }
218 
219     /**
220      * Write request variables into the dump stringbuffer
221      * @param sb The dump stringbuffer
222      * @param request The HTTP request
223      */
224     private static void dumpVariables( StringBuffer sb, HttpServletRequest request )
225     {
226         dumpVariable( sb, "AUTH_TYPE", request.getAuthType(  ) );
227         dumpVariable( sb, "REQUEST_METHOD", request.getMethod(  ) );
228         dumpVariable( sb, "PATH_INFO", request.getPathInfo(  ) );
229         dumpVariable( sb, "PATH_TRANSLATED", request.getPathTranslated(  ) );
230         dumpVariable( sb, "QUERY_STRING", request.getQueryString(  ) );
231         dumpVariable( sb, "REQUEST_URI", request.getRequestURI(  ) );
232         dumpVariable( sb, "SCRIPT_NAME", request.getServletPath(  ) );
233         dumpVariable( sb, "LOCAL_ADDR", request.getLocalAddr(  ) );
234         dumpVariable( sb, "SERVER_PROTOCOL", request.getProtocol(  ) );
235         dumpVariable( sb, "REMOTE_ADDR", request.getRemoteAddr(  ) );
236         dumpVariable( sb, "REMOTE_HOST", request.getRemoteHost(  ) );
237         dumpVariable( sb, "HTTPS", request.getScheme(  ) );
238         dumpVariable( sb, "SERVER_NAME", request.getServerName(  ) );
239         dumpVariable( sb, "SERVER_PORT", String.valueOf( request.getServerPort(  ) ) );
240     }
241 
242     /**
243      * Write request headers infos into the dump stringbuffer
244      * @param sb The dump stringbuffer
245      * @param request The HTTP request
246      */
247     private static void dumpHeaders( StringBuffer sb, HttpServletRequest request )
248     {
249         Enumeration<String> values;
250         String key;
251         Enumeration<String> headers = request.getHeaderNames(  );
252 
253         while ( headers.hasMoreElements(  ) )
254         {
255             key = headers.nextElement(  );
256             values = request.getHeaders( key );
257 
258             while ( values.hasMoreElements(  ) )
259             {
260                 dumpVariable( sb, key, values.nextElement(  ) );
261             }
262         }
263     }
264 
265     /**
266      * Write request parameters infos into the dump stringbuffer
267      * @param sb The dump stringbuffer
268      * @param request The HTTP request
269      */
270     private static void dumpParameters( StringBuffer sb, HttpServletRequest request )
271     {
272         String key;
273         String[] values;
274 
275         Enumeration<String> e = request.getParameterNames(  );
276 
277         while ( e.hasMoreElements(  ) )
278         {
279             key = e.nextElement(  );
280             values = request.getParameterValues( key );
281 
282             int length = values.length;
283 
284             for ( int i = 0; i < length; i++ )
285             {
286                 dumpVariable( sb, key, values[i] );
287             }
288         }
289     }
290 
291     /**
292      * Write name / value infos into the dump stringbuffer
293      * @param sb The dump string buffer
294      * @param strName The info name
295      * @param strValue The info value
296      */
297     private static void dumpVariable( StringBuffer sb, String strName, String strValue )
298     {
299         sb.append( strName );
300         sb.append( " : \"" );
301         sb.append( strValue );
302         sb.append( "\"\r\n" );
303     }
304 }