View Javadoc
1   /*
2    * Copyright (c) 2002-2022, City of Paris
3    * All rights reserved.
4    *
5    * Redistribution and use in source and binary forms, with or without
6    * modification, are permitted provided that the following conditions
7    * are met:
8    *
9    *  1. Redistributions of source code must retain the above copyright notice
10   *     and the following disclaimer.
11   *
12   *  2. Redistributions in binary form must reproduce the above copyright notice
13   *     and the following disclaimer in the documentation and/or other materials
14   *     provided with the distribution.
15   *
16   *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
17   *     contributors may be used to endorse or promote products derived from
18   *     this software without specific prior written permission.
19   *
20   * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21   * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22   * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23   * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
24   * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25   * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26   * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27   * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28   * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29   * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30   * POSSIBILITY OF SUCH DAMAGE.
31   *
32   * License 1.0
33   */
34  package fr.paris.lutece.portal.web.xss;
35  
36  import fr.paris.lutece.util.http.SecurityUtil;
37  
38  import java.io.IOException;
39  
40  import javax.servlet.Filter;
41  import javax.servlet.FilterChain;
42  import javax.servlet.FilterConfig;
43  import javax.servlet.ServletException;
44  import javax.servlet.ServletRequest;
45  import javax.servlet.ServletResponse;
46  import javax.servlet.http.HttpServletRequest;
47  import javax.servlet.http.HttpServletResponse;
48  
49  /**
50   * A rewrite of the HttpServletRequestWrapper for escaping xss characters which could be contained inside the request
51   */
52  public abstract class SafeRequestFilter implements Filter
53  {
54      private static final String PROPERTY_TITLE_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS = "portal.util.message.titleDefault";
55      private static final String PROPERTY_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS = "portal.util.message.requestParametersContainsXssCharacters";
56      private static final String PARAM_FILTER_XSS_CHARATERS = "xssCharacters";
57      private static final String ACTIVATE_XSS_FILTER = "activateXssFilter";
58      private String _strXssCharacters;
59      private boolean _bActivateXssFilter;
60  
61      /**
62       * {@inheritDoc}
63       */
64      @Override
65      public void init( FilterConfig config ) throws ServletException
66      {
67          String strParamValue = config.getInitParameter( PARAM_FILTER_XSS_CHARATERS );
68          _strXssCharacters = strParamValue;
69          strParamValue = config.getInitParameter( ACTIVATE_XSS_FILTER );
70  
71          if ( strParamValue != null )
72          {
73              _bActivateXssFilter = Boolean.valueOf( strParamValue );
74          }
75      }
76  
77      /**
78       * {@inheritDoc}
79       */
80      @Override
81      public void destroy( )
82      {
83          // Do nothing
84      }
85  
86      /**
87       * {@inheritDoc}
88       */
89      @Override
90      public void doFilter( ServletRequest request, ServletResponse response, FilterChain chain ) throws IOException, ServletException
91      {
92          HttpServletRequest httpRequest = (HttpServletRequest) request;
93  
94          if ( _bActivateXssFilter && ( _strXssCharacters != null ) && !_strXssCharacters.trim( ).equals( "" )
95                  && !SecurityUtil.containsCleanParameters( httpRequest, _strXssCharacters ) )
96          {
97              HttpServletResponse httpServletResponse = (HttpServletResponse) response;
98              httpServletResponse.sendRedirect( getMessageUrl( httpRequest, PROPERTY_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS, null,
99                      PROPERTY_TITLE_REQUEST_PARAMETERS_CONTAINS_XSS_CHARACTERS ) );
100         }
101         else
102         {
103             chain.doFilter( request, response );
104         }
105     }
106 
107     /**
108      * Forward the error message url depends site or admin implementation
109      * 
110      * @param request
111      *            the request {@link HttpServletRequest}
112      * @param strMessageKey
113      *            the message key
114      * @param messageArgs
115      *            the message args
116      * @param strTitleKey
117      *            the title of the message
118      * @return url
119      */
120     protected abstract String getMessageUrl( HttpServletRequest request, String strMessageKey, Object [ ] messageArgs, String strTitleKey );
121 }