Class XSSRequestProcessingService


  • public class XSSRequestProcessingService
    extends Object
    Responsible for performing validation and sanitization on provided values.
    Author:
    Jon Fleschler (jfleschler)
    See Also:
    XSSRequestService
    • Constructor Detail

      • XSSRequestProcessingService

        public XSSRequestProcessingService​(org.owasp.html.PolicyFactory policy,
                                           XSSConfigurationProperties properties)
    • Method Detail

      • processValue

        public XSSProcessingResponse processValue​(String value,
                                                  @Nullable
                                                  javax.servlet.http.HttpServletRequest request)
        Process a given value against XSS sanitization. This will respond with an XSSProcessingResponse containing the processed value and whether it detected any XSS violations. A field will either be validated _OR_ sanitized.
        Parameters:
        value - the value to process
        request - the current request that this payload belongs to
        Returns:
an XSSProcessingResponse containing the processed value and whether a violation occurred
      • processField

        public XSSProcessingResponse processField​(@Nullable
                                                  String fieldName,
                                                  String fieldValue,
                                                  @Nullable
                                                  javax.servlet.http.HttpServletRequest request)
        Process a given field and value against XSS sanitization. This will respond with an XSSProcessingResponse containing the processed value and whether it detected any XSS violations. A field will either be validated _OR_ sanitized.
        Parameters:
        fieldName - the name of the field to sanitize
        fieldValue - the value of the field to process
        request - the current request that this payload belongs to
        Returns:
an XSSProcessingResponse containing the processed value and whether a violation occurred
      • shouldValidate

        protected boolean shouldValidate​(@Nullable
                                         String fieldName,
                                         @Nullable
                                         javax.servlet.http.HttpServletRequest request)
        Whether the value for the provided field should be validated against XSS
        Parameters:
        fieldName - the name of the field to sanitize
        request - the current request that this payload belongs to
        Returns:
        whether the value should be validated
      • shouldSanitize

        protected boolean shouldSanitize​(@Nullable
                                         String fieldName,
                                         @Nullable
                                         javax.servlet.http.HttpServletRequest request)
Whether the value for the provided field should be sanitized. A field can only be sanitized if validation is not required.
        Parameters:
        fieldName - the name of the field to sanitize
        request - the current request that this payload belongs to
        Returns:
        whether the value should be sanitized
      • doValidate

        protected boolean doValidate​(@Nullable
                                     String value)
        Perform the validation by comparing a sanitized version of the value to a baseline sanitized version.
        Parameters:
        value - the value to validate
        Returns:
        whether the value is valid
      • doSanitize

        protected String doSanitize​(@Nullable
                                    String value)
Perform the XSS sanitization of a value.
        Parameters:
        value - the value to sanitize
        Returns:
        the sanitized value
      • normalize

        protected String normalize​(String value)
Normalizes the input value by removing spaces and semi-colons, because the baseline sanitize pass does not perform formatting.
        Parameters:
        value - the value to normalize
        Returns:
        a string with spaces and semi-colons removed
      • processRequestParameter

        public XSSRequestParameterProcessingResponse processRequestParameter​(String originalParameterName,
                                                                             @Nullable
                                                                             String[] originalParameterValues,
                                                                             @Nullable
                                                                             javax.servlet.http.HttpServletRequest request)
        Process a given request parameter and its values. This will respond with an XSSRequestParameterProcessingResponse containing the results of XSS validation or sanitization. The parameter name and values will either be validated _or_ sanitized.
        Parameters:
        originalParameterName - the original request parameter name to sanitize/validate
        originalParameterValues - the original request parameter values to sanitize/validate
        request - the request that the parameter was given with
        Returns:
an XSSRequestParameterProcessingResponse containing the processed values and whether a violation occurred. XSSRequestParameterProcessingResponse.getSanitizedParameterName() is expected to be set either when sanitization is requested or when validation fails (so the invalid parameter name can be reported safely)
      • shouldValidateParameter

        protected boolean shouldValidateParameter​(@Nullable
                                                  String parameterName,
                                                  @Nullable
                                                  javax.servlet.http.HttpServletRequest request)
        Whether the name/value for the provided request parameter should be validated against XSS
        Parameters:
        parameterName - the name of the parameter to validate
        request - the request that the parameter was given with
        Returns:
        whether the parameter should be validated
      • shouldSanitizeParameter

        protected boolean shouldSanitizeParameter​(@Nullable
                                                  String parameterName,
                                                  @Nullable
                                                  javax.servlet.http.HttpServletRequest request)
        Whether the name/value for the provided request parameter should be sanitized for XSS. A parameter can only be sanitized if validation is not required.
        Parameters:
        parameterName - the name of the parameter to sanitize
        request - the request that the parameter was given with
        Returns:
        whether the value should be sanitized
      • doValidate

        protected boolean doValidate​(@Nullable
                                     String[] values)
        Similar to doValidate(String) but for an array of values.
        Parameters:
        values - the array of values to validate against XSS
        Returns:
        true if all values were valid (or the array was null/empty), false otherwise
      • doSanitize

        @Nullable
        protected String[] doSanitize​(@Nullable
                                      String[] values)
        Similar to doSanitize(String) but for an array of values.
        Parameters:
        values - the array of values to sanitize against XSS
        Returns:
        an array of sanitized values
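The following is an added, stand-alone illustration of the validate-or-sanitize flow described for processField/processValue (and the single-value doValidate/doSanitize/normalize helpers) as well as for processRequestParameter and its array overloads. It is not code from this project: it is built directly on the OWASP Java HTML Sanitizer (Java 17+), and the field routing, the two result records and the decode-and-compare baseline are assumptions made for the example; the project's XSSConfigurationProperties and its baseline policy are not reproduced.

```java
// Added example, not the project's own code. Models "validate OR sanitize" on top of
// the OWASP Java HTML Sanitizer. Routing, result records and the decode-and-compare
// baseline are illustrative assumptions.
import java.util.Arrays;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class XssCheckExample {

    /** Same shape as XSSProcessingResponse (assumed). */
    public record FieldResult(String processedValue, boolean violation) {}

    /** Same shape as XSSRequestParameterProcessingResponse (assumed). */
    public record ParameterResult(String sanitizedName, String[] processedValues, boolean violation) {}

    // Configured policy: inline formatting elements only, no attributes, no links.
    private static final PolicyFactory POLICY = Sanitizers.FORMATTING;

    // Hypothetical routing: identity-like fields are validated (any markup is a
    // violation); every other field is sanitized. A field is never both.
    private static final Set<String> VALIDATE_FIELDS = Set.of("username", "email");

    private static final Pattern ENTITY =
        Pattern.compile("&(#[xX][0-9a-fA-F]+|#[0-9]+|amp|lt|gt|quot|apos);");

    static boolean shouldValidate(String fieldName) {
        return fieldName != null && VALIDATE_FIELDS.contains(fieldName);
    }

    static boolean shouldSanitize(String fieldName) {
        return !shouldValidate(fieldName); // sanitize only when validation is not required
    }

    /** Sanitize with the configured policy; null stays null. */
    static String doSanitize(String value) {
        return value == null ? null : POLICY.sanitize(value);
    }

    static String[] doSanitize(String[] values) {
        return values == null ? null
            : Arrays.stream(values).map(XssCheckExample::doSanitize).toArray(String[]::new);
    }

    /**
     * Valid when the configured policy leaves the value unchanged. The sanitizer always
     * entity-encodes text ("&" becomes "&amp;"), so its output is decoded back to text
     * and both sides are normalized before comparing; a raw equals() would flag benign input.
     */
    static boolean doValidate(String value) {
        if (value == null) return true;
        return normalize(decodeEntities(POLICY.sanitize(value))).equals(normalize(value));
    }

    static boolean doValidate(String[] values) {
        return values == null || Arrays.stream(values).allMatch(XssCheckExample::doValidate);
    }

    /** Strip whitespace and semicolons, as the page's normalize step does. */
    static String normalize(String value) {
        return value.replaceAll("[\\s;]", "");
    }

    /** Decode the numeric and named entities the sanitizer emits in text nodes. */
    static String decodeEntities(String html) {
        Matcher m = ENTITY.matcher(html);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String e = m.group(1);
            String rep;
            if (e.startsWith("#x") || e.startsWith("#X")) {
                rep = new String(Character.toChars(Integer.parseInt(e.substring(2), 16)));
            } else if (e.startsWith("#")) {
                rep = new String(Character.toChars(Integer.parseInt(e.substring(1))));
            } else {
                rep = switch (e) { case "amp" -> "&"; case "lt" -> "<"; case "gt" -> ">";
                                   case "quot" -> "\""; default -> "'"; };
            }
            m.appendReplacement(out, Matcher.quoteReplacement(rep));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static FieldResult processField(String fieldName, String value) {
        boolean changed = !doValidate(value); // true whenever the policy would alter the value
        if (shouldValidate(fieldName)) {
            // Validate mode: keep the original when it passes; on failure hand back the
            // sanitized form so the caller can report it without re-injecting it (assumed).
            return new FieldResult(changed ? doSanitize(value) : value, changed);
        }
        return new FieldResult(doSanitize(value), changed);
    }

    public static ParameterResult processParameter(String name, String[] values) {
        boolean changed = !(doValidate(name) && doValidate(values));
        if (shouldValidate(name)) {
            // Sanitized name is only populated when validation fails, for safe reporting.
            return new ParameterResult(changed ? doSanitize(name) : null, values, changed);
        }
        return new ParameterResult(doSanitize(name), doSanitize(values), changed);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String[][] samples = {
            {"comment",  "Tom & Jerry"},                        // benign text, encoding only
            {"comment",  "<b>bold</b>"},                        // allowed markup, unchanged
            {"comment",  "<b onmouseover=\"alert(1)\">x</b>"}, // attribute stripped: violation
            {"username", "<img src=x onerror=alert(1)>"},       // validate mode: rejected
            {"username", "alice"},                              // validate mode: passes
        };
        for (String[] s : samples) {
            FieldResult r = processField(s[0], s[1]);
            System.out.printf("%-9s %-36s violation=%-5b value=%s%n",
                              s[0], s[1], r.violation(), r.processedValue());
        }
        ParameterResult p = processParameter("q", new String[] {"hello", "<script>alert(1)</script>"});
        System.out.println("q: violation=" + p.violation()
                           + " values=" + Arrays.toString(p.processedValues()));
    }
}
```

Two caveats for anyone adapting this. First, the comparison-based validation only works when the policy's output for benign input is textually stable: the OWASP sanitizer lowercases element names and policies such as Sanitizers.LINKS rewrite attributes (for example adding rel="nofollow"), so a validate-mode policy that allows attributes will report harmless input as a violation unless normalize() also folds those rewrites. Second, the "validated OR sanitized" split means a field routed to validation is never cleaned in place; the violation flag, not the returned value, is what the caller must act on.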
      • getPolicy

        protected org.owasp.html.PolicyFactory getPolicy()