Class XSSRequestService

    • Method Detail

      • processInputStream

        public javax.servlet.ServletInputStream processInputStream​(javax.servlet.ServletInputStream inputStream,
                                                                   @Nullable
                                                                   javax.servlet.http.HttpServletRequest request)
                                                            throws com.fasterxml.jackson.core.JsonProcessingException
        Responsible for processing the provided input stream to check for any XSS violations. Depending on the supplied properties, this method will either perform validation and throw an error, or sanitize the input.
        Parameters:
        inputStream - the input stream to process
request - the current request that this payload belongs to
        Returns:
        a processed input stream free of XSS violations
        Throws:
        com.fasterxml.jackson.core.JsonProcessingException - if the message body is malformed
        com.broadleafcommerce.common.error.validation.ValidationException - if any fields are determined to have XSS violations
      • convertMessageBodyToMap

        protected Optional<Map<String,​Object>> convertMessageBodyToMap​(String body)
        Converts the provided string to a Map.
        Parameters:
        body - the message body associated with this request
        Returns:
        an Object representation of the message body
      • convertMessageBodyToList

        protected Optional<List<Object>> convertMessageBodyToList​(String body)
        Converts the provided string to a List.
        Parameters:
        body - the message body associated with this request
        Returns:
        an Object representation of the message body
      • processDeserializedBody

        protected Object processDeserializedBody​(Object body,
                                                 @Nullable
                                                 javax.servlet.http.HttpServletRequest request)
                                          throws com.fasterxml.jackson.core.JsonProcessingException
        Processes the deserialized body.
        Parameters:
        body - the deserialized body
        request - the http request, if present
        Returns:
        the processed, deserialized body
        Throws:
        com.fasterxml.jackson.core.JsonProcessingException - if unable to process json
      • buildAndThrowError

        protected void buildAndThrowError​(Object messageBody,
                                          @Nullable
                                          List<String> fieldViolations)
        Responsible for building and throwing an error message containing the list of fields with XSS violations.
        Parameters:
        messageBody - the message body from the request
        fieldViolations - a list of fields with field violations
      • buildErrorMessage

        protected String buildErrorMessage​(@Nullable
                                           List<String> fieldViolations)
Responsible for building the error message string.
        Parameters:
        fieldViolations - a list of any field names found to be in violation
        Returns:
        an error message for the request
      • recurseAndProcessFields

        protected Object recurseAndProcessFields​(@Nullable
                                                 String fieldName,
                                                 Object fieldValue,
                                                 List<String> fieldViolations,
                                                 @Nullable
                                                 javax.servlet.http.HttpServletRequest request)
        Responsible for recursively processing the passed in field information. Any fields with XSS violations discovered will be added to the fieldViolations list.
        Parameters:
        fieldName - the name of the field being processed
        fieldValue - a generic Object of the value of the field
        fieldViolations - a list of field names found to have XSS violations
        request - the current request that this payload belongs to
        Returns:
        the processed field
      • buildServletInputStream

        protected javax.servlet.ServletInputStream buildServletInputStream​(Object messageBody)
                                                                    throws com.fasterxml.jackson.core.JsonProcessingException
        Responsible for wrapping the processed input stream in a new ServletInputStream.
        Parameters:
        messageBody - the processed message body
        Returns:
        a ServletInputStream containing the processed message body
        Throws:
        com.fasterxml.jackson.core.JsonProcessingException - in the event the message body cannot be converted to a string
      • getMessageBodyAsString

        protected String getMessageBodyAsString​(InputStream inputStream)
Responsible for converting a provided InputStream to a string.
        Parameters:
        inputStream - the input stream to convert
        Returns:
        the string value of the input stream
      • processRequestParameters

        public Map<String,​String[]> processRequestParameters​(javax.servlet.http.HttpServletRequest request)
        Responsible for processing the provided request's parameters/values to check for any XSS violations. Depending on the supplied properties, this method will either perform validation and throw an error, or sanitize the input, or return the original values.
        Parameters:
        request - the request whose parameters need to be processed
        Returns:
        a processed parameter map (matching ServletRequest.getParameterMap()) free of XSS violations
        Throws:
        XSSRequestParameterValidationException - if validation is enabled and any parameter names/values are determined to have XSS violations
      • handleRequestParameterValidationFailure

        protected void handleRequestParameterValidationFailure​(List<String> sanitizedParameterNamesFailingValidation)
        The default behavior of this method is to throw an XSSRequestParameterValidationException with an error message that lists the parameters which failed validation.
        Parameters:
        sanitizedParameterNamesFailingValidation - a list of parameter names that failed validation (either due to their name or due to their values). This list is guaranteed to be non-empty and contain only sanitized names for safety.
        Throws:
        XSSRequestParameterValidationException - to report the error
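As an added illustration of the flow that processInputStream/recurseAndProcessFields and processRequestParameters describe (this is not Broadleaf's code, and it is in Python rather than the service's Java, with the servlet and Jackson types replaced by plain strings, dicts and lists): the deserialized body is walked recursively, every leaf string is checked, and the service either raises with the violating field paths or returns a sanitized body; the parameter path checks names and values and reports only sanitized names. The detection regex and HTML escaping used here are assumptions of this example, not the project's rules.

```python
import json
import re
from html import escape

# Heuristic XSS detector; an assumption for this example, not Broadleaf's rule set.
SUSPECT = re.compile(r"<\s*/?\s*(script|iframe|img|svg)\b|javascript\s*:|\bon[a-z]+\s*=", re.I)

class ValidationException(Exception): pass  # stand-in for the body ValidationException
class XSSRequestParameterValidationException(Exception): pass  # stand-in for the parameter one

def has_xss(value: str) -> bool:
    return bool(SUSPECT.search(value))

def recurse_and_process_fields(field_name, field_value, field_violations, sanitize):
    """Mirrors recurseAndProcessFields: walk nested Maps/Lists, check leaf strings."""
    prefix = field_name or ""
    if isinstance(field_value, dict):
        return {k: recurse_and_process_fields(f"{prefix}.{k}" if prefix else k, v,
                                              field_violations, sanitize)
                for k, v in field_value.items()}
    if isinstance(field_value, list):
        return [recurse_and_process_fields(f"{prefix}[{i}]", v, field_violations, sanitize)
                for i, v in enumerate(field_value)]
    if isinstance(field_value, str) and has_xss(field_value):
        field_violations.append(prefix)  # record the path of every violating field
        return escape(field_value) if sanitize else field_value
    return field_value

def process_message_body(body: str, sanitize: bool) -> str:
    """Mirrors processInputStream: deserialize, process, then validate or sanitize."""
    deserialized = json.loads(body)  # malformed JSON raises here, like JsonProcessingException
    violations = []
    processed = recurse_and_process_fields(None, deserialized, violations, sanitize)
    if violations and not sanitize:
        raise ValidationException("XSS violations in fields: " + ", ".join(violations))
    return json.dumps(processed)

def process_request_parameters(params, sanitize):
    """Mirrors processRequestParameters: a bad name or any bad value flags the parameter."""
    failing, processed = [], {}
    for name, values in params.items():
        if has_xss(name) or any(has_xss(v) for v in values):
            failing.append(escape(name))  # only sanitized names are reported
        processed[escape(name) if sanitize else name] = (
            [escape(v) for v in values] if sanitize else list(values))
    if failing and not sanitize:
        raise XSSRequestParameterValidationException("Parameters failing XSS validation: " + ", ".join(failing))
    return processed
```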