Class XSSRequestService
- java.lang.Object
- com.broadleafcommerce.resource.security.xss.service.XSSRequestService

public class XSSRequestService extends Object
Responsible for handling input streams from XSSRequestWrappers and passing them through XSS validation / sanitization.
- Author:
- Jon Fleschler (jfleschler)
- See Also:
- XSSRequestProcessingService

Constructor Summary
- XSSRequestService(XSSRequestProcessingService processingService, XSSConfigurationProperties properties)

Method Summary
- protected void buildAndThrowError(Object messageBody, List<String> fieldViolations): Responsible for building and throwing an error message containing the list of fields with XSS violations.
- protected String buildErrorMessage(List<String> fieldViolations): Responsible for building the error message string.
- protected javax.servlet.ServletInputStream buildServletInputStream(Object messageBody): Responsible for wrapping the processed input stream in a new ServletInputStream.
- protected Optional<List<Object>> convertMessageBodyToList(String body): Converts the provided string to a List.
- protected Optional<Map<String,Object>> convertMessageBodyToMap(String body): Converts the provided string to a Map.
- protected String getMessageBodyAsString(InputStream inputStream): Responsible for converting a provided InputStream to a string.
- protected XSSRequestProcessingService getProcessingService()
- protected XSSConfigurationProperties getProperties()
- protected void handleRequestParameterValidationFailure(List<String> sanitizedParameterNamesFailingValidation): The default behavior of this method is to throw an XSSRequestParameterValidationException with an error message that lists the parameters which failed validation.
- protected Object processDeserializedBody(Object body, javax.servlet.http.HttpServletRequest request): Processes the deserialized body.
- javax.servlet.ServletInputStream processInputStream(javax.servlet.ServletInputStream inputStream, javax.servlet.http.HttpServletRequest request): Responsible for processing the provided input stream to check for any XSS violations.
- Map<String,String[]> processRequestParameters(javax.servlet.http.HttpServletRequest request): Responsible for processing the provided request's parameters/values to check for any XSS violations.
- protected Object recurseAndProcessFields(String fieldName, Object fieldValue, List<String> fieldViolations, javax.servlet.http.HttpServletRequest request): Responsible for recursively processing the passed in field information.

Constructor Detail
XSSRequestService
public XSSRequestService(XSSRequestProcessingService processingService, XSSConfigurationProperties properties)

Method Detail
processInputStream
public javax.servlet.ServletInputStream processInputStream(javax.servlet.ServletInputStream inputStream, @Nullable javax.servlet.http.HttpServletRequest request) throws com.fasterxml.jackson.core.JsonProcessingException
Responsible for processing the provided input stream to check for any XSS violations. Depending on the supplied properties, this method will either perform validation and throw an error, or sanitize the input.
- Parameters:
- inputStream - the input stream to process
- request - the current request that this payload belongs to
- Returns:
- a processed input stream free of XSS violations
- Throws:
- com.fasterxml.jackson.core.JsonProcessingException - if the message body is malformed
- com.broadleafcommerce.common.error.validation.ValidationException - if any fields are determined to have XSS violations

convertMessageBodyToMap
protected Optional<Map<String,Object>> convertMessageBodyToMap(String body)
Converts the provided string to a Map.
- Parameters:
- body - the message body associated with this request
- Returns:
- an Object representation of the message body

convertMessageBodyToList
protected Optional<List<Object>> convertMessageBodyToList(String body)
Converts the provided string to a List.
- Parameters:
- body - the message body associated with this request
- Returns:
- an Object representation of the message body

processDeserializedBody
protected Object processDeserializedBody(Object body, @Nullable javax.servlet.http.HttpServletRequest request) throws com.fasterxml.jackson.core.JsonProcessingException
Processes the deserialized body.
- Parameters:
- body - the deserialized body
- request - the http request, if present
- Returns:
- the processed, deserialized body
- Throws:
- com.fasterxml.jackson.core.JsonProcessingException - if unable to process json

buildAndThrowError
protected void buildAndThrowError(Object messageBody, @Nullable List<String> fieldViolations)
Responsible for building and throwing an error message containing the list of fields with XSS violations.
- Parameters:
- messageBody - the message body from the request
- fieldViolations - a list of fields with field violations

buildErrorMessage
protected String buildErrorMessage(@Nullable List<String> fieldViolations)
Responsible for building the error message string.
- Parameters:
- fieldViolations - a list of any field names found to be in violation
- Returns:
- an error message for the request

recurseAndProcessFields
protected Object recurseAndProcessFields(@Nullable String fieldName, Object fieldValue, List<String> fieldViolations, @Nullable javax.servlet.http.HttpServletRequest request)
Responsible for recursively processing the passed in field information. Any fields with XSS violations discovered will be added to the fieldViolations list.
- Parameters:
- fieldName - the name of the field being processed
- fieldValue - a generic Object of the value of the field
- fieldViolations - a list of field names found to have XSS violations
- request - the current request that this payload belongs to
- Returns:
- the processed field

buildServletInputStream
protected javax.servlet.ServletInputStream buildServletInputStream(Object messageBody) throws com.fasterxml.jackson.core.JsonProcessingException
Responsible for wrapping the processed input stream in a new ServletInputStream.
- Parameters:
- messageBody - the processed message body
- Returns:
- a ServletInputStream containing the processed message body
- Throws:
- com.fasterxml.jackson.core.JsonProcessingException - in the event the message body cannot be converted to a string

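The body-processing flow described for processInputStream, recurseAndProcessFields and buildServletInputStream, as an added stand-alone illustration that is not Broadleaf's own code: BodyXssWalker, hasViolation, sanitizer and validateOnly are hypothetical stand-ins for XSSRequestProcessingService and XSSConfigurationProperties, whose APIs are not shown on this page. It deserializes the body with Jackson, walks nested Maps and Lists while recording dotted field paths, and then either throws listing every offending field or returns the sanitized JSON that a ServletInputStream would wrap.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;
import java.util.function.UnaryOperator;

// Hypothetical stand-alone illustration of the validate-or-sanitize walk; not the Broadleaf class.
public class BodyXssWalker {
    private final ObjectMapper mapper = new ObjectMapper();
    private final Predicate<String> hasViolation;  // assumed stand-in for the processing service's check
    private final UnaryOperator<String> sanitizer; // assumed stand-in for the processing service's sanitizer
    private final boolean validateOnly;            // assumed stand-in for XSSConfigurationProperties
    public BodyXssWalker(Predicate<String> hasViolation, UnaryOperator<String> sanitizer, boolean validateOnly) {
        this.hasViolation = hasViolation; this.sanitizer = sanitizer; this.validateOnly = validateOnly;
    }

    /** Deserializes the JSON body, walks it, then either throws on violations or returns the sanitized body. */
    public String process(String body) throws JsonProcessingException {
        Object deserialized = mapper.readValue(body, Object.class); // Jackson yields a Map, List or scalar
        List<String> violations = new ArrayList<>();
        Object processed = recurse(null, deserialized, violations);
        if (validateOnly && !violations.isEmpty()) { // like buildAndThrowError: report every offending path
            throw new IllegalArgumentException("XSS violations in fields: " + String.join(", ", violations));
        }
        return mapper.writeValueAsString(processed); // what buildServletInputStream would wrap
    }

    @SuppressWarnings("unchecked")
    private Object recurse(String fieldName, Object value, List<String> violations) {
        if (value instanceof Map) {
            Map<String, Object> out = new LinkedHashMap<>();
            ((Map<String, Object>) value).forEach((k, v) ->
                out.put(k, recurse(fieldName == null ? k : fieldName + "." + k, v, violations)));
            return out;
        }
        if (value instanceof List) {
            List<Object> in = (List<Object>) value, out = new ArrayList<>();
            for (int i = 0; i < in.size(); i++) out.add(recurse(fieldName + "[" + i + "]", in.get(i), violations));
            return out;
        }
        if (value instanceof String && hasViolation.test((String) value)) {
            violations.add(fieldName); // record the path; keep the raw value only in validate mode
            return validateOnly ? value : sanitizer.apply((String) value);
        }
        return value; // numbers, booleans and nulls pass through untouched
    }
}
```

With validateOnly set to true, a body such as {"user":{"bio":"<script>"}} is rejected with the path user.bio in the message; with it false, the same body is returned with bio replaced by whatever the sanitizer produces.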
getMessageBodyAsString
protected String getMessageBodyAsString(InputStream inputStream)
Responsible for converting a provided InputStream to a string.
- Parameters:
- inputStream - the input stream to convert
- Returns:
- the string value of the input stream

processRequestParameters
public Map<String,String[]> processRequestParameters(javax.servlet.http.HttpServletRequest request)
Responsible for processing the provided request's parameters/values to check for any XSS violations. Depending on the supplied properties, this method will either perform validation and throw an error, or sanitize the input, or return the original values.
- Parameters:
- request - the request whose parameters need to be processed
- Returns:
- a processed parameter map (matching ServletRequest.getParameterMap()) free of XSS violations
- Throws:
- XSSRequestParameterValidationException - if validation is enabled and any parameter names/values are determined to have XSS violations

handleRequestParameterValidationFailure
protected void handleRequestParameterValidationFailure(List<String> sanitizedParameterNamesFailingValidation)
The default behavior of this method is to throw an XSSRequestParameterValidationException with an error message that lists the parameters which failed validation.
- Parameters:
- sanitizedParameterNamesFailingValidation - a list of parameter names that failed validation (either due to their name or due to their values). This list is guaranteed to be non-empty and to contain only sanitized names for safety.
- Throws:
- XSSRequestParameterValidationException - to report the error

getProcessingService
protected XSSRequestProcessingService getProcessingService()

getProperties
protected XSSConfigurationProperties getProperties()