Package com.broadleafcommerce.resource.security.xss.service

Class XSSRequestService

java.lang.Object
com.broadleafcommerce.resource.security.xss.service.XSSRequestService
public class XSSRequestService extends Object
Responsible for handling input streams from XSSRequestWrappers and passing them through XSS validation / sanitization
Author:
Jon Fleschler (jfleschler)
See Also:

  • Constructor Details

  • Method Details

    • processInputStream

      public jakarta.servlet.ServletInputStream processInputStream(jakarta.servlet.ServletInputStream inputStream, @Nullable jakarta.servlet.http.HttpServletRequest request) throws com.fasterxml.jackson.core.JsonProcessingException
      Responsible for processing the provided input stream to check for any XSS violations. Depending on the supplied properties, this method will either perform validation and throw an error, or sanitize the input.
      Parameters:
      inputStream - the input stream to process
      request - the the current request that this payload belongs to
      Returns:
      a processed input stream free of XSS violations
      Throws:
      com.fasterxml.jackson.core.JsonProcessingException - if the message body is malformed
      com.broadleafcommerce.common.error.validation.ValidationException - if any fields are determined to have XSS violations

    • convertMessageBodyToMap

      protected Optional<Map<String,Object>> convertMessageBodyToMap(String body)
      Converts the provided string to a Map.
      Parameters:
      body - the message body associated with this request
      Returns:
      an Object representation of the message body

    • convertMessageBodyToList

      protected Optional<List<Object>> convertMessageBodyToList(String body)
      Converts the provided string to a List.
      Parameters:
      body - the message body associated with this request
      Returns:
      an Object representation of the message body

    • processDeserializedBody

      protected Object processDeserializedBody(Object body, @Nullable jakarta.servlet.http.HttpServletRequest request) throws com.fasterxml.jackson.core.JsonProcessingException
      Processes the deserialized body.
      Parameters:
      body - the deserialized body
      request - the http request, if present
      Returns:
      the processed, deserialized body
      Throws:
      com.fasterxml.jackson.core.JsonProcessingException - if unable to process json

    • buildAndThrowError

      protected void buildAndThrowError(Object messageBody, @Nullable List<String> fieldViolations)
      Responsible for building and throwing an error message containing the list of fields with XSS violations.
      Parameters:
      messageBody - the message body from the request
      fieldViolations - a list of fields with field violations

    • buildErrorMessage

      protected String buildErrorMessage(@Nullable List<String> fieldViolations)
      Responsible for building the error message string
      Parameters:
      fieldViolations - a list of any field names found to be in violation
      Returns:
      an error message for the request

    • recurseAndProcessFields

      protected Object recurseAndProcessFields(@Nullable String fieldName, Object fieldValue, List<String> fieldViolations, @Nullable jakarta.servlet.http.HttpServletRequest request)
      Responsible for recursively processing the passed in field information. Any fields with XSS violations discovered will be added to the fieldViolations list.
      Parameters:
      fieldName - the name of the field being processed
      fieldValue - a generic Object of the value of the field
      fieldViolations - a list of field names found to have XSS violations
      request - the current request that this payload belongs to
      Returns:
      the processed field

    • buildServletInputStream

      protected jakarta.servlet.ServletInputStream buildServletInputStream(Object messageBody) throws com.fasterxml.jackson.core.JsonProcessingException
      Responsible for wrapping the processed input stream in a new ServletInputStream.
      Parameters:
      messageBody - the processed message body
      Returns:
      a ServletInputStream containing the processed message body
      Throws:
      com.fasterxml.jackson.core.JsonProcessingException - in the event the message body cannot be converted to a string

    • getMessageBodyAsString

      protected String getMessageBodyAsString(InputStream inputStream)
      Responsible for converting a provided InputStream to a string
      Parameters:
      inputStream - the input stream to convert
      Returns:
      the string value of the input stream

    • processRequestParameters

      public Map<String,String[]> processRequestParameters(jakarta.servlet.http.HttpServletRequest request)
      Responsible for processing the provided request's parameters/values to check for any XSS violations. Depending on the supplied properties, this method will either perform validation and throw an error, or sanitize the input, or return the original values.
      Parameters:
      request - the request whose parameters need to be processed
      Returns:
      a processed parameter map (matching ServletRequest.getParameterMap()) free of XSS violations
      Throws:
      XSSRequestParameterValidationException - if validation is enabled and any parameter names/values are determined to have XSS violations

    • handleRequestParameterValidationFailure

      protected void handleRequestParameterValidationFailure(List<String> sanitizedParameterNamesFailingValidation)
      The default behavior of this method is to throw an XSSRequestParameterValidationException with an error message that lists the parameters which failed validation.
      Parameters:
      sanitizedParameterNamesFailingValidation - a list of parameter names that failed validation (either due to their name or due to their values). This list is guaranteed to be non-empty and contain only sanitized names for safety.
      Throws:
      XSSRequestParameterValidationException - to report the error

    • getProcessingService

      protected XSSRequestProcessingService getProcessingService()

    • getProperties

      protected XSSConfigurationProperties getProperties()