1   /**
2    * Copyright 2011-2013 The Kuali Foundation Licensed under the
3    * Educational Community License, Version 2.0 (the "License"); you may
4    * not use this file except in compliance with the License. You may
5    * obtain a copy of the License at
6    *
7    * http://www.osedu.org/licenses/ECL-2.0
8    *
9    * Unless required by applicable law or agreed to in writing,
10   * software distributed under the License is distributed on an "AS IS"
11   * BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
12   * or implied. See the License for the specific language governing
13   * permissions and limitations under the License.
14   */
15  
16  package org.kuali.mobility.shared.interceptors;
17  
18  import org.kuali.mobility.shared.XSSAttackRemoverConstants;
19  import org.slf4j.Logger;
20  import org.slf4j.LoggerFactory;
21  import org.springframework.web.servlet.HandlerInterceptor;
22  import org.springframework.web.servlet.ModelAndView;
23  
24  import javax.servlet.http.HttpServletRequest;
25  import javax.servlet.http.HttpServletResponse;
26  import java.util.Enumeration;
27  import java.util.regex.Pattern;
28  
29  
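/**
 * Spring {@link HandlerInterceptor} that copies a small, fixed set of request
 * parameters into the HTTP session after stripping script-like content from them.
 *
 * <p>Only the parameters named by {@link XSSAttackRemoverConstants} are handled;
 * every other request parameter is left untouched. Request processing always
 * continues ({@link #preHandle} returns {@code true}) even when a value was altered.
 *
 * <p>The stripping done by {@link #removeXSSAttack(String)} is a denylist of known
 * fragments, applied repeatedly until the value stops changing. A denylist can only
 * reduce risk: the views that later render these session attributes still have to
 * encode them for their output context (HTML body, attribute, JavaScript, URL).
 *
 * @author Kuali Mobility Team (mobility.collab@kuali.org)
 */
public class XSSAttackRemoverInterceptor implements HandlerInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger( XSSAttackRemoverInterceptor.class );

    /**
     * Pairs of {request parameter name constant, session attribute name}.
     * The first entry is matched case-insensitively against incoming parameter
     * names; the second is the key under which the cleaned value is stored and
     * must stay exactly as written because other code reads it from the session.
     * NOTE(review): assumes each constant equals its session key up to case --
     * confirm against XSSAttackRemoverConstants.
     */
    private static final String[][] PARAM_TO_SESSION_ATTRIBUTE = {
        { XSSAttackRemoverConstants.KME_EVENT_CATEGORY_ID, "categoryId" },
        { XSSAttackRemoverConstants.KME_CAMPUS, "campus" },
        { XSSAttackRemoverConstants.KME_EVENT_ID, "eventId" },
        { XSSAttackRemoverConstants.KME_DINING_NAME, "name" },
        { XSSAttackRemoverConstants.KME_DINING_LOCATION, "location" },
    };

    /**
     * Patterns whose matches are deleted from a value, in application order.
     * Compiled once: {@link Pattern} is immutable and thread-safe, so there is
     * no reason to recompile every pattern on every request.
     */
    private static final Pattern[] XSS_PATTERNS = {
        // Anything between <script> and </script>. No DOTALL here, so a tag pair
        // spanning a line break is only caught by the two "lonesome tag" patterns below.
        Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE),
        // src='...' and src="..." expressions, line breaks allowed around '='.
        Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // Lonesome closing and opening script tags.
        Pattern.compile("</script>", Pattern.CASE_INSENSITIVE),
        Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // eval(...) and expression(...) calls.
        Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
        // javascript: and vbscript: URL schemes.
        Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
        Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
        // onload= handlers. This is broad: it deletes from any "onload" substring up
        // to the following '=', attribute or not. Kept as-is because callers may
        // already depend on the existing output.
        Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
    };

    /**
     * Stores a cleaned copy of each recognized request parameter in the session.
     *
     * <p>Parameter names are compared case-insensitively with the configured
     * constants, and the value is read back under the name the request actually
     * used. Reading it under the fixed literal instead would miss a differently
     * cased parameter (servlet parameter names are case-sensitive) and store
     * {@code null}.
     *
     * @return always {@code true}; the interceptor never blocks the request
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        Enumeration<?> paramNames = request.getParameterNames();
        while (paramNames.hasMoreElements()) {
            String paramName = (String) paramNames.nextElement();
            for (String[] mapping : PARAM_TO_SESSION_ATTRIBUTE) {
                if (mapping[0].equalsIgnoreCase(paramName)) {
                    String raw = request.getParameter(paramName);
                    String cleaned = removeXSSAttack(raw);
                    if (raw != null && !raw.equals(cleaned)) {
                        // Name only: the rejected value itself is never written to the log.
                        LOG.debug("Removed script-like content from request parameter {}", paramName);
                    }
                    request.getSession().setAttribute(mapping[1], cleaned);
                }
            }
        }
        return true;
    }

    /** Nothing to do after the handler runs; all work happens in {@link #preHandle}. */
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {}

    /** Nothing to clean up after request completion. */
    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {}

    /**
     * Removes known script-like fragments (NUL characters, script tags, src=/eval/
     * expression constructs, javascript:/vbscript: schemes, onload= handlers)
     * from a user-supplied value.
     *
     * <p>The pattern set is applied repeatedly until a pass changes nothing, so a
     * fragment that only appears once an earlier match has been deleted is removed
     * as well. Every pattern contains literal characters, so each match is
     * non-empty and each extra pass strictly shortens the value; the loop terminates.
     *
     * @param value raw parameter value, may be {@code null}
     * @return the cleaned value, or {@code null} when {@code value} is {@code null}
     */
    private String removeXSSAttack(String value) {
        if (value == null) {
            return null;
        }
        String current = value;
        String previous;
        do {
            previous = current;
            current = stripOnce(previous);
        } while (!current.equals(previous));
        return current;
    }

    /** One pass over the value: drops NUL characters, then every pattern match in order. */
    private static String stripOnce(String value) {
        // NUL characters. The previous code used an empty regex here, which matched
        // only empty strings and therefore removed nothing.
        String result = value.replace("\0", "");
        for (Pattern pattern : XSS_PATTERNS) {
            result = pattern.matcher(result).replaceAll("");
        }
        return result;
    }
}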