Added HTML escaping to help with XSS. Added frame busting to help with XFS. Added a method override filter so that only GETs and POSTs are accepted. Disabled autocomplete for password fields. Added the ability for a customer to set their HPKP headers.
1 parent
f0700bb
commit f64b10d
Showing
15 changed files
with
167 additions
and
12 deletions.
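--- a/src/main/java/com/unboundid/webapp/ssam/HTTPHeaderFilter.java
+++ b/src/main/java/com/unboundid/webapp/ssam/HTTPHeaderFilter.java
@@ -0,0 +1,44 @@
+/*
+* Copyright 2014-2017 Ping Identity Corporation
+* All Rights Reserved.
+*/
+
+package com.unboundid.webapp.ssam;
+
+import org.springframework.stereotype.Component;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.FilterChain;
+import javax.servlet.http.HttpServletResponse;
+
+@Component
+public class HTTPHeaderFilter implements javax.servlet.Filter {
+public FilterConfig filterConfig;
+
+public void doFilter(final ServletRequest request,
+final ServletResponse response, FilterChain chain)
+throws java.io.IOException, javax.servlet.ServletException {
+
+HttpServletResponse res = (HttpServletResponse) response;
+
+// Set this variable to the sha256 pin of your public key
+// This value can be generated using the "openssl" command line tool
+// https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
+String pinSha256 = "";
+
+if(pinSha256.length() > 0)
+{
+res.setHeader("Public-Key-Pins", "max-age=518400; " +
+"pin-sha256=\"" + pinSha256 + "\"; " +
+"includeSubDomains");
+}
+
+chain.doFilter(request, response);
+}
+
+public void init(final FilterConfig filterConfig) { this.filterConfig = filterConfig; }
+
+public void destroy() {}
+
+}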
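Review bot: The pin is a compile-time constant (`String pinSha256 = "";`), so the "customer can set their HPKP headers" capability in the commit title actually requires editing and rebuilding the source, while the `filterConfig` that `init` stores is never read; the natural fix is to take the pin from an init parameter, e.g. `String pinSha256 = filterConfig.getInitParameter("pinSha256");` guarded by a null/blank check, and to make the field `private`. As written the header carries a single `pin-sha256` plus `includeSubDomains`; RFC 7469 requires at least one backup pin for a user agent to honour the header, and a lone pin with `includeSubDomains` would lock users out of every subdomain on a key rotation, so the comment above the constant should say that a second (backup) pin is mandatory and that major browsers have since dropped HPKP support. Separately, nothing here sets `X-Frame-Options` or a CSP `frame-ancestors` directive even though the commit describes frame busting; the header is the robust defence and belongs in this filter, e.g. `res.setHeader("X-Frame-Options", "DENY");` before `chain.doFilter`.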
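--- a/src/main/java/com/unboundid/webapp/ssam/HTTPRequestParameterFilter.java
+++ b/src/main/java/com/unboundid/webapp/ssam/HTTPRequestParameterFilter.java
@@ -0,0 +1,35 @@
+/*
+* Copyright 2014-2017 Ping Identity Corporation
+* All Rights Reserved.
+*/
+
+package com.unboundid.webapp.ssam;
+
+import org.springframework.stereotype.Component;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.FilterChain;
+import javax.servlet.http.HttpServletRequest;
+
+@Component
+public class HTTPRequestParameterFilter implements javax.servlet.Filter {
+public FilterConfig filterConfig;
+
+public void doFilter(final ServletRequest request,
+final ServletResponse response, FilterChain chain)
+throws java.io.IOException, javax.servlet.ServletException {
+
+String curMethod = ((HttpServletRequest) request).getMethod();
+//only allow for GET and POST requests.
+if (curMethod.equalsIgnoreCase("get") || curMethod.equalsIgnoreCase("post"))
+{
+chain.doFilter(request, response);
+}
+}
+
+public void init(final FilterConfig filterConfig) {
+this.filterConfig = filterConfig;
+}
+public void destroy() {}
+}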
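Review bot: When the method is neither GET nor POST the `if` in `doFilter` simply falls through without invoking the chain or writing anything, so the client gets an empty body with whatever default status the container assigns rather than an explicit refusal, and the rejection leaves no clear trace in access logs. Reject explicitly with `else { ((HttpServletResponse) response).sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); }` and add the `javax.servlet.http.HttpServletResponse` import. This also blocks HEAD and OPTIONS, which can affect load-balancer health checks and CORS preflight, so the intent should be stated in the comment, e.g. `// Reject every verb except GET and POST (HEAD/OPTIONS included) so unexpected methods never reach the controllers.` The `filterConfig` field is public and never read after `init`; make it `private`.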
| @@ -0,0 +1,26 @@ | ||
| // frame busting | ||
| function buster(document_in, top_in) { | ||
| if (self === top_in) { | ||
| document_in.documentElement.style.display = "block"; | ||
| } else { | ||
| top_in.location = self.location; | ||
| } | ||
| } | ||
|
|
||
| // html escaping for potentially unsafe jQuery methods such as ".append()" | ||
| var entityMap = { | ||
| '&': '&', | ||
| '<': '<', | ||
| '>': '>', | ||
| '"': '"', | ||
| "'": ''', | ||
| '/': '/', | ||
| '`': '`', | ||
| '=': '=' | ||
| }; | ||
|
|
||
| function escapeHtml (string) { | ||
| return String(string).replace(/[&<>"'`=\/]/g, function (s) { | ||
| return entityMap[s]; | ||
| }); | ||
| } |
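Review bot: As rendered here every value in `entityMap` equals its key (`'&': '&'`, `'<': '<'`, ...), which would make `escapeHtml` a no-op; this is most likely the page decoding the entity strings at display time, but it is worth confirming that the committed file contains `'&amp;'`, `'&lt;'`, `'&gt;'`, `'&quot;'` and the numeric forms for `'`, `/`, `` ` `` and `=` rather than the literal characters. `buster` is only as strong as any script-based frame check, which is known to be bypassable by a framing page, so it should be treated as defence in depth and paired with a server-sent `X-Frame-Options` or CSP `frame-ancestors` header; the hunk does not show where `buster` is invoked, and it presumably relies on the document being hidden by default so that `display = "block"` reveals it only when not framed. A comment on `escapeHtml` should also state its scope, e.g. `// Safe for HTML text and double-quoted attribute values only; not for URLs, inline script or CSS contexts.`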