xss robustness
shopizer-ecommerce committed Dec 24, 2020
1 parent b46f134 commit 197f8c7
Showing 6 changed files with 18 additions and 47 deletions.
Binary file modified sm-shop/SALESMANAGER.h2.db
Binary file not shown.
Binary file modified sm-shop/files/store/DownlaodRepository.dat
Binary file not shown.
Expand Up @@ -78,7 +78,7 @@ public TilesViewResolver tilesViewResolver() {
}


/* @Bean
@Bean
public FilterRegistrationBean<XssFilter> croseSiteFilter(){
FilterRegistrationBean<XssFilter> registrationBean
= new FilterRegistrationBean<>();
Expand All @@ -87,7 +87,7 @@ public FilterRegistrationBean<XssFilter> croseSiteFilter(){
registrationBean.addUrlPatterns("/*");

return registrationBean;
}*/
}

@Override
public void configureMessageConverters(List<HttpMessageConverter<?>> converters) {
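Review bot: `croseSiteFilter` now registers XssFilter through a FilterRegistrationBean while the same commit also annotates XssFilter with `@Component` and `@Order(0)` (the XssFilter.java section), so the filter's registration and its ordering are declared in two places. As far as I recall, Spring Boot skips auto-registering a Filter bean only when a registration bean refers to that same bean instance; the line that calls `setFilter` sits between the two hunks and is outside SOURCE, so if it does `new XssFilter()` the request could end up wrapped twice. I would keep one mechanism, for example let the method take the bean, `public FilterRegistrationBean<XssFilter> croseSiteFilter(XssFilter xssFilter)`, and pass that instance to `setFilter`, or drop the `@Component` and construct the filter only here. The method name reads like a typo of crossSiteFilter, and a one-line Javadoc such as `/** Installs the XSS input-sanitizing request wrapper on every path. */` would say what the bean is for.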
43 changes: 5 additions & 38 deletions sm-shop/src/main/java/com/salesmanager/shop/filter/XssFilter.java
Expand Up @@ -16,8 +16,8 @@
import org.springframework.stereotype.Component;


//@Component
//@Order(5) //after other defined filters
@Component
@Order(0)
public class XssFilter implements Filter {

/**
Expand All @@ -30,49 +30,16 @@ public void init(FilterConfig filterConfig) throws ServletException {
LOGGER.debug("(XssFilter) initialize");
}

/* @Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
XssHttpServletRequestWrapper xssRequest =
new XssHttpServletRequestWrapper((HttpServletRequest) request);
chain.doFilter(xssRequest, response);
}*/


/* protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain filterChain) throws ServletException, IOException {
filterChain.doFilter(new XssHttpServletRequestWrapper(request) {
}, new HttpServletResponseWrapper(response));
}*/

@Override
public void doFilter(ServletRequest srequest, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {

/* HttpServletRequest request = (HttpServletRequest) srequest;
//final String realIp = request.getHeader(X_FORWARDED_FOR);
HttpServletRequest request = (HttpServletRequest) srequest;
filterChain.doFilter(new XssHttpServletRequestWrapper(request) {}, response);

//if (realIp != null) {
filterChain.doFilter(new XssHttpServletRequestWrapper(request) {
*//**
public String getRemoteAddr() {
return realIp;
}
public String getRemoteHost() {
return realIp;
}
**//*
}, response);
return;
//}
}

*/

}

@Override
public void destroy() {
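Review bot: The re-enabled `doFilter` wraps the request in an anonymous subclass, `new XssHttpServletRequestWrapper(request) {}`, which adds nothing over the plain constructor call and produces an extra class; the commented-out `doFilter`/`doFilterInternal` variants above it and the `realIp`/`getRemoteAddr` experiment below it should be deleted rather than kept, since the history already holds them. The method body would then be two lines, `HttpServletRequest request = (HttpServletRequest) srequest;` and `filterChain.doFilter(new XssHttpServletRequestWrapper(request), response);`. The class Javadoc should also state the filter's limits: the unconditional cast assumes an HTTP container, the filter only sanitizes the accessors that `XssHttpServletRequestWrapper` overrides, and it is a defense-in-depth layer that does not replace output encoding in the views. The class continues past the hunk (`destroy` and the closing brace are outside it).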
@@ -1,5 +1,7 @@
package com.salesmanager.shop.filter;

import java.util.Enumeration;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

Expand All @@ -13,18 +15,17 @@
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {

public XssHttpServletRequestWrapper(HttpServletRequest request) {
super(request);
super(request);

}



@Override
public String getHeader(String name) {
//logger.info("Ineader .. parameter .......");
String value = super.getHeader(name);
if (value == null)
return null;
//logger.info("Ineader RequestWrapper ........... value ....");
return cleanXSS(value);
}

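Review bot: Only `getHeader` is visibly sanitized in this section; `getHeaders(String)`, `getHeaderNames`, `getParameter`, `getParameterValues`, `getParameterMap` and `getQueryString` do not appear in the hunk, and the new `import java.util.Enumeration;` hints that a multi-valued override lives below the visible lines. Any accessor left un-overridden hands callers the raw value while the filter appears to cover it, so the class Javadoc should list exactly which accessors pass through `cleanXSS`, e.g. `/** Wrapper that runs cleanXSS over every value returned by the overridden accessors listed below; other accessors return the raw request data. */`. The added blank line in the constructor and the removed `//logger.info` comments are fine. The remainder of the class, including `cleanXSS` itself, is outside the hunk, so what the sanitizer actually strips cannot be confirmed here.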
Expand Up @@ -23,6 +23,7 @@
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.util.HtmlUtils;

import com.salesmanager.core.business.services.catalog.category.CategoryService;
import com.salesmanager.core.business.services.catalog.product.PricingService;
Expand Down Expand Up @@ -112,9 +113,7 @@ public class ShoppingCategoryController {
*/
@RequestMapping("/shop/category/{friendlyUrl}.html/ref={ref}")
public String displayCategoryWithReference(@PathVariable final String friendlyUrl, @PathVariable final String ref, Model model, HttpServletRequest request, HttpServletResponse response, Locale locale) throws Exception {




return this.displayCategory(friendlyUrl,ref,model,request,response,locale);
}

Expand All @@ -141,7 +140,11 @@ private String displayCategory(final String friendlyUrl, final String ref, Model
MerchantStore store = (MerchantStore)request.getAttribute(Constants.MERCHANT_STORE);

//set ref as request attribute
request.setAttribute("ref", ref);
String encoded = HtmlUtils.htmlEscape(ref);
if(!encoded.equals(ref)) {//possible xss
throw new Exception("Wrong input");
}
request.setAttribute("ref", encoded);

//get category
Category category = categoryService.getBySeUrl(store, friendlyUrl);
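Review bot: The new check in `displayCategory` rejects `ref` by throwing a bare `new Exception("Wrong input")`, which a Spring MVC controller surfaces as a 500 unless some handler maps it, so a request whose `ref` contains a harmless `&` or quote (characters `HtmlUtils.htmlEscape` rewrites alongside `<` and `>`) produces a server error instead of a client error. Throwing `IllegalArgumentException`, or returning whatever error view the controller already uses if it has one, keeps the rejection explicit without reporting it as a failure, e.g. `throw new IllegalArgumentException("ref contains characters that are not allowed");`. Storing `encoded` as the attribute changes nothing on the success path because it equals `ref` there, so the `//possible xss` comment should say the escaped copy is only a probe; `friendlyUrl`, the other path variable, gets no equivalent check in this hunk, and escaping `ref` where the view renders it remains the primary control. `displayCategory` begins at the hunk header and continues past the hunk.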

