Added sanitization filter for request sanitization

docker-compose.yml

@@ -1,16 +1,16 @@
-version: '3'
+version: "3"
 services:
   api:
     build:
       context: .
       dockerfile: Dockerfile.local
     ports:
-      - '8080:8080'
+      - "8080:8080"
     networks:
       - localdev
     volumes:
-      - './:/app'
-      - '~/.m2:/root/.m2'
+      - "./:/app"
+      - "~/.m2:/root/.m2"
     environment:
       - ENVIRONMENT=development
       - AWS_ACCESS_KEY_ID=local
@@ -27,12 +27,12 @@ services:
       context: .
       dockerfile: Dockerfile.local
     ports:
-      - '8080:8080'
+      - "8080:8080"
     networks:
       - localdev
     volumes:
-      - './:/app'
-      - '~/.m2:/root/.m2'      
+      - "./:/app"
+      - "~/.m2:/root/.m2"
     environment:
       - ENVIRONMENT=local-test
       - AWS_ACCESS_KEY_ID=local
@@ -47,14 +47,14 @@ services:
   memcached:
     image: memcached
     ports:
-      - '11211:11211'
+      - "11211:11211"
     networks:
       - localdev
-  
+
   localkms:
     image: nsmithuk/local-kms
     ports:
-      - '4599:8080'
+      - "4599:8080"
     volumes:
       - ./init:/init
     networks:
@@ -66,18 +66,18 @@ services:
       - KMS_ACCOUNT_ID='111122223333'
       - KMS_REGION='us-east-1'
       - KMS_SEED_PATH=init/seed.yaml
-  
+
   dynamodb:
     image: amazon/dynamodb-local:latest
     ports:
-      - '8000:8000'
+      - "8000:8000"
     networks:
       - localdev
     volumes:
-     - "./docker/dynamodb:/home/dynamodblocal/data"
+      - "./docker/dynamodb:/home/dynamodblocal/data"
     working_dir: /home/dynamodblocal
-    command: '-jar DynamoDBLocal.jar -sharedDb -dbPath ./data'
+    command: "-jar DynamoDBLocal.jar -sharedDb -dbPath ./data"
 
 networks:
   localdev:
-    driver: bridge
+    driver: bridge

pom.xml

@@ -163,6 +163,12 @@
 			<version>0.0.39</version>
 		</dependency>
 
+		<dependency>
+			<groupId>org.jsoup</groupId>
+			<artifactId>jsoup</artifactId>
+			<version>1.16.1</version>
+		</dependency>
+
  </dependencies>
 
 	<build>

repo-docs/LOCAL_SETUP.md

@@ -69,7 +69,7 @@ $ touch test.secrets.json
     "ERROR_MAIL_FROM": "",
     "ERROR_MAIL_TO": "",
     "COOKIE_DOMAIN": "",
-    "OPENAI_API_KEY: ""
+    "OPENAI_API_KEY": ""
 }
 ```
 

src/main/java/com/salessparrow/api/config/FilterConfig.java

@@ -5,6 +5,7 @@
 import org.springframework.context.annotation.Configuration;
 
 import com.salessparrow.api.filter.SameSiteCookieFilter;
+import com.salessparrow.api.filter.SanitizationFilter;
 
 @Configuration
 public class FilterConfig {
@@ -18,6 +19,20 @@ public FilterRegistrationBean<SameSiteCookieFilter> sameSiteCookieFilter() {
 		FilterRegistrationBean<SameSiteCookieFilter> registrationBean = new FilterRegistrationBean<>();
 		registrationBean.setFilter(new SameSiteCookieFilter());
 		registrationBean.addUrlPatterns("/*"); // or specific URL patterns
+		registrationBean.setOrder(1);
+		return registrationBean;
+	}
+
+	/**
+	 * Register SanitizationFilter
+	 * @return FilterRegistrationBean<SanitizationFilter>
+	 */
+	@Bean
+	public FilterRegistrationBean<SanitizationFilter> sanitizationFilter() {
+		FilterRegistrationBean<SanitizationFilter> registrationBean = new FilterRegistrationBean<>();
+		registrationBean.setFilter(new SanitizationFilter());
+		registrationBean.addUrlPatterns("/*");
+		registrationBean.setOrder(0);
 		return registrationBean;
 	}
 

src/main/java/com/salessparrow/api/config/InterceptorConfig.java

@@ -35,12 +35,16 @@ public InterceptorConfig(UserAuthInterceptor userAuthInterceptor, JsonOnlyInterc
 
 	@Override
 	public void addInterceptors(InterceptorRegistry registry) {
+		/* Add logger interceptor to all the routes */
 		registry.addInterceptor(loggerInterceptor).addPathPatterns("/**");
 
+		/* Add json only interceptor to all the routes */
 		registry.addInterceptor(jsonOnlyInterceptor).addPathPatterns("/**");
 
+		/* Add v1 interceptor only to all the routes */
 		registry.addInterceptor(V1Interceptor).addPathPatterns("/api/v1/**");
 
+		/* Add user auth interceptor to all the routes except the ones below */
 		registry.addInterceptor(userAuthInterceptor)
 			.addPathPatterns("/**")
 			.excludePathPatterns("/api/v1/auth/salesforce/**")

src/main/java/com/salessparrow/api/filter/SanitizationFilter.java

@@ -0,0 +1,159 @@
+package com.salessparrow.api.filter;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.FilterConfig;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import org.jsoup.Jsoup;
+import org.jsoup.nodes.Document;
+import org.jsoup.safety.Safelist;
+import org.jsoup.nodes.Entities.EscapeMode;
+
+import com.salessparrow.api.lib.wrappers.SanitizedRequestWrapper;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.util.Enumeration;
+
+/**
+ * Class to sanitize the request
+ */
+public class SanitizationFilter implements Filter {
+
+	private SanitizedRequestWrapper sanitizedRequest;
+
+	@Override
+	public void init(FilterConfig filterConfig) {
+	}
+
+	/**
+	 * Method to sanitize the request
+	 * @param servletRequest - Servlet request object
+	 * @param servletResponse - Servlet response object
+	 * @param chain - Filter chain - Filter chain
+	 * @throws IOException - IOException
+	 * @throws ServletException - ServletException
+	 * @return void
+	 */
+	@Override
+	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
+			throws IOException, ServletException {
+		if (!(servletRequest instanceof HttpServletRequest)) {
+			throw new ServletException("Can only process HttpServletRequest");
+		}
+		HttpServletRequest request = (HttpServletRequest) servletRequest;
+		sanitizeRequestBody(request);
+		sanitizeRequestParams(request);
+		sanitizeRequestHeaders(request);
+
+		chain.doFilter(sanitizedRequest, servletResponse);
+	}
+
+	/**
+	 * Method to sanitize the request body
+	 * @param request - Servlet request object
+	 * @return void
+	 */
+	private void sanitizeRequestBody(HttpServletRequest request) {
+		String originalBody = getRequestBody(request);
+		String sanitizedBody = sanitizeHtml(originalBody);
+		this.sanitizedRequest = new SanitizedRequestWrapper(request, sanitizedBody);
+	}
+
+	/**
+	 * Method to sanitize the request params
+	 * @return void
+	 */
+	private void sanitizeRequestParams(HttpServletRequest request) {
+		request.getParameterMap().forEach((key, values) -> {
+			for (int index = 0; index < values.length; index++) {
+				String sanitizedValue = sanitizeHtml(values[index]);
+				this.sanitizedRequest.setParameter(key, sanitizedValue);
+			}
+		});
+	}
+
+	/**
+	 * Method to sanitize the request headers
+	 * @return void
+	 */
+	private void sanitizeRequestHeaders(HttpServletRequest request) {
+		Enumeration<String> headerNames = request.getHeaderNames();
+
+		while (headerNames != null && headerNames.hasMoreElements()) {
+			String headerName = headerNames.nextElement();
+			Enumeration<String> headerValues = request.getHeaders(headerName);
+
+			while (headerValues != null && headerValues.hasMoreElements()) {
+				String headerValue = headerValues.nextElement();
+				String sanitizedValue = sanitizeHtml(headerValue);
+				this.sanitizedRequest.setHeader(headerName, sanitizedValue);
+			}
+		}
+	}
+
+	/**
+	 * Method to get the request body
+	 * @param request - Servlet request object
+	 * @return String - Request body
+	 */
+	private String getRequestBody(HttpServletRequest request) {
+		try {
+			BufferedReader reader = request.getReader();
+			String line;
+			// TODO: Consider using a more efficient way to read the request body, such as
+			// streaming
+			StringBuilder requestBody = new StringBuilder();
+			while ((line = reader.readLine()) != null) {
+				requestBody.append(line);
+			}
+			return requestBody.toString();
+		}
+		catch (IOException e) {
+			throw new RuntimeException("Error reading request body: ", e.getCause());
+		}
+	}
+
+	/**
+	 * Sanitizes a given HTML string by removing all HTML tags and attributes, leaving
+	 * only the text content. Also handles basic HTML entity escaping using the 'base'
+	 * escape mode.
+	 *
+	 * This function uses the Jsoup library's 'clean' method with a 'none' safelist, which
+	 * means no HTML tags are allowed and will be removed.
+	 *
+	 * The function also disables pretty-printing to ensure the resulting HTML is not
+	 * reformatted, and sets the escape mode to 'base' to handle basic HTML entities like
+	 * &amp; and &lt;.
+	 *
+	 * If the input is null or empty, the function returns an empty string.
+	 * @param input The original HTML string that needs to be sanitized.
+	 * @return A sanitized version of the input string, safe for display as text.
+	 */
+	private String sanitizeHtml(String input) {
+		if (input == null || input.isEmpty()) {
+			return "";
+		}
+
+		Safelist safelist = Safelist.none();
+
+		Document.OutputSettings outputSettings = new Document.OutputSettings();
+		outputSettings.prettyPrint(false);
+		outputSettings.escapeMode(EscapeMode.base);
+
+		String sanitizedInput = Jsoup.clean(input, "", safelist, outputSettings);
+
+		return sanitizedInput;
+	}
+
+	/**
+	 * Method to destroy the filter
+	 */
+	@Override
+	public void destroy() {
+	}
+
+}

src/main/java/com/salessparrow/api/lib/Util.java

@@ -64,7 +64,7 @@ public static String generateHeaderLogString(HttpServletRequest request) {
 	}
 
 	/**
-	 * <<<<<<< HEAD Encode plain text to base64
+	 * Encode plain text to base64
 	 * @param plainText - String to be encoded
 	 * @return String - Encoded string
 	 */
@@ -160,4 +160,21 @@ public String getDateFormatFromDatetime(Date date) {
 		return null;
 	}
 
+	/**
+	 * Unescape special characters in a string intended for plaintext contexts only.
+	 *
+	 * This function is intended for use only with strings that will be rendered as
+	 * plaintext. It is NOT suitable for HTML strings, XML strings, or any other context
+	 * where special characters may have syntactic meaning.
+	 *
+	 * Current Implementation: - The ampersand ("&amp;") is unescaped to "&"
+	 *
+	 * Future versions may include additional un-escaping rules as needed.
+	 * @param input The original string containing escaped special characters.
+	 * @return A new string where certain special characters have been unescaped.
+	 */
+	public String unEscapeSpecialCharactersForPlainText(String input) {
+		return input.replace("&amp;", "&");
+	}
+
 }

src/main/java/com/salessparrow/api/lib/crmActions/createAccountNote/CreateSalesforceNote.java

@@ -54,6 +54,7 @@ public class CreateSalesforceNote implements CreateNoteInterface {
 	public CreateNoteFormatterDto createNote(SalesforceUser user, String accountId, NoteDto note) {
 		String salesforceUserId = user.getExternalUserId();
 
+		logger.info("createNote note text: ", note.getText());
 		String noteTitle = getNoteTitleFromContent(note);
 		String encodedNoteContent = base64Helper.base64Encode(note.getText());
 
@@ -127,11 +128,16 @@ private CreateNoteFormatterDto parseResponse(String createNoteResponse) {
 	 * @return String
 	 */
 	private String getNoteTitleFromContent(NoteDto note) {
-		if (note.getText().length() < 50) {
-			return note.getText();
+		String noteText = note.getText();
+
+		Util util = new Util();
+		noteText = util.unEscapeSpecialCharactersForPlainText(noteText);
+
+		if (noteText.length() < 50) {
+			return noteText;
 		}
 
-		return note.getText().substring(0, 50);
+		return noteText.substring(0, 50);
 	}
 
 }