-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added sanitization filter for request sanitization #78
Merged
Merged
Changes from 4 commits
Commits
Show all changes
22 commits
Select commit
Hold shift + click to select a range
4094d3e
added sanitization filter for request sanitization
kreloaded 9c4b7bc
added review changes for sanitization filter
kreloaded 36b5fdb
refactored sanitization filter and test cases
kreloaded 7ff2e5d
added review changes
kreloaded 3caac81
Merge branch 'milestone/v0.2.0' into sanitization
kreloaded fc6a6f8
added review changes
kreloaded 0f05622
updated test cases based on review
kreloaded f9b5c06
unescaped & from note tile and task subject
kreloaded 808643a
Merge branch 'milestone/v0.2.0' into sanitization
kreloaded 30128bb
sanitization review changes
kreloaded d93d616
Merge branch 'milestone/v0.2.0' into sanitization
kreloaded 6fe53b7
added logs for debugging sanitization changes
kreloaded 458e989
unescaped task description and subject
kreloaded 179ec79
formatted changes
kreloaded 2d2dec8
added logs for debugging
kreloaded e6541a2
added logs for debugging
kreloaded 2806314
replace new line with br
kreloaded 0f1a202
used local sanitization http request
kreloaded 573ace1
formatted code
kreloaded bfe04e8
removed logs added for debugging
kreloaded 9c9d440
updated Merging section in Release Process Docs
kreloaded 4af29a4
updated changelog with sanitization issue
kreloaded File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
140 changes: 140 additions & 0 deletions
140
src/main/java/com/salessparrow/api/filter/SanitizationFilter.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,140 @@ | ||
package com.salessparrow.api.filter; | ||
|
||
import jakarta.servlet.Filter; | ||
import jakarta.servlet.FilterChain; | ||
import jakarta.servlet.FilterConfig; | ||
import jakarta.servlet.ServletException; | ||
import jakarta.servlet.ServletRequest; | ||
import jakarta.servlet.ServletResponse; | ||
import jakarta.servlet.http.HttpServletRequest; | ||
import org.owasp.html.HtmlPolicyBuilder; | ||
import org.owasp.html.PolicyFactory; | ||
|
||
import com.salessparrow.api.lib.wrappers.SanitizedRequestWrapper; | ||
|
||
import java.io.BufferedReader; | ||
import java.io.IOException; | ||
import java.util.Enumeration; | ||
|
||
/** | ||
* Class to sanitize the request | ||
*/ | ||
public class SanitizationFilter implements Filter { | ||
private SanitizedRequestWrapper sanitizedRequest; | ||
|
||
private final PolicyFactory policy = new HtmlPolicyBuilder().toFactory(); | ||
|
||
@Override | ||
public void init(FilterConfig filterConfig) {} | ||
|
||
/** | ||
* Method to sanitize the request | ||
* | ||
* @param servletRequest - Servlet request object | ||
* @param servletResponse - Servlet response object | ||
* @param chain - Filter chain - Filter chain | ||
* | ||
* @throws IOException - IOException | ||
* @throws ServletException - ServletException | ||
* | ||
* @return void | ||
*/ | ||
@Override | ||
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, | ||
FilterChain chain) throws IOException, ServletException { | ||
if (!(servletRequest instanceof HttpServletRequest)) { | ||
throw new ServletException("Can only process HttpServletRequest"); | ||
} | ||
HttpServletRequest request = (HttpServletRequest) servletRequest; | ||
sanitizeRequestBody(request); | ||
sanitizeRequestParams(request); | ||
sanitizeRequestHeaders(request); | ||
|
||
chain.doFilter(sanitizedRequest, servletResponse); | ||
} | ||
kreloaded marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
/** | ||
* Method to sanitize the request body | ||
* | ||
* @param request - Servlet request object | ||
* | ||
* @return void | ||
*/ | ||
private void sanitizeRequestBody(HttpServletRequest request) { | ||
String originalBody = getRequestBody(request); | ||
String sanitizedBody = sanitizeHtml(originalBody); | ||
this.sanitizedRequest = new SanitizedRequestWrapper(request, sanitizedBody); | ||
} | ||
kreloaded marked this conversation as resolved.
Show resolved
Hide resolved
kreloaded marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
/** | ||
* Method to sanitize the request params | ||
* | ||
* @return void | ||
*/ | ||
private void sanitizeRequestParams(HttpServletRequest request) { | ||
request.getParameterMap().forEach((key, values) -> { | ||
for (int index = 0; index < values.length; index++) { | ||
String sanitizedValue = sanitizeHtml(values[index]); | ||
this.sanitizedRequest.setParameter(key, sanitizedValue); | ||
} | ||
}); | ||
kreloaded marked this conversation as resolved.
Show resolved
Hide resolved
kreloaded marked this conversation as resolved.
Show resolved
Hide resolved
|
||
} | ||
|
||
/** | ||
* Method to sanitize the request headers | ||
* | ||
* @return void | ||
*/ | ||
private void sanitizeRequestHeaders(HttpServletRequest request) { | ||
Enumeration<String> headerNames = request.getHeaderNames(); | ||
|
||
while (headerNames != null && headerNames.hasMoreElements()) { | ||
String headerName = headerNames.nextElement(); | ||
Enumeration<String> headerValues = request.getHeaders(headerName); | ||
|
||
while (headerValues != null && headerValues.hasMoreElements()) { | ||
String headerValue = headerValues.nextElement(); | ||
String sanitizedValue = sanitizeHtml(headerValue); | ||
this.sanitizedRequest.setHeader(headerName, sanitizedValue); | ||
} | ||
} | ||
kreloaded marked this conversation as resolved.
Show resolved
Hide resolved
|
||
} | ||
|
||
/** | ||
* Method to get the request body | ||
* | ||
* @param request - Servlet request object | ||
* @return String - Request body | ||
*/ | ||
private String getRequestBody(HttpServletRequest request) { | ||
try { | ||
BufferedReader reader = request.getReader(); | ||
String line; | ||
// TODO: Consider using a more efficient way to read the request body, such as streaming | ||
StringBuilder requestBody = new StringBuilder(); | ||
while ((line = reader.readLine()) != null) { | ||
requestBody.append(line); | ||
} | ||
return requestBody.toString(); | ||
} catch (IOException e) { | ||
throw new RuntimeException("Error reading request body: ", e.getCause()); | ||
} | ||
kreloaded marked this conversation as resolved.
Show resolved
Hide resolved
|
||
} | ||
|
||
/** | ||
* Method to sanitize the html | ||
* | ||
* @param input - Input string | ||
* @return String - Sanitized string | ||
*/ | ||
private String sanitizeHtml(String input) { | ||
String sanitizedInput = policy.sanitize(input); | ||
return sanitizedInput; | ||
} | ||
|
||
/** | ||
* Method to destroy the filter | ||
*/ | ||
@Override | ||
public void destroy() {} | ||
} |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The filter should be able to handle all types of
ServletRequest
. Instead of throwing an exception when the request is not an instance ofHttpServletRequest
, consider skipping the sanitization process and just pass the request to the next filter in the chain.