Added sanitization filter for request sanitization

docker-compose.yml

@@ -1,16 +1,16 @@
-version: '3'
+version: "3"
 services:
   api:
     build:
       context: .
       dockerfile: Dockerfile.local
     ports:
-      - '8080:8080'
+      - "8080:8080"
     networks:
       - localdev
     volumes:
-      - './:/app'
-      - '~/.m2:/root/.m2'
+      - "./:/app"
+      - "~/.m2:/root/.m2"
     environment:
       - ENVIRONMENT=development
       - AWS_ACCESS_KEY_ID=local
@@ -27,12 +27,12 @@ services:
       context: .
       dockerfile: Dockerfile.local
     ports:
-      - '8080:8080'
+      - "8080:8080"
     networks:
       - localdev
     volumes:
-      - './:/app'
-      - '~/.m2:/root/.m2'      
+      - "./:/app"
+      - "~/.m2:/root/.m2"
     environment:
       - ENVIRONMENT=local-test
       - AWS_ACCESS_KEY_ID=local
@@ -47,14 +47,14 @@ services:
   memcached:
     image: memcached
     ports:
-      - '11211:11211'
+      - "11211:11211"
     networks:
       - localdev
-  
+
   localkms:
     image: nsmithuk/local-kms
     ports:
-      - '4599:8080'
+      - "4599:8080"
     volumes:
       - ./init:/init
     networks:
@@ -66,18 +66,18 @@ services:
       - KMS_ACCOUNT_ID='111122223333'
       - KMS_REGION='us-east-1'
       - KMS_SEED_PATH=init/seed.yaml
-  
+
   dynamodb:
     image: amazon/dynamodb-local:latest
     ports:
-      - '8000:8000'
+      - "8000:8000"
     networks:
       - localdev
     volumes:
-     - "./docker/dynamodb:/home/dynamodblocal/data"
+      - "./docker/dynamodb:/home/dynamodblocal/data"
     working_dir: /home/dynamodblocal
-    command: '-jar DynamoDBLocal.jar -sharedDb -dbPath ./data'
+    command: "-jar DynamoDBLocal.jar -sharedDb -dbPath ./data"
 
 networks:
   localdev:
-    driver: bridge
+    driver: bridge

pom.xml

@@ -163,6 +163,18 @@
 			<version>0.0.39</version>
 		</dependency>
 
+		<dependency>
+			<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
+			<artifactId>owasp-java-html-sanitizer</artifactId>
+			<version>20220608.1</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-text</artifactId>
+			<version>1.10.0</version>
+		</dependency>
+
  </dependencies>
 
 	<build>

repo-docs/LOCAL_SETUP.md

@@ -69,7 +69,7 @@ $ touch test.secrets.json
     "ERROR_MAIL_FROM": "",
     "ERROR_MAIL_TO": "",
     "COOKIE_DOMAIN": "",
-    "OPENAI_API_KEY: ""
+    "OPENAI_API_KEY": ""
 }
 ```
 

src/main/java/com/salessparrow/api/config/FilterConfig.java

@@ -5,6 +5,7 @@
 import org.springframework.context.annotation.Configuration;
 
 import com.salessparrow.api.filter.SameSiteCookieFilter;
+import com.salessparrow.api.filter.SanitizationFilter;
 
 @Configuration
 public class FilterConfig {
@@ -18,6 +19,20 @@ public FilterRegistrationBean<SameSiteCookieFilter> sameSiteCookieFilter() {
 		FilterRegistrationBean<SameSiteCookieFilter> registrationBean = new FilterRegistrationBean<>();
 		registrationBean.setFilter(new SameSiteCookieFilter());
 		registrationBean.addUrlPatterns("/*"); // or specific URL patterns
+		registrationBean.setOrder(1);
+		return registrationBean;
+	}
+
+	/**
+	 * Register SanitizationFilter
+	 * @return FilterRegistrationBean<SanitizationFilter>
+	 */
+	@Bean
+	public FilterRegistrationBean<SanitizationFilter> sanitizationFilter() {
+		FilterRegistrationBean<SanitizationFilter> registrationBean = new FilterRegistrationBean<>();
+		registrationBean.setFilter(new SanitizationFilter());
+		registrationBean.addUrlPatterns("/*");
+		registrationBean.setOrder(0);
 		return registrationBean;
 	}
 

src/main/java/com/salessparrow/api/config/InterceptorConfig.java

@@ -35,12 +35,16 @@ public InterceptorConfig(UserAuthInterceptor userAuthInterceptor, JsonOnlyInterc
 
 	@Override
 	public void addInterceptors(InterceptorRegistry registry) {
+		/* Add logger interceptor to all the routes */
 		registry.addInterceptor(loggerInterceptor).addPathPatterns("/**");
 
+		/* Add json only interceptor to all the routes */
 		registry.addInterceptor(jsonOnlyInterceptor).addPathPatterns("/**");
 
+		/* Add v1 interceptor only to all the routes */
 		registry.addInterceptor(V1Interceptor).addPathPatterns("/api/v1/**");
 
+		/* Add user auth interceptor to all the routes except the ones below */
 		registry.addInterceptor(userAuthInterceptor)
 			.addPathPatterns("/**")
 			.excludePathPatterns("/api/v1/auth/salesforce/**")

src/main/java/com/salessparrow/api/filter/SanitizationFilter.java

@@ -0,0 +1,137 @@
+package com.salessparrow.api.filter;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.FilterConfig;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import org.owasp.html.HtmlPolicyBuilder;
+import org.owasp.html.PolicyFactory;
+
+import com.salessparrow.api.lib.wrappers.SanitizedRequestWrapper;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.util.Enumeration;
+
+/**
+ * Class to sanitize the request
+ */
+public class SanitizationFilter implements Filter {
+
+	private SanitizedRequestWrapper sanitizedRequest;
+
+	private final PolicyFactory policy = new HtmlPolicyBuilder().toFactory();
+
+	@Override
+	public void init(FilterConfig filterConfig) {
+	}
+
+	/**
+	 * Method to sanitize the request
+	 * @param servletRequest - Servlet request object
+	 * @param servletResponse - Servlet response object
+	 * @param chain - Filter chain - Filter chain
+	 * @throws IOException - IOException
+	 * @throws ServletException - ServletException
+	 * @return void
+	 */
+	@Override
+	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
+			throws IOException, ServletException {
+		if (!(servletRequest instanceof HttpServletRequest)) {
+			throw new ServletException("Can only process HttpServletRequest");
+		}
+		HttpServletRequest request = (HttpServletRequest) servletRequest;
+		sanitizeRequestBody(request);
+		sanitizeRequestParams(request);
+		sanitizeRequestHeaders(request);
+
+		chain.doFilter(sanitizedRequest, servletResponse);
+	}
+
+	/**
+	 * Method to sanitize the request body
+	 * @param request - Servlet request object
+	 * @return void
+	 */
+	private void sanitizeRequestBody(HttpServletRequest request) {
+		String originalBody = getRequestBody(request);
+		String sanitizedBody = sanitizeHtml(originalBody);
+		this.sanitizedRequest = new SanitizedRequestWrapper(request, sanitizedBody);
+	}
+
+	/**
+	 * Method to sanitize the request params
+	 * @return void
+	 */
+	private void sanitizeRequestParams(HttpServletRequest request) {
+		request.getParameterMap().forEach((key, values) -> {
+			for (int index = 0; index < values.length; index++) {
+				String sanitizedValue = sanitizeHtml(values[index]);
+				this.sanitizedRequest.setParameter(key, sanitizedValue);
+			}
+		});
+	}
+
+	/**
+	 * Method to sanitize the request headers
+	 * @return void
+	 */
+	private void sanitizeRequestHeaders(HttpServletRequest request) {
+		Enumeration<String> headerNames = request.getHeaderNames();
+
+		while (headerNames != null && headerNames.hasMoreElements()) {
+			String headerName = headerNames.nextElement();
+			Enumeration<String> headerValues = request.getHeaders(headerName);
+
+			while (headerValues != null && headerValues.hasMoreElements()) {
+				String headerValue = headerValues.nextElement();
+				String sanitizedValue = sanitizeHtml(headerValue);
+				this.sanitizedRequest.setHeader(headerName, sanitizedValue);
+			}
+		}
+	}
+
+	/**
+	 * Method to get the request body
+	 * @param request - Servlet request object
+	 * @return String - Request body
+	 */
+	private String getRequestBody(HttpServletRequest request) {
+		try {
+			BufferedReader reader = request.getReader();
+			String line;
+			// TODO: Consider using a more efficient way to read the request body, such as
+			// streaming
+			StringBuilder requestBody = new StringBuilder();
+			while ((line = reader.readLine()) != null) {
+				requestBody.append(line);
+			}
+			return requestBody.toString();
+		}
+		catch (IOException e) {
+			throw new RuntimeException("Error reading request body: ", e.getCause());
+		}
+	}
+
+	/**
+	 * Method to sanitize the html
+	 * @param input - Input string
+	 * @return String - Sanitized string
+	 */
+	private String sanitizeHtml(String input) {
+		String sanitizedInput = policy.sanitize(input);
+		return sanitizedInput;
+	}
+
+	/**
+	 * Method to destroy the filter
+	 */
+	@Override
+	public void destroy() {
+	}
+
+}

src/main/java/com/salessparrow/api/lib/Util.java

@@ -123,4 +123,13 @@ public String getDateFormatFromDatetime(Date date) {
 		return null;
 	}
 
+	/**
+	 * Unescape special characters in a string. Currently, only "&" is unescaped.
+	 * @param input
+	 * @return Unescaped string
+	 */
+	public String unEscapeSpecialCharacters(String input) {
+		return input.replace("&", "&");
+	}
+
 }

src/main/java/com/salessparrow/api/lib/crmActions/createAccountNote/CreateSalesforceNote.java

@@ -122,11 +122,16 @@ private CreateNoteFormatterDto parseResponse(String createNoteResponse) {
 	 * @return String
 	 */
 	private String getNoteTitleFromContent(NoteDto note) {
-		if (note.getText().length() < 50) {
-			return note.getText();
+		String noteText = note.getText();
+
+		Util util = new Util();
+		noteText = util.unEscapeSpecialCharacters(noteText);
+
+		if (noteText.length() < 50) {
+			return noteText;
 		}
 
-		return note.getText().substring(0, 50);
+		return noteText.substring(0, 50);
 	}
 
 }

src/main/java/com/salessparrow/api/lib/crmActions/createAccountTask/CreateSalesforceAccountTask.java

@@ -111,11 +111,17 @@ private CreateTaskFormatterDto parseResponse(String createTaskResponse) {
 	 */
 	private String getTaskSubjectFromDescription(CreateAccountTaskDto task) {
 		logger.info("getting task subject from description");
-		if (task.getDescription().length() < 60) {
-			return task.getDescription();
+
+		String taskDescription = task.getDescription();
+
+		Util util = new Util();
+		taskDescription = util.unEscapeSpecialCharacters(taskDescription);
+
+		if (taskDescription.length() < 60) {
+			return taskDescription;
 		}
 
-		return task.getDescription().substring(0, 60);
+		return taskDescription.substring(0, 60);
 	}
 
 }