#2992 Prevent XSS for body request

Added:
- changed PolicyRefactor for OwaspXssValidator.java
- Moved files to different packages (refactor)

src/org/scada_lts/web/beans/validation/xss/OwaspXssValidator.java

@@ -0,0 +1,36 @@
+package org.scada_lts.web.beans.validation.xss;
+
+import org.owasp.html.HtmlPolicyBuilder;
+import org.owasp.html.Sanitizers;
+import org.scada_lts.web.beans.validation.ScadaValidator;
+import org.owasp.html.PolicyFactory;
+
+public class OwaspXssValidator implements ScadaValidator<String> {
+
+    private final PolicyFactory policyFactory;
+
+    public OwaspXssValidator() {
+        PolicyFactory basePolicy = Sanitizers.FORMATTING
+                .and(Sanitizers.LINKS)
+                .and(Sanitizers.STYLES)
+                .and(Sanitizers.IMAGES);
+
+        this.policyFactory = new HtmlPolicyBuilder()
+                .allowCommonInlineFormattingElements()
+                .allowCommonBlockElements()
+                .allowStandardUrlProtocols()
+                .allowStyling()
+                .toFactory()
+                .and(basePolicy);
+    }
+
+    @Override
+    public void validate(String input) throws XssValidatorException {
+        System.out.println("input: " + input);
+        String sanitized = policyFactory.sanitize(input);
+        System.out.println("Sanitized: " + sanitized);
+        if (!sanitized.equals(input)) {
+            throw new XssValidatorException("Potential XSS attack detected");
+        }
+    }
+}

src/org/scada_lts/web/security/XssConstraintValidator.java → src/org/scada_lts/web/beans/validation/xss/XssConstraintValidator.java

@@ -1,4 +1,4 @@
-package org.scada_lts.web.security;
+package org.scada_lts.web.beans.validation.xss;
 
 import org.scada_lts.serorepl.utils.StringUtils;
 import org.scada_lts.web.beans.validation.AbstractConstraintValidator;

src/org/scada_lts/web/security/XssValid.java → src/org/scada_lts/web/beans/validation/xss/XssValid.java

@@ -1,4 +1,4 @@
-package org.scada_lts.web.security;
+package org.scada_lts.web.beans.validation.xss;
 
 import javax.validation.Constraint;
 import javax.validation.Payload;

src/org/scada_lts/web/security/XssValidatorException.java → src/org/scada_lts/web/beans/validation/xss/XssValidatorException.java

@@ -1,4 +1,4 @@
-package org.scada_lts.web.security;
+package org.scada_lts.web.beans.validation.xss;
 
 import org.scada_lts.web.beans.validation.ScadaValidatorException;
 

src/org/scada_lts/web/mvc/api/UserCommentAPI.java

@@ -7,7 +7,7 @@
 import org.scada_lts.mango.service.UserCommentService;
 import org.scada_lts.web.beans.ApplicationBeans;
 import org.scada_lts.web.mvc.api.json.JsonUserComment;
-import org.scada_lts.web.security.XssValid;
+import org.scada_lts.web.beans.validation.xss.XssValid;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;

src/org/scada_lts/web/mvc/api/css/CssStyle.java

@@ -4,7 +4,7 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import org.scada_lts.web.beans.validation.css.CssValid;
-import org.scada_lts.web.security.XssValid;
+import org.scada_lts.web.beans.validation.xss.XssValid;
 
 public class CssStyle {
 

test/org/scada_lts/web/security/OwaspXssValidatorExceptionTest.java

@@ -0,0 +1,70 @@
+package org.scada_lts.web.security;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.scada_lts.web.beans.validation.xss.OwaspXssValidator;
+import org.scada_lts.web.beans.validation.xss.XssValidatorException;
+
+import java.util.Arrays;
+import java.util.Collection;
+
+@RunWith(Parameterized.class)
+public class OwaspXssValidatorExceptionTest {
+
+    @Parameterized.Parameters
+    public static Collection<Object[]> testData() {
+        return Arrays.asList(new Object[][]{
+                {null},
+                {"<script>alert(1)</script>"},
+                {"<a href=\"javascript:alert(1)\">Link</a>"},
+                {"<div onclick=\"alert(1)\">Click me</div>"},
+                {"body { background-image: url('\"><img src=x onerror=alert(document.location)>'); }"},
+                {"div { content: \"<script>alert('XSS')</script>\"; }"},
+                {"h1 { font-family: \"<img src=x onerror=alert('XSS')>\"; }"},
+                {"@import url(\"javascript:alert('XSS')\");"},
+                {"div { /* comment: <img src=x onerror=alert('XSS')> */ }"},
+                {"span { content: '\"><script>alert(1)</script>'; }"},
+                {"h2 { color: expression(alert('XSS')); }"},
+                {"\"><img src=x onerror=alert(document.location)>"},
+                {"<img src='x' onerror='alert(1)'>"},
+                {"<input type=\"text\" value=\"\" onfocus=\"alert(1)\">"},
+                {"<iframe src=\"javascript:alert(1)\"></iframe>"},
+                {"<form action=\"javascript:alert(1)\"><input type=\"submit\"></form>"},
+                {"<object data=\"javascript:alert(1)\"></object>"},
+                {"<embed src=\"javascript:alert(1)\">"},
+                {"<base href=\"javascript:alert(1)//\">"},
+                {"<svg onload=\"alert(1)\">"},
+                {"<svg><script>alert(1)</script></svg>"},
+                {"<math><a xlink:href=\"javascript:alert(1)\">XSS</a></math>"},
+                {"<img src=x onerror=\"alert(String.fromCharCode(88,83,83))\">"},
+                {"<b onmouseover=\"alert(1)\">XSS</b>"},
+                {"<video><source onerror=\"javascript:alert(1)\"></video>"},
+                {"<details open ontoggle=\"alert(1)\">"},
+                {"<input onfocus=\"alert('XSS')\">"},
+                {"<div style=\"width: expression(alert('XSS'))\">"},
+                {"<meta http-equiv=\"refresh\" content=\"0;url=javascript:alert(1)\">"},
+                {"<link rel=\"stylesheet\" href=\"javascript:alert(1)\">"},
+                {"<textarea onfocus=\"alert(1)\"></textarea>"},
+                {"<a href=\"//example.com\" onclick=\"alert(1)\">Link</a>"},
+                {"<button onclick=\"alert(1)\">Click me</button>"},
+                {"<div style=\"background-image: url(javascript:alert(1))\">XSS</div>"},
+                {"<audio src=\"javascript:alert(1)\"></audio>"},
+                {"<marquee onstart=\"alert(1)\">XSS</marquee>"},
+                {"<keygen autofocus onfocus=\"alert(1)\">"},
+                {"<command onclick=\"alert(1)\">Click me</command>"}
+        });
+    }
+
+    private final String input;
+    private final OwaspXssValidator owaspXssValidator = new OwaspXssValidator();
+
+    public OwaspXssValidatorExceptionTest(String input) {
+        this.input = input;
+    }
+
+    @Test(expected = XssValidatorException.class)
+    public void testValidateHttpBodyException() throws XssValidatorException {
+        owaspXssValidator.validate(input);
+    }
+}

test/org/scada_lts/web/security/XssUtilsValidateHttpBodyTest.java → test/org/scada_lts/web/security/OwaspXssValidatorTest.java

@@ -3,12 +3,14 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.Parameterized;
+import org.scada_lts.web.beans.validation.xss.OwaspXssValidator;
+import org.scada_lts.web.beans.validation.xss.XssValidatorException;
 
 import java.util.Arrays;
 import java.util.Collection;
 
 @RunWith(Parameterized.class)
-public class XssUtilsValidateHttpBodyTest {
+public class OwaspXssValidatorTest {
 
     @Parameterized.Parameters
     public static Collection<Object[]> testData() {
@@ -26,13 +28,14 @@ public static Collection<Object[]> testData() {
                 {"body { font-size: 14px; }"},
                 {"h1 { font-weight: bold; }"},
                 {"p { margin: 0; padding: 0; }"},
+                {"<img src=\"http://example.com/image.jpg\" alt=\"Example Image\" width=\"600\" height=\"400\" border=\"0\" />"}
         });
     }
 
     private final String input;
     private final OwaspXssValidator owaspXssValidator = new OwaspXssValidator();
 
-    public XssUtilsValidateHttpBodyTest(String input) {
+    public OwaspXssValidatorTest(String input) {
         this.input = input;
     }
 

test/org/scada_lts/web/security/XssUtilsValidateHttpQueryTest.java → test/org/scada_lts/web/security/XssUtilsTest.java

@@ -11,12 +11,12 @@
 import java.util.Collection;
 
 @RunWith(Parameterized.class)
-public class XssUtilsValidateHttpQueryTest {
+public class XssUtilsTest {
 
     private final String input;
     private final boolean expectedResult;
 
-    public XssUtilsValidateHttpQueryTest(String input, boolean expectedResult) {
+    public XssUtilsTest(String input, boolean expectedResult) {
         this.input = input;
         this.expectedResult = expectedResult;
     }

test/org/scada_lts/web/security/XssUtilsTestsSuite.java

@@ -5,9 +5,9 @@
 
 @RunWith(Suite.class)
 @Suite.SuiteClasses({
-        XssUtilsValidateHttpQueryTest.class,
-        XssUtilsValidateHttpBodyTest.class,
-        XssUtilsValidateHttpBodyExceptionTest.class
+        XssUtilsTest.class,
+        OwaspXssValidatorTest.class,
+        OwaspXssValidatorExceptionTest.class
 })
 public class XssUtilsTestsSuite {
 }