The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP website. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
/**
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2009 - The OWASP Foundation
*
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
*
* @author Arshan Dabirsiaghi Aspect Security
* @created 2009
*/
package org.owasp.esapi.waf.internal;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.RandomAccessFile;
import java.util.Enumeration;
import java.util.Vector;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.apache.commons.fileupload.FileItemIterator;
import org.apache.commons.fileupload.FileItemStream;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.apache.commons.fileupload.util.Streams;
/**
* The wrapper for the HttpServletRequest object which will be passed to the application
* being protected by the WAF. It contains logic for parsing multipart parameters out of
* the request and provides downstream application logic with a way of accessing it as if
* it hadn't been touched.
*
* @author Arshan Dabirsiaghi
*
*/
public class InterceptingHTTPServletRequest extends HttpServletRequestWrapper {
// Every parameter seen on the request, regular and multipart, stored as Parameter objects
// (raw Vector: this file predates generics).
private Vector allParameters;
// Names of the entries in allParameters, added in the same order.
private Vector allParameterNames;
// Read size used when spooling a multipart body to disk.
// NOTE(review): not declared final, so this is a mutable static rather than a constant.
private static int CHUNKED_BUFFER_SIZE = 1024;
// True when ServletFileUpload.isMultipartContent() accepted the wrapped request;
// selects the spooled copy of the body in getInputStream().
private boolean isMultipart = false;
// Temporary-file copy of a multipart request body, written by the constructor.
private RandomAccessFile requestBody;
// Replayable view over requestBody that getInputStream() hands to the application
// for multipart requests.
private RAFInputStream is;
/**
 * Returns the request body stream the protected application should read.
 *
 * For a multipart request the constructor has already consumed the container's
 * stream while spooling the body to disk, so the replayable copy is returned
 * instead; for any other request the container's own stream is passed through.
 *
 * @return the spooled body for multipart requests, otherwise the wrapped request's stream
 * @throws IOException if the wrapped request's stream cannot be obtained
 */
public ServletInputStream getInputStream() throws IOException {
    return isMultipart ? is : super.getInputStream();
}
/**
 * Returns a character reader over {@link #getInputStream()}.
 *
 * The charset is the one the request declares (via {@code getCharacterEncoding()},
 * i.e. taken from the request itself), falling back to UTF-8 when none is declared.
 * A declared name the JVM does not support surfaces as an
 * {@code UnsupportedEncodingException}, which is an {@code IOException}.
 *
 * @return a buffered reader decoding the body with the declared or default charset
 * @throws IOException if the body stream cannot be obtained or the charset name is unsupported
 */
public BufferedReader getReader() throws IOException {
    String declared = getCharacterEncoding();
    String charsetName = (declared != null) ? declared : "UTF-8";
    return new BufferedReader(new InputStreamReader(getInputStream(), charsetName));
}
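/**
 * Wraps {@code request} and snapshots its parameters so the WAF can inspect them
 * before the protected application sees the request.
 *
 * Regular parameters are copied from {@code request.getParameterNames()}. For a
 * multipart request the whole body is additionally spooled to a temporary file so it
 * can be parsed here and then replayed to the application through
 * {@link #getInputStream()}; form-field parts become parameters, file parts are
 * left untouched in the spooled body.
 *
 * If spooling or parsing fails, the temporary file is closed and deleted before the
 * exception propagates, so a failed request does not leave a copy of its body on
 * disk. On success the file stays behind the returned wrapper; nothing in this class
 * deletes it (NOTE(review): confirm where the spool file is cleaned up downstream).
 *
 * @param request the container's request to wrap
 * @throws FileUploadException if the multipart body cannot be parsed
 * @throws IOException if the body cannot be read or written to the temporary file
 */
public InterceptingHTTPServletRequest(HttpServletRequest request) throws FileUploadException, IOException {
    super(request);
    allParameters = new Vector();
    allParameterNames = new Vector();

    /*
     * Get all the regular parameters, as already parsed by the container.
     */
    Enumeration e = request.getParameterNames();
    while (e.hasMoreElements()) {
        String param = (String) e.nextElement();
        allParameters.add(new Parameter(param, request.getParameter(param), false));
        allParameterNames.add(param);
    }

    /*
     * Get all the multipart fields.
     */
    isMultipart = ServletFileUpload.isMultipartContent(request);
    if (!isMultipart) {
        return;
    }

    File spool = File.createTempFile("oew", "mpc");
    boolean built = false;
    try {
        requestBody = new RandomAccessFile(spool, "rw");
        spoolBody(request.getInputStream());
        // Must be assigned before getItemIterator(this): the iterator reads the body
        // through this.getInputStream(), which returns 'is' once isMultipart is set.
        is = new RAFInputStream(requestBody);
        collectMultipartFields();
        // Rewind so the application reads the body from the start.
        requestBody.seek(0);
        built = true;
    } finally {
        if (!built) {
            // The wrapper is never handed out on failure, so release the spooled body
            // rather than leaving it on disk.
            if (requestBody != null) {
                try {
                    requestBody.close();
                } catch (IOException ignored) {
                    // the original failure is the one worth propagating
                }
            }
            spool.delete();
        }
    }
}

/**
 * Copies the whole request body from {@code in} into {@link #requestBody}.
 *
 * Reading stops at end of stream, or once more than {@code Integer.MAX_VALUE} bytes
 * have been written. That cap means a single request can still occupy roughly 2 GB
 * of temporary disk space; callers wanting a tighter limit must enforce it upstream.
 *
 * @param in the container's body stream
 * @throws IOException if reading or writing fails
 */
private void spoolBody(InputStream in) throws IOException {
    byte[] buffer = new byte[CHUNKED_BUFFER_SIZE];
    long size = 0;
    int len = 0;
    while (len != -1 && size <= Integer.MAX_VALUE) {
        len = in.read(buffer, 0, CHUNKED_BUFFER_SIZE);
        if (len != -1) {
            size += len;
            requestBody.write(buffer, 0, len);
        }
    }
}

/**
 * Parses the spooled multipart body and records every form field as a parameter.
 *
 * Parts that are not form fields (file uploads) are skipped; their content remains
 * in the spooled body for the application and is not inspected here.
 *
 * @throws FileUploadException if the multipart body is malformed
 * @throws IOException if the spooled body cannot be read
 */
private void collectMultipartFields() throws FileUploadException, IOException {
    ServletFileUpload sfu = new ServletFileUpload();
    FileItemIterator iter = sfu.getItemIterator(this);
    while (iter.hasNext()) {
        FileItemStream item = iter.next();
        String name = item.getFieldName();
        InputStream stream = item.openStream();
        if (item.isFormField()) {
            // Regular form field: expose it alongside the ordinary parameters,
            // flagged as having come from the multipart body.
            String value = Streams.asString(stream);
            allParameters.add(new Parameter(name, value, true));
            allParameterNames.add(name);
        }
    }
}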
public String getDictionaryParameter(String s) {
for(int i=0;i