fix(rest): Prevent stored XSS

Signed-off-by: Smruti Prakash Sahoo <[email protected]>

pom.xml

@@ -162,6 +162,7 @@
     <version.jee.jaxb.api>2.3.1</version.jee.jaxb.api>
     <keycloak.version>26.0.7</keycloak.version>
     <spring.security.crypto>6.3.3</spring.security.crypto>
+    <org.owasp.encoder.version>1.3.1</org.owasp.encoder.version>
   </properties>
   <dependencyManagement>
     <dependencies>

rest/authorization-server/src/main/java/org/eclipse/sw360/rest/authserver/Sw360AuthorizationServer.java

@@ -16,13 +16,14 @@
 import org.eclipse.sw360.datahandler.thrift.users.UserGroup;
 import org.eclipse.sw360.rest.common.PropertyUtils;
 import org.eclipse.sw360.rest.common.Sw360CORSFilter;
+import org.eclipse.sw360.rest.common.Sw360XssFilter;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.builder.SpringApplicationBuilder;
 import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
 import org.springframework.context.annotation.Import;
 
 @SpringBootApplication
-@Import(Sw360CORSFilter.class)
+@Import({Sw360CORSFilter.class, Sw360XssFilter.class})
 public class Sw360AuthorizationServer extends SpringBootServletInitializer {
 
     private static final String SW360_PROPERTIES_FILE_PATH = "/sw360.properties";

rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/Sw360ResourceServer.java

@@ -27,6 +27,7 @@
 import org.eclipse.sw360.datahandler.thrift.users.UserGroup;
 import org.eclipse.sw360.rest.common.PropertyUtils;
 import org.eclipse.sw360.rest.common.Sw360CORSFilter;
+import org.eclipse.sw360.rest.common.Sw360XssFilter;
 import org.eclipse.sw360.rest.resourceserver.core.OpenAPIPaginationHelper;
 import org.eclipse.sw360.rest.resourceserver.core.RestControllerHelper;
 import org.eclipse.sw360.rest.resourceserver.security.apiToken.ApiTokenAuthenticationFilter;
@@ -50,7 +51,7 @@
 import java.util.*;
 
 @SpringBootApplication
-@Import(Sw360CORSFilter.class)
+@Import({Sw360CORSFilter.class, Sw360XssFilter.class})
 public class Sw360ResourceServer extends SpringBootServletInitializer {
 
     public static final String REST_BASE_PATH = "/api";

rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/security/ResourceServerConfiguration.java

@@ -34,6 +34,7 @@
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
 
 @Profile("!SECURITY_MOCK")
 @Configuration
@@ -74,6 +75,8 @@ public SecurityFilterChain securityFilterChainRS1(HttpSecurity http) throws Exce
                         .jwkSetUri(issuerUri)))
                 .httpBasic(Customizer.withDefaults())
                 .exceptionHandling(x -> x.authenticationEntryPoint(saep))
+                .headers(headers -> headers.xssProtection(xXssConfig -> xXssConfig.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK))
+                        .contentSecurityPolicy(cps -> cps.policyDirectives("script-src 'self'")))
                 .csrf(csrf -> csrf.disable()).build();
     }
 

rest/rest-common/pom.xml

@@ -42,6 +42,12 @@
             <artifactId>jakarta.servlet-api</artifactId>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.owasp.encoder</groupId>
+            <artifactId>encoder</artifactId>
+            <version>${org.owasp.encoder.version}</version>
+        </dependency>
+
     </dependencies>
     <build>
         <finalName>rest-common</finalName>

rest/rest-common/src/main/java/org/eclipse/sw360/rest/common/Sw360XSSRequestWrapper.java

@@ -0,0 +1,113 @@
+/*
+SPDX-FileCopyrightText: © 2024 Siemens AG
+SPDX-License-Identifier: EPL-2.0
+*/
+package org.eclipse.sw360.rest.common;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import com.fasterxml.jackson.databind.node.JsonNodeFactory;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import jakarta.servlet.ReadListener;
+import jakarta.servlet.ServletInputStream;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequestWrapper;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+/**
+ * This class is used to sanitize the input from the user to prevent XSS attacks.
+ *
+ * @author [email protected]
+ */
+public class Sw360XSSRequestWrapper extends HttpServletRequestWrapper {
+
+	public Sw360XSSRequestWrapper(HttpServletRequest request) {
+		super(request);
+	}
+
+	@Override
+	public ServletInputStream getInputStream() throws IOException {
+		ServletInputStream originalInputStream = super.getInputStream();
+		String requestBody = new String(originalInputStream.readAllBytes());
+
+		JsonNode requestBodyJSON = sanitizeInput(new ObjectMapper().readTree(requestBody));
+		String sanitizedBody = requestBodyJSON.toString();
+		return new ServletInputStream() {
+			private final ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(
+					sanitizedBody.getBytes()
+			);
+
+			@Override
+			public int read() throws IOException {
+				return byteArrayInputStream.read();
+			}
+
+			@Override
+			public boolean isFinished() {
+				return byteArrayInputStream.available() == 0;
+			}
+
+			@Override
+			public boolean isReady() {
+				return true;
+			}
+
+			@Override
+			public void setReadListener(ReadListener readListener) {
+			}
+		};
+	}
+
+	@Override
+	public String[] getParameterValues(String parameter) {
+		String[] values = super.getParameterValues(parameter);
+		if (values == null) {
+			return null;
+		}
+		int count = values.length;
+		String[] encodedValues = new String[count];
+		for (int i = 0; i < count; i++) {
+			encodedValues[i] = stripXSS(values[i]);
+		}
+		return encodedValues;
+	}
+
+	@Override
+	public String getParameter(String parameter) {
+		String value = super.getParameter(parameter);
+		return stripXSS(value);
+	}
+
+	@Override
+	public String getHeader(String name) {
+		String value = super.getHeader(name);
+		return stripXSS(value);
+	}
+
+	private String stripXSS(String value) {
+		return org.owasp.encoder.Encode.forHtml(value);
+
+	}
+
+	private JsonNode sanitizeInput(JsonNode input) {
+		if (input.isTextual()) {
+			return JsonNodeFactory.instance.textNode(stripXSS(input.asText()));
+		} else if (input.isArray()) {
+			ArrayNode arrayNode = JsonNodeFactory.instance.arrayNode();
+			for (JsonNode element : input) {
+				arrayNode.add(sanitizeInput(element));
+			}
+			return arrayNode;
+		} else if (input.isObject()) {
+			ObjectNode objectNode = JsonNodeFactory.instance.objectNode();
+			input.fields().forEachRemaining(entry -> objectNode.set(entry.getKey(), sanitizeInput(entry.getValue())));
+			return objectNode;
+		} else {
+			return input;
+		}
+	}
+
+}

rest/rest-common/src/main/java/org/eclipse/sw360/rest/common/Sw360XssFilter.java

@@ -0,0 +1,35 @@
+/*
+SPDX-FileCopyrightText: © 2024 Siemens AG
+SPDX-License-Identifier: EPL-2.0
+*/
+package org.eclipse.sw360.rest.common;
+
+
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+
+import java.io.IOException;
+
+/**
+ * This filter is used to sanitize the input from the user to prevent XSS attacks.
+ * @author [email protected]
+ */
+@Configuration
+@Order(Ordered.HIGHEST_PRECEDENCE)
+public class Sw360XssFilter implements Filter {
+
+	/**
+	 * @param servletRequest
+	 * @param servletResponse
+	 * @param filterChain
+	 * @throws IOException
+	 * @throws ServletException
+	 */
+	@Override
+	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+		filterChain.doFilter(new Sw360XSSRequestWrapper((HttpServletRequest) servletRequest), servletResponse);
+	}
+}