

Mejorar persistencia de parámetros, regex y trazas
Ahora, los parámetros que formen un array también se obtendrán al completo, permitiendo así la persistencia de todos sus parámetros que pasen la validación.

Respecto a la validación, se ha hecho un poco más permisiva para que admita fechas y todos los caracteres Unicode.

También se ha optimizado la escritura de trazas, sustituyendo la concatenación de parámetros por marcadores (placeholders).
xaabi6 committed Jan 20, 2023
1 parent 67b3a0d commit 20c3806
Showing 1 changed file with 31 additions and 13 deletions.
44 changes: 31 additions & 13 deletions x38ShLibClasses/src/com/ejie/x38/UdaFilter.java
Expand Up @@ -15,7 +15,9 @@
*/
package com.ejie.x38;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.regex.Pattern;
Expand Down Expand Up @@ -49,6 +51,7 @@
public class UdaFilter extends DelegatingFilterProxy {

private static final Logger logger = LoggerFactory.getLogger(UdaFilter.class);
private static final String validationPattern = "[\\p{L}0-9\\.,\\-\\+_:~\\(\\)\\\\/¿\\?@&%#\\$\\* ]*$";

public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) {

Expand All @@ -64,13 +67,14 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
+ "|(?:desant01\\.|pruebasnt01\\.)?jakina.ejgvdns"
+ "|sargune(?:\\.sb|\\.des|\\.pru)?\\.(?:euskadi|ejgv\\.euskalsarea)?\\.eus",
Pattern.CASE_INSENSITIVE).matcher(httpServletRequest.getHeader("referer")).find();
logger.debug("Referer is {} and the pattern result is {}", httpServletRequest.getHeader("referer"), refersFromSecuritySystem);
} else {
refersFromSecuritySystem = false;
logger.debug("Referer is null. If a value was expected, check if the protocol is still the same.");
}

try {
logger.debug("New request with UDA identificator " + ThreadStorageManager.getCurrentThreadId() + " has started");
logger.debug("New request with UDA identificator {} has started", ThreadStorageManager.getCurrentThreadId());

if (httpServletRequest.getHeader("RUP") != null) {
ThreadSafeCache.addValue("RUP", "RUP");
Expand All @@ -89,25 +93,35 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
// Esta gestión es necesaria para disponer de los datos una vez se obtenga una credencial válida a través del sistema de seguridad.
if (SecurityContextHolder.getContext().getAuthentication() == null && !refersFromSecuritySystem) {
Map<String, String[]> extraParams = new HashMap<String, String[]>();
boolean validated = true;

// Validar parámetros recibidos para evitar un "Trust boundary".
for (Map.Entry<String, String[]> entry : ((Map<String, String[]>) httpServletRequest.getParameterMap()).entrySet()) {
for (String entryValue : entry.getValue()) {
if (!entryValue.matches("[a-zA-Z0-9@\\.,\\-_:~\\(\\) ]*$")) {
validated = !validated;
break;
} else {
if (entry.getValue().length > 1) {
List<String> values = new ArrayList<String>();
for (int index = 0; index < entry.getValue().length; index++) {
if (entry.getValue()[index].matches(validationPattern)) {
values.add(entry.getValue()[index]);
logger.debug("Added parameter with key {} and value {} from index {}", entry.getKey(), entry.getValue()[index], index);
} else {
logger.debug(
"Parameter with key {} and value {} in index {} does not match the pattern",
entry.getKey(), entry.getValue()[index], index);
}
}
extraParams.put(entry.getKey(), values.toArray(new String[0]));
} else {
if (entry.getValue()[0].matches(validationPattern)) {
extraParams.put(entry.getKey(), entry.getValue());
logger.debug("Added parameter with key {} and value {}", entry.getKey(), entry.getValue()[0]);
} else {
logger.debug("Parameter with key {} and value {} does not match the pattern", entry.getKey(), entry.getValue()[0]);
}
}
}

// En caso de ser validados, se guardan en sesión para disponer de ellos una vez se obtenga la credencial.
if (validated) {
httpServletRequest.getSession().setAttribute("REQUESTED_PARAMS", extraParams);
httpServletRequest.getSession().setAttribute("REQUEST_METHOD", httpServletRequest.getMethod());
}
// Se guardan los parámetros en sesión para disponer de ellos una vez se obtenga la credencial.
httpServletRequest.getSession().setAttribute("REQUESTED_PARAMS", extraParams);
httpServletRequest.getSession().setAttribute("REQUEST_METHOD", httpServletRequest.getMethod());
}
}

Expand All @@ -117,16 +131,20 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
&& httpServletRequest.getSession().getAttribute("REQUEST_METHOD") != null
&& !httpServletRequest.getSession().getAttribute("REQUEST_METHOD").equals("GET")
&& refersFromSecuritySystem) {
logger.debug(
"Request will be wrapped using WrappedRequest because both REQUESTED_PARAMS and REQUEST_METHOD (with {} value) exist in session",
httpServletRequest.getSession().getAttribute("REQUEST_METHOD"));
filterChain.doFilter(
new WrappedRequest(httpServletRequest,
(Map<String, String[]>) httpServletRequest.getSession().getAttribute("REQUESTED_PARAMS"),
httpServletRequest.getSession().getAttribute("REQUEST_METHOD").toString()),
response);
} else {
logger.debug("Request won't be wrapped");
filterChain.doFilter(request, response);
}

logger.debug("Request with UDA identificator " + ThreadStorageManager.getCurrentThreadId() + " has ended");
logger.debug("Request with UDA identificator {} has ended", ThreadStorageManager.getCurrentThreadId());
} catch (Exception exception) {
logger.error(StackTraceManager.getStackTrace(exception));

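Review bot: The new debug statements in the parameter loop (`logger.debug("Added parameter with key {} and value {} from index {}", ...)` and its three sibling calls) write raw request parameter values to the log, and this branch only runs while no authentication is present, so those values can be login credentials or other sensitive form data that should not reach log files even at debug level. Logging the key and index alone, e.g. `logger.debug("Added parameter with key {} from index {}", entry.getKey(), index);`, keeps the trace useful without the leak. Separately, when every value of a multi-valued parameter fails validation the array branch still stores the key with an empty array (`extraParams.put(entry.getKey(), values.toArray(new String[0]))`), whereas the single-value branch omits the key; guarding with `if (!values.isEmpty())` makes the two branches consistent and avoids an empty array reaching WrappedRequest, whose handling of it is not visible here. The parameter name itself is not checked against validationPattern in either branch, only its values, and since Pattern is already imported the per-value `matches(validationPattern)` could use one `private static final Pattern` instead of recompiling on every call. doFilter starts and ends outside the hunk.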
