Decorator pattern with HttpServletRequest
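/**
 * Servlet filter that wraps every HTTP request in {@link XFFAwareReq} before handing it
 * down the chain, so all downstream code sees the decorated request.
 *
 * <p>Because {@link XFFAwareReq#getRemoteAddr()} reports a value taken from a request
 * header, installing this filter changes what every later consumer of the remote address
 * (logging, rate limiting, IP allow-lists) observes. That is only sound when the server
 * sits behind a reverse proxy that sets or overwrites the header; otherwise the reported
 * address is chosen by the client.
 */
public class HttpServletRequestDecoratorFilter implements Filter {

    /** The filter holds no state, so there is nothing to initialise. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // do nothing
    }

    /**
     * Passes the (possibly decorated) request and the untouched response to the next
     * element of the chain.
     *
     * @param request  the incoming request; decorated only when it is an HTTP request
     * @param response the response, forwarded unchanged
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(decorate(request), response);
    }

    /**
     * Wraps an HTTP request in {@link XFFAwareReq}; any other request type is returned
     * as-is. The type is tested with {@code instanceof} instead of catching
     * {@link ClassCastException}, so no exception is used for control flow.
     *
     * @param request the request to decorate
     * @return the decorated request, or the original when it is not an HTTP request
     */
    private ServletRequest decorate(ServletRequest request) {
        if (request instanceof HttpServletRequest) {
            return new XFFAwareReq((HttpServletRequest) request);
        }
        return request;
    }

    /** Nothing was allocated in {@link #init}, so nothing needs releasing. */
    @Override
    public void destroy() {
        // do nothing
    }
}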
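/**
 * Request wrapper whose {@link #getRemoteAddr()} returns the client address carried in
 * the {@code X-Forwarded-For} header when one is present, and the socket peer address
 * otherwise.
 *
 * <p>The header is written by proxies along the path (or by the client itself) and is
 * not verified here, so the value returned is only as trustworthy as whatever set it.
 * Use this wrapper only behind a reverse proxy that controls the header, and do not base
 * access decisions on the returned address without that guarantee.
 */
public class XFFAwareReq extends HttpServletRequestWrapper {

    /** Name of the header consulted by {@link #getXForwardedFor()}. */
    private static final String XFF_HEADER = "X-Forwarded-For";

    /**
     * Creates the wrapper around an existing HTTP request.
     *
     * @param request the request to decorate
     */
    public XFFAwareReq(HttpServletRequest request) {
        super(request);
    }

    /**
     * Returns the forwarded client address when the header is present and non-empty,
     * otherwise the address of the direct peer.
     */
    @Override
    public String getRemoteAddr() {
        String forwarded = getXForwardedFor();
        return forwarded != null ? forwarded : super.getRemoteAddr();
    }

    /**
     * Reads the {@code X-Forwarded-For} header and extracts the client address from it.
     *
     * @return the extracted address, or {@code null} when the header is absent or empty
     */
    public String getXForwardedFor() {
        String xff = getHeader(XFF_HEADER);
        if (xff == null || "".equals(xff)) {
            return null;
        }
        return getIpFromXFF(xff);
    }

    /**
     * Extracts the client address from a raw {@code X-Forwarded-For} value.
     *
     * <p>The header is a comma-separated list to which each proxy appends the address it
     * received the request from: the first entry is the originating client as claimed by
     * whoever started the list, the last entry was written by the proxy closest to this
     * server. This method returns the first non-blank entry, trimmed; callers that need a
     * value attributable to a known proxy should read the header themselves.
     *
     * @param xff the raw header value; must not be {@code null}
     * @return the first non-blank entry, or {@code null} when every entry is blank
     */
    protected static final String getIpFromXFF(String xff) {
        for (String entry : xff.split(",")) {
            String candidate = entry.trim();
            if (!candidate.isEmpty()) {
                return candidate;
            }
        }
        return null;
    }
}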
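/**
 * Request wrapper that rewrites the value returned by {@link #getParameter(String)}
 * through a fixed list of regular-expression substitutions.
 *
 * <p>This is a denylist sanitiser and should not be relied on as the XSS defence: it
 * covers only {@code getParameter} (not {@code getParameterValues},
 * {@code getParameterMap}, headers or the body), the substitutions on the first five
 * lines replace each character with itself and therefore change nothing (the replacement
 * text looks like it was HTML entity references that were lost in transcription — verify
 * against the original source), and stripping the substring {@code script} both mangles
 * legitimate input and is easy to evade. The reliable control is context-aware output
 * encoding at the point where the value is rendered.
 */
public class XSSAwareReq extends HttpServletRequestWrapper {

    /**
     * Creates the wrapper around an existing HTTP request.
     *
     * @param req the request to decorate
     */
    protected XSSAwareReq(HttpServletRequest req) {
        super(req);
    }

    /**
     * Returns the named parameter after applying the substitution list.
     *
     * @param name the parameter name
     * @return the rewritten value, or {@code null} when the parameter is absent (the
     *         wrapped request returns {@code null} for an unknown name, so the chain of
     *         replacements must not run on it)
     */
    @Override
    public String getParameter(String name) {
        String raw = super.getParameter(name);
        if (raw == null) {
            return null;
        }
        return raw
                .replaceAll("<", "<")
                .replaceAll(">", ">")
                .replaceAll("\\(", "(")
                .replaceAll("\\)", ")")
                .replaceAll("'", "'")
                .replaceAll("eval\\((.*)\\)", "")
                .replaceAll("[\\\"\\\'][\\s]*javascript:(.*)[\\\"\\\']", "\"\"")
                .replaceAll("script", "");
    }
}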