org.owasp.esapi.filters

Class SecurityWrapperResponse

java.lang.Object

javax.servlet.ServletResponseWrapper

javax.servlet.http.HttpServletResponseWrapper

org.owasp.esapi.filters.SecurityWrapperResponse

All Implemented Interfaces:

javax.servlet.http.HttpServletResponse, javax.servlet.ServletResponse

public class SecurityWrapperResponse
extends javax.servlet.http.HttpServletResponseWrapper
implements javax.servlet.http.HttpServletResponse

This response wrapper simply overrides unsafe methods in the HttpServletResponse API with safe versions.

Field Summary

Fields inherited from interface javax.servlet.http.HttpServletResponse

SC_ACCEPTED, SC_BAD_GATEWAY, SC_BAD_REQUEST, SC_CONFLICT, SC_CONTINUE, SC_CREATED, SC_EXPECTATION_FAILED, SC_FORBIDDEN, SC_FOUND, SC_GATEWAY_TIMEOUT, SC_GONE, SC_HTTP_VERSION_NOT_SUPPORTED, SC_INTERNAL_SERVER_ERROR, SC_LENGTH_REQUIRED, SC_METHOD_NOT_ALLOWED, SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_MULTIPLE_CHOICES, SC_NO_CONTENT, SC_NON_AUTHORITATIVE_INFORMATION, SC_NOT_ACCEPTABLE, SC_NOT_FOUND, SC_NOT_IMPLEMENTED, SC_NOT_MODIFIED, SC_OK, SC_PARTIAL_CONTENT, SC_PAYMENT_REQUIRED, SC_PRECONDITION_FAILED, SC_PROXY_AUTHENTICATION_REQUIRED, SC_REQUEST_ENTITY_TOO_LARGE, SC_REQUEST_TIMEOUT, SC_REQUEST_URI_TOO_LONG, SC_REQUESTED_RANGE_NOT_SATISFIABLE, SC_RESET_CONTENT, SC_SEE_OTHER, SC_SERVICE_UNAVAILABLE, SC_SWITCHING_PROTOCOLS, SC_TEMPORARY_REDIRECT, SC_UNAUTHORIZED, SC_UNSUPPORTED_MEDIA_TYPE, SC_USE_PROXY

Constructor Summary

Constructors

Constructor and Description
SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response) Construct a safe response that overrides the default response methods with safer versions.
SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response, String mode) Construct a safe response that overrides the default response methods with safer versions.

Method Summary

Modifier and Type	Method and Description
void	addCookie(javax.servlet.http.Cookie cookie) Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name and name and value.
void	addDateHeader(String name, long date) Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name.
void	addHeader(String name, String value) Add a header to the response after ensuring that there are no encoded or illegal characters in the name and name and value.
void	addIntHeader(String name, int value) Add an int header to the response after ensuring that there are no encoded or illegal characters in the name and value.
void	addReferer(String uri) Add a referer header to the response, after validating there are no illegal characters according to the Validator.isValidURI() method, as well as ensuring there are no instances of mixed or double encoding depending on how you have configured ESAPI defaults.
boolean	containsHeader(String name) Same as HttpServletResponse, no security changes required.
String	encodeRedirectUrl(String url) Deprecated. in servlet spec 2.1. Use encodeRedirectUrl(String) instead.
String	encodeRedirectURL(String url) Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected.
String	encodeUrl(String url) Deprecated. in servlet spec 2.1. Use encodeURL(String) instead.
String	encodeURL(String url) Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected.
void	flushBuffer() Same as HttpServletResponse, no security changes required.
int	getBufferSize() Same as HttpServletResponse, no security changes required.
String	getCharacterEncoding() Same as HttpServletResponse, no security changes required.
String	getContentType() Same as HttpServletResponse, no security changes required.
Locale	getLocale() Same as HttpServletResponse, no security changes required.
javax.servlet.ServletOutputStream	getOutputStream() Same as HttpServletResponse, no security changes required.
PrintWriter	getWriter() Same as HttpServletResponse, no security changes required.
boolean	isCommitted() Same as HttpServletResponse, no security changes required.
void	reset() Same as HttpServletResponse, no security changes required.
void	resetBuffer() Same as HttpServletResponse, no security changes required.
void	sendError(int sc) Override the error code with a 200 in order to confound attackers using automated scanners.
void	sendError(int sc, String msg) Override the error code with a 200 in order to confound attackers using automated scanners.
void	sendRedirect(String location) This method generates a redirect response that can only be used to redirect the browser to safe locations, as configured in the ESAPI security configuration.
void	setBufferSize(int size) Same as HttpServletResponse, no security changes required.
void	setCharacterEncoding(String charset) Sets the character encoding to the ESAPI configured encoding.
void	setContentLength(int len) Same as HttpServletResponse, no security changes required.
void	setContentType(String type) Same as HttpServletResponse, no security changes required.
void	setDateHeader(String name, long date) Add a date header to the response after ensuring that there are no encoded or illegal characters in the name.
void	setHeader(String name, String value) Add a header to the response after ensuring that there are no encoded or illegal characters in the name and value.
void	setIntHeader(String name, int value) Add an int header to the response after ensuring that there are no encoded or illegal characters in the name.
void	setLocale(Locale loc) Same as HttpServletResponse, no security changes required.
void	setStatus(int sc) Override the status code with a 200 in order to confound attackers using automated scanners.
void	setStatus(int sc, String sm) Deprecated. In Servlet spec 2.1.

Methods inherited from class javax.servlet.http.HttpServletResponseWrapper

getHeader, getHeaderNames, getHeaders, getStatus

Methods inherited from class javax.servlet.ServletResponseWrapper

getResponse, isWrapperFor, isWrapperFor, setContentLengthLong, setResponse

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface javax.servlet.http.HttpServletResponse

getHeader, getHeaderNames, getHeaders, getStatus

Methods inherited from interface javax.servlet.ServletResponse

setContentLengthLong

Constructor Detail

SecurityWrapperResponse

public SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response)

Construct a safe response that overrides the default response methods with safer versions. Default is 'log' mode.

Parameters:

response -

SecurityWrapperResponse

public SecurityWrapperResponse(javax.servlet.http.HttpServletResponse response,
                               String mode)

Construct a safe response that overrides the default response methods with safer versions.

Parameters:

response -

mode - The mode for this wrapper. Legal modes are "log", "skip", "sanitize", "throw".

Method Detail

addCookie

public void addCookie(javax.servlet.http.Cookie cookie)

Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name and name and value. This method also sets the secure and HttpOnly flags on the cookie. This implementation uses a custom "set-cookie" header instead of using Java's cookie interface which doesn't allow the use of HttpOnly.

Specified by:

addCookie in interface javax.servlet.http.HttpServletResponse

Overrides:

addCookie in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

cookie -

addDateHeader

public void addDateHeader(String name,
                          long date)

Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name.

Specified by:

addDateHeader in interface javax.servlet.http.HttpServletResponse

Overrides:

addDateHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

name -

date -

addHeader

public void addHeader(String name,
                      String value)

Add a header to the response after ensuring that there are no encoded or illegal characters in the name and name and value. This implementation follows the following recommendation: "A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream." http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2

Specified by:

addHeader in interface javax.servlet.http.HttpServletResponse

Overrides:

addHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

name -

value -

addReferer

public void addReferer(String uri)

Add a referer header to the response, after validating there are no illegal characters according to the Validator.isValidURI() method, as well as ensuring there are no instances of mixed or double encoding depending on how you have configured ESAPI defaults.

Parameters:

uri -

addIntHeader

public void addIntHeader(String name,
                         int value)

Add an int header to the response after ensuring that there are no encoded or illegal characters in the name and value. git

Specified by:

addIntHeader in interface javax.servlet.http.HttpServletResponse

Overrides:

addIntHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

name -

value -

containsHeader

public boolean containsHeader(String name)

Same as HttpServletResponse, no security changes required.

Specified by:

containsHeader in interface javax.servlet.http.HttpServletResponse

Overrides:

containsHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

name -

Returns:

True if the current response already contains a header of the supplied name.

encodeRedirectUrl

@Deprecated
public String encodeRedirectUrl(String url)

Deprecated. in servlet spec 2.1. Use encodeRedirectUrl(String) instead.

Return the URL without any changes, to prevent disclosure of the Session ID. The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.

Specified by:

encodeRedirectUrl in interface javax.servlet.http.HttpServletResponse

Overrides:

encodeRedirectUrl in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

url -

Returns:

original url

encodeRedirectURL

public String encodeRedirectURL(String url)

Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.

Specified by:

encodeRedirectURL in interface javax.servlet.http.HttpServletResponse

Overrides:

encodeRedirectURL in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

url -

Returns:

original url

encodeUrl

@Deprecated
public String encodeUrl(String url)

Deprecated. in servlet spec 2.1. Use encodeURL(String) instead.

Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.

Specified by:

encodeUrl in interface javax.servlet.http.HttpServletResponse

Overrides:

encodeUrl in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

url -

Returns:

original url

encodeURL

public String encodeURL(String url)

Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.

Specified by:

encodeURL in interface javax.servlet.http.HttpServletResponse

Overrides:

encodeURL in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

url -

Returns:

original url

flushBuffer

public void flushBuffer()
                 throws IOException

Same as HttpServletResponse, no security changes required.

Specified by:

flushBuffer in interface javax.servlet.ServletResponse

Overrides:

flushBuffer in class javax.servlet.ServletResponseWrapper

Throws:

IOException

getBufferSize

public int getBufferSize()

Same as HttpServletResponse, no security changes required.

Specified by:

getBufferSize in interface javax.servlet.ServletResponse

Overrides:

getBufferSize in class javax.servlet.ServletResponseWrapper

Returns:

The buffer size of the current HTTP response.

getCharacterEncoding

public String getCharacterEncoding()

Same as HttpServletResponse, no security changes required.

Specified by:

getCharacterEncoding in interface javax.servlet.ServletResponse

Overrides:

getCharacterEncoding in class javax.servlet.ServletResponseWrapper

Returns:

The character encoding of the current HTTP response.

getContentType

public String getContentType()

Same as HttpServletResponse, no security changes required.

Specified by:

getContentType in interface javax.servlet.ServletResponse

Overrides:

getContentType in class javax.servlet.ServletResponseWrapper

Returns:

The content type of the current HTTP response.

getLocale

public Locale getLocale()

Same as HttpServletResponse, no security changes required.

Specified by:

getLocale in interface javax.servlet.ServletResponse

Overrides:

getLocale in class javax.servlet.ServletResponseWrapper

Returns:

The Locale of the current HTTP response.

getOutputStream

public javax.servlet.ServletOutputStream getOutputStream()
                                                  throws IOException

Same as HttpServletResponse, no security changes required.

Specified by:

getOutputStream in interface javax.servlet.ServletResponse

Overrides:

getOutputStream in class javax.servlet.ServletResponseWrapper

Returns:

The ServletOutputStream of the current HTTP response.

Throws:

IOException

getWriter

public PrintWriter getWriter()
                      throws IOException

Same as HttpServletResponse, no security changes required.

Specified by:

getWriter in interface javax.servlet.ServletResponse

Overrides:

getWriter in class javax.servlet.ServletResponseWrapper

Returns:

The PrintWriter of the current HTTP response.

Throws:

IOException

isCommitted

public boolean isCommitted()

Same as HttpServletResponse, no security changes required.

Specified by:

isCommitted in interface javax.servlet.ServletResponse

Overrides:

isCommitted in class javax.servlet.ServletResponseWrapper

Returns:

The isCommitted() status of the current HTTP response.

reset

public void reset()

Same as HttpServletResponse, no security changes required.

Specified by:

reset in interface javax.servlet.ServletResponse

Overrides:

reset in class javax.servlet.ServletResponseWrapper

resetBuffer

public void resetBuffer()

Same as HttpServletResponse, no security changes required.

Specified by:

resetBuffer in interface javax.servlet.ServletResponse

Overrides:

resetBuffer in class javax.servlet.ServletResponseWrapper

sendError

public void sendError(int sc)
               throws IOException

Override the error code with a 200 in order to confound attackers using automated scanners. Overwriting is controlled by HttpUtilities.OverwriteStatusCodes in ESAPI.properties.

Specified by:

sendError in interface javax.servlet.http.HttpServletResponse

Overrides:

sendError in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

sc - -- http status code

Throws:

IOException

sendError

public void sendError(int sc,
                      String msg)
               throws IOException

Override the error code with a 200 in order to confound attackers using automated scanners. The message is canonicalized and filtered for dangerous characters. Overwriting is controlled by HttpUtilities.OverwriteStatusCodes in ESAPI.properties.

Specified by:

sendError in interface javax.servlet.http.HttpServletResponse

Overrides:

sendError in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

sc - -- http status code

msg - -- error message

Throws:

IOException

sendRedirect

public void sendRedirect(String location)
                  throws IOException

This method generates a redirect response that can only be used to redirect the browser to safe locations, as configured in the ESAPI security configuration. This method does not that redirect requests can be modified by attackers, so do not rely information contained within redirect requests, and do not include sensitive information in a redirect.

Specified by:

sendRedirect in interface javax.servlet.http.HttpServletResponse

Overrides:

sendRedirect in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

location -

Throws:

IOException

setBufferSize

public void setBufferSize(int size)

Same as HttpServletResponse, no security changes required.

Specified by:

setBufferSize in interface javax.servlet.ServletResponse

Overrides:

setBufferSize in class javax.servlet.ServletResponseWrapper

Parameters:

size -

setCharacterEncoding

public void setCharacterEncoding(String charset)

Sets the character encoding to the ESAPI configured encoding.

Specified by:

setCharacterEncoding in interface javax.servlet.ServletResponse

Overrides:

setCharacterEncoding in class javax.servlet.ServletResponseWrapper

Parameters:

charset -

setContentLength

public void setContentLength(int len)

Same as HttpServletResponse, no security changes required.

Specified by:

setContentLength in interface javax.servlet.ServletResponse

Overrides:

setContentLength in class javax.servlet.ServletResponseWrapper

Parameters:

len -

setContentType

public void setContentType(String type)

Same as HttpServletResponse, no security changes required.

Specified by:

setContentType in interface javax.servlet.ServletResponse

Overrides:

setContentType in class javax.servlet.ServletResponseWrapper

Parameters:

type -

setDateHeader

public void setDateHeader(String name,
                          long date)

Add a date header to the response after ensuring that there are no encoded or illegal characters in the name.

Specified by:

setDateHeader in interface javax.servlet.http.HttpServletResponse

Overrides:

setDateHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

name -

date -

setHeader

public void setHeader(String name,
                      String value)

Add a header to the response after ensuring that there are no encoded or illegal characters in the name and value. "A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream." http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2

Specified by:

setHeader in interface javax.servlet.http.HttpServletResponse

Overrides:

setHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

name -

value -

setIntHeader

public void setIntHeader(String name,
                         int value)

Add an int header to the response after ensuring that there are no encoded or illegal characters in the name.

Specified by:

setIntHeader in interface javax.servlet.http.HttpServletResponse

Overrides:

setIntHeader in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

name -

value -

setLocale

public void setLocale(Locale loc)

Same as HttpServletResponse, no security changes required.

Specified by:

setLocale in interface javax.servlet.ServletResponse

Overrides:

setLocale in class javax.servlet.ServletResponseWrapper

Parameters:

loc -

setStatus

public void setStatus(int sc)

Override the status code with a 200 in order to confound attackers using automated scanners.

Specified by:

setStatus in interface javax.servlet.http.HttpServletResponse

Overrides:

setStatus in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

sc -

setStatus

@Deprecated
public void setStatus(int sc,
                                  String sm)

Deprecated. In Servlet spec 2.1.

Override the status code with a 200 in order to confound attackers using automated scanners. The message is canonicalized and filtered for dangerous characters.

Specified by:

setStatus in interface javax.servlet.http.HttpServletResponse

Overrides:

setStatus in class javax.servlet.http.HttpServletResponseWrapper

Parameters:

sc -

sm -