Merge pull request #14656 from manfred106/BAEL-6848-jsp-set-param
BAEL-6848: Set a Parameter in a HttpServletRequest in Java
This commit is contained in:
		
						commit
						ffddf2b07f
					
				| @ -22,6 +22,11 @@ | ||||
|             <artifactId>commons-fileupload</artifactId> | ||||
|             <version>${commons-fileupload.version}</version> | ||||
|         </dependency> | ||||
|         <dependency> | ||||
|             <groupId>org.apache.commons</groupId> | ||||
|             <artifactId>commons-text</artifactId> | ||||
|             <version>${commons-text.version}</version> | ||||
|         </dependency> | ||||
|         <!-- Servlet --> | ||||
|         <dependency> | ||||
|             <groupId>javax.servlet</groupId> | ||||
| @ -76,6 +81,16 @@ | ||||
|                     </argLine> | ||||
|                 </configuration> | ||||
|             </plugin> | ||||
|             <plugin> | ||||
|                 <groupId>org.eclipse.jetty</groupId> | ||||
|                 <artifactId>jetty-maven-plugin</artifactId> | ||||
|                 <version>${jetty-maven-plugin.version}</version> | ||||
|                 <configuration> | ||||
|                     <webApp> | ||||
|                         <contextPath>/</contextPath> | ||||
|                     </webApp> | ||||
|                 </configuration> | ||||
|             </plugin> | ||||
|         </plugins> | ||||
|     </build> | ||||
| 
 | ||||
| @ -84,6 +99,8 @@ | ||||
|         <jmockit.version>1.49</jmockit.version> | ||||
|         <spring-test.version>5.3.20</spring-test.version> | ||||
|         <maven-surefire-plugin.version>2.22.2</maven-surefire-plugin.version> | ||||
|         <jetty-maven-plugin.version>10.0.4</jetty-maven-plugin.version> | ||||
|         <commons-text.version>1.10.0</commons-text.version> | ||||
|     </properties> | ||||
| 
 | ||||
| </project> | ||||
| @ -0,0 +1,21 @@ | ||||
| package com.baeldung.setparam; | ||||
| 
 | ||||
| import java.io.IOException; | ||||
| import java.util.Locale; | ||||
| 
 | ||||
| import javax.servlet.ServletException; | ||||
| import javax.servlet.annotation.WebServlet; | ||||
| import javax.servlet.http.*; | ||||
| 
 | ||||
| @WebServlet(name = "LanguageServlet", urlPatterns = "/setparam/lang") | ||||
| public class LanguageServlet extends HttpServlet { | ||||
| 
 | ||||
|     @Override | ||||
|     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { | ||||
| 
 | ||||
|         SetParameterRequestWrapper requestWrapper = new SetParameterRequestWrapper(request); | ||||
|         requestWrapper.setParameter("locale", Locale.getDefault().getLanguage()); | ||||
|         request.getRequestDispatcher("/setparam/3rd_party_module.jsp").forward(requestWrapper, response); | ||||
|     } | ||||
| 
 | ||||
| } | ||||
| @ -0,0 +1,17 @@ | ||||
| package com.baeldung.setparam; | ||||
| 
 | ||||
| import java.io.IOException; | ||||
| import javax.servlet.*; | ||||
| import javax.servlet.annotation.WebFilter; | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| 
 | ||||
| @WebFilter(urlPatterns = { "/setparam/with-sanitize.jsp" }) | ||||
| public class SanitizeParametersFilter implements Filter { | ||||
| 
 | ||||
|     @Override | ||||
|     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { | ||||
|         HttpServletRequest httpReq = (HttpServletRequest) request; | ||||
|         chain.doFilter(new SanitizeParametersRequestWrapper(httpReq), response); | ||||
|     } | ||||
| 
 | ||||
| } | ||||
| @ -0,0 +1,46 @@ | ||||
| package com.baeldung.setparam; | ||||
| 
 | ||||
| import java.util.*; | ||||
| import java.util.stream.Collectors; | ||||
| 
 | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import javax.servlet.http.HttpServletRequestWrapper; | ||||
| 
 | ||||
| import org.apache.commons.text.StringEscapeUtils; | ||||
| 
 | ||||
| public class SanitizeParametersRequestWrapper extends HttpServletRequestWrapper { | ||||
| 
 | ||||
|     private final Map<String, String[]> sanitizedMap; | ||||
| 
 | ||||
|     public SanitizeParametersRequestWrapper(HttpServletRequest request) { | ||||
|         super(request); | ||||
|         sanitizedMap = Collections.unmodifiableMap( | ||||
|             request.getParameterMap().entrySet().stream() | ||||
|                 .collect(Collectors.toMap( | ||||
|                     Map.Entry::getKey, | ||||
|                     entry -> Arrays.stream(entry.getValue()) | ||||
|                         .map(StringEscapeUtils::escapeHtml4) | ||||
|                         .toArray(String[]::new) | ||||
|                 ))); | ||||
|     } | ||||
| 
 | ||||
|     @Override | ||||
|     public Map<String, String[]> getParameterMap() { | ||||
|         return sanitizedMap; | ||||
|     } | ||||
| 
 | ||||
|     @Override | ||||
|     public String[] getParameterValues(String name) { | ||||
|         return Optional.ofNullable(getParameterMap().get(name)) | ||||
|             .map(values -> Arrays.copyOf(values, values.length)) | ||||
|             .orElse(null); | ||||
|     } | ||||
| 
 | ||||
|     @Override | ||||
|     public String getParameter(String name) { | ||||
|         return Optional.ofNullable(getParameterValues(name)) | ||||
|             .map(values -> values[0]) | ||||
|             .orElse(null); | ||||
|     } | ||||
| 
 | ||||
| } | ||||
| @ -0,0 +1,40 @@ | ||||
| package com.baeldung.setparam; | ||||
| 
 | ||||
| import java.util.*; | ||||
| 
 | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| import javax.servlet.http.HttpServletRequestWrapper; | ||||
| 
 | ||||
| public class SetParameterRequestWrapper extends HttpServletRequestWrapper { | ||||
| 
 | ||||
|     private final Map<String, String[]> paramMap; | ||||
| 
 | ||||
|     public SetParameterRequestWrapper(HttpServletRequest request) { | ||||
|         super(request); | ||||
|         paramMap = new HashMap<>(request.getParameterMap()); | ||||
|     } | ||||
| 
 | ||||
|     @Override | ||||
|     public Map<String, String[]> getParameterMap() { | ||||
|         return Collections.unmodifiableMap(paramMap); | ||||
|     } | ||||
| 
 | ||||
|     @Override | ||||
|     public String[] getParameterValues(String name) { | ||||
|         return Optional.ofNullable(getParameterMap().get(name)) | ||||
|             .map(values -> Arrays.copyOf(values, values.length)) | ||||
|             .orElse(null); | ||||
|     } | ||||
| 
 | ||||
|     @Override | ||||
|     public String getParameter(String name) { | ||||
|         return Optional.ofNullable(getParameterValues(name)) | ||||
|             .map(values -> values[0]) | ||||
|             .orElse(null); | ||||
|     } | ||||
| 
 | ||||
|     public void setParameter(String name, String value) { | ||||
|         paramMap.put(name, new String[] {value}); | ||||
|     } | ||||
| 
 | ||||
| } | ||||
| @ -0,0 +1,13 @@ | ||||
| <%@ page import="java.util.*"%> | ||||
| <html> | ||||
| <head> | ||||
|     <title>3rd party Module</title> | ||||
| </head> | ||||
| <body> | ||||
|     <% | ||||
|         String localeStr = request.getParameter("locale"); | ||||
|         Locale currentLocale = (localeStr != null ? new Locale(localeStr) : null); | ||||
|     %> | ||||
|     The language you have selected: <%=currentLocale != null ? currentLocale.getDisplayLanguage(currentLocale) : " None"%> | ||||
| </body> | ||||
| </html> | ||||
| @ -0,0 +1,10 @@ | ||||
| <html> | ||||
| <head> | ||||
|     <title>Sanitized request parameter</title> | ||||
| </head> | ||||
| <body> | ||||
|     The text below comes from request parameter "input": | ||||
|     <br/> | ||||
|     <%=request.getParameter("input")%> | ||||
| </body> | ||||
| </html> | ||||
| @ -0,0 +1,10 @@ | ||||
| <html> | ||||
| <head> | ||||
|     <title>Non sanitized request parameter</title> | ||||
| </head> | ||||
| <body> | ||||
|     The text below comes from request parameter "input": | ||||
|     <br/> | ||||
|     <%=request.getParameter("input")%> | ||||
| </body> | ||||
| </html> | ||||
| @ -0,0 +1,34 @@ | ||||
| package com.baeldung.setparam; | ||||
| 
 | ||||
| import static org.junit.Assert.assertTrue; | ||||
| 
 | ||||
| import java.util.Locale; | ||||
| 
 | ||||
| import org.apache.http.HttpEntity; | ||||
| import org.apache.http.HttpResponse; | ||||
| import org.apache.http.client.HttpClient; | ||||
| import org.apache.http.client.methods.HttpGet; | ||||
| import org.apache.http.impl.client.HttpClientBuilder; | ||||
| import org.apache.http.util.EntityUtils; | ||||
| import org.junit.Test; | ||||
| 
 | ||||
| public class LanguageServletIntegrationTest { | ||||
| 
 | ||||
|     @Test | ||||
|     public void whenGetRequestUsingHttpClient_thenResponseBodyContainsDefaultLanguage() throws Exception { | ||||
| 
 | ||||
|         // When | ||||
|         HttpClient client = HttpClientBuilder.create().build(); | ||||
|         HttpGet method = new HttpGet("http://localhost:8080/setparam/lang"); | ||||
|         HttpResponse httpResponse = client.execute(method); | ||||
| 
 | ||||
|         // Then | ||||
|         Locale defaultLocale = Locale.getDefault(); | ||||
|         String expectedLanguage = defaultLocale.getDisplayLanguage(defaultLocale); | ||||
| 
 | ||||
|         HttpEntity entity = httpResponse.getEntity(); | ||||
|         String responseBody = EntityUtils.toString(entity, "UTF-8"); | ||||
|         assertTrue(responseBody.contains("The language you have selected: " + expectedLanguage)); | ||||
|     } | ||||
| 
 | ||||
| } | ||||
| @ -0,0 +1,40 @@ | ||||
| package com.baeldung.setparam; | ||||
| 
 | ||||
| import static org.junit.Assert.assertTrue; | ||||
| 
 | ||||
| import java.io.UnsupportedEncodingException; | ||||
| import java.net.URLEncoder; | ||||
| 
 | ||||
| import org.apache.http.HttpEntity; | ||||
| import org.apache.http.HttpResponse; | ||||
| import org.apache.http.client.HttpClient; | ||||
| import org.apache.http.client.methods.HttpGet; | ||||
| import org.apache.http.impl.client.HttpClientBuilder; | ||||
| import org.apache.http.util.EntityUtils; | ||||
| import org.junit.BeforeClass; | ||||
| import org.junit.Test; | ||||
| 
 | ||||
| public class SanitizeParametersRequestIntegrationTest { | ||||
| 
 | ||||
|     private static String PARAM_INPUT; | ||||
| 
 | ||||
|     @BeforeClass | ||||
|     public static void init() throws UnsupportedEncodingException { | ||||
|         PARAM_INPUT = URLEncoder.encode("<script>alert('Hello');</script>", "UTF-8"); | ||||
|     } | ||||
| 
 | ||||
|     @Test | ||||
|     public void whenInputParameterContainsXss_thenResponseBodyContainsSanitizedValue() throws Exception { | ||||
| 
 | ||||
|         // When | ||||
|         HttpClient client = HttpClientBuilder.create().build(); | ||||
|         HttpGet method = new HttpGet(String.format("http://localhost:8080/setparam/with-sanitize.jsp?input=%s", PARAM_INPUT)); | ||||
|         HttpResponse httpResponse = client.execute(method); | ||||
| 
 | ||||
|         // Then | ||||
|         HttpEntity entity = httpResponse.getEntity(); | ||||
|         String responseBody = EntityUtils.toString(entity, "UTF-8"); | ||||
|         assertTrue(responseBody.contains("<script>alert('Hello');</script>")); | ||||
|     } | ||||
| 
 | ||||
| } | ||||
| @ -0,0 +1,60 @@ | ||||
| package com.baeldung.setparam; | ||||
| 
 | ||||
| import static org.junit.Assert.assertEquals; | ||||
| import static org.junit.jupiter.api.Assertions.assertNotEquals; | ||||
| import static org.mockito.Mockito.when; | ||||
| 
 | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
| 
 | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| 
 | ||||
| import org.junit.Before; | ||||
| import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.mockito.Mock; | ||||
| import org.mockito.junit.MockitoJUnitRunner; | ||||
| 
 | ||||
| @RunWith(MockitoJUnitRunner.class) | ||||
| public class SanitizeParametersRequestWrapperUnitTest { | ||||
| 
 | ||||
|     private String NEW_VALUE = "NEW VALUE"; | ||||
| 
 | ||||
|     private Map<String, String[]> parameterMap; | ||||
| 
 | ||||
|     @Mock | ||||
|     private HttpServletRequest request; | ||||
| 
 | ||||
|     @Before | ||||
|     public void initBeforeEachTest() { | ||||
|         parameterMap = new HashMap<>(); | ||||
|         parameterMap.put("input", new String[] {"<script>alert('Hello');</script>"}); | ||||
|         when(request.getParameterMap()).thenReturn(parameterMap); | ||||
|     } | ||||
| 
 | ||||
|     @Test | ||||
|     public void whenGetParameterViaWrapper_thenParameterReturnedIsSanitized() { | ||||
|         SanitizeParametersRequestWrapper wrapper = new SanitizeParametersRequestWrapper(request); | ||||
|         String actualValue = wrapper.getParameter("input"); | ||||
| 
 | ||||
|         assertEquals(actualValue, "<script>alert('Hello');</script>"); | ||||
|     } | ||||
| 
 | ||||
|     @Test(expected = UnsupportedOperationException.class) | ||||
|     public void whenPutValueToWrapperParameterMap_thenThrowsUnsupportedOperationException() { | ||||
|         SanitizeParametersRequestWrapper wrapper = new SanitizeParametersRequestWrapper(request); | ||||
|         Map<String, String[]> wrapperParamMap = wrapper.getParameterMap(); | ||||
|         wrapperParamMap.put("input", new String[] {NEW_VALUE}); | ||||
|     } | ||||
| 
 | ||||
|     @Test | ||||
|     public void whenSetValueToWrapperParametersStringArray_thenThe2ndCallShouldNotEqualToNewValue() { | ||||
|         SanitizeParametersRequestWrapper wrapper = new SanitizeParametersRequestWrapper(request); | ||||
|         String[] firstCallValues = wrapper.getParameterValues("input"); | ||||
| 
 | ||||
|         firstCallValues[0] = NEW_VALUE; | ||||
|         String[] secondCallValues = wrapper.getParameterValues("input"); | ||||
|         assertNotEquals(firstCallValues, secondCallValues); | ||||
|     } | ||||
| 
 | ||||
| } | ||||
| @ -0,0 +1,61 @@ | ||||
| package com.baeldung.setparam; | ||||
| 
 | ||||
| import static org.junit.Assert.assertEquals; | ||||
| import static org.junit.jupiter.api.Assertions.assertNotEquals; | ||||
| import static org.mockito.Mockito.when; | ||||
| 
 | ||||
| import java.util.HashMap; | ||||
| import java.util.Map; | ||||
| 
 | ||||
| import javax.servlet.http.HttpServletRequest; | ||||
| 
 | ||||
| import org.junit.Before; | ||||
| import org.junit.Test; | ||||
| import org.junit.runner.RunWith; | ||||
| import org.mockito.Mock; | ||||
| import org.mockito.junit.MockitoJUnitRunner; | ||||
| 
 | ||||
| @RunWith(MockitoJUnitRunner.class) | ||||
| public class SetParameterRequestWrapperUnitTest { | ||||
| 
 | ||||
|     private String NEW_VALUE = "NEW VALUE"; | ||||
| 
 | ||||
|     private Map<String, String[]> parameterMap; | ||||
| 
 | ||||
|     @Mock | ||||
|     private HttpServletRequest request; | ||||
| 
 | ||||
|     @Before | ||||
|     public void initBeforeEachTest() { | ||||
|         parameterMap = new HashMap<>(); | ||||
|         parameterMap.put("input", new String[] {"inputValue"}); | ||||
|         when(request.getParameterMap()).thenReturn(parameterMap); | ||||
|     } | ||||
| 
 | ||||
|     @Test | ||||
|     public void whenSetParameterViaWrapper_thenGetParameterShouldReturnTheSameValue() { | ||||
|         SetParameterRequestWrapper wrapper = new SetParameterRequestWrapper(request); | ||||
|         wrapper.setParameter("newInput", "newInputValue"); | ||||
|         String actualValue = wrapper.getParameter("newInput"); | ||||
| 
 | ||||
|         assertEquals(actualValue, "newInputValue"); | ||||
|     } | ||||
| 
 | ||||
|     @Test(expected = UnsupportedOperationException.class) | ||||
|     public void whenPutValueToWrapperParameterMap_thenThrowsUnsupportedOperationException() { | ||||
|         SetParameterRequestWrapper wrapper = new SetParameterRequestWrapper(request); | ||||
|         Map<String, String[]> wrapperParamMap = wrapper.getParameterMap(); | ||||
|         wrapperParamMap.put("input", new String[] {NEW_VALUE}); | ||||
|     } | ||||
| 
 | ||||
|     @Test | ||||
|     public void whenSetValueToWrapperParametersStringArray_thenThe2ndCallShouldNotEqualToNewValue() { | ||||
|         SetParameterRequestWrapper wrapper = new SetParameterRequestWrapper(request); | ||||
|         String[] firstCallValues = wrapper.getParameterValues("input"); | ||||
| 
 | ||||
|         firstCallValues[0] = NEW_VALUE; | ||||
|         String[] secondCallValues = wrapper.getParameterValues("input"); | ||||
|         assertNotEquals(firstCallValues, secondCallValues); | ||||
|     } | ||||
| 
 | ||||
| } | ||||
| @ -0,0 +1,42 @@ | ||||
| package com.baeldung.setparam; | ||||
| 
 | ||||
| import static org.junit.Assert.assertTrue; | ||||
| 
 | ||||
| import java.io.UnsupportedEncodingException; | ||||
| import java.net.URLEncoder; | ||||
| 
 | ||||
| import org.apache.http.HttpEntity; | ||||
| import org.apache.http.HttpResponse; | ||||
| import org.apache.http.client.HttpClient; | ||||
| import org.apache.http.client.methods.HttpGet; | ||||
| import org.apache.http.impl.client.HttpClientBuilder; | ||||
| import org.apache.http.util.EntityUtils; | ||||
| import org.junit.BeforeClass; | ||||
| import org.junit.Test; | ||||
| 
 | ||||
| public class UnsanitizedParametersRequestIntegrationTest { | ||||
| 
 | ||||
|     private static final String TAG_SCRIPT = "<script>alert('Hello');</script>"; | ||||
| 
 | ||||
|     private static String PARAM_INPUT; | ||||
| 
 | ||||
|     @BeforeClass | ||||
|     public static void init() throws UnsupportedEncodingException { | ||||
|         PARAM_INPUT = URLEncoder.encode(TAG_SCRIPT, "UTF-8"); | ||||
|     } | ||||
| 
 | ||||
|     @Test | ||||
|     public void whenInputParameterContainsXss_thenResponseBodyContainsUnsanitizedValue() throws Exception { | ||||
| 
 | ||||
|         // When | ||||
|         HttpClient client = HttpClientBuilder.create().build(); | ||||
|         HttpGet method = new HttpGet(String.format("http://localhost:8080/setparam/without-sanitize.jsp?input=%s", PARAM_INPUT)); | ||||
|         HttpResponse httpResponse = client.execute(method); | ||||
| 
 | ||||
|         // Then | ||||
|         HttpEntity entity = httpResponse.getEntity(); | ||||
|         String responseBody = EntityUtils.toString(entity, "UTF-8"); | ||||
|         assertTrue(responseBody.contains(TAG_SCRIPT)); | ||||
|     } | ||||
| 
 | ||||
| } | ||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user