Package org.owasp.esapi.filters

Class SecurityWrapperResponse

  • All Implemented Interfaces:
    javax.servlet.http.HttpServletResponse, javax.servlet.ServletResponse
    public class SecurityWrapperResponse
extends javax.servlet.http.HttpServletResponseWrapper
implements javax.servlet.http.HttpServletResponse
    This response wrapper simply overrides unsafe methods in the HttpServletResponse API with safe versions.

    • Field Summary

      • Fields inherited from interface javax.servlet.http.HttpServletResponse

        SC_ACCEPTED, SC_BAD_GATEWAY, SC_BAD_REQUEST, SC_CONFLICT, SC_CONTINUE, SC_CREATED, SC_EXPECTATION_FAILED, SC_FORBIDDEN, SC_FOUND, SC_GATEWAY_TIMEOUT, SC_GONE, SC_HTTP_VERSION_NOT_SUPPORTED, SC_INTERNAL_SERVER_ERROR, SC_LENGTH_REQUIRED, SC_METHOD_NOT_ALLOWED, SC_MOVED_PERMANENTLY, SC_MOVED_TEMPORARILY, SC_MULTIPLE_CHOICES, SC_NO_CONTENT, SC_NON_AUTHORITATIVE_INFORMATION, SC_NOT_ACCEPTABLE, SC_NOT_FOUND, SC_NOT_IMPLEMENTED, SC_NOT_MODIFIED, SC_OK, SC_PARTIAL_CONTENT, SC_PAYMENT_REQUIRED, SC_PRECONDITION_FAILED, SC_PROXY_AUTHENTICATION_REQUIRED, SC_REQUEST_ENTITY_TOO_LARGE, SC_REQUEST_TIMEOUT, SC_REQUEST_URI_TOO_LONG, SC_REQUESTED_RANGE_NOT_SATISFIABLE, SC_RESET_CONTENT, SC_SEE_OTHER, SC_SERVICE_UNAVAILABLE, SC_SWITCHING_PROTOCOLS, SC_TEMPORARY_REDIRECT, SC_UNAUTHORIZED, SC_UNSUPPORTED_MEDIA_TYPE, SC_USE_PROXY

    • Constructor Summary

      Constructors 
      Constructor Description
      SecurityWrapperResponse​(javax.servlet.http.HttpServletResponse response)
      Construct a safe response that overrides the default response methods with safer versions.
      SecurityWrapperResponse​(javax.servlet.http.HttpServletResponse response, java.lang.String mode)
      Construct a safe response that overrides the default response methods with safer versions.

    • Method Summary

      All Methods Instance Methods Concrete Methods Deprecated Methods 
      Modifier and Type Method Description
      void addCookie​(javax.servlet.http.Cookie cookie)
      Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name and name and value.
      void addDateHeader​(java.lang.String name, long date)
      Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name.
      void addHeader​(java.lang.String name, java.lang.String value)
      Add a header to the response after ensuring that there are no encoded or illegal characters in the name and name and value.
      void addIntHeader​(java.lang.String name, int value)
      Add an int header to the response after ensuring that there are no encoded or illegal characters in the name and value.
      void addReferer​(java.lang.String uri)
      Add a referer header to the response, after validating there are no illegal characters according to the Validator.isValidURI() method, as well as ensuring there are no instances of mixed or double encoding depending on how you have configured ESAPI defaults.
      boolean containsHeader​(java.lang.String name)
      Same as HttpServletResponse, no security changes required.
      java.lang.String encodeRedirectUrl​(java.lang.String url)
      Deprecated.
      in servlet spec 2.1.
      java.lang.String encodeRedirectURL​(java.lang.String url)
      Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected.
      java.lang.String encodeUrl​(java.lang.String url)
      Deprecated.
      in servlet spec 2.1.
      java.lang.String encodeURL​(java.lang.String url)
      Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected.
      void flushBuffer()
      Same as HttpServletResponse, no security changes required.
      int getBufferSize()
      Same as HttpServletResponse, no security changes required.
      java.lang.String getCharacterEncoding()
      Same as HttpServletResponse, no security changes required.
      java.lang.String getContentType()
      Same as HttpServletResponse, no security changes required.
      java.util.Locale getLocale()
      Same as HttpServletResponse, no security changes required.
      javax.servlet.ServletOutputStream getOutputStream()
      Same as HttpServletResponse, no security changes required.
      java.io.PrintWriter getWriter()
      Same as HttpServletResponse, no security changes required.
      boolean isCommitted()
      Same as HttpServletResponse, no security changes required.
      void reset()
      Same as HttpServletResponse, no security changes required.
      void resetBuffer()
      Same as HttpServletResponse, no security changes required.
      void sendError​(int sc)
      Override the error code with a 200 in order to confound attackers using automated scanners.
      void sendError​(int sc, java.lang.String msg)
      Override the error code with a 200 in order to confound attackers using automated scanners.
      void sendRedirect​(java.lang.String location)
      This method generates a redirect response that can only be used to redirect the browser to safe locations, as configured in the ESAPI security configuration.
      void setBufferSize​(int size)
      Same as HttpServletResponse, no security changes required.
      void setCharacterEncoding​(java.lang.String charset)
      Sets the character encoding to the ESAPI configured encoding.
      void setContentLength​(int len)
      Same as HttpServletResponse, no security changes required.
      void setContentType​(java.lang.String type)
      Same as HttpServletResponse, no security changes required.
      void setDateHeader​(java.lang.String name, long date)
      Add a date header to the response after ensuring that there are no encoded or illegal characters in the name.
      void setHeader​(java.lang.String name, java.lang.String value)
      Add a header to the response after ensuring that there are no encoded or illegal characters in the name and value.
      void setIntHeader​(java.lang.String name, int value)
      Add an int header to the response after ensuring that there are no encoded or illegal characters in the name.
      void setLocale​(java.util.Locale loc)
      Same as HttpServletResponse, no security changes required.
      void setStatus​(int sc)
      Override the status code with a 200 in order to confound attackers using automated scanners.
      void setStatus​(int sc, java.lang.String sm)
      Deprecated.
      In Servlet spec 2.1.

      • Methods inherited from class javax.servlet.http.HttpServletResponseWrapper

        getHeader, getHeaderNames, getHeaders, getStatus, getTrailerFields, setTrailerFields

      • Methods inherited from class javax.servlet.ServletResponseWrapper

        getResponse, isWrapperFor, isWrapperFor, setContentLengthLong, setResponse

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

      • Methods inherited from interface javax.servlet.http.HttpServletResponse

        getHeader, getHeaderNames, getHeaders, getStatus, getTrailerFields, setTrailerFields

      • Methods inherited from interface javax.servlet.ServletResponse

        setContentLengthLong

    • Constructor Detail

      • SecurityWrapperResponse

        public SecurityWrapperResponse​(javax.servlet.http.HttpServletResponse response)
        Construct a safe response that overrides the default response methods with safer versions. Default is 'log' mode.
        Parameters:
        response -

      • SecurityWrapperResponse

        public SecurityWrapperResponse​(javax.servlet.http.HttpServletResponse response,
                               java.lang.String mode)
        Construct a safe response that overrides the default response methods with safer versions.
        Parameters:
        response -
        mode - The mode for this wrapper. Legal modes are "log", "skip", "sanitize", "throw".

    • Method Detail

      • addCookie

        public void addCookie​(javax.servlet.http.Cookie cookie)
        Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name and name and value. This method also sets the secure and HttpOnly flags on the cookie. This implementation uses a custom "set-cookie" header instead of using Java's cookie interface which doesn't allow the use of HttpOnly.
        Specified by:
        addCookie in interface javax.servlet.http.HttpServletResponse
        Overrides:
        addCookie in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        cookie -

      • addDateHeader

        public void addDateHeader​(java.lang.String name,
                          long date)
        Add a cookie to the response after ensuring that there are no encoded or illegal characters in the name.
        Specified by:
        addDateHeader in interface javax.servlet.http.HttpServletResponse
        Overrides:
        addDateHeader in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        name -
        date -

      • addHeader

        public void addHeader​(java.lang.String name,
                      java.lang.String value)
        Add a header to the response after ensuring that there are no encoded or illegal characters in the name and name and value. This implementation follows the following recommendation: "A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream." http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
        Specified by:
        addHeader in interface javax.servlet.http.HttpServletResponse
        Overrides:
        addHeader in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        name -
        value -

      • addReferer

        public void addReferer​(java.lang.String uri)
        Add a referer header to the response, after validating there are no illegal characters according to the Validator.isValidURI() method, as well as ensuring there are no instances of mixed or double encoding depending on how you have configured ESAPI defaults.
        Parameters:
        uri -

      • addIntHeader

        public void addIntHeader​(java.lang.String name,
                         int value)
        Add an int header to the response after ensuring that there are no encoded or illegal characters in the name and value. git
        Specified by:
        addIntHeader in interface javax.servlet.http.HttpServletResponse
        Overrides:
        addIntHeader in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        name -
        value -

      • containsHeader

        public boolean containsHeader​(java.lang.String name)
        Same as HttpServletResponse, no security changes required.
        Specified by:
        containsHeader in interface javax.servlet.http.HttpServletResponse
        Overrides:
        containsHeader in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        name -
        Returns:
        True if the current response already contains a header of the supplied name.

      • encodeRedirectUrl

        @Deprecated
public java.lang.String encodeRedirectUrl​(java.lang.String url)
        Deprecated.
        in servlet spec 2.1. Use encodeRedirectUrl(String) instead.
        Return the URL without any changes, to prevent disclosure of the Session ID. The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.
        Specified by:
        encodeRedirectUrl in interface javax.servlet.http.HttpServletResponse
        Overrides:
        encodeRedirectUrl in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        url -
        Returns:
        original url

      • encodeRedirectURL

        public java.lang.String encodeRedirectURL​(java.lang.String url)
        Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.
        Specified by:
        encodeRedirectURL in interface javax.servlet.http.HttpServletResponse
        Overrides:
        encodeRedirectURL in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        url -
        Returns:
        original url

      • encodeUrl

        @Deprecated
public java.lang.String encodeUrl​(java.lang.String url)
        Deprecated.
        in servlet spec 2.1. Use encodeURL(String) instead.
        Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.
        Specified by:
        encodeUrl in interface javax.servlet.http.HttpServletResponse
        Overrides:
        encodeUrl in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        url -
        Returns:
        original url

      • encodeURL

        public java.lang.String encodeURL​(java.lang.String url)
        Return the URL without any changes, to prevent disclosure of the Session ID The default implementation of this method can add the Session ID to the URL if support for cookies is not detected. This exposes the Session ID credential in bookmarks, referer headers, server logs, and more.
        Specified by:
        encodeURL in interface javax.servlet.http.HttpServletResponse
        Overrides:
        encodeURL in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        url -
        Returns:
        original url

      • flushBuffer

        public void flushBuffer()
                 throws java.io.IOException
        Same as HttpServletResponse, no security changes required.
        Specified by:
        flushBuffer in interface javax.servlet.ServletResponse
        Overrides:
        flushBuffer in class javax.servlet.ServletResponseWrapper
        Throws:
        java.io.IOException

      • getBufferSize

        public int getBufferSize()
        Same as HttpServletResponse, no security changes required.
        Specified by:
        getBufferSize in interface javax.servlet.ServletResponse
        Overrides:
        getBufferSize in class javax.servlet.ServletResponseWrapper
        Returns:
        The buffer size of the current HTTP response.

      • getCharacterEncoding

        public java.lang.String getCharacterEncoding()
        Same as HttpServletResponse, no security changes required.
        Specified by:
        getCharacterEncoding in interface javax.servlet.ServletResponse
        Overrides:
        getCharacterEncoding in class javax.servlet.ServletResponseWrapper
        Returns:
        The character encoding of the current HTTP response.

      • getContentType

        public java.lang.String getContentType()
        Same as HttpServletResponse, no security changes required.
        Specified by:
        getContentType in interface javax.servlet.ServletResponse
        Overrides:
        getContentType in class javax.servlet.ServletResponseWrapper
        Returns:
        The content type of the current HTTP response.

      • getLocale

        public java.util.Locale getLocale()
        Same as HttpServletResponse, no security changes required.
        Specified by:
        getLocale in interface javax.servlet.ServletResponse
        Overrides:
        getLocale in class javax.servlet.ServletResponseWrapper
        Returns:
        The Locale of the current HTTP response.

      • getOutputStream

        public javax.servlet.ServletOutputStream getOutputStream()
                                                  throws java.io.IOException
        Same as HttpServletResponse, no security changes required.
        Specified by:
        getOutputStream in interface javax.servlet.ServletResponse
        Overrides:
        getOutputStream in class javax.servlet.ServletResponseWrapper
        Returns:
        The ServletOutputStream of the current HTTP response.
        Throws:
        java.io.IOException

      • getWriter

        public java.io.PrintWriter getWriter()
                              throws java.io.IOException
        Same as HttpServletResponse, no security changes required.
        Specified by:
        getWriter in interface javax.servlet.ServletResponse
        Overrides:
        getWriter in class javax.servlet.ServletResponseWrapper
        Returns:
        The PrintWriter of the current HTTP response.
        Throws:
        java.io.IOException

      • isCommitted

        public boolean isCommitted()
        Same as HttpServletResponse, no security changes required.
        Specified by:
        isCommitted in interface javax.servlet.ServletResponse
        Overrides:
        isCommitted in class javax.servlet.ServletResponseWrapper
        Returns:
        The isCommitted() status of the current HTTP response.

      • reset

        public void reset()
        Same as HttpServletResponse, no security changes required.
        Specified by:
        reset in interface javax.servlet.ServletResponse
        Overrides:
        reset in class javax.servlet.ServletResponseWrapper

      • resetBuffer

        public void resetBuffer()
        Same as HttpServletResponse, no security changes required.
        Specified by:
        resetBuffer in interface javax.servlet.ServletResponse
        Overrides:
        resetBuffer in class javax.servlet.ServletResponseWrapper

      • sendError

        public void sendError​(int sc)
               throws java.io.IOException
        Override the error code with a 200 in order to confound attackers using automated scanners. Overwriting is controlled by HttpUtilities.OverwriteStatusCodes in ESAPI.properties.
        Specified by:
        sendError in interface javax.servlet.http.HttpServletResponse
        Overrides:
        sendError in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        sc - -- http status code
        Throws:
        java.io.IOException

      • sendError

        public void sendError​(int sc,
                      java.lang.String msg)
               throws java.io.IOException
        Override the error code with a 200 in order to confound attackers using automated scanners. The message is canonicalized and filtered for dangerous characters. Overwriting is controlled by HttpUtilities.OverwriteStatusCodes in ESAPI.properties.
        Specified by:
        sendError in interface javax.servlet.http.HttpServletResponse
        Overrides:
        sendError in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        sc - -- http status code
        msg - -- error message
        Throws:
        java.io.IOException

      • sendRedirect

        public void sendRedirect​(java.lang.String location)
                  throws java.io.IOException
        This method generates a redirect response that can only be used to redirect the browser to safe locations, as configured in the ESAPI security configuration. This method does not that redirect requests can be modified by attackers, so do not rely information contained within redirect requests, and do not include sensitive information in a redirect.
        Specified by:
        sendRedirect in interface javax.servlet.http.HttpServletResponse
        Overrides:
        sendRedirect in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        location -
        Throws:
        java.io.IOException

      • setBufferSize

        public void setBufferSize​(int size)
        Same as HttpServletResponse, no security changes required.
        Specified by:
        setBufferSize in interface javax.servlet.ServletResponse
        Overrides:
        setBufferSize in class javax.servlet.ServletResponseWrapper
        Parameters:
        size -

      • setCharacterEncoding

        public void setCharacterEncoding​(java.lang.String charset)
        Sets the character encoding to the ESAPI configured encoding.
        Specified by:
        setCharacterEncoding in interface javax.servlet.ServletResponse
        Overrides:
        setCharacterEncoding in class javax.servlet.ServletResponseWrapper
        Parameters:
        charset -

      • setContentLength

        public void setContentLength​(int len)
        Same as HttpServletResponse, no security changes required.
        Specified by:
        setContentLength in interface javax.servlet.ServletResponse
        Overrides:
        setContentLength in class javax.servlet.ServletResponseWrapper
        Parameters:
        len -

      • setContentType

        public void setContentType​(java.lang.String type)
        Same as HttpServletResponse, no security changes required.
        Specified by:
        setContentType in interface javax.servlet.ServletResponse
        Overrides:
        setContentType in class javax.servlet.ServletResponseWrapper
        Parameters:
        type -

      • setDateHeader

        public void setDateHeader​(java.lang.String name,
                          long date)
        Add a date header to the response after ensuring that there are no encoded or illegal characters in the name.
        Specified by:
        setDateHeader in interface javax.servlet.http.HttpServletResponse
        Overrides:
        setDateHeader in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        name -
        date -

      • setHeader

        public void setHeader​(java.lang.String name,
                      java.lang.String value)
        Add a header to the response after ensuring that there are no encoded or illegal characters in the name and value. "A recipient MAY replace any linear white space with a single SP before interpreting the field value or forwarding the message downstream." http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html#sec2.2
        Specified by:
        setHeader in interface javax.servlet.http.HttpServletResponse
        Overrides:
        setHeader in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        name -
        value -

      • setIntHeader

        public void setIntHeader​(java.lang.String name,
                         int value)
        Add an int header to the response after ensuring that there are no encoded or illegal characters in the name.
        Specified by:
        setIntHeader in interface javax.servlet.http.HttpServletResponse
        Overrides:
        setIntHeader in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        name -
        value -

      • setLocale

        public void setLocale​(java.util.Locale loc)
        Same as HttpServletResponse, no security changes required.
        Specified by:
        setLocale in interface javax.servlet.ServletResponse
        Overrides:
        setLocale in class javax.servlet.ServletResponseWrapper
        Parameters:
        loc -

      • setStatus

        public void setStatus​(int sc)
        Override the status code with a 200 in order to confound attackers using automated scanners.
        Specified by:
        setStatus in interface javax.servlet.http.HttpServletResponse
        Overrides:
        setStatus in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        sc -

      • setStatus

        @Deprecated
public void setStatus​(int sc,
                      java.lang.String sm)
        Deprecated.
        In Servlet spec 2.1.
        Override the status code with a 200 in order to confound attackers using automated scanners. The message is canonicalized and filtered for dangerous characters.
        Specified by:
        setStatus in interface javax.servlet.http.HttpServletResponse
        Overrides:
        setStatus in class javax.servlet.http.HttpServletResponseWrapper
        Parameters:
        sc -
        sm -