From 3f159b85ac2cf2bb34ef8bc38b46a4fdeda83322 Mon Sep 17 00:00:00 2001
From: Jordan Padams
Date: Thu, 11 Apr 2024 07:48:37 -0700
Subject: [PATCH] Remove debug logs
---
 .../search/servlet/RegistryLegacyServlet.java | 9 ++-
 .../gov/nasa/pds/search/util/XssUtils.java | 71 +++++++++++++++++++
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 src/main/java/gov/nasa/pds/search/util/XssUtils.java
diff --git a/src/main/java/gov/nasa/pds/search/servlet/RegistryLegacyServlet.java b/src/main/java/gov/nasa/pds/search/servlet/RegistryLegacyServlet.java
index a4e8bbd..bfb03d3 100644
--- a/src/main/java/gov/nasa/pds/search/servlet/RegistryLegacyServlet.java
+++ b/src/main/java/gov/nasa/pds/search/servlet/RegistryLegacyServlet.java
@@ -138,6 +138,14 @@ public void doPost(HttpServletRequest req, HttpServletResponse res)
 "POST requests are not supported by this API");
 }
+ /**
+ * Generate query string from subset of allowable query parameters
+ *
+ *
+ * @param request
+ * @return
+ * @throws UnsupportedEncodingException
+ */
 private String getQueryString(HttpServletRequest request)
 throws UnsupportedEncodingException {
 String queryString = "";
@@ -172,7 +180,6 @@ private String appendQueryParameters(String key, String[] parameterValues)
 String queryString = "";
 for (String v : Arrays.asList(parameterValues)) {
 value = URLDecoder.decode(v, "UTF-8");
- LOG.info(v);
 queryString += String.format("%s=%s&", key, URLEncoder.encode(value, "UTF-8"));
 }
 return queryString;
diff --git a/src/main/java/gov/nasa/pds/search/util/XssUtils.java b/src/main/java/gov/nasa/pds/search/util/XssUtils.java
new file mode 100644
index 0000000..c79dae1
--- /dev/null
+++ b/src/main/java/gov/nasa/pds/search/util/XssUtils.java
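Review bot: The new Javadoc on `getQueryString` leaves `@param request`, `@return` and `@throws UnsupportedEncodingException` with no text, which the javadoc tool and Checkstyle both report as empty tags, and the two bare `*` lines after the summary add nothing. Fill the tags with what the hunk supports, for example `@param request the incoming request whose allowable parameters are copied into the query string`, `@return the rebuilt query string (initialised to `""`)`, and `@throws UnsupportedEncodingException if the parameter encoding cannot be handled`, and drop the blank lines. The body of `getQueryString` continues outside the hunk, so the exact return contract should be checked against the rest of the method.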
@@ -0,0 +1,71 @@
+package gov.nasa.pds.search.util;
+
+import java.net.URLDecoder;
+import java.util.regex.Pattern;
+
+public class XssUtils {
+
+ private XssUtils() {
+ }
+
+ // Patterns for Cross-Site Scripting filter.
+ private static Pattern[] xssPatterns = new Pattern[] {
+ // script fragments
+ Pattern.compile("", Pattern.CASE_INSENSITIVE),
+ // src='...'
+ Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
+ Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"",
+ Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
+ // lonely script tags
+ Pattern.compile("", Pattern.CASE_INSENSITIVE),
+ Pattern.compile("", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
+ // eval(...)
+ Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
+ // expression(...)
+ Pattern.compile("expression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
+ // javascript:...
+ Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE),
+ // vbscript:...
+ Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE),
+ // onload(...)=...
+ Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL),
+ // alert(...)
+ Pattern.compile("alert\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL) };
+
+ /**
+ * This method makes up a simple anti cross-site scripting (XSS) filter written
+ * for Java web applications. What it basically does is remove all suspicious
+ * strings from request parameters before returning them to the application.
+ */
+ public static String clean(String value) {
+ if (value != null) {
+ // Avoid null characters
+ value = value.replaceAll("\0", "");
+
+ // Remove all sections that match a pattern
+ for (Pattern scriptPattern : xssPatterns) {
+ value = scriptPattern.matcher(value).replaceAll("");
+ }
+
+ // After all of the above has been removed just blank out the value
+ // if any of the offending characters are present that facilitate
+ // Cross-Site Scripting and Blind SQL Injection.
+ // We normally exclude () but they often show up in queries.
+ char badChars[] = { '|', ';', '$', '@', '\'', '"', '<', '>', ',', '\\', /* CR */ '\r', /* LF */ '\n',
+ /* Backspace */ '\b' };
+ try {
+ String decodedStr = URLDecoder.decode(value);
+ for (int i = 0; i < badChars.length; i++) {
+ if (decodedStr.indexOf(badChars[i]) >= 0) {
+ value = "";
+ }
+ }
+ } catch (IllegalArgumentException e) {
+ value = "";
+ }
+ }
+ return value;
+ }
+
+}
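Review bot: In `clean()` the regex pass runs on the raw `value` while the bad-character check runs on `URLDecoder.decode(value)`, so the two stages judge different strings and a pattern that only becomes visible after percent-decoding is never seen by the regex stage; decode once, judge the decoded form in both stages, and use `URLDecoder.decode(value, StandardCharsets.UTF_8)` (import `java.nio.charset.StandardCharsets`), because the one-argument overload is deprecated and decodes with the platform charset rather than the explicit "UTF-8" that `RegistryLegacyServlet` uses. The rewrite below also makes a pattern hit blank the value the way the character check already does instead of stripping the match and continuing; if partial stripping is really required, apply the `replaceAll` to the decoded string instead. On this page the three script-tag entries read `Pattern.compile("", …)`, which matches only the empty string so `replaceAll("")` is a no-op, silently disabling that part of the filter — confirm whether the committed file has the angle-bracket markup that this rendering appears to have lost. Separately, `xssPatterns` should be `private static final` and `char badChars[]` should be `char[] badChars`, and nothing in this diff calls `XssUtils.clean`, so the intended call site is presumably in a later change.
```java
  public static String clean(String value) {
    if (value == null) {
      return null;
    }
    // Avoid null characters
    value = value.replaceAll("\0", "");

    String decoded;
    try {
      // Explicit charset: the one-argument decode() is deprecated and uses the platform default.
      decoded = URLDecoder.decode(value, StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
      return "";
    }

    // Judge the decoded form so percent-encoding cannot hide a fragment from the
    // pattern pass; a hit blanks the value, as the character check below already does.
    for (Pattern scriptPattern : xssPatterns) {
      if (scriptPattern.matcher(decoded).find()) {
        return "";
      }
    }

    // … unchanged: badChars initializer, declared as char[] badChars …
    for (char c : badChars) {
      if (decoded.indexOf(c) >= 0) {
        return "";
      }
    }
    return value;
  }
```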