Cleanse query string prior to passing to Solr

Also cleansed prior to logging in Tomcat logs Resolves #30
NASA-PDS · Jun 10, 2024 · e813459 · e813459
1 parent 363cd9a
commit e813459
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/src/main/java/gov/nasa/pds/search/servlet/RegistryLegacyServlet.java b/src/main/java/gov/nasa/pds/search/servlet/RegistryLegacyServlet.java
@@ -3,7 +3,6 @@
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
-import java.net.URLDecoder;
 import java.net.URLEncoder;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
@@ -20,6 +19,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.apache.http.HttpHeaders;
+import gov.nasa.pds.search.util.XssUtils;
 
 public class RegistryLegacyServlet extends HttpServlet {
 
@@ -179,8 +179,9 @@ private String appendQueryParameters(String key, String[] parameterValues)
     String value = "";
     String queryString = "";
     for (String v : Arrays.asList(parameterValues)) {
-      value = URLDecoder.decode(v, "UTF-8");
-      queryString += String.format("%s=%s&", key, URLEncoder.encode(value, "UTF-8"));
+      value = XssUtils.clean(v);
+      queryString +=
+          String.format("%s=%s&", key, URLEncoder.encode(value, "UTF-8"));
     }
     return queryString;
   }

diff --git a/src/main/java/gov/nasa/pds/search/util/XssUtils.java b/src/main/java/gov/nasa/pds/search/util/XssUtils.java
@@ -1,5 +1,6 @@
 package gov.nasa.pds.search.util;
 
+import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.util.regex.Pattern;
 
@@ -34,11 +35,13 @@ private XssUtils() {
 			Pattern.compile("alert\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL) };
 
 	/**
-	 * This method makes up a simple anti cross-site scripting (XSS) filter written
-	 * for Java web applications. What it basically does is remove all suspicious
-	 * strings from request parameters before returning them to the application.
-	 */
-	public static String clean(String value) {
+     * This method makes up a simple anti cross-site scripting (XSS) filter written for Java web
+     * applications. What it basically does is remove all suspicious strings from request parameters
+     * before returning them to the application.
+     * 
+     * @throws UnsupportedEncodingException
+     */
+    public static String clean(String value) throws UnsupportedEncodingException {
 		if (value != null) {
 			// Avoid null characters
 			value = value.replaceAll("\0", "");
@@ -55,7 +58,7 @@ public static String clean(String value) {
 			char badChars[] = { '|', ';', '$', '@', '\'', '"', '<', '>', ',', '\\', /* CR */ '\r', /* LF */ '\n',
 					/* Backspace */ '\b' };
 			try {
-				String decodedStr = URLDecoder.decode(value);
+              String decodedStr = URLDecoder.decode(value, "UTF-8");
 				for (int i = 0; i < badChars.length; i++) {
 					if (decodedStr.indexOf(badChars[i]) >= 0) {
 						value = "";