[NCITERM-644] Reduce SQL injection AppScan delays.

NCIEVS · Feb 19, 2015 · 50efb2d · 50efb2d
1 parent c13cbc2
commit 50efb2d
Show file tree

Hide file tree

Showing 2 changed files with 62 additions and 31 deletions.
diff --git a/software/ncitbrowser/src/java/gov/nih/nci/evs/browser/common/HTTPParameterConstants.java b/software/ncitbrowser/src/java/gov/nih/nci/evs/browser/common/HTTPParameterConstants.java
@@ -100,7 +100,11 @@ public class HTTPParameterConstants {
        "valueSetSearchForm:valueset_search.x",
        "valueSetSearchForm:valueset_search.y",
        "value_set_home",
-       "valueset_search_algorithm"
+       "valueset_search_algorithm",
+       "searchTerm:multi_search.x",
+       "searchTerm:multi_search.y",
+       "searchTerm:multipleSearch.x",
+       "searchTerm:multipleSearch.y"
     };
 
     public static final List HTTP_REQUEST_PARAMETER_NAME_LIST = Arrays.asList(HTTP_REQUEST_PARAMETER_NAMES);

diff --git a/software/ncitbrowser/src/java/gov/nih/nci/evs/browser/utils/HTTPUtils.java b/software/ncitbrowser/src/java/gov/nih/nci/evs/browser/utils/HTTPUtils.java
@@ -377,36 +377,45 @@ public static boolean validateRequestParameters(HttpServletRequest request) {
             Enumeration<?> enumeration =
                 SortUtils.sort(request.getParameterNames());
             while (enumeration.hasMoreElements()) {
-                String name = (String) enumeration.nextElement();
-                if (!list.contains(name)) {
-					System.out.println("(*) name: " + name + " not in the list.");
-			        request.getSession().setAttribute("error_msg", "WARNING: Unknown parameter name encountered - '" + name + "'.");
-					return false;
-				}
-				String value = (String) request.getParameter(name);
-				Boolean bool_obj = validateRadioButtonNameAndValue(name, value);
-				if (bool_obj != null && bool_obj.equals(Boolean.FALSE)) {
-			        request.getSession().setAttribute("error_msg", "WARNING: Invalid parameter value encountered - '" + value + "'.");
-					return false;
-				}
-
-				bool_obj = containsPercentSign(name, value);
-				if (bool_obj != null && bool_obj.equals(Boolean.FALSE)) {
-			        request.getSession().setAttribute("error_msg", "WARNING: Invalid parameter value encountered - '" + value + "'.");
-					return false;
-				}
-
-				bool_obj = validateValueSetCheckBox(name, value);
-				if (bool_obj != null && bool_obj.equals(Boolean.FALSE)) {
-			        request.getSession().setAttribute("error_msg", "WARNING: Invalid parameter value encountered - '" + value + "'.");
-					return false;
-				}
-
-				bool_obj = containsHarzardCharacters(value);
-				if (bool_obj != null && bool_obj.equals(Boolean.TRUE)) {
-			        request.getSession().setAttribute("error_msg", "WARNING: Hazard characters found in parameter value - '" + value + "'.");
-					return false;
-				}
+
+				String name = (String) enumeration.nextElement();
+
+                Boolean isDynamic = isDynamicId(name);
+                Boolean issearchFormParameter = isSearchFormParameter(name);
+
+                if (issearchFormParameter != null && issearchFormParameter.equals(Boolean.FALSE)) {
+					if (isDynamic != null && isDynamic.equals(Boolean.FALSE)) {
+						if (!list.contains(name)) {
+							System.out.println("(*) name: " + name + " not in the list.");
+							request.getSession().setAttribute("error_msg", "WARNING: Unknown parameter name encountered - '" + name + "'.");
+							return false;
+						}
+						String value = (String) request.getParameter(name);
+						Boolean bool_obj = validateRadioButtonNameAndValue(name, value);
+						if (bool_obj != null && bool_obj.equals(Boolean.FALSE)) {
+							request.getSession().setAttribute("error_msg", "WARNING: Invalid parameter value encountered - '" + value + "'.");
+							return false;
+						}
+
+						bool_obj = containsPercentSign(name, value);
+						if (bool_obj != null && bool_obj.equals(Boolean.FALSE)) {
+							request.getSession().setAttribute("error_msg", "WARNING: Invalid parameter value encountered - '" + value + "'.");
+							return false;
+						}
+
+						bool_obj = validateValueSetCheckBox(name, value);
+						if (bool_obj != null && bool_obj.equals(Boolean.FALSE)) {
+							request.getSession().setAttribute("error_msg", "WARNING: Invalid parameter value encountered - '" + value + "'.");
+							return false;
+						}
+
+						bool_obj = containsHarzardCharacters(value);
+						if (bool_obj != null && bool_obj.equals(Boolean.TRUE)) {
+							request.getSession().setAttribute("error_msg", "WARNING: Hazard characters found in parameter value - '" + value + "'.");
+							return false;
+						}
+					}
+			    }
             }
             return true;
         } catch (Exception e) {
@@ -497,4 +506,22 @@ public static Boolean containsHarzardCharacters(String value) {
 		}
 		return Boolean.FALSE;
 	}
+
+	public static Boolean isDynamicId(String id) {
+		if (id == null) return null;
+		if (id.startsWith("j_id_jsp_")) {
+			return Boolean.TRUE;
+		}
+		return Boolean.FALSE;
+	}
+
+	public static Boolean isSearchFormParameter(String name) {
+		if (name == null) return null;
+		String nm = name.toLowerCase();
+		if (nm.endsWith("search.x") || nm.endsWith("search.y")) {
+			return Boolean.TRUE;
+		}
+		return Boolean.FALSE;
+	}
+
 }