- switched response buffering from ByteArrayOutputStream to RandomAccessFile due to BAOS being awful at that type of thing (multiple files)

arshan.dabirsiaghi · arshan.dabirsiaghi · commit b261d018805f · 2009-11-01T04:08:19.000Z
- refactored early failing code in egress rules to be smarter (ReplaceContentRule.java and DetectOutboundContentRule.java)
- fixed dump() in FileBasedAuthenticator.java to handle IndexOutOfBoundsException when there are no entries (this was breaking a few of the WAF test cases)
diff --git a/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java b/src/main/java/org/owasp/esapi/reference/FileBasedAuthenticator.java
@@ -761,7 +761,11 @@ private String dump(Collection<String> c) {
         for (String s : c) {
             sb.append(s).append(",");
         }
-        return sb.toString().substring(0, sb.length() - 1);
+        if ( c.size() > 0) {
+        	return sb.toString().substring(0, sb.length() - 1);
+        }
+        return "";
+        
     }
 
     /**
diff --git a/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletRequest.java b/src/main/java/org/owasp/esapi/waf/internal/InterceptingHTTPServletRequest.java
@@ -15,9 +15,10 @@
  */
 package org.owasp.esapi.waf.internal;
 
-import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.RandomAccessFile;
 import java.util.Enumeration;
 import java.util.Vector;
 
@@ -89,17 +90,22 @@ public InterceptingHTTPServletRequest(HttpServletRequest request) throws UploadT
 			    	 * regular form field. Our job is to stream it
 			    	 * to make sure it's not too big.
 			    	 */
+			    	
+			    	//oew=owasp esapi waf, mpc=multipart content
 
-			    	ByteArrayOutputStream baos = new ByteArrayOutputStream(request.getContentLength());
+			    	RandomAccessFile raf = new RandomAccessFile( File.createTempFile("oew-"+item.getFieldName(),"mpc"), "r");
+			    	
 			    	byte buffer[] = new byte[CHUNKED_BUFFER_SIZE];
 
 			    	int size = 0;
 			    	int len = 0;
 
-			    	while ( len != -1 || size <= AppGuardianConfiguration.MAX_FILE_SIZE ) {
+			    	while ( len != -1 && size <= AppGuardianConfiguration.MAX_FILE_SIZE ) {
 			    		len = stream.read(buffer, 0, CHUNKED_BUFFER_SIZE);
-			    		size += len;
-			    		baos.write(stream.read());
+			    		if ( len != -1 ) {
+			    			size += len;
+				    		raf.write(buffer,0,len);	
+			    		}
 			    	}
 
 		    		if ( size > AppGuardianConfiguration.MAX_FILE_SIZE) {
@@ -108,6 +114,8 @@ public InterceptingHTTPServletRequest(HttpServletRequest request) throws UploadT
 			    }
 
 			}
+			
+			request.getInputStream().reset();
 		}
 
 	}
@@ -120,6 +128,7 @@ public String getDictionaryParameter(String s) {
 				return p.getValue();
 			}
 		}
+		
 		return null;
 	}
 
diff --git a/src/main/java/org/owasp/esapi/waf/internal/InterceptingServletOutputStream.java b/src/main/java/org/owasp/esapi/waf/internal/InterceptingServletOutputStream.java
@@ -15,8 +15,10 @@
  */
 package org.owasp.esapi.waf.internal;
 
-import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.io.RandomAccessFile;
 
 import javax.servlet.ServletOutputStream;
 
@@ -31,76 +33,126 @@
 
 public class InterceptingServletOutputStream extends ServletOutputStream {
 
+	private static final int FLUSH_BLOCK_SIZE = 1024;
 	private ServletOutputStream os;
-	private ByteArrayOutputStream bos;
 	private boolean buffering;
-
-	public InterceptingServletOutputStream(ServletOutputStream os, boolean buffered) {
+	private boolean committed;
+	private boolean closed;
+	
+	private RandomAccessFile out;
+	
+	public InterceptingServletOutputStream(ServletOutputStream os, boolean buffered) throws FileNotFoundException, IOException {
 		super();
 		this.os = os;
 		this.buffering = buffered;
-		this.bos = new ByteArrayOutputStream();
+		this.committed = false;
+		this.closed = false;
+		
+		/*
+		 * Creating a RandomAccessFile to keep track of output generated. I made
+		 * the prefix and suffix small for less processing. The "oew" is intended
+		 * to stand for "OWASP ESAPI WAF" and the "hop" for HTTP output.
+		 */
+		this.out = new RandomAccessFile ( File.createTempFile("oew", ".hop"), "rw" ); 
 	}
 
-	public void reset() {
-		bos.reset();
+	public void reset() throws IOException {
+		out.setLength(0L);
 	}
 
-	public byte[] getResponseBytes() {
-		return bos.toByteArray();
+	public byte[] getResponseBytes() throws IOException {
+		
+		byte[] buffer = new byte[(int) out.length()];
+		out.seek(0);
+		out.read(buffer, 0, (int)out.length());
+		out.seek(out.length());
+		return buffer;
+		
 	}
 
 	public void setResponseBytes(byte[] responseBytes) throws IOException {
-		if ( ! buffering && bos.toByteArray().length > 0 ) {
+		
+		if ( ! buffering && out.length() > 0 ) {
 			throw new IOException("Already committed response because not currently buffering");
 		}
 
-		bos = new ByteArrayOutputStream();
-		bos.write(responseBytes);
+		out.setLength(0L);
+		out.write(responseBytes);
 	}
 
 	public void write(int i) throws IOException {
 		if (!buffering) {
 			os.write(i);
 		}
-		bos.write(i);
+		out.write(i);
 	}
 
 	public void write(byte[] b) throws IOException {
         if (!buffering) {
         	os.write(b, 0, b.length);
         }
-        bos.write(b, 0, b.length);
+        out.write(b, 0, b.length);
     }
 
 	public void write(byte[] b, int off, int len) throws IOException {
         if (!buffering) {
         	os.write(b, off, len);
         }
-        bos.write(b, off, len);
+        out.write(b, off, len);
     }
 
 	public void flush() throws IOException {
+		
 		if (buffering) {
-			os.write(bos.toByteArray());
+		
+			synchronized(out) {
+
+				out.seek(0);
+				
+				byte[] buff = new byte[FLUSH_BLOCK_SIZE];
+				
+				for(int i=0;i<out.length();) {
+					
+					long currentPos = out.getFilePointer();
+					long totalSize = out.length();
+					int amountToWrite = FLUSH_BLOCK_SIZE;
+					
+					if ( (totalSize - currentPos) < FLUSH_BLOCK_SIZE ) {
+						amountToWrite = (int) (totalSize - currentPos);
+					}
+			
+					out.read(buff, 0, (int)amountToWrite);
+					String s = new String(buff);System.out.println(s);
+					os.write(buff,0,amountToWrite);
+					
+					i+=amountToWrite;
+					
+				}
+				
+				out.setLength(0);
+				
+			}
 		}
 
-		bos.reset();
 	}
 
 	public void commit() throws IOException {
-		if (!buffering) {
+		
+		if (!buffering) { // || committed || closed
         	return;
+        } else {
+        	flush();
         }
-        bos.writeTo(os);
-        os.close();
-        bos.close();
+		committed = true;
     }
 
     public void close() throws IOException {
+    	
         if (!buffering)  {
         	os.close();
         }
+        closed = true;
+
     }
 
 }
diff --git a/src/main/java/org/owasp/esapi/waf/rules/DetectOutboundContentRule.java b/src/main/java/org/owasp/esapi/waf/rules/DetectOutboundContentRule.java
@@ -15,6 +15,7 @@
  */
 package org.owasp.esapi.waf.rules;
 
+import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.util.regex.Pattern;
 
@@ -44,8 +45,6 @@ public Action check(HttpServletRequest request,
 			InterceptingHTTPServletResponse response, 
 			HttpServletResponse httpResponse) {
 
-		byte[] bytes = response.getInterceptingServletOutputStream().getResponseBytes();
-
 		/*
 		 * Early fail: if URL doesn't match.
 		 */
@@ -82,6 +81,15 @@ public Action check(HttpServletRequest request,
 			 */
 			try {
 
+				byte[] bytes = null;
+				
+				try {
+					bytes = response.getInterceptingServletOutputStream().getResponseBytes();
+				} catch (IOException ioe) {
+					log(request,"Error matching pattern '" + pattern.pattern() + "', IOException encountered (possibly too large?): " + ioe.getMessage() + " (in response to URL: '" + request.getRequestURL() + "')");
+					return new DoNothingAction(); // yes this is a fail open!
+				}
+
 				String s = new String(bytes,charEnc);
 
 				if ( pattern.matcher(s).matches() ) {
diff --git a/src/main/java/org/owasp/esapi/waf/rules/ReplaceContentRule.java b/src/main/java/org/owasp/esapi/waf/rules/ReplaceContentRule.java
@@ -51,8 +51,6 @@ public Action check(HttpServletRequest request,
 			InterceptingHTTPServletResponse response, 
 			HttpServletResponse httpResponse) {
 
-		byte[] bytes = response.getInterceptingServletOutputStream().getResponseBytes();
-
 		/*
 		 * First early fail: if the URL doesn't match the paths we're interested in.
 		 */
@@ -70,6 +68,16 @@ public Action check(HttpServletRequest request,
 				return new DoNothingAction();
 			}
 		}
+
+		byte[] bytes = null;
+
+		try {
+			bytes = response.getInterceptingServletOutputStream().getResponseBytes();
+		} catch (IOException ioe) {
+			log(request,"Error matching pattern '" + pattern.pattern() + "', IOException encountered (possibly too large?): " + ioe.getMessage() + " (in response to URL: '" + request.getRequestURL() + "')");
+			return new DoNothingAction(); // yes this is a fail open!
+		}
+
 		
 		try {
 
diff --git a/src/test/java/org/owasp/esapi/waf/DynamicInsertionTest.java b/src/test/java/org/owasp/esapi/waf/DynamicInsertionTest.java
@@ -45,8 +45,9 @@ public void testShouldReplaceContent() throws Exception {
     	WAFTestUtility.createAndExecuteWAFTransaction( "waf-policies/dynamic-insertion-policy.xml", request, response );
     	
     	assertTrue ( response.getStatus() == HttpServletResponse.SC_OK );
-    	assertTrue ( response.getBody().indexOf("test") > -1 );
-    	System.out.println( response.getBody() );
+    	String body = response.getBody();
+    	assertTrue ( body.indexOf("test") > -1 );
+    	System.out.println( body );
    	
 	}
 	

Original file line number	Diff line number	Diff line change
`@@ -761,7 +761,11 @@ private String dump(Collection<String> c) {`
`761`	`761`	`for (String s : c) {`
`762`	`762`	`sb.append(s).append(",");`
`763`	`763`	`}`
`764`		`- return sb.toString().substring(0, sb.length() - 1);`
	`764`	`+ if ( c.size() > 0) {`
	`765`	`+ return sb.toString().substring(0, sb.length() - 1);`
	`766`	`+ }`
	`767`	`+ return "";`
	`768`	`+`
`765`	`769`	`}`
`766`	`770`
`767`	`771`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -15,9 +15,10 @@`
`15`	`15`	`*/`
`16`	`16`	`package org.owasp.esapi.waf.internal;`
`17`	`17`
`18`		`-import java.io.ByteArrayOutputStream;`
	`18`	`+import java.io.File;`
`19`	`19`	`import java.io.IOException;`
`20`	`20`	`import java.io.InputStream;`
	`21`	`+import java.io.RandomAccessFile;`
`21`	`22`	`import java.util.Enumeration;`
`22`	`23`	`import java.util.Vector;`
`23`	`24`
`@@ -89,17 +90,22 @@ public InterceptingHTTPServletRequest(HttpServletRequest request) throws UploadT`
`89`	`90`	`* regular form field. Our job is to stream it`
`90`	`91`	`* to make sure it's not too big.`
`91`	`92`	`*/`
	`93`	`+`
	`94`	`+ //oew=owasp esapi waf, mpc=multipart content`
`92`	`95`
`93`		`- ByteArrayOutputStream baos = new ByteArrayOutputStream(request.getContentLength());`
	`96`	`+ RandomAccessFile raf = new RandomAccessFile( File.createTempFile("oew-"+item.getFieldName(),"mpc"), "r");`
	`97`	`+`
`94`	`98`	`byte buffer[] = new byte[CHUNKED_BUFFER_SIZE];`
`95`	`99`
`96`	`100`	`int size = 0;`
`97`	`101`	`int len = 0;`
`98`	`102`
`99`		`- while ( len != -1 \|\| size <= AppGuardianConfiguration.MAX_FILE_SIZE ) {`
	`103`	`+ while ( len != -1 && size <= AppGuardianConfiguration.MAX_FILE_SIZE ) {`
`100`	`104`	`len = stream.read(buffer, 0, CHUNKED_BUFFER_SIZE);`
`101`		`- size += len;`
`102`		`- baos.write(stream.read());`
	`105`	`+ if ( len != -1 ) {`
	`106`	`+ size += len;`
	`107`	`+ raf.write(buffer,0,len);`
	`108`	`+ }`
`103`	`109`	`}`
`104`	`110`
`105`	`111`	`if ( size > AppGuardianConfiguration.MAX_FILE_SIZE) {`
`@@ -108,6 +114,8 @@ public InterceptingHTTPServletRequest(HttpServletRequest request) throws UploadT`
`108`	`114`	`}`
`109`	`115`
`110`	`116`	`}`
	`117`	`+`
	`118`	`+ request.getInputStream().reset();`
`111`	`119`	`}`
`112`	`120`
`113`	`121`	`}`
`@@ -120,6 +128,7 @@ public String getDictionaryParameter(String s) {`
`120`	`128`	`return p.getValue();`
`121`	`129`	`}`
`122`	`130`	`}`
	`131`	`+`
`123`	`132`	`return null;`
`124`	`133`	`}`
`125`	`134`
Original file line number	Diff line number	Diff line change
`@@ -45,8 +45,9 @@ public void testShouldReplaceContent() throws Exception {`
`45`	`45`	`WAFTestUtility.createAndExecuteWAFTransaction( "waf-policies/dynamic-insertion-policy.xml", request, response );`
`46`	`46`
`47`	`47`	`assertTrue ( response.getStatus() == HttpServletResponse.SC_OK );`
`48`		`- assertTrue ( response.getBody().indexOf("test") > -1 );`
`49`		`- System.out.println( response.getBody() );`
	`48`	`+ String body = response.getBody();`
	`49`	`+ assertTrue ( body.indexOf("test") > -1 );`
	`50`	`+ System.out.println( body );`
`50`	`51`
`51`	`52`	`}`
`52`	`53`