Java security interceptor

Author: imdeepakchahar

JavaSecurityInterceptor.java

@@ -0,0 +1,220 @@
+package cgs.interceptor;  // Your package name
+
+import org.springframework.web.multipart.MultipartHttpServletRequest;
+import org.springframework.web.servlet.HandlerInterceptor;
+import org.springframework.web.servlet.ModelAndView;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Enumeration;
+import java.util.regex.Pattern;
+
+/**
+ * JavaSecurityInterceptor
+ *
+ * This interceptor validates HTTP requests to safeguard against security vulnerabilities
+ * such as SQL Injection, Cross-Site Scripting (XSS), and malicious file uploads.
+ * It performs validation checks on request parameters and file uploads, rejecting
+ * any that appear to be malicious or invalid.
+ *
+ * Author: Deepak Kumar
+ * Email: imchahardeepak@gmail.com
+ * GitHub: https://github.com/imdeepakchahar/java-security-interceptor
+ */
+public class JavaSecurityInterceptor implements HandlerInterceptor {
+
+    // Pattern to detect SQL injection keywords in request parameters.
+    private static final String SQL_INJECTION_PATTERN =
+            "(?i).*\\b(select|insert|drop|update|delete|exec|union|create|alter|truncate|declare|--|\\/\\*|\\*\\/|;|where|having|limit|group)\\b.*";
+
+    // Pattern to detect dangerous characters such as <, >, ', ", %, and &.
+    private static final String DANGEROUS_CHARACTERS_PATTERN = ".*[<>'\"%&].*";
+
+    // Pattern to ensure input is valid UTF-8 encoded.
+    private static final String UTF8_PATTERN = "[\\u0000-\\u007F]+";
+
+    // Pattern to identify potential XSS payloads in the input.
+    private static final String XSS_PATTERN = "<.*?>";
+
+    // Patterns to detect newline characters and null bytes in input.
+    private static final String NEWLINE_PATTERN = "[\\r\\n]";
+    private static final String NULL_BYTE_PATTERN = "%00";
+
+    // List of allowed file extensions for uploaded files.
+    private static final String[] ALLOWED_FILE_EXTENSIONS = {"jpg", "jpeg", "png", "pdf", "docx"};
+
+    /**
+     * Pre-handle method to validate HTTP requests before they reach the controller.
+     *
+     * @param request  the HTTP request object
+     * @param response the HTTP response object
+     * @param handler  the handler for the request
+     * @return true if the request passes all validations, false otherwise
+     * @throws Exception in case of any unexpected errors
+     */
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
+        Enumeration<String> parameterNames = request.getParameterNames();
+
+        // Validate uploaded files for allowed extensions.
+        if (!validateFileInput(request)) {
+            response.sendError(400, "Invalid file type detected.");
+            return false;
+        }
+
+        // Iterate through all request parameters to validate their content.
+        while (parameterNames.hasMoreElements()) {
+            String paramName = parameterNames.nextElement();
+            String paramValue = request.getParameter(paramName);
+
+            if (containsSQLInjection(paramValue)) {
+                response.sendError(400, "SQL Injection detected in parameter: " + paramName);
+                return false;
+            }
+
+            if (containsDangerousCharacters(paramValue)) {
+                response.sendError(400, "Dangerous characters detected in parameter: " + paramName);
+                return false;
+            }
+
+            if (containsXSS(paramValue)) {
+                response.sendError(400, "XSS attack detected in parameter: " + paramName);
+                return false;
+            }
+
+            if (!isValidUTF8(paramValue)) {
+                response.sendError(400, "Invalid UTF-8 encoding detected in parameter: " + paramName);
+                return false;
+            }
+
+            if (containsNewLine(paramValue) || containsNullByte(paramValue)) {
+                response.sendError(400, "Invalid characters detected in parameter: " + paramName);
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Validates uploaded files for allowed extensions.
+     *
+     * @param request the HTTP request object
+     * @return true if all files have valid extensions, false otherwise
+     * @throws IOException in case of file handling errors
+     */
+    private boolean validateFileInput(HttpServletRequest request) throws IOException {
+        if (request instanceof MultipartHttpServletRequest) {
+            MultipartHttpServletRequest multiRequest = (MultipartHttpServletRequest) request;
+
+            java.util.Iterator<String> fileNames = multiRequest.getFileNames();
+            while (fileNames.hasNext()) {
+                String fileName = fileNames.next();
+                String fileExtension = getFileExtension(fileName);
+
+                if (!isValidFileExtension(fileExtension)) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Extracts the file extension from a filename.
+     *
+     * @param filename the name of the file
+     * @return the file extension, or an empty string if none is found
+     */
+    private String getFileExtension(String filename) {
+        if (filename == null || filename.isEmpty()) return "";
+        int lastIndexOfDot = filename.lastIndexOf(".");
+        return (lastIndexOfDot == -1) ? "" : filename.substring(lastIndexOfDot + 1);
+    }
+
+    /**
+     * Checks if the file extension is allowed.
+     *
+     * @param fileExtension the file extension to check
+     * @return true if the extension is allowed, false otherwise
+     */
+    private boolean isValidFileExtension(String fileExtension) {
+        for (String allowedExtension : ALLOWED_FILE_EXTENSIONS) {
+            if (allowedExtension.equalsIgnoreCase(fileExtension)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Validates input for SQL injection patterns.
+     *
+     * @param input the input string to validate
+     * @return true if the input contains SQL injection patterns, false otherwise
+     */
+    private boolean containsSQLInjection(String input) {
+        return input != null && Pattern.compile(SQL_INJECTION_PATTERN).matcher(input).matches();
+    }
+
+    /**
+     * Checks if the input contains dangerous characters.
+     *
+     * @param input the input string to validate
+     * @return true if dangerous characters are detected, false otherwise
+     */
+    private boolean containsDangerousCharacters(String input) {
+        return input != null && Pattern.compile(DANGEROUS_CHARACTERS_PATTERN).matcher(input).matches();
+    }
+
+    /**
+     * Validates input for Cross-Site Scripting (XSS) patterns.
+     *
+     * @param input the input string to validate
+     * @return true if XSS patterns are detected, false otherwise
+     */
+    private boolean containsXSS(String input) {
+        return input != null && Pattern.compile(XSS_PATTERN).matcher(input).matches();
+    }
+
+    /**
+     * Checks if the input is valid UTF-8 encoded.
+     *
+     * @param input the input string to validate
+     * @return true if the input is valid UTF-8 encoded, false otherwise
+     */
+    private boolean isValidUTF8(String input) {
+        return input == null || Pattern.compile(UTF8_PATTERN).matcher(input).matches();
+    }
+
+    /**
+     * Checks if the input contains newline characters.
+     *
+     * @param input the input string to validate
+     * @return true if newline characters are detected, false otherwise
+     */
+    private boolean containsNewLine(String input) {
+        return input != null && Pattern.compile(NEWLINE_PATTERN).matcher(input).matches();
+    }
+
+    /**
+     * Checks if the input contains null byte characters.
+     *
+     * @param input the input string to validate
+     * @return true if null byte characters are detected, false otherwise
+     */
+    private boolean containsNullByte(String input) {
+        return input != null && input.contains(NULL_BYTE_PATTERN);
+    }
+
+    @Override
+    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
+        // This method can be used for additional processing after the controller handles the request.
+    }
+
+    @Override
+    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {
+        // This method can be used for cleanup activities after the request has been completed.
+    }
+}

README.md

@@ -1 +1,116 @@
-# java-security-interceptor
+
+# Java Security Interceptor
+
+This project is a Spring MVC-based Java application that implements a security interceptor to validate incoming HTTP requests and prevent common vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), and malicious file uploads.
+
+## Features
+
+- **SQL Injection Prevention**: Detects and blocks SQL injection patterns in request parameters.
+- **XSS Protection**: Filters out potential cross-site scripting attacks.
+- **File Upload Validation**: Allows only specific file types to be uploaded.
+- **Input Sanitization**: Rejects inputs with dangerous characters, invalid UTF-8 encoding, null bytes, or newline characters.
+
+## Technologies Used
+
+- **Spring Framework**: Core framework for building the application and managing interceptors.
+- **Java**: Programming language.
+- **Regex Patterns**: Used for input validation.
+
+---
+
+## Files Overview
+
+### 1. **JavaSecurityInterceptor.java**
+This is the main interceptor that performs the following tasks:
+- Validates request parameters for SQL Injection, XSS, and other dangerous inputs.
+- Checks uploaded files for allowed extensions.
+- Rejects invalid or malicious requests.
+
+#### Key Methods:
+- **`preHandle`**: Validates incoming requests before they reach the controller.
+- **`validateFileInput`**: Ensures uploaded files have valid extensions.
+- **`containsSQLInjection`**, **`containsXSS`**, etc.: Helper methods to check for specific vulnerabilities.
+
+---
+
+### 2. **WebConfig.java**
+This is the Spring configuration class that:
+- Registers the `JavaSecurityInterceptor` as a Spring Bean.
+- Adds the interceptor to the application's request handling pipeline to validate all incoming requests.
+
+---
+
+## Setup Instructions
+
+### Prerequisites
+- Java 8 or higher
+- Maven 3.6+
+- Spring Framework 5+
+- An IDE (e.g., IntelliJ IDEA, Eclipse)
+
+---
+
+### Installation
+1. Clone this repository:
+   ```bash
+   git clone https://github.com/imdeepakchahar/java-security-interceptor.git
+   cd java-security-interceptor
+   ```
+
+2. Import the project into your IDE.
+
+3. Build the project using Maven:
+   ```bash
+   mvn clean install
+   ```
+
+4. Run the Spring Boot application:
+   ```bash
+   mvn spring-boot:run
+   ```
+
+---
+
+## Usage
+
+1. **Interceptor Behavior**:
+   - The interceptor is applied to all request paths (`/**`).
+   - Malicious requests are blocked with a `400 Bad Request` response.
+
+2. **File Uploads**:
+   - Allowed file extensions: `jpg`, `jpeg`, `png`, `pdf`, `docx`.
+
+3. **Request Validation**:
+   - SQL keywords, XSS payloads, dangerous characters, invalid UTF-8, and null bytes are blocked.
+
+4. **Customization**:
+   - Modify allowed file extensions in `ALLOWED_FILE_EXTENSIONS` in `JavaSecurityInterceptor.java`.
+   - Update regex patterns to match your security requirements.
+
+---
+
+## Project Structure
+
+```
+src/main/java/cgs/
+├── config/
+│   └── WebConfig.java          # Spring configuration
+├── interceptor/
+│   └── JavaSecurityInterceptor.java # Security interceptor
+```
+
+---
+
+## Contact
+
+**Author**: Deepak Kumar  
+**Email**: [imchahardeepak@gmail.com](mailto:imchahardeepak@gmail.com)  
+**GitHub**: [imdeepakchahar](https://github.com/imdeepakchahar)
+
+Feel free to raise issues or contribute to this project!
+
+---
+
+## License
+
+This project is open-source and available under the [MIT License](LICENSE).

WebConfig.java

@@ -0,0 +1,46 @@
+package cgs.config; // Your package name
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import cgs.interceptor.JavaSecurityInterceptor;
+
+/**
+ * WebConfig
+ * 
+ * This configuration class sets up the Spring MVC web context.
+ * It registers the JavaSecurityInterceptor to validate incoming requests for security risks.
+ * 
+ * Author: Deepak Kumar
+ * Email: imchahardeepak@gmail.com
+ * GitHub: https://github.com/imdeepakchahar/java-security-interceptor
+ */
+@Configuration
+@EnableWebMvc
+public class WebConfig implements WebMvcConfigurer {
+
+    /**
+     * Defines a JavaSecurityInterceptor bean.
+     * 
+     * @return an instance of JavaSecurityInterceptor
+     */
+    @Bean
+    public JavaSecurityInterceptor javaSecurityInterceptor() {
+        return new JavaSecurityInterceptor();
+    }
+
+    /**
+     * Adds the JavaSecurityInterceptor to the application's interceptor registry.
+     * This ensures that all incoming requests are processed through the interceptor for validation.
+     * 
+     * @param registry the registry to which the interceptor is added
+     */
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(javaSecurityInterceptor())
+                .addPathPatterns("/**"); // Applies the interceptor to all request paths.
+    }
+}