I am fixing issues against the code audit report for my module. The issue is XSS VULNERABILITIES. It has reported an issue at the statement response.getOutputStream().write(buffer);. How do I fix it? I have done sufficient homework and found that ESAPI, recommended by OWASP, can help me fix it, but how do I implement it? The issue is in a servlet class. Is there any other API or anything else that could help me fix it? Please share your relevant experience.
```java
// Excerpt from the servlet method; request, response and fileName are in scope there.
FileOutputStream fos = null;
FileInputStream fileInputStream = null;
BufferedInputStream bufferedInputStream = null;
ByteArrayOutputStream byteArrayOutputStream = null;
try {
    ServletContext servletContext = request.getSession().getServletContext();
    // A "Reports" folder inside the deployed webapp directory
    File attachmentDir = new File(servletContext.getRealPath("") + File.separator + "Reports");
    String uploadDir = attachmentDir.getPath();
    if (!attachmentDir.exists()) {
        attachmentDir.mkdirs();
    }
    HSSFWorkbook wb = new HSSFWorkbook();
    AAAA aaa = new AAAA();
    wb = aaa.getExportXLS(request, response, fileName, wb);
    if (request.getSession().getAttribute("SESSION_AAAAA") != null) {
        request.getSession().removeAttribute("SESSION_AAAAA");
    }
    // Write the workbook to disk ...
    fos = new FileOutputStream(uploadDir + File.separator + fileName);
    wb.write(fos);
    // ... then read the same file back into a byte array
    File fileXls = new File(uploadDir + File.separator + fileName);
    fileInputStream = new FileInputStream(fileXls);
    bufferedInputStream = new BufferedInputStream(fileInputStream);
    byteArrayOutputStream = new ByteArrayOutputStream();
    int start = 0;     // the original used class constants INT_ZERO, ONE_ZERO_TWO_FOUR and MINUS_ONE
    int length = 1024;
    int offset = -1;
    byte[] buffer = new byte[length];
    while ((offset = bufferedInputStream.read(buffer, start, length)) != -1) {
        byteArrayOutputStream.write(buffer, start, offset);
    }
    buffer = byteArrayOutputStream.toByteArray();
    response.setHeader("Expires", "0");
    response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
    response.setHeader("Pragma", "public");
    response.setContentType("application/xls");
    response.setHeader("Content-disposition", "attachment; filename=" + fileName);
    response.setContentLength((int) fileXls.length());
    response.getOutputStream().write(buffer); // <-- the audit tool reports XSS at this line
    response.getOutputStream().flush();
} finally {
    // Release the file handles (the posted snippet ends inside the try block)
    if (bufferedInputStream != null) bufferedInputStream.close();
    if (fos != null) fos.close();
}
```
This is a false warning. This servlet is returning an XLS file which is created by Apache POI, not an HTML document. There cannot possibly be any means of an XSS attack.
This code is however rather clumsy and inefficient. It is creating a file in the expanded WAR folder (which would get lost anyway when the WAR gets redeployed) and then it's copying its entire content into the server's memory, instead of writing to the response directly. Probably this clumsy approach has confused the audit tool. You should just be passing HttpServletResponse#getOutputStream() to Workbook#write() instead.
Here's a full rewrite based on the code posted so far:
```java
HSSFWorkbook wb = new HSSFWorkbook();
AAAA aaa = new AAAA();
wb = aaa.getExportXLS(request, response, fileName, wb);
response.setHeader("Expires", "0");
response.setHeader("Cache-Control", "must-revalidate, post-check=0, pre-check=0");
response.setHeader("Pragma", "public");
response.setContentType("application/xls");
response.setHeader("Content-disposition", "attachment; filename=" + fileName);
// Stream the workbook straight into the response: no temp file, no byte[] copy
wb.write(response.getOutputStream());
```
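As an added example, not code from the question or the answer, here is a complete servlet that streams a POI workbook directly into the response the way the answer recommends. The class name, the sample rows (which stand in for the page's AAAA.getExportXLS) and the name request parameter are all made up for the example. It also sets X-Content-Type-Options: nosniff and restricts the download filename to a safe character set; neither is discussed on the page, but both are what a reviewer closing an XSS finding on a download endpoint would expect to see, since they stop a browser from ever interpreting the body as HTML and keep the Content-Disposition header free of CR, LF or quotes from user input.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.poi.hssf.usermodel.HSSFWorkbook;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;

// Added example, not code from the question or the answer.
// Hypothetical servlet that streams an XLS report straight into the response.
public class ReportExportServlet extends HttpServlet {

    // Constructed sample data standing in for the page's AAAA.getExportXLS(...)
    private static final String[][] SAMPLE_ROWS = {
        {"id", "user", "status"},
        {"1", "alice", "active"},
        {"2", "bob", "locked"},
    };

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Only the sanitised form of a caller-supplied name ever reaches a header
        // ("name" is a hypothetical request parameter).
        String fileName = safeFileName(request.getParameter("name"), "report.xls");

        response.setContentType("application/vnd.ms-excel");    // registered type for .xls
        response.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
        response.setHeader("X-Content-Type-Options", "nosniff"); // never sniff this as HTML
        response.setHeader("Cache-Control", "no-store");

        // Write the workbook directly to the servlet output stream: no temp file in the
        // WAR folder, no byte[] copy, and POI's binary encoding is all that goes on the wire.
        try (HSSFWorkbook wb = buildWorkbook()) {
            wb.write(response.getOutputStream());
        }
        response.flushBuffer();
    }

    static HSSFWorkbook buildWorkbook() {
        HSSFWorkbook wb = new HSSFWorkbook();
        Sheet sheet = wb.createSheet("Report");
        for (int r = 0; r < SAMPLE_ROWS.length; r++) {
            Row row = sheet.createRow(r);
            for (int c = 0; c < SAMPLE_ROWS[r].length; c++) {
                row.createCell(c).setCellValue(SAMPLE_ROWS[r][c]);
            }
        }
        return wb;
    }

    // Keep only letters, digits, '.', '_' and '-', force the .xls suffix, and fall back
    // to a default so the Content-Disposition value cannot carry CR, LF or quote characters.
    static String safeFileName(String requested, String fallback) {
        if (requested == null || requested.isEmpty()) {
            return fallback;
        }
        String cleaned = requested.replaceAll("[^A-Za-z0-9._-]", "");
        if (cleaned.isEmpty() || cleaned.startsWith(".")) {
            return fallback;
        }
        return cleaned.endsWith(".xls") ? cleaned : cleaned + ".xls";
    }
}
```

The try-with-resources form needs Apache POI 3.10 or later, where Workbook implements Closeable. The headers are what make the audit finding a false positive in practice: the body is a binary workbook, the disposition forces a download, and nosniff removes the one way a browser could still decide to render a response as a page.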