# | Location | File | Last Modified |
---|---|---|---|
1 | PRE_PPS-N_v3.0.1.zip\PS_PPS_security\src\main\java\gov\va\med\pharmacy\peps\common\utility\security | ESAPIValidator.java | Fri Jan 12 15:43:44 2018 UTC |
2 | PRE_PPS-N_v3.0.1.zip\PS_PPS_security\src\main\java\gov\va\med\pharmacy\peps\common\utility\security | ESAPIValidator.java | Wed Mar 7 18:22:26 2018 UTC |
Description | Between Files 1 and 2 |
|
---|---|---|
Text Blocks | Lines | |
Unchanged | 2 | 440 |
Changed | 1 | 2 |
Inserted | 0 | 0 |
Removed | 0 | 0 |
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
1 | package go v.va.med.p harmacy.pe ps.common. utility.se curity; | |
2 | ||
3 | import sta tic org.ow asp.esapi. ESAPI.vali dator; | |
4 | ||
5 | import jav a.io.File; | |
6 | import jav a.nio.file .Path; | |
7 | import jav a.nio.file .Paths; | |
8 | import jav a.util.Lis t; | |
9 | ||
10 | import org .owasp.esa pi.ESAPI; | |
11 | import org .owasp.esa pi.errors. Validation Exception; | |
12 | ||
13 | /** | |
14 | * ESAPI V alidator w rapper. | |
15 | * | |
16 | * @author DNS DN S
|
|
17 | * | |
18 | */ | |
19 | public fin al class E SAPIValida tor { | |
20 | pr ivate stat ic final o rg.apache. logging.lo g4j.Logger LOG = org .apache.lo gging.log4 j.LogManag er.getLogg er(ESAPIVa lidator.cl ass); | |
21 | ||
22 | /** | |
23 | * The maximum v alid lengt h of a URL intended to trigger the execu tion of a Spring MVC controlle r method. Used to pr event | |
24 | * den ial of ser vice attac ks based o n the leng th of the URL submit ted by the browser. | |
25 | */ | |
26 | public static fi nal int MA X_MVC_EXEC UTION_URL_ LENGTH = 1 0000; | |
27 | ||
28 | /** | |
29 | * Pri vate const ructor. | |
30 | */ | |
31 | privat e ESAPIVal idator() { | |
32 | } | |
33 | ||
34 | /** | |
35 | * Val idate meth od. | |
36 | * | |
37 | * @pa ram input | |
38 | * th e input st ring to va lidate | |
39 | * @pa ram type | |
40 | * th e type of validation to be per formed | |
41 | * @re turn the s crubbed ou tput strin g if able to validat e/scrub - null if un able for L og Forging . | |
42 | * | |
43 | */ | |
44 | public static St ring valid ateStringI nput(Strin g input, E SAPIValida tionType t ype) { | |
45 | ||
46 | // Exit imme diately if input is null | |
47 | if (input == null) { | |
48 | return n ull; | |
49 | } | |
50 | ||
51 | // Exit imme diately if input is Empty | |
52 | if (input.le ngth() < 1 ) { | |
53 | return " "; | |
54 | } | |
55 | ||
56 | sw itch (type ) { | |
57 | ||
58 | ca se ACCESS_ CONTROL_DB : | |
59 | try { | |
60 | retu rn validat or().getVa lidInput(" accessCont rolDb", in put, "acce ssControlD b", Intege r.MAX_VALU E, false, false); | |
61 | } catch (Exception e) { | |
62 | thro w new Runt imeExcepti on("Invali d characte rs found i n input. Access Con trol: DB v iolation." ); | |
63 | } | |
64 | ||
65 | ca se COMMAND _INJECTION : | |
66 | try { | |
67 | ||
68 | retu rn validat or() | |
69 | .getVa lidInput(" commandInj ection", i nput, "com mandInject ion", Inte ger.MAX_VA LUE, false , false); | |
70 | ||
71 | } catch (Exception e) { | |
72 | thro w new Runt imeExcepti on("Invali d characte rs found i n input. Command In jection vi olation.") ; | |
73 | } | |
74 | ||
75 | ca se CROSS_S ITE_SCRIPT ING_REFLEC TED: | |
76 | try { | |
77 | retu rn validat or().getVa lidInput(" crossSiteS criptingRe flected", input, "cr ossSiteScr iptingRefl ected", | |
78 | Integer.MA X_VALUE, f alse, fals e); | |
79 | } catch (Exception e) { | |
80 | thro w new Runt imeExcepti on("Invali d characte rs found i n input. Cross Site Scripting : Reflect ed violati on."); | |
81 | } | |
82 | ||
83 | ca se LOG_FOR GING: | |
84 | // scrub out cr/lf | |
85 | input = input.repl ace('\n', ' ').repla ce('\r', ' '); | |
86 | try { | |
87 | retu rn validat or().getVa lidInput(" logForging ", input, "logForgin g", Intege r.MAX_VALU E, false, false); | |
88 | } catch (Exception e) { | |
89 | retu rn null; | |
90 | } | |
91 | ||
92 | ca se PATH_MA NIPULATION : | |
93 | try { | |
94 | retu rn validat or() | |
95 | .getVa lidInput(" pathManipu lation", i nput, "pat hManipulat ion", Inte ger.MAX_VA LUE, false , false); | |
96 | } catch (Exception e) { | |
97 | LOG. error("Str ing failed ESAPI PAT H_MANIPULA TION valid ation: " + input, e) ; | |
98 | thro w new Runt imeExcepti on("Invali d characte rs found i n input. P ath Manipu lation vio lation."); | |
99 | } | |
100 | ||
101 | ca se PORTABI LITY_FLAW_ FILE_SEPAR ATOR: | |
102 | try { | |
103 | inpu t = input. replace('\ \', File.s eparator.t oCharArray ()[0]).rep lace('/', File.separ ator.toCha rArray()[0 ]); | |
104 | retu rn validat or().getVa lidInput(" portabilit yFlawFileS eparator", input, "p ortability FlawFileSe parator", | |
105 | Intege r.MAX_VALU E, false, false); | |
106 | } catch (Exception e) { | |
107 | thro w new Runt imeExcepti on("Invali d characte rs found i n input. P ortability Flaw File Separator violation ."); | |
108 | } | |
109 | ||
110 | ca se REQUEST _URI: | |
111 | try { | |
112 | retu rn validat or().getVa lidInput( | |
113 | // We shou ld probabl y pass in the contex t paramete r, but jus t use some thing vagu e for now. | |
114 | "some_uri" , input, " requestUri ", MAX_MVC _EXECUTION _URL_LENGT H, true, f alse); | |
115 | } catch (Validatio nException e) { | |
116 | // I t would pr obably be better jus t to throw the Valid ationExcep tion here but have t o keep the method | |
117 | // c ontract fo r now. | |
118 | thro w new Runt imeExcepti on("Input was not a valid " + type, e); | |
119 | } | |
120 | ||
121 | ca se SYSTEM_ INFORMATIO N_LEAK_EXT ERNAL: | |
122 | try { | |
123 | retu rn validat or().getVa lidInput(" systemInfo rmationLea kExternal" , input, " systemInfo rmationLea kExternal" , | |
124 | Intege r.MAX_VALU E, false, false); | |
125 | } catch (Exception e) { | |
126 | retu rn null; | |
127 | } | |
128 | ||
129 | ca se XML_EXT _ENTITY_IN J: | |
130 | try { | |
131 | retu rn validat or().getVa lidInput(" xmlExtEnti tyInj", in put, "xmlE xtEntityIn j", Intege r.MAX_VALU E, false, false); | |
132 | } catch (Exception e) { | |
133 | thro w new Runt imeExcepti on("Invali d characte rs found i n input. Open Redir ect violat ion."); | |
134 | } | |
135 | ||
136 | ca se VA_HTTP S_URL: | |
137 | try { | |
138 | retu rn validat or().getVa lidInput( | |
139 | // We shou ld probabl y pass in the contex t paramete r, but jus t use some thing vagu e for now. | |
140 | "some_url" , input, " vaHttpsUrl ", Integer .MAX_VALUE , true); | |
141 | } catch (Validatio nException e) { | |
142 | // I t would pr obably be better jus t to throw the Valid ationExcep tion here but have t o keep the method | |
143 | // c ontract fo r now. | |
144 | thro w new Runt imeExcepti on("Input was not a valid " + ESAPIValid ationType. VA_HTTPS_U RL, e); | |
145 | } | |
146 | ||
147 | de fault: | |
148 | return n ull; | |
149 | } | |
150 | } | |
151 | ||
152 | /** | |
153 | * Val idate long method. | |
154 | * | |
155 | * @pa ram input | |
156 | * th e input st ring to va lidate | |
157 | * @re turn the l ong value if able to validate - -1 if un able. | |
158 | */ | |
159 | public static lo ng validat eLongInput (String in put) { | |
160 | tr y { | |
161 | return E SAPI.valid ator().get ValidNumbe r("validat eLong", in put, 0, Lo ng.MAX_VAL UE, false) .longValue (); | |
162 | } catch (Exc eption e) { | |
163 | throw ne w RuntimeE xception(" Invalid lo ng value f ound in in put."); | |
164 | } | |
165 | } | |
166 | ||
167 | /** | |
168 | * Val idate doub le input m ethod. | |
169 | * | |
170 | * @pa ram input the input string to validate | |
171 | * @re turn the d ouble valu e if able to validat e | |
172 | */ | |
173 | public static do uble valid ateDoubleI nput(Strin g input) { | |
174 | tr y { | |
175 | return E SAPI.valid ator().get ValidDoubl e("validat eDouble", input, 0, Double.MAX _VALUE, fa lse).doubl eValue(); | |
176 | } catch (Exc eption e) { | |
177 | throw ne w RuntimeE xception(" Invalid do uble value found in input."); | |
178 | } | |
179 | } | |
180 | ||
181 | /** | |
182 | * Val idate file name meth od. | |
183 | * | |
184 | * @pa ram input | |
185 | * th e input fi le name st ring to va lidate | |
186 | * @pa ram allowe dExtension s | |
187 | * Li st of allo wable file extension s in strin g format | |
188 | * @re turn a can onicalized and valid ated file name as a String. | |
189 | */ | |
190 | public static St ring valid ateFileNam eInput(Str ing input, List<Stri ng> allowe dExtension s) { | |
191 | tr y { | |
192 | return E SAPI.valid ator().get ValidFileN ame("valid ateFileNam eInput", i nput, allo wedExtensi ons, false ); | |
193 | } catch (Exc eption e) { | |
194 | throw ne w RuntimeE xception(" Invalid fi le name va lue found in input." ); | |
195 | } | |
196 | } | |
197 | ||
198 | ||
199 | ||
200 | /** | |
201 | * Val idates a f ile name a t the end of a path. Performs essentiall y no valid ation on t he other p arts (e.g. , | |
202 | * pre ceding dir ectories) of the pat h. | |
203 | * | |
204 | * @pa ram input | |
205 | * th e input fi le name st ring to va lidate | |
206 | * @pa ram allowe dExtension s | |
207 | * Li st of allo wable file extension s in strin g format | |
208 | * @re turn a can onicalized and valid ated file name as a String. | |
209 | */ | |
210 | public static St ring valid ateFileNam eInputWith Path(Strin g input, L ist<String > allowedE xtensions) { | |
211 | fi nal String processed Input = va lidateStri ngInput(in put, ESAPI Validation Type.LOG_F ORGING); | |
212 | Pa th path = Paths.get( processedI nput); | |
213 | St ring fileN ame = path .getFileNa me().toStr ing(); | |
214 | if (validate FileNameIn put(fileNa me, allowe dExtension s).equals( fileName)) { | |
215 | return p rocessedIn put; | |
216 | } else { | |
217 | throw ne w RuntimeE xception(" Invalid fi le name va lue found in input." ); | |
218 | } | |
219 | ||
220 | } | |
221 | } |
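Review bot: The PATH_MANIPULATION catch block (listing line 97) writes the rejected raw input into the log, `LOG.error("String failed ESAPI PATH_MANIPULATION validation: " + input, e);`, and that value has just failed validation and has not had CR/LF stripped the way the LOG_FORGING case does, so the rejection path is itself a log-injection sink. I would scrub before logging, e.g. `LOG.error("String failed ESAPI PATH_MANIPULATION validation: {}", input.replace('\n', ' ').replace('\r', ' '), e);`, or log only the input length. Two smaller points in the same method: the XML_EXT_ENTITY_INJ case reports "Open Redirect violation." (listing line 133), which looks like a copy/paste slip, and every catch block except REQUEST_URI and VA_HTTPS_URL discards the ESAPI cause, which makes triage of rejected input harder. In validateFileNameInputWithPath, `validateStringInput(input, ESAPIValidationType.LOG_FORGING)` returns null on failure, so `Paths.get(processedInput)` can throw a NullPointerException rather than the RuntimeException the rest of the class uses; a null guard before `Paths.get` would make that error path consistent. The report header says two lines changed between the two revisions but the rendering does not show which, so I cannot tell whether any of these lines were touched by this change.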