84. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 6/11/2019 10:54:10 AM Eastern Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

84.1 Files compared

#	Location	File	Last Modified
1	HTRE_P3_v14.5_iter_4_build_14.zip\java\gov\va\med\ccht\util	ESAPIValidator.java	Wed May 29 15:26:14 2019 UTC
2	HTRE_P3_v14.5_iter_4_build_14.zip\java\gov\va\med\ccht\util	ESAPIValidator.java	Mon Jun 10 19:32:43 2019 UTC

84.2 Comparison summary

Description	Between Files 1 and 2
Description	Text Blocks	Lines
Unchanged	2	758
Changed	1	2
Inserted	0	0
Removed	0	0

84.3 Comparison options

Whitespace
Character case	Differences in character case are significant
Line endings	Differences in line endings (`CR` and `LF` characters) are ignored
CR/LF characters	Not shown in the comparison detail

84.4 Active regular expressions

No regular expressions were active.

84.5 Comparison detail

	1	package go v.va.med.c cht.util;
	2
	3	import sta tic org.ow asp.esapi. ESAPI.vali dator;
	4
	5	import jav a.io.File;
	6	import jav a.nio.file .Path;
	7	import jav a.nio.file .Paths;
	8	import jav a.text.Sim pleDateFor mat;
	9	import jav a.util.Dat e;
	10	import jav a.util.Lis t;
	11
	12	import org .owasp.esa pi.ESAPI;
	13
	14	/**
	15	* ESAPI V alidator w rapper.
	16	*
	17	* @author DN S
	18	*
	19	*/
	20	public fin al class E SAPIValida tor {
	21
	22	/**
	23	* Pri vate const ructor.
	24	*/
	25	privat e ESAPIVal idator() {
	26	}
	27
	28	/**
	29	* Val idate meth od.
	30	*
	31	* @pa ram input
	32	* th e input st ring to va lidate
	33	* @pa ram type
	34	* th e type of validation to be per formed
	35	* @re turn the s crubbed ou tput strin g if able to validat e/scrub - null if un able for L og Forging .
	36	*
	37	*/
	38	public static St ring valid ateStringI nput(Strin g input, E SAPIValida tionType t ype) {
	39
	40
	41	// Exit imme diately if input is null
	42	if (input == null) {
	43	return n ull;
	44	}
	45
	46	// Exit imme diately if input is Empty
	47	if (input.le ngth() < 1 ) {
	48	return " ";
	49	}
	50
	51	sw itch (type ) {
	52
	53	ca se ACCESS_ CONTROL_DB :
	54	try {
	55	retu rn validat or().getVa lidInput(" accessCont rolDb", in put, "acce ssControlD b", Intege r.MAX_VALU E, false, false);
	56	} catch (Exception e) {
	57	thro w new Runt imeExcepti on("Invali d characte rs found i n input. Access Con trol: DB v iolation." );
	58	}
	59
	60	ca se COMMAND _INJECTION :
	61	try {
	62
	63	retu rn validat or()
	64	.getVa lidInput(" commandInj ection", i nput, "com mandInject ion", Inte ger.MAX_VA LUE, false , false);
	65
	66	} catch (Exception e) {
	67	thro w new Runt imeExcepti on("Invali d characte rs found i n input. Command In jection vi olation.") ;
	68	}
	69
	70	ca se CROSS_S ITE_SCRIPT ING_PERSIS TENT:
	71	try {
	72
	73	retu rn validat or().getVa lidInput(" crossSiteS criptingPe rsistent", input, "c rossSiteSc riptingPer sistent",
	74	Intege r.MAX_VALU E, false, false);
	75	} catch (Exception e) {
	76	thro w new Runt imeExcepti on("Invali d characte rs found i n input. Cross Site Scripting : Persiste nt violati on.");
	77	}
	78
	79	ca se CROSS_S ITE_SCRIPT ING_REFLEC TED:
	80	try {
	81	retur n validato r().getVal idInput("c rossSiteSc riptingRef lected", i nput, "cro ssSiteScri ptingRefle cted",
	82	Intege r.MAX_VALU E, false, false);
	83	} catch (Exception e) {
	84	thro w new Runt imeExcepti on("Invali d characte rs found i n input. Cross Site Scripting : Reflect ed violati on.");
	85	}
	86
	87	ca se DENIAL_ OF_SERVICE _REG_EXP:
	88	try {
	89	retu rn validat or().getVa lidInput(" denialOfSe rviceRegEx p", input, "denialOf ServiceReg Exp", Inte ger.MAX_VA LUE,
	90	false, false);
	91	} catch (Exception e) {
	92	thro w new Runt imeExcepti on("Invali d characte rs found i n input. "
	93	+ "Den ial Of Ser vice: Regu lar Expres sion viola tion.");
	94	}
	95
	96	ca se JSON_IN JECTION:
	97	try {
	98	retu rn validat or().getVa lidInput(" jsonInject ion", inpu t, "jsonIn jection", Integer.MA X_VALUE, f alse, fals e);
	99	} catch (Exception e) {
	100	thro w new Runt imeExcepti on("Invali d characte rs found i n input. JSON Injec tion viola tion.");
	101	}
	102
	103	ca se LOG_FOR GING:
	104	// scrub out cr/lf
	105	input = input.repl ace('\n', ' ').repla ce('\r', ' ');
	106	try {
	107	retu rn validat or().getVa lidInput(" logForging ", input, "logForgin g", Intege r.MAX_VALU E, false, false);
	108	} catch (Exception e) {
	109	retu rn null;
	110	}
	111
	112	ca se OPEN_RE DIRECT:
	113	try {
	114	retu rn validat or().getVa lidInput(" openRedire ct", input , "openRed irect", In teger.MAX_ VALUE, fal se, false) ;
	115	} catch (Exception e) {
	116	thro w new Runt imeExcepti on("Invali d characte rs found i n input. Open Redir ect violat ion.");
	117	}
	118
	119	ca se PATH_MA NIPULATION :
	120	try {
	121	retu rn validat or()
	122	.getVa lidInput(" pathManipu lation", i nput, "pat hManipulat ion", Inte ger.MAX_VA LUE, false , false);
	123	} catch (Exception e) {
	124	thro w new Runt imeExcepti on("Invali d characte rs found i n input. P ath Manipu lation vio lation.");
	125	}
	126
	127	ca se PORTABI LITY_FLAW_ FILE_SEPAR ATOR:
	128	try {
	129	inpu t = input. replace('\ \', File.s eparator.t oCharArray ()[0]).rep lace('/', File.separ ator.toCha rArray()[0 ]);
	130	retu rn validat or().getVa lidInput(" portabilit yFlawFileS eparator", input, "p ortability FlawFileSe parator",
	131	Intege r.MAX_VALU E, false, false);
	132	} catch (Exception e) {
	133	thro w new Runt imeExcepti on("Invali d characte rs found i n input. P ortability Flaw File Separator violation .");
	134	}
	135
	136	ca se PORTABI LITY_FLAW_ LOCALE:
	137	try {
	138	retu rn validat or().getVa lidInput(" portabilit yFlawLocal e", input, "portabil ityFlawLoc ale", Inte ger.MAX_VA LUE,
	139	false, false);
	140	} catch (Exception e) {
	141	thro w new Runt imeExcepti on("Invali d characte rs found i n input. P ortability Flaw Loca le violati on.");
	142	}
	143
	144	ca se PRIVACY _VIOLATION :
	145	// scrub out cr/lf
	146	input = input.repl ace('\n', ' ').repla ce('\r', ' ');
	147	try {
	148	retu rn validat or()
	149	.getVa lidInput(" privacyVio lation", i nput, "pri vacyViolat ion", Inte ger.MAX_VA LUE, false , false);
	150	} catch (Exception e) {
	151	retu rn null;
	152	}
	153
	154	ca se SQL_INJ ECTION:
	155	// scrub out cr/lf
	156	input = input.repl ace('\n', ' ').repla ce('\r', ' ');
	157	try {
	158	retu rn validat or().getVa lidInput(" sqlInjecti on", input , "sqlInje ction", In teger.MAX_ VALUE, fal se, false) ;
	159	} catch (Exception e) {
	160	retu rn null;
	161	}
	162
	163	ca se SYSTEM_ INFORMATIO N_LEAK_EXT ERNAL:
	164	try {
	165	retu rn validat or().getVa lidInput(" systemInfo rmationLea kExternal" , input, " systemInfo rmationLea kExternal" ,
	166	Intege r.MAX_VALU E, false, false);
	167	} catch (Exception e) {
	168	retu rn null;
	169	}
	170
	171	ca se XML_EXT _ENTITY_IN J:
	172	try {
	173	retu rn validat or().getVa lidInput(" xmlExtEnti tyInj", in put, "xmlE xtEntityIn j", Intege r.MAX_VALU E, false, false);
	174	} catch (Exception e) {
	175	thro w new Runt imeExcepti on("Invali d characte rs found i n input. Open Redir ect violat ion.");
	176	}
	177	ca se Documen tName_Whit elist:
	178	try {
	179	retu rn validat or().getVa lidInput(" DocumentNa meWhitelis t", input, "Document NameWhitel ist", Inte ger.MAX_VA LUE, false , false);
	180	} catch (Exception e) {
	181	thro w new Runt imeExcepti on("Invali d characte rs found D ocumentNam e");
	182	}
	183	ca se Schedul edJob_Whit elist:
	184	try {
	185	retu rn validat or().getVa lidInput(" JobNameAnd GroupWhite list", inp ut, "JobNa meAndGroup Whitelist" , Integer. MAX_VALUE, false, fa lse);
	186	} catch (Exception e) {
	187	thro w new Runt imeExcepti on("Invali d characte rs found i n JobName or GroupNa met");
	188	}
	189	ca se EmailSu bject_Whit elist:
	190	try {
	191	retu rn validat or().getVa lidInput(" EmailSubje ctWhitelis t", input, "EmailSub jectWhitel ist", Inte ger.MAX_VA LUE, false , false);
	192	} catch (Exception e) {
	193	thro w new Runt imeExcepti on("Invali d characte rs found i n EmailSub ject");
	194	}
	195	ca se Content Type_White list:
	196	try {
	197	retu rn validat or().getVa lidInput(" ContentTyp eWhitelist ", input, "ContentTy peWhitelis t", Intege r.MAX_VALU E, false, false);
	198	} catch (Exception e) {
	199	thro w new Runt imeExcepti on("Invali d characte rs found i n ContentT ype");
	200	}
	201	ca se JdbcUrl _Whitelist :
	202	try {
	203	retu rn validat or().getVa lidInput(" JdbcUrlWhi telist", i nput, "Jdb cUrlWhitel ist", Inte ger.MAX_VA LUE, false , false);
	204	} catch (Exception e) {
	205	thro w new Runt imeExcepti on("Invali d characte rs found i n JdbcUrl" );
	206	}
	207	ca se LogStri ng_WhiteLi st:
	208	try {
	209	retu rn validat or().getVa lidInput(" LogStringW hitelist", input, "L ogStringWh itelist", Integer.MA X_VALUE, f alse, fals e);
	210	} catch (Exception e) {
	211	thro w new Runt imeExcepti on("Invali d characte rs found i n Log Stri ng");
	212	}
	213	ca se Redirec tStr_White List:
	214	try {
	215	retu rn validat or().getVa lidInput(" RedirectSt rWhitelist ", input, "RedirectS trWhitelis t", Intege r.MAX_VALU E, false, false);
	216	} catch (Exception e) {
	217	thro w new Runt imeExcepti on("Invali d characte rs found i n Redirect String");
	218	}
	219	ca se FromPag e_WhiteLis t:
	220	try {
	221	retu rn validat or().getVa lidInput(" FromPageWh itelist", input, "Fr omPageWhit elist", In teger.MAX_ VALUE, fal se, false) ;
	222	} catch (Exception e) {
	223	thro w new Runt imeExcepti on("Invali d characte rs found i n FromPage ");
	224	}
	225	ca se IsDmpIs sue_WhiteL ist:
	226	try {
	227	retu rn validat or().getVa lidInput(" IsDmpIssue WhiteList" , input, " IsDmpIssue WhiteList" , Integer. MAX_VALUE, false, fa lse);
	228	} catch (Exception e) {
	229	thro w new Runt imeExcepti on("Invali d characte rs found i n IsDmpIss ue");
	230	}
	231	ca se DmpQirT ype_WhiteL ist:
	232	try {
	233	retu rn validat or().getVa lidInput(" DmpQirType WhiteList" , input, " DmpQirType WhiteList" , Integer. MAX_VALUE, false, fa lse);
	234	} catch (Exception e) {
	235	thro w new Runt imeExcepti on("Invali d characte rs found i n DmpQirTy peWhiteLis t");
	236	}
	237	ca se ReportT itle_White List:
	238	try {
	239	retu rn validat or().getVa lidInput(" ReportTitl eWhiteList ", input, "ReportTit leWhiteLis t", Intege r.MAX_VALU E, false, false);
	240	} catch (Exception e) {
	241	thro w new Runt imeExcepti on("Invali d characte rs found i n ReportTi tleWhiteLi st");
	242	}
	243	ca se Modalit yDescripti on_WhiteLi st:
	244	try {
	245	retu rn validat or().getVa lidInput(" ModalityDe scriptionW hiteList", input, "M odalityDes criptionWh iteList", Integer.MA X_VALUE, f alse, fals e);
	246	} catch (Exception e) {
	247	thro w new Runt imeExcepti on("Invali d characte rs found i n Modality Descriptio nWhiteList ");
	248	}
	249	ca se Facilit iesName_Wh iteList:
	250	try {
	251	retu rn validat or().getVa lidInput(" Facilities NameWhiteL ist", inpu t, "Facili tiesNameWh iteList", Integer.MA X_VALUE, f alse, fals e);
	252	} catch (Exception e) {
	253	thro w new Runt imeExcepti on("Invali d characte rs found i n Faciliti esNameWhit eList");
	254	}
	255	ca se Questio nShortText _WhiteList :
	256	try {
	257	retu rn validat or().getVa lidInput(" QuestionsS hortTextWh iteList", input, "Qu estionsSho rtTextWhit eList", In teger.MAX_ VALUE, fal se, false) ;
	258	} catch (Exception e) {
	259	thro w new Runt imeExcepti on("Invali d characte rs found i n Question sShortText WhiteList" );
	260	}
	261	ca se Standar dDateWithD ays_WhiteL ist:
	262	try {
	263	retu rn validat or().getVa lidInput(" StandardDa teWithDays ", input, "StandardD ateWithDay s", Intege r.MAX_VALU E, false, false);
	264	} catch (Exception e) {
	265	thro w new Runt imeExcepti on("Invali d characte rs found i n Standard DateWithDa ys");
	266	}
	267	ca se UpperAn dLowerCase _WhiteList :
	268	try {
	269	retu rn validat or().getVa lidInput(" UpperAndLo werCaseWhi teList", i nput, "Upp erAndLower CaseWhiteL ist", Inte ger.MAX_VA LUE, false , false);
	270	} catch (Exception e) {
	271	thro w new Runt imeExcepti on("Invali d characte rs found i n UpperAnd LowerCaseW hiteList") ;
	272	}
	273	ca se UpperAn dLowerCase WithNumber s_WhiteLis t:
	274	try {
	275	retu rn validat or().getVa lidInput(" UpperAndLo werCaseWit hNumbersWh iteList", input, "Up perAndLowe rCaseWithN umbersWhit eList", In teger.MAX_ VALUE, fal se, false) ;
	276	} catch (Exception e) {
	277	thro w new Runt imeExcepti on("Invali d characte rs found i n UpperAnd LowerCaseW ithNumbers WhiteList" );
	278	}
	279	ca se Numbers _WhiteList :
	280	try {
	281	retu rn validat or().getVa lidInput(" NumbersWhi teList", i nput, "Num bersWhiteL ist", Inte ger.MAX_VA LUE, false , false);
	282	} catch (Exception e) {
	283	thro w new Runt imeExcepti on("Invali d characte rs found i n NumbersW hiteList") ;
	284	}
	285	ca se HTML_SA FE_STRING:
	286	try {
	287	retu rn validat or().getVa lidSafeHTM L("safeHtm l", input, Integer.M AX_VALUE, true);
	288	} catch (Exception e) {
	289	thro w new Runt imeExcepti on("Invali d characte rs found i n input. Open Redir ect violat ion.");
	290	}
	291	de fault:
	292	return n ull;
	293	}
	294	}
	295
	296	/**
	297	* Val idate long method.
	298	*
	299	* @pa ram input
	300	* th e input st ring to va lidate
	301	* @re turn the l ong value if able to validate - -1 if un able.
	302	*/
	303	public static lo ng validat eLongInput (String in put) {
	304	tr y {
	305	return E SAPI.valid ator().get ValidNumbe r("validat eLong", in put, 0, Lo ng.MAX_VAL UE, false) .longValue ();
	306	} catch (Exc eption e) {
	307	throw ne w RuntimeE xception(" Invalid lo ng value f ound in in put.");
	308	}
	309	}
	310
	311	/**
	312	* Val idate doub le input m ethod.
	313	*
	314	* @pa ram input the input string to validate
	315	* @re turn the d ouble valu e if able to validat e
	316	*/
	317	public static do uble valid ateDoubleI nput(Strin g input) {
	318	tr y {
	319	return E SAPI.valid ator().get ValidDoubl e("validat eDouble", input, 0, Double.MAX _VALUE, fa lse).doubl eValue();
	320	} catch (Exc eption e) {
	321	throw ne w RuntimeE xception(" Invalid do uble value found in input.");
	322	}
	323	}
	324
	325	/**
	326	* Val idate file name meth od.
	327	*
	328	* @pa ram input
	329	* th e input fi le name st ring to va lidate
	330	* @pa ram allowe dExtension s
	331	* Li st of allo wable file extension s in strin g format
	332	* @re turn a can onicalized and valid ated file name as a String.
	333	*/
	334	public static St ring valid ateFileNam eInput(Str ing input, List<Stri ng> allowe dExtension s) {
	335	tr y {
	336	return E SAPI.valid ator().get ValidFileN ame("valid ateFileNam eInput", i nput, allo wedExtensi ons, false );
	337	} catch (Exc eption e) {
	338	throw ne w RuntimeE xception(" Invalid fi le name va lue found in input." );
	339	}
	340	}
	341
	342	public static by te[] valid ateFile(St ring fileC ontent, by te[] input ) {
	343
	344	tr y {
	345	retu rn ESAPI.v alidator() .getValidF ileContent (fileConte nt, input, 0, true);
	346	} catch(Exce ption e) {
	347	thro w new Runt imeExcepti on("Invali d file con tents foun d in input .");
	348	}
	349
	350	}
	351
	352	public static Da te validat eDateInput (Date inpu t, SimpleD ateFormat format) {
	353
	354	tr y {
	355	retu rn ESAPI.v alidator() .getValidD ate("", fo rmat.forma t(input), format, tr ue);
	356	} catch(Exce ption e) {
	357	thro w new Runt imeExcepti on("Invali d file con tents foun d in input .");
	358	}
	359	}
	360
	361	/**
	362	* Val idate file name meth od.
	363	*
	364	* @pa ram input
	365	* th e input fi le name st ring to va lidate
	366	* @pa ram allowe dExtension s
	367	* Li st of allo wable file extension s in strin g format
	368	* @re turn a can onicalized and valid ated file name as a String.
	369	*/
	370	public static St ring valid ateFileNam eInputWith Path(Strin g input, L ist<String > allowedE xtensions) {
	371	Pa th path = Paths.get( validateSt ringInput( input, ESA PIValidati onType.LOG _FORGING)) ;
	372	St ring fileN ame = path .getFileNa me().toStr ing();
	373	if (validate FileNameIn put(fileNa me, allowe dExtension s).equals( fileName)) {
	374	return v alidateStr ingInput(i nput, ESAP IValidatio nType.LOG_ FORGING);
	375	} else {
	376	throw ne w RuntimeE xception(" Invalid fi le name va lue found in input." );
	377	}
	378
	379	}
	380	}