Summary Table

Categories Total Count
PII 0
URL 0
DNS 0
EKL 0
IP 0
PORT 0
VsID 0
CF 0
AI 0
VPD 0
PL 0
Other 0

File Content

package gov.va.med.pbm.ampl.utility;

import static org.owasp.esapi.ESAPI.validator;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.IntrusionException;
import org.owasp.esapi.errors.ValidationException;

import java.io.File;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/**
* ESAPI validation library wrapper class, used to perform validation or cleansing of String input to mitigate security
* vulnerabilities. The white list or black list of characters to be used for the different types of validation are placed
* within the “validation.properties” file located in src/main/resources.
*
* @author Asli Goncer
* @since 1.0
*/
public final class ESAPIValidator {

/**
* Private constructor.
*/
private ESAPIValidator() {
}

/**
* Validate/scrub input string to mitigate specified vulnerability.
*
* @param input the input string to validate
* @param type the type of validation to be performed
* @return the scrubbed output string if able to validate/scrub. Throws runtime exception or returns null when unable to
* validate/scrub.
*/
public static String validateStringInput(String input, ESAPIValidationType type) {

// Exit immediately if input is null
if (input == null) {
return null;
}

// Exit immediately if input is Empty
if (input.length() < 1) {
return new String();
}

switch (type) {

case COMMAND_INJECTION:
try {
return validator().getValidInput("commandInjection", input, "commandInjection", Integer.MAX_VALUE, false,
false);
} catch (Exception e) {
throw new RuntimeException("Invalid characters found in input. Command Injection violation.");
}

case CROSS_SITE_SCRIPTING_PERSISTENT:
try {
return validator().getValidInput("crossSiteScriptingPersistent", input, "crossSiteScriptingPersistent",
Integer.MAX_VALUE, false, false);
} catch (Exception e) {
throw new RuntimeException("Invalid characters found in input. Cross Site Scripting: Persistent violation.");
}

case CROSS_SITE_SCRIPTING_REFLECTED:
try {
return validator().getValidInput("crossSiteScriptingReflected", input, "crossSiteScriptingReflected",
Integer.MAX_VALUE, false, false);
} catch (Exception e) {
throw new RuntimeException("Invalid characters found in input. Cross Site Scripting: Reflected violation.");
}

case DENIAL_OF_SERVICE_REG_EXP:
try {
return validator().getValidInput("denialOfServiceRegExp", input, "denialOfServiceRegExp", Integer.MAX_VALUE,
false, false);
} catch (Exception e) {
throw new RuntimeException(
"Invalid characters found in input. " + "Denial Of Service: Regular Expression violation.");
}

case JSON_INJECTION:
try {
return validator().getValidInput("jsonInjection", input, "jsonInjection", Integer.MAX_VALUE, false, false);
} catch (Exception e) {
throw new RuntimeException("Invalid characters found in input. JSON Injection violation.");
}

case LOG_FORGING:
// scrub out cr/lf
input = input.replace('\n', ' ').replace('\r', ' ');
try {
return validator().getValidInput("logForging", input, "logForging", Integer.MAX_VALUE, false, false);
} catch (ValidationException | IntrusionException e) {
throw new RuntimeException("Invalid characters found in input. Log forging violation.");
}

case OPEN_REDIRECT:
try {
return validator().getValidInput("openRedirect", input, "openRedirect", Integer.MAX_VALUE, false, false);
} catch (Exception e) {
throw new RuntimeException("Invalid characters found in input. Open Redirect violation.");
}

case PATH_MANIPULATION:
try {
return validator().getValidInput("pathManipulation", input, "pathManipulation", Integer.MAX_VALUE, false,
false);
} catch (Exception e) {
throw new RuntimeException("Invalid characters found in input. Path Manipulation violation.");
}

case PORTABILITY_FLAW_FILE_SEPARATOR:
try {
input = input.replace('\\', File.separator.toCharArray()[0]).replace('/', File.separator.toCharArray()[0]);
return validator().getValidInput("portabilityFlawFileSeparator", input, "portabilityFlawFileSeparator",
Integer.MAX_VALUE, false, false);
} catch (Exception e) {
throw new RuntimeException("Invalid characters found in input. Portability Flaw File Separator violation.");
}

case PORTABILITY_FLAW_LOCALE:
try {
return validator().getValidInput("portabilityFlawLocale", input, "portabilityFlawLocale", Integer.MAX_VALUE,
false, false);
} catch (Exception e) {
throw new RuntimeException("Invalid characters found in input. Portability Flaw Locale violation.");
}

case PRIVACY_VIOLATION:
// scrub out cr/lf
input = input.replace('\n', ' ').replace('\r', ' ');
try {
return validator().getValidInput("privacyViolation", input, "privacyViolation", Integer.MAX_VALUE, false,
false);
} catch (ValidationException | IntrusionException e) {
throw new RuntimeException("Invalid characters found in input. Privacy violation.");
}

case SYSTEM_INFORMATION_LEAK_EXTERNAL:
try {
return validator().getValidInput("systemInformationLeakExternal", input, "systemInformationLeakExternal",
Integer.MAX_VALUE, false, false);
} catch (ValidationException | IntrusionException e) {
throw new RuntimeException("Invalid characters found in input. System Information Leak External violation.");
}

case XML_EXT_ENTITY_INJ:
try {
return validator().getValidInput("xmlExtEntityInj", input, "xmlExtEntityInj", Integer.MAX_VALUE, false, false);
} catch (Exception e) {
throw new RuntimeException("Invalid characters found in input. Open Redirect violation.");
}

case URL:
try {
return validator().getValidInput("URL", input, "URL", Integer.MAX_VALUE, false, false);
} catch (Exception e) {
throw new RuntimeException("Invalid characters found in URL. Possible Path Manipulation error.");
}

default:
return null;
}
}

/**
* Validate long value.
*
* @param input the input string to validate
* @return the long value if able to validate. Throws runtime exception if unable to validate.
*/
public static long validateLongInput(String input) {
try {
return ESAPI.validator().getValidNumber("validateLong", input, 0, Long.MAX_VALUE, false).longValue();
} catch (Exception e) {
throw new RuntimeException("Invalid long value found in input.");
}
}

/**
* Validate double value.
*
* @param input the input string to validate
* @return the double value if able to validate. Throws runtime exception if unable to validate.
*/
public static double validateDoubleInput(String input) {
try {
return ESAPI.validator().getValidDouble("validateDouble", input, 0, Double.MAX_VALUE, false).doubleValue();
} catch (Exception e) {
throw new RuntimeException("Invalid double value found in input.");
}
}

/**
* Validate a string containing a file name.
*
* @param input the input file name string to validate
* @param allowedExtensions List of allowable file extensions in string format
* @return a canonicalized and validated file name as a String. Throws runtime exception if unable to validate.
*/
public static String validateFileNameInput(String input, List<String> allowedExtensions) {
try {
return ESAPI.validator().getValidFileName("validateFileNameInput", input, allowedExtensions, false);
} catch (Exception e) {
throw new RuntimeException("Invalid file name value found in input.");
}
}

/**
* Validate string containing file name with file path.
*
* @param input the input file name string to validate
* @param allowedExtensions List of allowable file extensions in string format
* @return a canonicalized and validated file name as a String. Throws runtime exception if unable to validate.
*/
public static String validateFileNameWithPath(String input, List<String> allowedExtensions) {
Path path = Paths.get(validateStringInput(input, ESAPIValidationType.LOG_FORGING));
String fileName = path.getFileName().toString();
if (validateFileNameInput(fileName, allowedExtensions).equals(fileName)) {
return validateStringInput(input, ESAPIValidationType.LOG_FORGING);
} else {
throw new RuntimeException("Invalid file name value found in input.");
}
}

/**
* Validate/scrub a string parameter to mitigate log forging vulberabilities.
*
* @param input the input string to validate
* @return validated/scrubbed string or null if unable to validate.
*/
public static String validateLogParam(String input) {
return ESAPIValidator.validateStringInput(input, ESAPIValidationType.LOG_FORGING);
}
}