/*
 * © 2016 SAP SE or an SAP affiliate company.
 * All rights reserved.
 * Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and
 * notices.
 */
package com.sap.cloud.yaas.servicesdk.apiconsole.utils;

import com.sap.cloud.yaas.servicesdk.security.PathTraversalException;

import java.util.Objects;
import java.util.regex.Pattern;


/**
 * Utilities related to serving static web resources of the API Console.
 */
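public final class StaticResourceUtils
{
	/**
	 * Whole-segment allow-list: ASCII letters and digits plus dash, underscore and period. It is applied with
	 * {@link java.util.regex.Matcher#matches()}, so the entire segment must consist of these characters. Note that
	 * the {@code *} quantifier also accepts the empty string; emptiness is rejected separately by
	 * {@link #FORBIDDEN_PATH_SEGMENT_PATTERN}.
	 */
	private static final Pattern PERMITTED_PATH_SEGMENT_PATTERN = Pattern.compile("[-_.a-zA-Z0-9]*");

	/**
	 * Deny-list of the segments that pass the allow-list but are still unsafe: exactly {@code ""}, {@code "."} and
	 * {@code ".."} (the empty segment, the current directory and the parent directory).
	 */
	private static final Pattern FORBIDDEN_PATH_SEGMENT_PATTERN = Pattern.compile("[.]?[.]?");

	private StaticResourceUtils()
	{
		// utility class; never instantiated
	}

	/**
	 * Asserts that a given String represents a single path segment that can securely be used to access a file-system or
	 * classpath resource.
	 * <p>
	 * This assertion is performed in a platform independent but very conservative manner. In particular, the following
	 * conditions must be met:
	 * <ul>
	 * <li>The pathSegment may only contain ASCII letters and digits, as well as the characters dash, underscore, and
	 * period.</li>
	 * <li>Consequently the pathSegment must not contain common separators like slash or backslash.</li>
	 * <li>Also, the pathSegment must not contain control characters or the percent character, which is used in
	 * URL-encoding.</li>
	 * <li>The pathSegment must not equal a single period or a sequence of two periods. (These represent the current
	 * directory and the parent directory respectively on many file-systems.)</li>
	 * <li>The pathSegment must not be empty.</li>
	 * </ul>
	 * The check covers one segment only: a caller holding a multi-segment path has to split it on its separators and
	 * validate every segment individually.
	 *
	 * @param pathSegment the path segment to check; must not be {@code null}
	 * @throws NullPointerException if pathSegment is {@code null}
	 * @throws PathTraversalException the pathSegment is not considered secure.
	 */
	public static void assertPathSegmentIsSecure(final String pathSegment) throws PathTraversalException
	{
		Objects.requireNonNull(pathSegment, "pathSegment");

		// The allow-list runs first, so separators, control characters, percent signs and non-ASCII input are all
		// rejected here before the deny-list is consulted.
		if (!PERMITTED_PATH_SEGMENT_PATTERN.matcher(pathSegment).matches())
		{
			// NOTE(review): the rejected segment is echoed verbatim into the message and, on this branch, may still
			// contain control characters; sanitize the message before it reaches a log line or a client response.
			throw new PathTraversalException("Path component " + pathSegment + " does not match the permitted pattern "
					+ PERMITTED_PATH_SEGMENT_PATTERN + ", which might constitute the attempt of a path traversal attack.");
		}
		// Only "", "." and ".." reach this point and match; every other allow-listed segment is accepted.
		if (FORBIDDEN_PATH_SEGMENT_PATTERN.matcher(pathSegment).matches())
		{
			throw new PathTraversalException("Path component " + pathSegment + " matches the forbidden pattern "
					+ FORBIDDEN_PATH_SEGMENT_PATTERN + ", which might constitute the attempt of a path traversal attack.");
		}
	}
}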




