

/* --------------------------------------------------------------------
 *  Inugami
 * --------------------------------------------------------------------
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, version 3.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 */
package io.inugami.commons.security;

import io.inugami.api.constants.JvmKeyValues;
import io.inugami.api.exceptions.Asserts;
import org.apache.commons.lang.StringEscapeUtils;

import java.util.Collection;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * SqlSecurityTools
 *
 * @author patrickguillerm
 * @since 11 sept. 2018
 */
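/**
 * Escaping and input-validation helpers applied to user-supplied text before it
 * reaches SQL, JavaScript, HTML or XML sinks.
 *
 * <p>These helpers are defence in depth only. commons-lang's
 * {@code StringEscapeUtils.escapeSql} merely doubles single quotes, and
 * {@link #checkInjection(String)} is a character blacklist (overridable through
 * {@code JvmKeyValues.SECURITY_SQL_INJECT_REGEX}); neither replaces parameterised
 * queries ({@code PreparedStatement}) for building SQL from untrusted input.
 *
 * <p>The {@code secure*} entity helpers read a field through a getter, escape it
 * and write it back through a setter; every variant finishes with an SQL escape
 * (see {@link #secureEntity(Supplier, Consumer, Function[])}).
 *
 * @author patrickguillerm
 * @since 11 sept. 2018
 */
public final class SecurityTools {

    // =========================================================================
    // ATTRIBUTES
    // =========================================================================
    /** Blacklist of characters rejected by {@link #checkInjection(String)}; the JVM property wins over the default. */
    private static final Pattern REGEX_INJECT = Pattern.compile(JvmKeyValues.SECURITY_SQL_INJECT_REGEX.or("([\'\\-;=\\?$/]+)|([<>])"));

    // =========================================================================
    // CONSTRUCTORS
    // =========================================================================
    private SecurityTools() {
    }

    // =========================================================================
    // METHODS
    // =========================================================================
    /**
     * Rejects values containing a blacklisted character and returns the
     * SQL-escaped value otherwise.
     *
     * <p>The exception message echoes the rejected value; callers should not
     * surface it verbatim to untrusted clients.
     *
     * @param value the text to validate; blank values (per {@code Asserts.checkIsBlank})
     *              skip the check and are only escaped
     * @return the value with single quotes doubled (commons-lang {@code escapeSql})
     * @throws SecurityException when the value contains a character matched by
     *                           {@link #REGEX_INJECT}, a single quote or a backslash
     */
    public static String checkInjection(final String value) {
        if (!Asserts.checkIsBlank(value)) {
            // find(): a blacklisted character anywhere in the value must trigger
            // the check. matches() anchored the pattern to the whole string, so
            // only values made up entirely of blacklisted characters were rejected.
            final Matcher matcher = REGEX_INJECT.matcher(value);
            if (matcher.find() || value.contains("'") || value.contains("\\")) {
                throw new SecurityException("invalide query! (" + value + ")");
            }
        }
        return StringEscapeUtils.escapeSql(value);
    }

    /**
     * Doubles single quotes in the value (commons-lang {@code escapeSql}).
     *
     * @param value the text to escape, may be {@code null}
     * @return the escaped text, or {@code null} when the input is {@code null}
     */
    public static String escapeSql(final String value) {
        return StringEscapeUtils.escapeSql(value);
    }

    /**
     * Applies the JavaScript escaper and then the HTML escaper to the value.
     *
     * @param value the text to escape, may be {@code null}
     * @return the escaped text, or {@code null} when the input is {@code null}
     */
    public static String escapeJavaScriptAndHtml(final String value) {
        return escape(value, StringEscapeUtils::escapeJavaScript, StringEscapeUtils::escapeHtml);
    }

    /**
     * Pipes the value through each processor in order.
     *
     * @param value      the text to escape, may be {@code null}
     * @param processors escapers applied left to right; {@code null} means none
     * @return the processed text, or {@code null} when the input is {@code null}
     */
    @SafeVarargs
    public static String escape(final String value, final Function<String, String>... processors) {
        String result = value;
        if (result != null && processors != null) {
            for (final Function<String, String> function : processors) {
                result = function.apply(result);
            }
        }
        return result;
    }

    // =========================================================================
    // ESCAPE ENTITY
    // =========================================================================
    /**
     * SQL-escapes the field read by {@code getter} and writes it back via {@code setter}.
     *
     * @param getter reads the current field value, mandatory
     * @param setter stores the escaped value, mandatory
     */
    public static void secureSql(final Supplier<String> getter, final Consumer<String> setter) {
        // secureEntity already applies escapeSql as its final step; passing it
        // again as a processor escaped twice ("'" became "''''").
        secureEntity(getter, setter);
    }

    /**
     * JavaScript-escapes then SQL-escapes the field read by {@code getter}.
     *
     * @param getter reads the current field value, mandatory
     * @param setter stores the escaped value, mandatory
     */
    public static void secureJavaScript(final Supplier<String> getter, final Consumer<String> setter) {
        secureEntity(getter, setter, StringEscapeUtils::escapeJavaScript);
    }

    /**
     * XML-escapes then SQL-escapes the field read by {@code getter}.
     *
     * @param getter reads the current field value, mandatory
     * @param setter stores the escaped value, mandatory
     */
    public static void secureXml(final Supplier<String> getter, final Consumer<String> setter) {
        secureEntity(getter, setter, StringEscapeUtils::escapeXml);
    }

    /**
     * HTML-escapes then SQL-escapes the field read by {@code getter}.
     *
     * @param getter reads the current field value, mandatory
     * @param setter stores the escaped value, mandatory
     */
    public static void secureHtml(final Supplier<String> getter, final Consumer<String> setter) {
        secureEntity(getter, setter, StringEscapeUtils::escapeHtml);
    }

    /**
     * JavaScript-escapes, HTML-escapes, then SQL-escapes the field read by {@code getter}.
     *
     * @param getter reads the current field value, mandatory
     * @param setter stores the escaped value, mandatory
     */
    public static void secureJavaScriptAndHtml(final Supplier<String> getter, final Consumer<String> setter) {
        secureEntity(getter, setter, StringEscapeUtils::escapeJavaScript, StringEscapeUtils::escapeHtml);
    }

    /**
     * JavaScript-and-HTML-escapes one or more fields of every item in the collection.
     *
     * <p>Unlike the single-field variants this does not SQL-escape the result.
     * {@code null} items are skipped before their extractor runs.
     *
     * @param values         the items to secure; {@code null} is a no-op
     * @param itemProcessors extractor/setter pairs describing the fields to secure;
     *                       {@code null} is a no-op
     * @param <T>            the item type
     */
    @SafeVarargs
    public static <T> void secureJavaScriptAndHtml(final Collection<T> values,
                                                   final ItemProcessor<T>... itemProcessors) {
        if (values == null || itemProcessors == null) {
            return;
        }
        for (final T value : values) {
            if (value == null) {
                // the null check must precede the extractor call, which dereferences the item
                continue;
            }
            for (final ItemProcessor<T> processor : itemProcessors) {
                final String content = processor.getExtractor().apply(value);
                processor.getSetter().accept(value, escapeJavaScriptAndHtml(content));
            }
        }
    }

    /**
     * Reads a field, runs it through the processors in order, SQL-escapes the
     * result and writes it back. A {@code null} field value is left untouched.
     *
     * <p>SQL escaping is always the final step, so callers must not pass
     * {@code escapeSql} as a processor as well.
     *
     * @param getter     reads the current field value, mandatory
     * @param setter     stores the escaped value, mandatory
     * @param processors escapers applied before the SQL escape, mandatory (may be empty)
     */
    @SafeVarargs
    public static void secureEntity(final Supplier<String> getter, final Consumer<String> setter,
                                    final Function<String, String>... processors) {
        Asserts.assertNotNull("getter is mandatory!", getter);
        Asserts.assertNotNull("setter is mandatory!", setter);
        Asserts.assertNotNull("processor is mandatory!", processors);

        final String value = getter.get();
        if (value != null) {
            setter.accept(escapeSql(escape(value, processors)));
        }
    }

}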



