io.inugami.commons.security.SecurityTools Maven / Gradle / Ivy
/* --------------------------------------------------------------------
* Inugami
* --------------------------------------------------------------------
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, version 3.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see .
*/
package io.inugami.commons.security;
import io.inugami.api.constants.JvmKeyValues;
import io.inugami.api.exceptions.Asserts;
import org.apache.commons.lang.StringEscapeUtils;
import java.util.Collection;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* SqlSecurityTools
*
* @author patrickguillerm
* @since 11 sept. 2018
*/
public final class SecurityTools {
// =========================================================================
// ATTRIBUTES
// =========================================================================
private static final Pattern REGEX_INJECT = Pattern.compile(JvmKeyValues.SECURITY_SQL_INJECT_REGEX.or("([\'\\-;=\\?$/]+)|([<>])"));
// =========================================================================
// CONSTRUCTORS
// =========================================================================
private SecurityTools() {
}
// =========================================================================
// METHODS
// =========================================================================
public static String checkInjection(final String value) {
if (!Asserts.checkIsBlank(value)) {
final Matcher matcher = REGEX_INJECT.matcher(value);
if (matcher.matches() || value.contains("'") || value.contains("\\")) {
throw new SecurityException("invalide query! (" + value + ")");
}
}
return StringEscapeUtils.escapeSql(value);
}
public static String escapeSql(final String value) {
return StringEscapeUtils.escapeSql(value);
}
public static String escapeJavaScriptAndHtml(final String value) {
return escape(value, StringEscapeUtils::escapeJavaScript, StringEscapeUtils::escapeHtml);
}
public static String escape(final String value, final Function... processors) {
String result = value;
if (result != null) {
for (final Function function : processors) {
result = function.apply(result);
}
}
return result;
}
// =========================================================================
// ESCAPE ENTITY
// =========================================================================
public static void secureSql(final Supplier getter, final Consumer setter) {
secureEntity(getter, setter, StringEscapeUtils::escapeSql);
}
public static void secureJavaScript(final Supplier getter, final Consumer setter) {
secureEntity(getter, setter, StringEscapeUtils::escapeJavaScript);
}
public static void secureXml(final Supplier getter, final Consumer setter) {
secureEntity(getter, setter, StringEscapeUtils::escapeXml);
}
public static void secureHtml(final Supplier getter, final Consumer setter) {
secureEntity(getter, setter, StringEscapeUtils::escapeHtml);
}
public static void secureJavaScriptAndHtml(final Supplier getter, final Consumer setter) {
secureEntity(getter, setter, StringEscapeUtils::escapeJavaScript, StringEscapeUtils::escapeHtml);
}
public static void secureJavaScriptAndHtml(final Collection values,
final ItemProcessor... itemProcessors) {
if ((values != null) && (itemProcessors != null)) {
for (final T value : values) {
for (final ItemProcessor processor : itemProcessors) {
final String content = processor.getExtractor().apply(value);
if (value != null) {
final String securedContent = escapeJavaScriptAndHtml(content);
processor.getSetter().accept(value, securedContent);
}
}
}
}
}
public static void secureEntity(final Supplier getter, final Consumer setter,
final Function... processors) {
Asserts.assertNotNull("getter is mandatory!", getter);
Asserts.assertNotNull("setter is mandatory!", setter);
Asserts.assertNotNull("processor is mandatory!", processors);
String value = getter.get();
if (value != null) {
for (final Function function : processors) {
value = function.apply(value);
}
setter.accept(SecurityTools.escapeSql(value));
}
}
}