org.owasp.esapi.waf.rules.BeanShellRule Maven / Gradle / Ivy

Go to download

Show more of this group Show more artifacts with this name
Show all versions of esapi Show documentation

The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP website. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.

There is a newer version: 2.5.5.0

Show newest version

/**
 * OWASP Enterprise Security API (ESAPI)
 * 
 * This file is part of the Open Web Application Security Project (OWASP)
 * Enterprise Security API (ESAPI) project. For details, please see
 * http://www.owasp.org/index.php/ESAPI.
 *
 * Copyright (c) 2009 - The OWASP Foundation
 * 
 * The ESAPI is published by OWASP under the BSD license. You should read and accept the
 * LICENSE before you use, modify, and/or redistribute this software.
 * 
 * @author Arshan Dabirsiaghi Aspect Security
 * @created 2009
 */
package org.owasp.esapi.waf.rules;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.waf.actions.Action;
import org.owasp.esapi.waf.actions.DoNothingAction;
import org.owasp.esapi.waf.internal.InterceptingHTTPServletResponse;

import bsh.EvalError;
import bsh.Interpreter;

/**
 * This is the Rule subclass executed for <bean-shell-script> rules.
 *
 * @author Arshan Dabirsiaghi
 *
 */
public class BeanShellRule extends Rule {

	private Interpreter i;
	private String script;
	private Pattern path;

	public BeanShellRule(String fileLocation, String id, Pattern path) throws IOException, EvalError {
		i = new Interpreter();
		i.set("logger", logger);
		this.script = getFileContents(ESAPI.securityConfiguration().getResourceFile(fileLocation));
		this.id = id;
		this.path = path;
	}

	public Action check(HttpServletRequest request, InterceptingHTTPServletResponse response,
			HttpServletResponse httpResponse) {

		/*
		 * Early fail: if the URL doesn't match one we're interested in.
		 */

		if (path != null && !path.matcher(request.getRequestURI()).matches()) {
			return new DoNothingAction();
		}

		/*
		 * Run the beanshell that we've already parsed and pre-compiled.
		 * Populate the "request" and "response" objects so the script has
		 * access to the same variables we do here.
		 */

		try {

			Action a = null;

			i.set("action", a);
			i.set("request", request);

			if (response != null) {
				i.set("response", response);
			} else {
				i.set("response", httpResponse);
			}

			i.set("session", request.getSession());
			i.eval(script);

			a = (Action) i.get("action");

			if (a != null) {
				return a;
			}

		} catch (EvalError e) {
			log(request, "Error running custom beanshell rule (" + id + ") - " + e.getMessage());
		}

		return new DoNothingAction();
	}

	private String getFileContents(File f) throws IOException {
		StringBuffer sb = new StringBuffer();
		BufferedReader br = null;

		try {
			br = new BufferedReader(new FileReader(f));
			String line;
			while ((line = br.readLine()) != null) {
				sb.append(line + System.getProperty("line.separator"));
			}

		} finally {
			if (br != null) {
				br.close();
			}
		}
		return sb.toString();
	}
}