• Home
• org.owasp.esapi
• esapi
• 2.2.1.0-RC1
• source code
• BaseValidationRule.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.owasp.esapi.reference.validation.BaseValidationRule Maven / Gradle / Ivy

/**
 * OWASP Enterprise Security API (ESAPI)
 * 
 * This file is part of the Open Web Application Security Project (OWASP)
 * Enterprise Security API (ESAPI) project. For details, please see
 * http://www.owasp.org/index.php/ESAPI.
 *
 * Copyright (c) 2007 - The OWASP Foundation
 * 
 * The ESAPI is published by OWASP under the BSD license. You should read and accept the
 * LICENSE before you use, modify, and/or redistribute this software.
 * 
 * @author Jeff Williams Aspect Security
 * @created 2007
 */
package org.owasp.esapi.reference.validation;


import java.util.HashSet;
import java.util.Set;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.ValidationRule;
import org.owasp.esapi.errors.ValidationException;


/**
 * A ValidationRule performs syntax and possibly semantic validation of a single
 * piece of data from an untrusted source.
 * 
 * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
 * @since June 1, 2007
 * @see org.owasp.esapi.Validator
 */
public abstract class BaseValidationRule implements ValidationRule {

	private String typeName = null;
	protected boolean allowNull = false;
	protected Encoder encoder = null;
	
	private BaseValidationRule() {
		// prevent use of no-arg constructor
	}
	
	public BaseValidationRule( String typeName ) {
		this();
		setEncoder( ESAPI.encoder() );
		setTypeName( typeName );
	}
	
	public BaseValidationRule( String typeName, Encoder encoder ) {
		this();
		setEncoder( encoder );
		setTypeName( typeName );
	}
	
    /**
     * {@inheritDoc}
	 */
	public void setAllowNull( boolean flag ) {
		allowNull = flag;
	}

    /**
     * {@inheritDoc}
	 */
	public String getTypeName() {
		return typeName;
	}
	
    /**
     * {@inheritDoc}
	 */
	public final void setTypeName( String typeName ) {
		this.typeName = typeName;
	}
	
    /**
     * {@inheritDoc}
	 */
	public final void setEncoder( Encoder encoder ) {
		this.encoder = encoder;
	}
	
    /**
     * {@inheritDoc}
	 */
	public void assertValid( String context, String input ) throws ValidationException {
		getValid( context, input );
	}

    /**
     * {@inheritDoc}
	 */
	public Object getValid( String context, String input, ValidationErrorList errorList ) throws ValidationException {
		Object valid = null;
		try {
			valid = getValid( context, input );
		} catch (ValidationException e) {
			if( errorList == null) { 
				throw e;
			} else {
				errorList.addError(context, e);
			}
		}
		return valid;
	}
	
    /**
     * {@inheritDoc}
	 */
	public Object getSafe( String context, String input ) {
		Object valid = null;
		try {
			valid = getValid( context, input );
		} catch ( ValidationException e ) {
			return sanitize( context, input );
		}
		return valid;
	}

	/**
	 * The method is similar to ValidationRuile.getSafe except that it returns a
	 * harmless object that may or may not have any similarity to the original
	 * input (in some cases you may not care). In most cases this should be the
	 * same as the getSafe method only instead of throwing an exception, return
	 * some default value.
	 * 
	 * @param context
	 * @param input
	 * @return a parsed version of the input or a default value.
	 */
	protected abstract Object sanitize( String context, String input );
	
    /**
     * {@inheritDoc}
	 */
	public boolean isValid( String context, String input ) {
		boolean valid = false;
		try {
			getValid( context, input );
			valid = true;
		} catch( Exception e ) {
			valid = false;
		}
		
		return valid;
	}

    /**
     * {@inheritDoc}
	 */
	public String whitelist( String input, char[] whitelist) {
		return whitelist(input, charArrayToSet(whitelist));
	}
	
	/**
	 * Removes characters that aren't in the whitelist from the input String.  
	 * O(input.length) whitelist performance
	 * @param input String to be sanitized
	 * @param whitelist allowed characters
	 * @return input stripped of all chars that aren't in the whitelist 
	 */
	public String whitelist( String input, Set whitelist) {
		StringBuilder stripped = new StringBuilder();
		for (int i = 0; i < input.length(); i++) {
			char c = input.charAt(i);
			if (whitelist.contains(c)) {
				stripped.append(c);
			}
		}
		return stripped.toString();
	}
	
	// CHECKME should be moved to some utility class (Would potentially be used by new EncoderConstants class)
	// Is there a standard way to convert an array of primitives to a Collection
	/**
	 * Convert an array of characters to a {@code Set} (so duplicates
	 * are removed).
	 * @param array The character array.
	 * @return A {@code Set} of the unique characters from {@code array}
	 *         is returned.
	 */
	public static Set charArrayToSet(char[] array) {
		Set toReturn = new HashSet(array.length);
		for (char c : array) {
			toReturn.add(c);
		}
		return toReturn;
	}
	
	public boolean isAllowNull() {
		return allowNull;
	}

	public Encoder getEncoder() {
		return encoder;
	}
}