org.owasp.esapi.reference.validation.BaseValidationRule Maven / Gradle / Ivy
/**
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* http://www.owasp.org/index.php/ESAPI.
*
* Copyright (c) 2007 - The OWASP Foundation
*
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
*
* @author Jeff Williams Aspect Security
* @created 2007
*/
package org.owasp.esapi.reference.validation;
import java.util.HashSet;
import java.util.Set;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.ValidationRule;
import org.owasp.esapi.errors.ValidationException;
/**
* A ValidationRule performs syntax and possibly semantic validation of a single
* piece of data from an untrusted source.
*
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security
* @since June 1, 2007
* @see org.owasp.esapi.Validator
*/
public abstract class BaseValidationRule implements ValidationRule {
private String typeName = null;
protected boolean allowNull = false;
protected Encoder encoder = null;
private BaseValidationRule() {
// prevent use of no-arg constructor
}
public BaseValidationRule( String typeName ) {
this();
setEncoder( ESAPI.encoder() );
setTypeName( typeName );
}
public BaseValidationRule( String typeName, Encoder encoder ) {
this();
setEncoder( encoder );
setTypeName( typeName );
}
/**
* {@inheritDoc}
*/
public void setAllowNull( boolean flag ) {
allowNull = flag;
}
/**
* {@inheritDoc}
*/
public String getTypeName() {
return typeName;
}
/**
* {@inheritDoc}
*/
public final void setTypeName( String typeName ) {
this.typeName = typeName;
}
/**
* {@inheritDoc}
*/
public final void setEncoder( Encoder encoder ) {
this.encoder = encoder;
}
/**
* {@inheritDoc}
*/
public void assertValid( String context, String input ) throws ValidationException {
getValid( context, input );
}
/**
* {@inheritDoc}
*/
public Object getValid( String context, String input, ValidationErrorList errorList ) throws ValidationException {
Object valid = null;
try {
valid = getValid( context, input );
} catch (ValidationException e) {
if( errorList == null) {
throw e;
} else {
errorList.addError(context, e);
}
}
return valid;
}
/**
* {@inheritDoc}
*/
public Object getSafe( String context, String input ) {
Object valid = null;
try {
valid = getValid( context, input );
} catch ( ValidationException e ) {
return sanitize( context, input );
}
return valid;
}
/**
* The method is similar to ValidationRuile.getSafe except that it returns a
* harmless object that may or may not have any similarity to the original
* input (in some cases you may not care). In most cases this should be the
* same as the getSafe method only instead of throwing an exception, return
* some default value.
*
* @param context
* @param input
* @return a parsed version of the input or a default value.
*/
protected abstract Object sanitize( String context, String input );
/**
* {@inheritDoc}
*/
public boolean isValid( String context, String input ) {
boolean valid = false;
try {
getValid( context, input );
valid = true;
} catch( Exception e ) {
valid = false;
}
return valid;
}
/**
* {@inheritDoc}
*/
public String whitelist( String input, char[] whitelist) {
return whitelist(input, charArrayToSet(whitelist));
}
/**
* Removes characters that aren't in the whitelist from the input String.
* O(input.length) whitelist performance
* @param input String to be sanitized
* @param whitelist allowed characters
* @return input stripped of all chars that aren't in the whitelist
*/
public String whitelist( String input, Set whitelist) {
StringBuilder stripped = new StringBuilder();
for (int i = 0; i < input.length(); i++) {
char c = input.charAt(i);
if (whitelist.contains(c)) {
stripped.append(c);
}
}
return stripped.toString();
}
// CHECKME should be moved to some utility class (Would potentially be used by new EncoderConstants class)
// Is there a standard way to convert an array of primitives to a Collection
/**
* Convert an array of characters to a {@code Set} (so duplicates
* are removed).
* @param array The character array.
* @return A {@code Set} of the unique characters from {@code array}
* is returned.
*/
public static Set charArrayToSet(char[] array) {
Set toReturn = new HashSet(array.length);
for (char c : array) {
toReturn.add(c);
}
return toReturn;
}
public boolean isAllowNull() {
return allowNull;
}
public Encoder getEncoder() {
return encoder;
}
}