• Home
• org.owasp.esapi
• esapi
• 2.2.1.0-RC1
• source code
• IPRule.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.owasp.esapi.waf.rules.IPRule Maven / Gradle / Ivy

/**
 * OWASP Enterprise Security API (ESAPI)
 * 
 * This file is part of the Open Web Application Security Project (OWASP)
 * Enterprise Security API (ESAPI) project. For details, please see
 * http://www.owasp.org/index.php/ESAPI.
 *
 * Copyright (c) 2009 - The OWASP Foundation
 * 
 * The ESAPI is published by OWASP under the BSD license. You should read and accept the
 * LICENSE before you use, modify, and/or redistribute this software.
 * 
 * @author Arshan Dabirsiaghi Aspect Security
 * @created 2009
 */
package org.owasp.esapi.waf.rules;

import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.waf.actions.Action;
import org.owasp.esapi.waf.actions.DefaultAction;
import org.owasp.esapi.waf.actions.DoNothingAction;
import org.owasp.esapi.waf.internal.InterceptingHTTPServletResponse;

/**
 * This is the Rule subclass executed for <detect-source-ip> rules.
 * @author Arshan Dabirsiaghi
 *
 */
public class IPRule extends Rule {

	private Pattern allowedIP;
	private String exactPath;
	private Pattern path;
	private boolean useExactPath = false;
	private String ipHeader;

	public IPRule(String id, Pattern allowedIP, Pattern path, String ipHeader) {
		this.allowedIP = allowedIP;
		this.path = path;
		this.useExactPath = false;
		this.ipHeader = ipHeader;
		setId(id);
	}

	public IPRule(String id, Pattern allowedIP, String exactPath) {
		this.path = null;
		this.exactPath = exactPath;
		this.useExactPath = true;
		setId(id);
	}

	public Action check(HttpServletRequest request,
			InterceptingHTTPServletResponse response, 
			HttpServletResponse httpResponse) {

		String uri = request.getRequestURI();

		if ( (!useExactPath && path.matcher(uri).matches()) ||
			 ( useExactPath && exactPath.equals(uri)) ) {
			
			String sourceIP = request.getRemoteAddr() + "";
			
			if ( ipHeader != null ) {
				sourceIP = request.getHeader(ipHeader);
			}
			
			if ( ! allowedIP.matcher(sourceIP).matches() ) {
				log(request, "IP not allowed to access URI '" + uri + "'");
				return new DefaultAction();
			}
		}

		return new DoNothingAction();
	}
}