Class DefaultValidator
- java.lang.Object
-
- org.owasp.esapi.reference.DefaultValidator
-
- All Implemented Interfaces:
Validator
public class DefaultValidator extends java.lang.Object implements Validator
Reference implementation of the Validator interface. This implementation relies on the ESAPI Encoder, Java Pattern (regex), Date, and several other classes to provide basic validation functions. This library has a heavy emphasis on whitelist validation and canonicalization.- Since:
- June 1, 2007
- Author:
- Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security, Jim Manico (jim@manico.net) Manico.net, Matt Seil (mseil .at. acm.org)
- See Also:
Validator
-
-
Constructor Summary
Constructors Constructor Description DefaultValidator()
Default constructor uses the ESAPI standard encoder for canonicalization.DefaultValidator(Encoder encoder)
Construct a new DefaultValidator that will use the specified Encoder for canonicalization.
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description void
addRule(ValidationRule rule)
Add a validation rule to the registry using the "type name" of the rule as the key.void
assertValidFileUpload(java.lang.String context, java.lang.String directorypath, java.lang.String filename, java.io.File parent, byte[] content, int maxBytes, java.util.List<java.lang.String> allowedExtensions, boolean allowNull)
Validates the filepath, filename, and content of a file.void
assertValidFileUpload(java.lang.String context, java.lang.String filepath, java.lang.String filename, java.io.File parent, byte[] content, int maxBytes, java.util.List<java.lang.String> allowedExtensions, boolean allowNull, ValidationErrorList errors)
Calls getValidFileUpload with the supplied errorList to capture ValidationExceptionsvoid
assertValidHTTPRequestParameterSet(java.lang.String context, javax.servlet.http.HttpServletRequest request, java.util.Set<java.lang.String> required, java.util.Set<java.lang.String> optional)
Validates that the parameters in the current request contain all required parameters and only optional ones in addition.void
assertValidHTTPRequestParameterSet(java.lang.String context, javax.servlet.http.HttpServletRequest request, java.util.Set<java.lang.String> required, java.util.Set<java.lang.String> optional, ValidationErrorList errors)
ValidationErrorList variant of assertIsValidHTTPRequestParameterSet Uses current HTTPRequest saved in ESAPI Authenticatorstatic Validator
getInstance()
java.net.URI
getRfcCompliantURI(java.lang.String input)
Will return aURI
object that will represent a fully parsed and legal URI as specified in RFC-3986.ValidationRule
getRule(java.lang.String name)
Get a validation rule from the registry with the "type name" of the rule as the key.java.lang.String
getValidCreditCard(java.lang.String context, java.lang.String input, boolean allowNull)
Returns a canonicalized and validated credit card number as a String.java.lang.String
getValidCreditCard(java.lang.String context, java.lang.String input, boolean allowNull, ValidationErrorList errors)
Calls getValidCreditCard with the supplied errorList to capture ValidationExceptionsjava.util.Date
getValidDate(java.lang.String context, java.lang.String input, java.text.DateFormat format, boolean allowNull)
Returns a valid date as a Date.java.util.Date
getValidDate(java.lang.String context, java.lang.String input, java.text.DateFormat format, boolean allowNull, ValidationErrorList errors)
Calls getValidDate with the supplied errorList to capture ValidationExceptionsjava.lang.String
getValidDirectoryPath(java.lang.String context, java.lang.String input, java.io.File parent, boolean allowNull)
Returns a canonicalized and validated directory path as a String, provided that the input maps to an existing directory that is an existing subdirectory (at any level) of the specified parent.java.lang.String
getValidDirectoryPath(java.lang.String context, java.lang.String input, java.io.File parent, boolean allowNull, ValidationErrorList errors)
Calls getValidDirectoryPath with the supplied errorList to capture ValidationExceptionsjava.lang.Double
getValidDouble(java.lang.String context, java.lang.String input, double minValue, double maxValue, boolean allowNull)
Returns a validated real number as a double.java.lang.Double
getValidDouble(java.lang.String context, java.lang.String input, double minValue, double maxValue, boolean allowNull, ValidationErrorList errors)
Calls getValidDouble with the supplied errorList to capture ValidationExceptionsbyte[]
getValidFileContent(java.lang.String context, byte[] input, int maxBytes, boolean allowNull)
Returns validated file content as a byte array.byte[]
getValidFileContent(java.lang.String context, byte[] input, int maxBytes, boolean allowNull, ValidationErrorList errors)
Calls getValidFileContent with the supplied errorList to capture ValidationExceptionsjava.lang.String
getValidFileName(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> allowedExtensions, boolean allowNull)
Returns a canonicalized and validated file name as a String.java.lang.String
getValidFileName(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> allowedParameters, boolean allowNull, ValidationErrorList errors)
Calls getValidFileName with the supplied errorList to capture ValidationExceptionsjava.lang.String
getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull)
Validates data received from the browser and returns a safe version.java.lang.String
getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, boolean canonicalize)
Validates data received from the browser and returns a safe version.java.lang.String
getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, boolean canonicalize, ValidationErrorList errors)
Validates data received from the browser and returns a safe version.java.lang.String
getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, ValidationErrorList errors)
Validates data received from the browser and returns a safe version.java.lang.Integer
getValidInteger(java.lang.String context, java.lang.String input, int minValue, int maxValue, boolean allowNull)
Returns a validated integer.java.lang.Integer
getValidInteger(java.lang.String context, java.lang.String input, int minValue, int maxValue, boolean allowNull, ValidationErrorList errors)
Calls getValidInteger with the supplied errorList to capture ValidationExceptionsjava.lang.String
getValidListItem(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> list)
Returns the list item that exactly matches the canonicalized input.java.lang.String
getValidListItem(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> list, ValidationErrorList errors)
ValidationErrorList variant of getValidListItemjava.lang.Double
getValidNumber(java.lang.String context, java.lang.String input, long minValue, long maxValue, boolean allowNull)
Returns a validated number as a double within the range of minValue to maxValue.java.lang.Double
getValidNumber(java.lang.String context, java.lang.String input, long minValue, long maxValue, boolean allowNull, ValidationErrorList errors)
Calls getValidSafeHTML with the supplied errorList to capture ValidationExceptionschar[]
getValidPrintable(java.lang.String context, char[] input, int maxLength, boolean allowNull)
Returns canonicalized and validated printable characters as a byte array.char[]
getValidPrintable(java.lang.String context, char[] input, int maxLength, boolean allowNull, ValidationErrorList errors)
ValidationErrorList variant of getValidPrintablejava.lang.String
getValidPrintable(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull)
Returns canonicalized and validated printable characters as a String.java.lang.String
getValidPrintable(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull, ValidationErrorList errors)
ValidationErrorList variant of getValidPrintablejava.lang.String
getValidRedirectLocation(java.lang.String context, java.lang.String input, boolean allowNull)
Returns a canonicalized and validated redirect location as a String.java.lang.String
getValidRedirectLocation(java.lang.String context, java.lang.String input, boolean allowNull, ValidationErrorList errors)
ValidationErrorList variant of getValidRedirectLocationjava.lang.String
getValidSafeHTML(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull)
Returns canonicalized and validated "safe" HTML that does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else.java.lang.String
getValidSafeHTML(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull, ValidationErrorList errors)
Calls getValidSafeHTML with the supplied errorList to capture ValidationExceptionsboolean
isValidCreditCard(java.lang.String context, java.lang.String input, boolean allowNull)
Calls getValidCreditCard and returns true if no exceptions are thrown.boolean
isValidCreditCard(java.lang.String context, java.lang.String input, boolean allowNull, ValidationErrorList errors)
Calls getValidCreditCard and returns true if no exceptions are thrown.boolean
isValidDate(java.lang.String context, java.lang.String input, java.text.DateFormat format, boolean allowNull)
Calls isValidDate and returns true if no exceptions are thrown.boolean
isValidDate(java.lang.String context, java.lang.String input, java.text.DateFormat format, boolean allowNull, ValidationErrorList errors)
Calls isValidDate and returns true if no exceptions are thrown.boolean
isValidDirectoryPath(java.lang.String context, java.lang.String input, java.io.File parent, boolean allowNull)
Calls getValidDirectoryPath and returns true if no exceptions are thrown.boolean
isValidDirectoryPath(java.lang.String context, java.lang.String input, java.io.File parent, boolean allowNull, ValidationErrorList errors)
Calls getValidDirectoryPath and returns true if no exceptions are thrown.boolean
isValidDouble(java.lang.String context, java.lang.String input, double minValue, double maxValue, boolean allowNull)
Calls getValidDouble and returns true if no exceptions are thrown.boolean
isValidDouble(java.lang.String context, java.lang.String input, double minValue, double maxValue, boolean allowNull, ValidationErrorList errors)
Calls getValidDouble and returns true if no exceptions are thrown.boolean
isValidFileContent(java.lang.String context, byte[] input, int maxBytes, boolean allowNull)
Calls getValidFileContent and returns true if no exceptions are thrown.boolean
isValidFileContent(java.lang.String context, byte[] input, int maxBytes, boolean allowNull, ValidationErrorList errors)
Calls getValidFileContent and returns true if no exceptions are thrown.boolean
isValidFileName(java.lang.String context, java.lang.String input, boolean allowNull)
Calls getValidFileName with the default list of allowedExtensionsboolean
isValidFileName(java.lang.String context, java.lang.String input, boolean allowNull, ValidationErrorList errors)
Calls getValidFileName with the default list of allowedExtensionsboolean
isValidFileName(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> allowedExtensions, boolean allowNull)
Calls getValidFileName and returns true if no exceptions are thrown.boolean
isValidFileName(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> allowedExtensions, boolean allowNull, ValidationErrorList errors)
Calls getValidFileName and returns true if no exceptions are thrown.boolean
isValidFileUpload(java.lang.String context, java.lang.String directorypath, java.lang.String filename, java.io.File parent, byte[] content, int maxBytes, boolean allowNull)
Calls getValidFileUpload and returns true if no exceptions are thrown.boolean
isValidFileUpload(java.lang.String context, java.lang.String directorypath, java.lang.String filename, java.io.File parent, byte[] content, int maxBytes, boolean allowNull, ValidationErrorList errors)
Calls getValidFileUpload and returns true if no exceptions are thrown.boolean
isValidHTTPRequestParameterSet(java.lang.String context, javax.servlet.http.HttpServletRequest request, java.util.Set<java.lang.String> requiredNames, java.util.Set<java.lang.String> optionalNames)
Calls assertValidHTTPRequestParameterSet and returns true if no exceptions are thrown.boolean
isValidHTTPRequestParameterSet(java.lang.String context, javax.servlet.http.HttpServletRequest request, java.util.Set<java.lang.String> requiredNames, java.util.Set<java.lang.String> optionalNames, ValidationErrorList errors)
Calls assertValidHTTPRequestParameterSet and returns true if no exceptions are thrown.boolean
isValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull)
Returns true if data received from browser is valid.boolean
isValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, boolean canonicalize)
Calls isValidInput and returns true if no exceptions are thrown.boolean
isValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, boolean canonicalize, ValidationErrorList errors)
Calls isValidInput and returns true if no exceptions are thrown.boolean
isValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, ValidationErrorList errors)
Calls isValidInput and returns true if no exceptions are thrown.boolean
isValidInteger(java.lang.String context, java.lang.String input, int minValue, int maxValue, boolean allowNull)
Calls getValidInteger and returns true if no exceptions are thrown.boolean
isValidInteger(java.lang.String context, java.lang.String input, int minValue, int maxValue, boolean allowNull, ValidationErrorList errors)
Calls getValidInteger and returns true if no exceptions are thrown.boolean
isValidListItem(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> list)
Calls getValidListItem and returns true if no exceptions are thrown.boolean
isValidListItem(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> list, ValidationErrorList errors)
Calls getValidListItem and returns true if no exceptions are thrown.boolean
isValidNumber(java.lang.String context, java.lang.String input, long minValue, long maxValue, boolean allowNull)
Calls getValidNumber and returns true if no exceptions are thrown.boolean
isValidNumber(java.lang.String context, java.lang.String input, long minValue, long maxValue, boolean allowNull, ValidationErrorList errors)
Calls getValidNumber and returns true if no exceptions are thrown.boolean
isValidPrintable(java.lang.String context, char[] input, int maxLength, boolean allowNull)
Calls getValidPrintable and returns true if no exceptions are thrown.boolean
isValidPrintable(java.lang.String context, char[] input, int maxLength, boolean allowNull, ValidationErrorList errors)
Calls getValidPrintable and returns true if no exceptions are thrown.boolean
isValidPrintable(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull)
Calls getValidPrintable and returns true if no exceptions are thrown.boolean
isValidPrintable(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull, ValidationErrorList errors)
Calls getValidPrintable and returns true if no exceptions are thrown.boolean
isValidRedirectLocation(java.lang.String context, java.lang.String input, boolean allowNull)
Returns true if input is a valid redirect location.boolean
isValidRedirectLocation(java.lang.String context, java.lang.String input, boolean allowNull, ValidationErrorList errors)
Returns true if input is a valid redirect location.boolean
isValidSafeHTML(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull)
Calls getValidSafeHTML and returns true if no exceptions are thrown.boolean
isValidSafeHTML(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull, ValidationErrorList errors)
Calls getValidSafeHTML and returns true if no exceptions are thrown.boolean
isValidURI(java.lang.String context, java.lang.String input, boolean allowNull)
Parses and ensures that the URI in question is a valid RFC-3986 URI.java.lang.String
safeReadLine(java.io.InputStream in, int max)
Reads from an input stream until end-of-line or a maximum number of characters.
-
-
-
Constructor Detail
-
DefaultValidator
public DefaultValidator()
Default constructor uses the ESAPI standard encoder for canonicalization.
-
DefaultValidator
public DefaultValidator(Encoder encoder)
Construct a new DefaultValidator that will use the specified Encoder for canonicalization.- Parameters:
encoder
-
-
-
Method Detail
-
getInstance
public static Validator getInstance()
-
addRule
public void addRule(ValidationRule rule)
Add a validation rule to the registry using the "type name" of the rule as the key.
-
getRule
public ValidationRule getRule(java.lang.String name)
Get a validation rule from the registry with the "type name" of the rule as the key.
-
isValidInput
public boolean isValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull) throws IntrusionException
Returns true if data received from browser is valid. Double encoding is treated as an attack. The default encoder supports html encoding, URL encoding, and javascript escaping. Input is canonicalized by default before validation.- Specified by:
isValidInput
in interfaceValidator
- Parameters:
context
- A descriptive name for the field to validate. This is used for error facing validation messages and element identification.input
- The actual user input data to validate.type
- The regular expression name while maps to the actual regular expression from "ESAPI.properties".maxLength
- The maximum post-canonicalized String length allowed.allowNull
- If allowNull is true then a input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- The canonicalized user input.
- Throws:
IntrusionException
-
isValidInput
public boolean isValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Description copied from interface:Validator
Calls isValidInput and returns true if no exceptions are thrown.- Specified by:
isValidInput
in interfaceValidator
- Throws:
IntrusionException
-
isValidInput
public boolean isValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, boolean canonicalize) throws IntrusionException
Description copied from interface:Validator
Calls isValidInput and returns true if no exceptions are thrown.- Specified by:
isValidInput
in interfaceValidator
- Throws:
IntrusionException
-
isValidInput
public boolean isValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, boolean canonicalize, ValidationErrorList errors) throws IntrusionException
Description copied from interface:Validator
Calls isValidInput and returns true if no exceptions are thrown.- Specified by:
isValidInput
in interfaceValidator
- Throws:
IntrusionException
-
getValidInput
public java.lang.String getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull) throws ValidationException
Validates data received from the browser and returns a safe version. Double encoding is treated as an attack. The default encoder supports html encoding, URL encoding, and javascript escaping. Input is canonicalized by default before validation.- Specified by:
getValidInput
in interfaceValidator
- Parameters:
context
- A descriptive name for the field to validate. This is used for error facing validation messages and element identification.input
- The actual user input data to validate.type
- The regular expression name which maps to the actual regular expression from "ESAPI.properties".maxLength
- The maximum post-canonicalized String length allowed.allowNull
- If allowNull is true then a input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- The canonicalized user input.
- Throws:
ValidationException
IntrusionException
-
getValidInput
public java.lang.String getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, boolean canonicalize) throws ValidationException
Validates data received from the browser and returns a safe version. Only URL encoding is supported. Double encoding is treated as an attack.- Specified by:
getValidInput
in interfaceValidator
- Parameters:
context
- A descriptive name for the field to validate. This is used for error facing validation messages and element identification.input
- The actual user input data to validate.type
- The regular expression name which maps to the actual regular expression in the ESAPI validation configuration filemaxLength
- The maximum String length allowed. If input is canonicalized per the canonicalize argument, then maxLength must be verified after canonicalizationallowNull
- If allowNull is true then a input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.canonicalize
- If canonicalize is true then input will be canonicalized before validation- Returns:
- The user input, may be canonicalized if canonicalize argument is true
- Throws:
ValidationException
IntrusionException
-
getValidInput
public java.lang.String getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Validates data received from the browser and returns a safe version. Only URL encoding is supported. Double encoding is treated as an attack. Input is canonicalized by default before validation.- Specified by:
getValidInput
in interfaceValidator
- Parameters:
context
- A descriptive name for the field to validate. This is used for error facing validation messages and element identification.input
- The actual user input data to validate.type
- The regular expression name while maps to the actual regular expression from "ESAPI.properties".maxLength
- The maximum String length allowed. If input is canonicalized per the canonicalize argument, then maxLength must be verified after canonicalizationallowNull
- If allowNull is true then a input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.errors
- If ValidationException is thrown, then add to error list instead of throwing out to caller- Returns:
- The canonicalized user input.
- Throws:
IntrusionException
-
getValidInput
public java.lang.String getValidInput(java.lang.String context, java.lang.String input, java.lang.String type, int maxLength, boolean allowNull, boolean canonicalize, ValidationErrorList errors) throws IntrusionException
Validates data received from the browser and returns a safe version. Only URL encoding is supported. Double encoding is treated as an attack.- Specified by:
getValidInput
in interfaceValidator
- Parameters:
context
- A descriptive name for the field to validate. This is used for error facing validation messages and element identification.input
- The actual user input data to validate.type
- The regular expression name while maps to the actual regular expression from "ESAPI.properties".maxLength
- The maximum post-canonicalized String length allowedallowNull
- If allowNull is true then a input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.canonicalize
- If canonicalize is true then input will be canonicalized before validationerrors
- If ValidationException is thrown, then add to error list instead of throwing out to caller- Returns:
- The user input, may be canonicalized if canonicalize argument is true
- Throws:
IntrusionException
-
isValidDate
public boolean isValidDate(java.lang.String context, java.lang.String input, java.text.DateFormat format, boolean allowNull) throws IntrusionException
Calls isValidDate and returns true if no exceptions are thrown.- Specified by:
isValidDate
in interfaceValidator
- Throws:
IntrusionException
-
isValidDate
public boolean isValidDate(java.lang.String context, java.lang.String input, java.text.DateFormat format, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls isValidDate and returns true if no exceptions are thrown.- Specified by:
isValidDate
in interfaceValidator
- Throws:
IntrusionException
-
getValidDate
public java.util.Date getValidDate(java.lang.String context, java.lang.String input, java.text.DateFormat format, boolean allowNull) throws ValidationException, IntrusionException
Returns a valid date as a Date. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidDate
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual user input data to validate.format
- Required formatting of date inputted.allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- A valid date as a Date
- Throws:
ValidationException
IntrusionException
-
getValidDate
public java.util.Date getValidDate(java.lang.String context, java.lang.String input, java.text.DateFormat format, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidDate with the supplied errorList to capture ValidationExceptions- Specified by:
getValidDate
in interfaceValidator
- Throws:
IntrusionException
-
isValidSafeHTML
public boolean isValidSafeHTML(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull) throws IntrusionException
Calls getValidSafeHTML and returns true if no exceptions are thrown.- Specified by:
isValidSafeHTML
in interfaceValidator
- Throws:
IntrusionException
-
isValidSafeHTML
public boolean isValidSafeHTML(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidSafeHTML and returns true if no exceptions are thrown.- Specified by:
isValidSafeHTML
in interfaceValidator
- Throws:
IntrusionException
-
getValidSafeHTML
public java.lang.String getValidSafeHTML(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull) throws ValidationException, IntrusionException
Returns canonicalized and validated "safe" HTML that does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else. Implementors should reference the OWASP AntiSamy project for ideas on how to do HTML validation in a whitelist way, as this is an extremely difficult problem. This implementation relies on the OWASP AntiSamy project.- Specified by:
getValidSafeHTML
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual user input data to validate.maxLength
- The maximum String length allowed.allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- Valid safe HTML
- Throws:
ValidationException
IntrusionException
-
getValidSafeHTML
public java.lang.String getValidSafeHTML(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidSafeHTML with the supplied errorList to capture ValidationExceptions- Specified by:
getValidSafeHTML
in interfaceValidator
- Throws:
IntrusionException
-
isValidCreditCard
public boolean isValidCreditCard(java.lang.String context, java.lang.String input, boolean allowNull) throws IntrusionException
Calls getValidCreditCard and returns true if no exceptions are thrown.- Specified by:
isValidCreditCard
in interfaceValidator
- Throws:
IntrusionException
-
isValidCreditCard
public boolean isValidCreditCard(java.lang.String context, java.lang.String input, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidCreditCard and returns true if no exceptions are thrown.- Specified by:
isValidCreditCard
in interfaceValidator
- Throws:
IntrusionException
-
getValidCreditCard
public java.lang.String getValidCreditCard(java.lang.String context, java.lang.String input, boolean allowNull) throws ValidationException, IntrusionException
Returns a canonicalized and validated credit card number as a String. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidCreditCard
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual user input data to validate.allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- A valid credit card number
- Throws:
ValidationException
IntrusionException
-
getValidCreditCard
public java.lang.String getValidCreditCard(java.lang.String context, java.lang.String input, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidCreditCard with the supplied errorList to capture ValidationExceptions- Specified by:
getValidCreditCard
in interfaceValidator
- Throws:
IntrusionException
-
isValidDirectoryPath
public boolean isValidDirectoryPath(java.lang.String context, java.lang.String input, java.io.File parent, boolean allowNull) throws IntrusionException
Calls getValidDirectoryPath and returns true if no exceptions are thrown.Note: On platforms that support symlinks, this function will fail canonicalization if directorypath is a symlink. For example, on MacOS X, /etc is actually /private/etc. If you mean to use /etc, use its real path (/private/etc), not the symlink (/etc).
- Specified by:
isValidDirectoryPath
in interfaceValidator
- Throws:
IntrusionException
-
isValidDirectoryPath
public boolean isValidDirectoryPath(java.lang.String context, java.lang.String input, java.io.File parent, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidDirectoryPath and returns true if no exceptions are thrown.Note: On platforms that support symlinks, this function will fail canonicalization if directorypath is a symlink. For example, on MacOS X, /etc is actually /private/etc. If you mean to use /etc, use its real path (/private/etc), not the symlink (/etc).
- Specified by:
isValidDirectoryPath
in interfaceValidator
- Throws:
IntrusionException
-
getValidDirectoryPath
public java.lang.String getValidDirectoryPath(java.lang.String context, java.lang.String input, java.io.File parent, boolean allowNull) throws ValidationException, IntrusionException
Returns a canonicalized and validated directory path as a String, provided that the input maps to an existing directory that is an existing subdirectory (at any level) of the specified parent. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException. Instead of throwing a ValidationException on error, this variant will store the exception inside of the ValidationErrorList.- Specified by:
getValidDirectoryPath
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- A valid directory path
- Throws:
ValidationException
IntrusionException
-
getValidDirectoryPath
public java.lang.String getValidDirectoryPath(java.lang.String context, java.lang.String input, java.io.File parent, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidDirectoryPath with the supplied errorList to capture ValidationExceptions- Specified by:
getValidDirectoryPath
in interfaceValidator
- Throws:
IntrusionException
-
isValidFileName
public boolean isValidFileName(java.lang.String context, java.lang.String input, boolean allowNull) throws IntrusionException
Calls getValidFileName with the default list of allowedExtensions- Specified by:
isValidFileName
in interfaceValidator
- Throws:
IntrusionException
-
isValidFileName
public boolean isValidFileName(java.lang.String context, java.lang.String input, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidFileName with the default list of allowedExtensions- Specified by:
isValidFileName
in interfaceValidator
- Throws:
IntrusionException
-
isValidFileName
public boolean isValidFileName(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> allowedExtensions, boolean allowNull) throws IntrusionException
Calls getValidFileName and returns true if no exceptions are thrown.- Specified by:
isValidFileName
in interfaceValidator
- Throws:
IntrusionException
-
isValidFileName
public boolean isValidFileName(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> allowedExtensions, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidFileName and returns true if no exceptions are thrown.- Specified by:
isValidFileName
in interfaceValidator
- Throws:
IntrusionException
-
getValidFileName
public java.lang.String getValidFileName(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> allowedExtensions, boolean allowNull) throws ValidationException, IntrusionException
Returns a canonicalized and validated file name as a String. Implementors should check for allowed file extensions here, as well as allowed file name characters, as declared in "ESAPI.properties". Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidFileName
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- A valid file name
- Throws:
ValidationException
IntrusionException
-
getValidFileName
public java.lang.String getValidFileName(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> allowedParameters, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidFileName with the supplied errorList to capture ValidationExceptions- Specified by:
getValidFileName
in interfaceValidator
- Throws:
IntrusionException
-
isValidNumber
public boolean isValidNumber(java.lang.String context, java.lang.String input, long minValue, long maxValue, boolean allowNull) throws IntrusionException
Calls getValidNumber and returns true if no exceptions are thrown.- Specified by:
isValidNumber
in interfaceValidator
- Throws:
IntrusionException
-
isValidNumber
public boolean isValidNumber(java.lang.String context, java.lang.String input, long minValue, long maxValue, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidNumber and returns true if no exceptions are thrown.- Specified by:
isValidNumber
in interfaceValidator
- Throws:
IntrusionException
-
getValidNumber
public java.lang.Double getValidNumber(java.lang.String context, java.lang.String input, long minValue, long maxValue, boolean allowNull) throws ValidationException, IntrusionException
Returns a validated number as a double within the range of minValue to maxValue. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidNumber
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.minValue
- Lowest legal value for input.maxValue
- Highest legal value for input.allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- A validated number as a double.
- Throws:
ValidationException
IntrusionException
-
getValidNumber
public java.lang.Double getValidNumber(java.lang.String context, java.lang.String input, long minValue, long maxValue, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidSafeHTML with the supplied errorList to capture ValidationExceptions- Specified by:
getValidNumber
in interfaceValidator
- Throws:
IntrusionException
-
isValidDouble
public boolean isValidDouble(java.lang.String context, java.lang.String input, double minValue, double maxValue, boolean allowNull) throws IntrusionException
Calls getValidDouble and returns true if no exceptions are thrown.- Specified by:
isValidDouble
in interfaceValidator
- Throws:
IntrusionException
-
isValidDouble
public boolean isValidDouble(java.lang.String context, java.lang.String input, double minValue, double maxValue, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidDouble and returns true if no exceptions are thrown.- Specified by:
isValidDouble
in interfaceValidator
- Throws:
IntrusionException
-
getValidDouble
public java.lang.Double getValidDouble(java.lang.String context, java.lang.String input, double minValue, double maxValue, boolean allowNull) throws ValidationException, IntrusionException
Returns a validated real number as a double. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidDouble
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.minValue
- Lowest legal value for input.maxValue
- Highest legal value for input.allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- A validated real number as a double.
- Throws:
ValidationException
IntrusionException
-
getValidDouble
public java.lang.Double getValidDouble(java.lang.String context, java.lang.String input, double minValue, double maxValue, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidDouble with the supplied errorList to capture ValidationExceptions- Specified by:
getValidDouble
in interfaceValidator
- Throws:
IntrusionException
-
isValidInteger
public boolean isValidInteger(java.lang.String context, java.lang.String input, int minValue, int maxValue, boolean allowNull) throws IntrusionException
Calls getValidInteger and returns true if no exceptions are thrown.- Specified by:
isValidInteger
in interfaceValidator
- Throws:
IntrusionException
-
isValidInteger
public boolean isValidInteger(java.lang.String context, java.lang.String input, int minValue, int maxValue, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidInteger and returns true if no exceptions are thrown.- Specified by:
isValidInteger
in interfaceValidator
- Throws:
IntrusionException
-
getValidInteger
public java.lang.Integer getValidInteger(java.lang.String context, java.lang.String input, int minValue, int maxValue, boolean allowNull) throws ValidationException, IntrusionException
Returns a validated integer. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidInteger
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.minValue
- Lowest legal value for input.maxValue
- Highest legal value for input.allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- A validated number as an integer.
- Throws:
ValidationException
IntrusionException
-
getValidInteger
public java.lang.Integer getValidInteger(java.lang.String context, java.lang.String input, int minValue, int maxValue, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidInteger with the supplied errorList to capture ValidationExceptions- Specified by:
getValidInteger
in interfaceValidator
- Throws:
IntrusionException
-
isValidFileContent
public boolean isValidFileContent(java.lang.String context, byte[] input, int maxBytes, boolean allowNull) throws IntrusionException
Calls getValidFileContent and returns true if no exceptions are thrown.- Specified by:
isValidFileContent
in interfaceValidator
- Throws:
IntrusionException
-
isValidFileContent
public boolean isValidFileContent(java.lang.String context, byte[] input, int maxBytes, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidFileContent and returns true if no exceptions are thrown.- Specified by:
isValidFileContent
in interfaceValidator
- Throws:
IntrusionException
-
getValidFileContent
public byte[] getValidFileContent(java.lang.String context, byte[] input, int maxBytes, boolean allowNull) throws ValidationException, IntrusionException
Returns validated file content as a byte array. This is a good place to check for max file size, allowed character sets, and do virus scans. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidFileContent
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.maxBytes
- The maximum number of bytes allowed in a legal file.allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- A byte array containing valid file content.
- Throws:
ValidationException
IntrusionException
-
getValidFileContent
public byte[] getValidFileContent(java.lang.String context, byte[] input, int maxBytes, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidFileContent with the supplied errorList to capture ValidationExceptions- Specified by:
getValidFileContent
in interfaceValidator
- Throws:
IntrusionException
-
isValidFileUpload
public boolean isValidFileUpload(java.lang.String context, java.lang.String directorypath, java.lang.String filename, java.io.File parent, byte[] content, int maxBytes, boolean allowNull) throws IntrusionException
Calls getValidFileUpload and returns true if no exceptions are thrown.Note: On platforms that support symlinks, this function will fail canonicalization if directorypath is a symlink. For example, on MacOS X, /etc is actually /private/etc. If you mean to use /etc, use its real path (/private/etc), not the symlink (/etc).
- Specified by:
isValidFileUpload
in interfaceValidator
- Throws:
IntrusionException
-
isValidFileUpload
public boolean isValidFileUpload(java.lang.String context, java.lang.String directorypath, java.lang.String filename, java.io.File parent, byte[] content, int maxBytes, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidFileUpload and returns true if no exceptions are thrown.Note: On platforms that support symlinks, this function will fail canonicalization if directorypath is a symlink. For example, on MacOS X, /etc is actually /private/etc. If you mean to use /etc, use its real path (/private/etc), not the symlink (/etc).
- Specified by:
isValidFileUpload
in interfaceValidator
- Throws:
IntrusionException
-
assertValidFileUpload
public void assertValidFileUpload(java.lang.String context, java.lang.String directorypath, java.lang.String filename, java.io.File parent, byte[] content, int maxBytes, java.util.List<java.lang.String> allowedExtensions, boolean allowNull) throws ValidationException, IntrusionException
Validates the filepath, filename, and content of a file. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
assertValidFileUpload
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.directorypath
- The file path of the uploaded file.filename
- The filename of the uploaded filecontent
- A byte array containing the content of the uploaded file.maxBytes
- The max number of bytes allowed for a legal file upload.allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Throws:
ValidationException
IntrusionException
-
assertValidFileUpload
public void assertValidFileUpload(java.lang.String context, java.lang.String filepath, java.lang.String filename, java.io.File parent, byte[] content, int maxBytes, java.util.List<java.lang.String> allowedExtensions, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidFileUpload with the supplied errorList to capture ValidationExceptions- Specified by:
assertValidFileUpload
in interfaceValidator
- Throws:
IntrusionException
-
isValidListItem
public boolean isValidListItem(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> list)
Calls getValidListItem and returns true if no exceptions are thrown. Returns true if input is a valid list item.- Specified by:
isValidListItem
in interfaceValidator
-
isValidListItem
public boolean isValidListItem(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> list, ValidationErrorList errors)
Calls getValidListItem and returns true if no exceptions are thrown. Returns true if input is a valid list item.- Specified by:
isValidListItem
in interfaceValidator
-
getValidListItem
public java.lang.String getValidListItem(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> list) throws ValidationException, IntrusionException
Returns the list item that exactly matches the canonicalized input. Invalid or non-matching input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidListItem
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The value to search 'list' for.list
- The list to search for 'input'.- Returns:
- The list item that exactly matches the canonicalized input.
- Throws:
ValidationException
IntrusionException
-
getValidListItem
public java.lang.String getValidListItem(java.lang.String context, java.lang.String input, java.util.List<java.lang.String> list, ValidationErrorList errors) throws IntrusionException
ValidationErrorList variant of getValidListItem- Specified by:
getValidListItem
in interfaceValidator
- Parameters:
errors
-- Throws:
IntrusionException
-
isValidHTTPRequestParameterSet
public boolean isValidHTTPRequestParameterSet(java.lang.String context, javax.servlet.http.HttpServletRequest request, java.util.Set<java.lang.String> requiredNames, java.util.Set<java.lang.String> optionalNames)
Calls assertValidHTTPRequestParameterSet and returns true if no exceptions are thrown.- Specified by:
isValidHTTPRequestParameterSet
in interfaceValidator
-
isValidHTTPRequestParameterSet
public boolean isValidHTTPRequestParameterSet(java.lang.String context, javax.servlet.http.HttpServletRequest request, java.util.Set<java.lang.String> requiredNames, java.util.Set<java.lang.String> optionalNames, ValidationErrorList errors)
Calls assertValidHTTPRequestParameterSet and returns true if no exceptions are thrown.- Specified by:
isValidHTTPRequestParameterSet
in interfaceValidator
-
assertValidHTTPRequestParameterSet
public void assertValidHTTPRequestParameterSet(java.lang.String context, javax.servlet.http.HttpServletRequest request, java.util.Set<java.lang.String> required, java.util.Set<java.lang.String> optional) throws ValidationException, IntrusionException
Validates that the parameters in the current request contain all required parameters and only optional ones in addition. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException. Uses current HTTPRequest- Specified by:
assertValidHTTPRequestParameterSet
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.required
- parameters that are required to be in HTTP requestoptional
- additional parameters that may be in HTTP request- Throws:
ValidationException
IntrusionException
-
assertValidHTTPRequestParameterSet
public void assertValidHTTPRequestParameterSet(java.lang.String context, javax.servlet.http.HttpServletRequest request, java.util.Set<java.lang.String> required, java.util.Set<java.lang.String> optional, ValidationErrorList errors) throws IntrusionException
ValidationErrorList variant of assertIsValidHTTPRequestParameterSet Uses current HTTPRequest saved in ESAPI Authenticator- Specified by:
assertValidHTTPRequestParameterSet
in interfaceValidator
- Parameters:
errors
-- Throws:
IntrusionException
-
isValidPrintable
public boolean isValidPrintable(java.lang.String context, char[] input, int maxLength, boolean allowNull) throws IntrusionException
Calls getValidPrintable and returns true if no exceptions are thrown. Checks that all bytes are valid ASCII characters (between 33 and 126 inclusive). This implementation does no decoding. http://en.wikipedia.org/wiki/ASCII.- Specified by:
isValidPrintable
in interfaceValidator
- Throws:
IntrusionException
-
isValidPrintable
public boolean isValidPrintable(java.lang.String context, char[] input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidPrintable and returns true if no exceptions are thrown. Checks that all bytes are valid ASCII characters (between 33 and 126 inclusive). This implementation does no decoding. http://en.wikipedia.org/wiki/ASCII.- Specified by:
isValidPrintable
in interfaceValidator
- Throws:
IntrusionException
-
getValidPrintable
public char[] getValidPrintable(java.lang.String context, char[] input, int maxLength, boolean allowNull) throws ValidationException, IntrusionException
Returns canonicalized and validated printable characters as a byte array. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidPrintable
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- data to be returned as valid and printablemaxLength
- Maximum number of bytes stored in 'input'allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- a byte array containing only printable characters, made up of data from 'input'
- Throws:
IntrusionException
ValidationException
-
getValidPrintable
public char[] getValidPrintable(java.lang.String context, char[] input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException
ValidationErrorList variant of getValidPrintable- Specified by:
getValidPrintable
in interfaceValidator
- Parameters:
errors
-- Throws:
IntrusionException
-
isValidPrintable
public boolean isValidPrintable(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull) throws IntrusionException
Calls getValidPrintable and returns true if no exceptions are thrown. Returns true if input is valid printable ASCII characters (32-126).- Specified by:
isValidPrintable
in interfaceValidator
- Throws:
IntrusionException
-
isValidPrintable
public boolean isValidPrintable(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Calls getValidPrintable and returns true if no exceptions are thrown. Returns true if input is valid printable ASCII characters (32-126).- Specified by:
isValidPrintable
in interfaceValidator
- Throws:
IntrusionException
-
getValidPrintable
public java.lang.String getValidPrintable(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull) throws ValidationException, IntrusionException
Returns canonicalized and validated printable characters as a String. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidPrintable
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- data to be returned as valid and printablemaxLength
- Maximum number of bytes stored in 'input' after canonicalizationallowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- a String containing only printable characters, made up of data from 'input'
- Throws:
IntrusionException
ValidationException
-
getValidPrintable
public java.lang.String getValidPrintable(java.lang.String context, java.lang.String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException
ValidationErrorList variant of getValidPrintable- Specified by:
getValidPrintable
in interfaceValidator
- Parameters:
errors
-- Throws:
IntrusionException
-
isValidRedirectLocation
public boolean isValidRedirectLocation(java.lang.String context, java.lang.String input, boolean allowNull) throws IntrusionException
Returns true if input is a valid redirect location.- Specified by:
isValidRedirectLocation
in interfaceValidator
- Throws:
IntrusionException
-
isValidRedirectLocation
public boolean isValidRedirectLocation(java.lang.String context, java.lang.String input, boolean allowNull, ValidationErrorList errors) throws IntrusionException
Returns true if input is a valid redirect location.- Specified by:
isValidRedirectLocation
in interfaceValidator
- Throws:
IntrusionException
-
getValidRedirectLocation
public java.lang.String getValidRedirectLocation(java.lang.String context, java.lang.String input, boolean allowNull) throws ValidationException, IntrusionException
Returns a canonicalized and validated redirect location as a String. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.- Specified by:
getValidRedirectLocation
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- redirect location to be returned as valid, according to encoding rules set in "ESAPI.properties"allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- A canonicalized and validated redirect location, as defined in "ESAPI.properties"
- Throws:
ValidationException
IntrusionException
-
getValidRedirectLocation
public java.lang.String getValidRedirectLocation(java.lang.String context, java.lang.String input, boolean allowNull, ValidationErrorList errors) throws IntrusionException
ValidationErrorList variant of getValidRedirectLocation- Specified by:
getValidRedirectLocation
in interfaceValidator
- Parameters:
errors
-- Throws:
IntrusionException
-
safeReadLine
public java.lang.String safeReadLine(java.io.InputStream in, int max) throws ValidationException
Reads from an input stream until end-of-line or a maximum number of characters. This method protects against the inherent denial of service attack in reading until the end of a line. If an attacker doesn't ever send a newline character, then a normal input stream reader will read until all memory is exhausted and the platform throws an OutOfMemoryError and probably terminates. This implementation reads until a newline or the specified number of characters.- Specified by:
safeReadLine
in interfaceValidator
- Parameters:
in
-max
-- Returns:
- a String containing the current line of inputStream
- Throws:
ValidationException
-
isValidURI
public boolean isValidURI(java.lang.String context, java.lang.String input, boolean allowNull)
Parses and ensures that the URI in question is a valid RFC-3986 URI. This simplifies the kind of regex required for subsequent validation to mitigate regex-based DoS attacks.- Specified by:
isValidURI
in interfaceValidator
- Parameters:
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- redirect location to be returned as valid, according to encoding rules set in "ESAPI.properties"allowNull
- If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.- Returns:
- True if the URI is valid
- See Also:
- RFC-3986.
-
getRfcCompliantURI
public java.net.URI getRfcCompliantURI(java.lang.String input)
Will return aURI
object that will represent a fully parsed and legal URI as specified in RFC-3986.- Specified by:
getRfcCompliantURI
in interfaceValidator
- Parameters:
input
- String- Returns:
- URI object representing a parsed URI, or
null
if the URI was non-compliant in some way.
-
-