PageRenderTime 45ms CodeModel.GetById 15ms RepoModel.GetById 1ms app.codeStats 0ms

/src/main/java/org/owasp/esapi/reference/DefaultEncoder.java

http://owasp-esapi-java.googlecode.com/
Java | 448 lines | 306 code | 43 blank | 99 comment | 78 complexity | 2c33c67acbc8ff23c6f1851d59763033 MD5 | raw file
Possible License(s): BSD-3-Clause, CC-BY-SA-3.0 
    

  1. /**

    2. 

  2.  * OWASP Enterprise Security API (ESAPI)

    3. 

  3.  * 

    4. 

  4.  * This file is part of the Open Web Application Security Project (OWASP)

    5. 

  5.  * Enterprise Security API (ESAPI) project. For details, please see

    6. 

  6.  * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.

    7. 

  7.  *

    8. 

  8.  * Copyright (c) 2007 - The OWASP Foundation

    9. 

  9.  * 

    10. 

  10.  * The ESAPI is published by OWASP under the BSD license. You should read and accept the

    11. 

  11.  * LICENSE before you use, modify, and/or redistribute this software.

    12. 

  12.  * 

    13. 

  13.  * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>

    14. 

  14.  * @created 2007

    15. 

  15.  */

    16. 

  16. package org.owasp.esapi.reference;

    17. 

  17. 

    18. 

  18. import java.io.IOException;

    19. 

  19. import java.io.UnsupportedEncodingException;

    20. 

  20. import java.net.URLDecoder;

    21. 

  21. import java.net.URLEncoder;

    22. 

  22. import java.util.ArrayList;

    23. 

  23. import java.util.Iterator;

    24. 

  24. import java.util.List;

    25. 

  25. 

    26. 

  26. import org.owasp.esapi.ESAPI;

    27. 

  27. import org.owasp.esapi.Encoder;

    28. 

  28. import org.owasp.esapi.Logger;

    29. 

  29. import org.owasp.esapi.codecs.Base64;

    30. 

  30. import org.owasp.esapi.codecs.CSSCodec;

    31. 

  31. import org.owasp.esapi.codecs.Codec;

    32. 

  32. import org.owasp.esapi.codecs.HTMLEntityCodec;

    33. 

  33. import org.owasp.esapi.codecs.JavaScriptCodec;

    34. 

  34. import org.owasp.esapi.codecs.PercentCodec;

    35. 

  35. import org.owasp.esapi.codecs.VBScriptCodec;

    36. 

  36. import org.owasp.esapi.codecs.XMLEntityCodec;

    37. 

  37. import org.owasp.esapi.errors.EncodingException;

    38. 

  38. import org.owasp.esapi.errors.IntrusionException;

    39. 

  39. 

    40. 

  40. 

    41. 

  41. /**

    42. 

  42.  * Reference implementation of the Encoder interface. This implementation takes

    43. 

  43.  * a whitelist approach to encoding, meaning that everything not specifically identified in a

    44. 

  44.  * list of "immune" characters is encoded.

    45. 

  45.  * 

    46. 

  46.  * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a

    47. 

  47.  *         href="http://www.aspectsecurity.com">Aspect Security</a>

    48. 

  48.  * @since June 1, 2007

    49. 

  49.  * @see org.owasp.esapi.Encoder

    50. 

  50.  */

    51. 

  51. public class DefaultEncoder implements Encoder {

    52. 

  52. 

    53. 

  53.     private static volatile Encoder singletonInstance;

    54. 

  54. 

    55. 

  55.     public static Encoder getInstance() {

    56. 

  56.         if ( singletonInstance == null ) {

    57. 

  57.             synchronized ( DefaultEncoder.class ) {

    58. 

  58.                 if ( singletonInstance == null ) {

    59. 

  59.                     singletonInstance = new DefaultEncoder();

    60. 

  60.                 }

    61. 

  61.             }

    62. 

  62.         }

    63. 

  63.         return singletonInstance;

    64. 

  64.     }

    65. 

  65. 

    66. 

  66. 	// Codecs

    67. 

  67. 	private List codecs = new ArrayList();

    68. 

  68. 	private HTMLEntityCodec htmlCodec = new HTMLEntityCodec();

    69. 

  69. 	private XMLEntityCodec xmlCodec = new XMLEntityCodec();

    70. 

  70. 	private PercentCodec percentCodec = new PercentCodec();

    71. 

  71. 	private JavaScriptCodec javaScriptCodec = new JavaScriptCodec();

    72. 

  72. 	private VBScriptCodec vbScriptCodec = new VBScriptCodec();

    73. 

  73. 	private CSSCodec cssCodec = new CSSCodec();

    74. 

  74. 

    75. 

  75. 	private final Logger logger = ESAPI.getLogger("Encoder");

    76. 

  76. 	

    77. 

  77. 	/**

    78. 

  78. 	 *  Character sets that define characters (in addition to alphanumerics) that are

    79. 

  79. 	 * immune from encoding in various formats

    80. 

  80. 	 */

    81. 

  81. 	private final static char[]     IMMUNE_HTML = { ',', '.', '-', '_', ' ' };

    82. 

  82. 	private final static char[] IMMUNE_HTMLATTR = { ',', '.', '-', '_' };

    83. 

  83. 	private final static char[] IMMUNE_CSS = {};

    84. 

  84. 	private final static char[] IMMUNE_JAVASCRIPT = { ',', '.', '_' };

    85. 

  85. 	private final static char[] IMMUNE_VBSCRIPT = { ',', '.', '_' };

    86. 

  86. 	private final static char[] IMMUNE_XML = { ',', '.', '-', '_', ' ' };

    87. 

  87. 	private final static char[] IMMUNE_SQL = { ' ' };

    88. 

  88. 	private final static char[] IMMUNE_OS = { '-' };

    89. 

  89. 	private final static char[] IMMUNE_XMLATTR = { ',', '.', '-', '_' };

    90. 

  90. 	private final static char[] IMMUNE_XPATH = { ',', '.', '-', '_', ' ' };

    91. 

  91. 	

    92. 

  92. 	

    93. 

  93. 	/**

    94. 

  94. 	 * Instantiates a new DefaultEncoder

    95. 

  95. 	 */

    96. 

  96. 	private DefaultEncoder() {

    97. 

  97. 		codecs.add( htmlCodec );

    98. 

  98. 		codecs.add( percentCodec );

    99. 

  99. 		codecs.add( javaScriptCodec );

    100. 

  100. 	}

    101. 

  101. 	

    102. 

  102. 	public DefaultEncoder( List<String> codecNames ) {

    103. 

  103. 		for ( String clazz : codecNames ) {

    104. 

  104. 			try {

    105. 

  105. 				if ( clazz.indexOf( '.' ) == -1 ) clazz = "org.owasp.esapi.codecs." + clazz;

    106. 

  106. 				codecs.add( Class.forName( clazz ).newInstance() );

    107. 

  107. 			} catch ( Exception e ) {

    108. 

  108. 				logger.warning( Logger.EVENT_FAILURE, "Codec " + clazz + " listed in ESAPI.properties not on classpath" );

    109. 

  109. 			}

    110. 

  110. 		}

    111. 

  111. 	}

    112. 

  112. 	

    113. 

  113. 	/**

    114. 

  114. 	 * {@inheritDoc}

    115. 

  115. 	 */

    116. 

  116. 	public String canonicalize( String input ) {

    117. 

  117. 		if ( input == null ) {

    118. 

  118. 			return null;

    119. 

  119. 		}

    120. 

  120. 

    121. 

  121.         // Issue 231 - These are reverse boolean logic in the Encoder interface, so we need to invert these values - CS

    122. 

  122. 		return canonicalize(input, 

    123. 

  123. 							!ESAPI.securityConfiguration().getAllowMultipleEncoding(),

    124. 

  124. 							!ESAPI.securityConfiguration().getAllowMixedEncoding() );

    125. 

  125. 	}

    126. 

  126. 

    127. 

  127. 	

    128. 

  128. 	/**

    129. 

  129. 	 * {@inheritDoc}

    130. 

  130. 	 */

    131. 

  131. 	public String canonicalize( String input, boolean strict) {

    132. 

  132. 		return canonicalize(input, strict, strict);

    133. 

  133. 	}

    134. 

  134. 

    135. 

  135. 

    136. 

  136. 	/**

    137. 

  137. 	 * {@inheritDoc}

    138. 

  138. 	 */

    139. 

  139. 	public String canonicalize( String input, boolean restrictMultiple, boolean restrictMixed ) {

    140. 

  140. 		if ( input == null ) {

    141. 

  141. 			return null;

    142. 

  142. 		}

    143. 

  143. 		

    144. 

  144.         String working = input;

    145. 

  145.         Codec codecFound = null;

    146. 

  146.         int mixedCount = 1;

    147. 

  147.         int foundCount = 0;

    148. 

  148.         boolean clean = false;

    149. 

  149.         while( !clean ) {

    150. 

  150.             clean = true;

    151. 

  151.             

    152. 

  152.             // try each codec and keep track of which ones work

    153. 

  153.             Iterator i = codecs.iterator();

    154. 

  154.             while ( i.hasNext() ) {

    155. 

  155.                 Codec codec = (Codec)i.next();

    156. 

  156.                 String old = working;

    157. 

  157.                 working = codec.decode( working );

    158. 

  158.                 if ( !old.equals( working ) ) {

    159. 

  159.                     if ( codecFound != null && codecFound != codec ) {

    160. 

  160.                         mixedCount++;

    161. 

  161.                     }

    162. 

  162.                     codecFound = codec;

    163. 

  163.                     if ( clean ) {

    164. 

  164.                         foundCount++;

    165. 

  165.                     }

    166. 

  166.                     clean = false;

    167. 

  167.                 }

    168. 

  168.             }

    169. 

  169.         }

    170. 

  170.         

    171. 

  171.         // do strict tests and handle if any mixed, multiple, nested encoding were found

    172. 

  172.         if ( foundCount >= 2 && mixedCount > 1 ) {

    173. 

  173.             if ( restrictMultiple || restrictMixed ) {

    174. 

  174.                 throw new IntrusionException( "Input validation failure", "Multiple ("+ foundCount +"x) and mixed encoding ("+ mixedCount +"x) detected in " + input );

    175. 

  175.             } else {

    176. 

  176.                 logger.warning( Logger.SECURITY_FAILURE, "Multiple ("+ foundCount +"x) and mixed encoding ("+ mixedCount +"x) detected in " + input );

    177. 

  177.             }

    178. 

  178.         }

    179. 

  179.         else if ( foundCount >= 2 ) {

    180. 

  180.             if ( restrictMultiple ) {

    181. 

  181.                 throw new IntrusionException( "Input validation failure", "Multiple ("+ foundCount +"x) encoding detected in " + input );

    182. 

  182.             } else {

    183. 

  183.                 logger.warning( Logger.SECURITY_FAILURE, "Multiple ("+ foundCount +"x) encoding detected in " + input );

    184. 

  184.             }

    185. 

  185.         }

    186. 

  186.         else if ( mixedCount > 1 ) {

    187. 

  187.             if ( restrictMixed ) {

    188. 

  188.                 throw new IntrusionException( "Input validation failure", "Mixed encoding ("+ mixedCount +"x) detected in " + input );

    189. 

  189.             } else {

    190. 

  190.                 logger.warning( Logger.SECURITY_FAILURE, "Mixed encoding ("+ mixedCount +"x) detected in " + input );

    191. 

  191.             }

    192. 

  192.         }

    193. 

  193.         return working;

    194. 

  194. 	}

    195. 

  195. 

    196. 

  196. 	/**

    197. 

  197. 	 * {@inheritDoc}

    198. 

  198. 	 */

    199. 

  199. 	public String encodeForHTML(String input) {

    200. 

  200. 	    if( input == null ) {

    201. 

  201. 	    	return null;

    202. 

  202. 	    }

    203. 

  203. 	    return htmlCodec.encode( IMMUNE_HTML, input);	    

    204. 

  204. 	 }

    205. 

  205. 	

    206. 

  206. 	/**

    207. 

  207. 	 * {@inheritDoc}

    208. 

  208. 	 */

    209. 

  209. 	public String decodeForHTML(String input) {

    210. 

  210. 		

    211. 

  211. 		if( input == null ) {

    212. 

  212. 	    	return null;

    213. 

  213. 	    }

    214. 

  214. 	    return htmlCodec.decode( input);	 

    215. 

  215.     }

    216. 

  216. 	 

    217. 

  217. 	/**

    218. 

  218. 	 * {@inheritDoc}

    219. 

  219. 	 */

    220. 

  220. 	public String encodeForHTMLAttribute(String input) {

    221. 

  221. 	    if( input == null ) {

    222. 

  222. 	    	return null;

    223. 

  223. 	    }

    224. 

  224. 	    return htmlCodec.encode( IMMUNE_HTMLATTR, input);

    225. 

  225. 	}

    226. 

  226. 

    227. 

  227. 	

    228. 

  228. 	/**

    229. 

  229. 	 * {@inheritDoc}

    230. 

  230. 	 */

    231. 

  231. 	public String encodeForCSS(String input) {

    232. 

  232. 	    if( input == null ) {

    233. 

  233. 	    	return null;

    234. 

  234. 	    }

    235. 

  235. 	    return cssCodec.encode( IMMUNE_CSS, input);

    236. 

  236. 	}

    237. 

  237. 

    238. 

  238. 	

    239. 

  239. 	/**

    240. 

  240. 	 * {@inheritDoc}

    241. 

  241. 	 */

    242. 

  242. 	public String encodeForJavaScript(String input) {

    243. 

  243. 	    if( input == null ) {

    244. 

  244. 	    	return null;

    245. 

  245. 	    }

    246. 

  246. 	    return javaScriptCodec.encode(IMMUNE_JAVASCRIPT, input);

    247. 

  247. 	}

    248. 

  248. 

    249. 

  249. 	/**

    250. 

  250. 	 * {@inheritDoc}

    251. 

  251. 	 */

    252. 

  252. 	public String encodeForVBScript(String input) {

    253. 

  253. 	    if( input == null ) {

    254. 

  254. 	    	return null;

    255. 

  255. 	    }

    256. 

  256. 	    return vbScriptCodec.encode(IMMUNE_VBSCRIPT, input);	    

    257. 

  257. 	}

    258. 

  258. 

    259. 

  259. 	

    260. 

  260. 	/**

    261. 

  261. 	 * {@inheritDoc}

    262. 

  262. 	 */

    263. 

  263. 	public String encodeForSQL(Codec codec, String input) {

    264. 

  264. 	    if( input == null ) {

    265. 

  265. 	    	return null;

    266. 

  266. 	    }

    267. 

  267. 	    return codec.encode(IMMUNE_SQL, input);

    268. 

  268. 	}

    269. 

  269. 

    270. 

  270. 	/**

    271. 

  271. 	 * {@inheritDoc}

    272. 

  272. 	 */

    273. 

  273. 	public String encodeForOS(Codec codec, String input) {

    274. 

  274. 	    if( input == null ) {

    275. 

  275. 	    	return null;	

    276. 

  276. 	    }

    277. 

  277. 	    return codec.encode( IMMUNE_OS, input);

    278. 

  278. 	}

    279. 

  279. 

    280. 

  280. 	/**

    281. 

  281. 	 * {@inheritDoc}

    282. 

  282. 	 */

    283. 

  283. 	public String encodeForLDAP(String input) {

    284. 

  284. 	    if( input == null ) {

    285. 

  285. 	    	return null;	

    286. 

  286. 	    }

    287. 

  287. 		// TODO: replace with LDAP codec

    288. 

  288. 	    StringBuilder sb = new StringBuilder();

    289. 

  289. 		for (int i = 0; i < input.length(); i++) {

    290. 

  290. 			char c = input.charAt(i);

    291. 

  291. 			switch (c) {

    292. 

  292. 			case '\\':

    293. 

  293. 				sb.append("\\5c");

    294. 

  294. 				break;

    295. 

  295. 			case '*':

    296. 

  296. 				sb.append("\\2a");

    297. 

  297. 				break;

    298. 

  298. 			case '(':

    299. 

  299. 				sb.append("\\28");

    300. 

  300. 				break;

    301. 

  301. 			case ')':

    302. 

  302. 				sb.append("\\29");

    303. 

  303. 				break;

    304. 

  304. 			case '\0':

    305. 

  305. 				sb.append("\\00");

    306. 

  306. 				break;

    307. 

  307. 			default:

    308. 

  308. 				sb.append(c);

    309. 

  309. 			}

    310. 

  310. 		}

    311. 

  311. 		return sb.toString();

    312. 

  312. 	}

    313. 

  313. 

    314. 

  314. 	/**

    315. 

  315. 	 * {@inheritDoc}

    316. 

  316. 	 */

    317. 

  317. 	public String encodeForDN(String input) {

    318. 

  318. 	    if( input == null ) {

    319. 

  319. 	    	return null;	

    320. 

  320. 	    }

    321. 

  321. 		// TODO: replace with DN codec

    322. 

  322. 	    StringBuilder sb = new StringBuilder();

    323. 

  323. 		if ((input.length() > 0) && ((input.charAt(0) == ' ') || (input.charAt(0) == '#'))) {

    324. 

  324. 			sb.append('\\'); // add the leading backslash if needed

    325. 

  325. 		}

    326. 

  326. 		for (int i = 0; i < input.length(); i++) {

    327. 

  327. 			char c = input.charAt(i);

    328. 

  328. 			switch (c) {

    329. 

  329. 			case '\\':

    330. 

  330. 				sb.append("\\\\");

    331. 

  331. 				break;

    332. 

  332. 			case ',':

    333. 

  333. 				sb.append("\\,");

    334. 

  334. 				break;

    335. 

  335. 			case '+':

    336. 

  336. 				sb.append("\\+");

    337. 

  337. 				break;

    338. 

  338. 			case '"':

    339. 

  339. 				sb.append("\\\"");

    340. 

  340. 				break;

    341. 

  341. 			case '<':

    342. 

  342. 				sb.append("\\<");

    343. 

  343. 				break;

    344. 

  344. 			case '>':

    345. 

  345. 				sb.append("\\>");

    346. 

  346. 				break;

    347. 

  347. 			case ';':

    348. 

  348. 				sb.append("\\;");

    349. 

  349. 				break;

    350. 

  350. 			default:

    351. 

  351. 				sb.append(c);

    352. 

  352. 			}

    353. 

  353. 		}

    354. 

  354. 		// add the trailing backslash if needed

    355. 

  355. 		if ((input.length() > 1) && (input.charAt(input.length() - 1) == ' ')) {

    356. 

  356. 			sb.insert(sb.length() - 1, '\\');

    357. 

  357. 		}

    358. 

  358. 		return sb.toString();

    359. 

  359. 	}

    360. 

  360. 

    361. 

  361. 

    362. 

  362. 	/**

    363. 

  363. 	 * {@inheritDoc}

    364. 

  364. 	 */

    365. 

  365. 	public String encodeForXPath(String input) {

    366. 

  366. 	    if( input == null ) {

    367. 

  367. 	    	return null;	

    368. 

  368. 	    }

    369. 

  369. 	    return htmlCodec.encode( IMMUNE_XPATH, input);

    370. 

  370. 	}

    371. 

  371. 

    372. 

  372. 	/**

    373. 

  373. 	 * {@inheritDoc}

    374. 

  374. 	 */

    375. 

  375. 	public String encodeForXML(String input) {

    376. 

  376. 	    if( input == null ) {

    377. 

  377. 	    	return null;	

    378. 

  378. 	    }

    379. 

  379. 	    return xmlCodec.encode( IMMUNE_XML, input);

    380. 

  380. 	}

    381. 

  381. 

    382. 

  382. 	/**

    383. 

  383. 	 * {@inheritDoc}

    384. 

  384. 	 */

    385. 

  385. 	public String encodeForXMLAttribute(String input) {

    386. 

  386. 	    if( input == null ) {

    387. 

  387. 	    	return null;	

    388. 

  388. 	    }

    389. 

  389. 	    return xmlCodec.encode( IMMUNE_XMLATTR, input);

    390. 

  390. 	}

    391. 

  391. 

    392. 

  392. 	/**

    393. 

  393. 	 * {@inheritDoc}

    394. 

  394. 	 */

    395. 

  395. 	public String encodeForURL(String input) throws EncodingException {

    396. 

  396. 		if ( input == null ) {

    397. 

  397. 			return null;

    398. 

  398. 		}

    399. 

  399. 		try {

    400. 

  400. 			return URLEncoder.encode(input, ESAPI.securityConfiguration().getCharacterEncoding());

    401. 

  401. 		} catch (UnsupportedEncodingException ex) {

    402. 

  402. 			throw new EncodingException("Encoding failure", "Character encoding not supported", ex);

    403. 

  403. 		} catch (Exception e) {

    404. 

  404. 			throw new EncodingException("Encoding failure", "Problem URL encoding input", e);

    405. 

  405. 		}

    406. 

  406. 	}

    407. 

  407. 

    408. 

  408. 	/**

    409. 

  409. 	 * {@inheritDoc}

    410. 

  410. 	 */

    411. 

  411. 	public String decodeFromURL(String input) throws EncodingException {

    412. 

  412. 		if ( input == null ) {

    413. 

  413. 			return null;

    414. 

  414. 		}

    415. 

  415. 		String canonical = canonicalize(input);

    416. 

  416. 		try {

    417. 

  417. 			return URLDecoder.decode(canonical, ESAPI.securityConfiguration().getCharacterEncoding());

    418. 

  418. 		} catch (UnsupportedEncodingException ex) {

    419. 

  419. 			throw new EncodingException("Decoding failed", "Character encoding not supported", ex);

    420. 

  420. 		} catch (Exception e) {

    421. 

  421. 			throw new EncodingException("Decoding failed", "Problem URL decoding input", e);

    422. 

  422. 		}

    423. 

  423. 	}

    424. 

  424. 

    425. 

  425. 	/**

    426. 

  426. 	 * {@inheritDoc}

    427. 

  427. 	 */

    428. 

  428. 	public String encodeForBase64(byte[] input, boolean wrap) {

    429. 

  429. 		if ( input == null ) {

    430. 

  430. 			return null;

    431. 

  431. 		}

    432. 

  432. 		int options = 0;

    433. 

  433. 		if ( !wrap ) {

    434. 

  434. 			options |= Base64.DONT_BREAK_LINES;

    435. 

  435. 		}

    436. 

  436. 		return Base64.encodeBytes(input, options);

    437. 

  437. 	}

    438. 

  438. 

    439. 

  439. 	/**

    440. 

  440. 	 * {@inheritDoc}

    441. 

  441. 	 */

    442. 

  442. 	public byte[] decodeFromBase64(String input) throws IOException {

    443. 

  443. 		if ( input == null ) {

    444. 

  444. 			return null;

    445. 

  445. 		}

    446. 

  446. 		return Base64.decode( input );

    447. 

  447. 	}

    448. 

  448. }

    449. 

  449.