/src/ESAPI.php

http://owasp-esapi-php.googlecode.com/
<?php
/**
 * OWASP Enterprise Security API (ESAPI)
 *
 * This file is part of the Open Web Application Security Project (OWASP)
 * Enterprise Security API (ESAPI) project.
 *
 * PHP version 5.2
 *
 * LICENSE: This source file is subject to the New BSD license. You should read
 * and accept the LICENSE before you use, modify, and/or redistribute this
 * software.
 *
 * @category  OWASP
 * @package   ESAPI
 * @author    Andrew van der Stock <vanderaj@owasp.org>
 * @author    Bipin Upadhyay <bipin.code@gmail.com>
 * @author    Mike Boberski <boberski_michael@bah.com>
 * @copyright 2009-2010 The OWASP Foundation
 * @license   http://www.opensource.org/licenses/bsd-license.php New BSD license
 * @version   SVN: $Id$
 * @link      http://www.owasp.org/index.php/ESAPI
 */
/**
 * Use this class to get and set ESAPI security controls.
 *
 * This class is also known as the "ESAPI locator class". Before you
 * can use an ESAPI security control, you must first use this class to
 * get an instance of the security control. You can use the set functions
 * to override the default security control implementations.
 *
 * @category  OWASP
 * @package   ESAPI
 * @author    Andrew van der Stock <vanderaj@owasp.org>
 * @author    Bipin Upadhyay <bipin.code@gmail.com>
 * @author    Mike Boberski <boberski_michael@bah.com>
 * @copyright 2009-2010 The OWASP Foundation
 * @license   http://www.opensource.org/licenses/bsd-license.php New BSD license
 * @version   Release: @package_version@
 * @link      http://www.owasp.org/index.php/ESAPI
 */
  42. class ESAPI
  43. {
  44. private static $_accessController = null;
  45. private static $_encoder = null;
  46. private static $_encryptor = null;
  47. private static $_executor = null;
  48. private static $_httpUtilities = null;
  49. private static $_intrusionDetector = null;
  50. private static $_defaultAuditor = null;
  51. private static $_auditorFactory= null;
  52. private static $_randomizer = null;
  53. private static $_securityConfiguration = null;
  54. private static $_validator = null;
  55. private static $_sanitizer = null;
  56. /**
  57. * This is the locator class' constructor, which prevents instantiation of this
  58. * class.
  59. *
  60. * @param string $path the path of the ESAPI.xml configuration file.
  61. */
  62. public function __construct($path = '')
  63. {
  64. self::getSecurityConfiguration($path);
  65. self::getAuditor("ESAPI Startup");
  66. self::getIntrusionDetector();
  67. }
  68. /**
  69. * Get the current HTTP Servlet Request being processed.
  70. *
  71. * @return the current HTTP Servlet Request.
  72. */
  73. public static function currentRequest()
  74. {
  75. return self::getHttpUtilities()->getCurrentRequest();
  76. }
  77. /**
  78. * Get the current HTTP Servlet Response being generated.
  79. *
  80. * @return the current HTTP Servlet Response.
  81. */
  82. public static function currentResponse()
  83. {
  84. return self::getHttpUtilities()->getCurrentResponse();
  85. }
  86. /**
  87. * Get the current ESAPI AccessController object being used to maintain the
  88. * access control rules for this application.
  89. *
  90. * @return the current ESAPI AccessController.
  91. */
  92. public static function getAccessController()
  93. {
  94. if ( is_null(self::$_accessController) ) {
  95. include_once dirname(__FILE__).
  96. '/reference/FileBasedAccessController.php';
  97. self::$_accessController = new FileBasedAccessController();
  98. }
  99. return self::$_accessController;
  100. }
  101. /**
  102. * Set the current ESAPI AccessController object being used to maintain the
  103. * access control rules for this application.
  104. *
  105. * @param AccessController $accessController the new ESAPI AccessController.
  106. *
  107. * @return does not return a value.
  108. */
  109. public static function setAccessController($accessController)
  110. {
  111. self::$_accessController = $accessController;
  112. }
  113. /**
  114. * Get the current ESAPI Encoder object being used to encode and decode data for
  115. * this application
  116. *
  117. * @return the current ESAPI Encoder.
  118. */
  119. public static function getEncoder()
  120. {
  121. if ( is_null(self::$_encoder) ) {
  122. include_once dirname(__FILE__).
  123. '/reference/DefaultEncoder.php';
  124. self::$_encoder = new DefaultEncoder();
  125. }
  126. return self::$_encoder;
  127. }
  128. /**
  129. * Set the current ESAPI Encoder object being used to encode and decode data
  130. * for this application.
  131. *
  132. * @param Encoder $encoder the new ESAPI AccessController.
  133. *
  134. * @return does not return a value.
  135. */
  136. public static function setEncoder($encoder)
  137. {
  138. self::$_encoder = $encoder;
  139. }
  140. /**
  141. * Get the current ESAPI Encryptor object being used to encrypt and decrypt data
  142. * for this application.
  143. *
  144. * @return the current ESAPI Encryptor.
  145. */
  146. public static function getEncryptor()
  147. {
  148. throw new EnterpriseSecurityException(
  149. 'Method Not implemented',
  150. 'Encryptor not implemented'
  151. );
  152. }
  153. /**
  154. * Set the current ESAPI Encryptor object being used to encrypt and decrypt
  155. * data for this application.
  156. *
  157. * @param Encryptor $encryptor the new ESAPI Encryptor.
  158. *
  159. * @return does not return a value.
  160. */
  161. public static function setEncryptor($encryptor)
  162. {
  163. throw new EnterpriseSecurityException(
  164. 'Method Not implemented',
  165. 'Encryptor not implemented'
  166. );
  167. }
  168. /**
  169. * Get the current ESAPI Executor object being used to safely execute OS
  170. * commands for this application.
  171. *
  172. * @return the current ESAPI Executor.
  173. */
  174. public static function getExecutor()
  175. {
  176. if ( is_null(self::$_executor) ) {
  177. include_once dirname(__FILE__).
  178. '/reference/DefaultExecutor.php';
  179. self::$_executor = new DefaultExecutor();
  180. }
  181. return self::$_executor;
  182. }
  183. /**
  184. * Set the current ESAPI Executor object being used to safely execute OS
  185. * commands for this application.
  186. *
  187. * @param Executor $executor the new ESAPI Executor.
  188. *
  189. * @return does not return a value.
  190. */
  191. public static function setExecutor($executor)
  192. {
  193. self::$_executor = $executor;
  194. }
  195. /**
  196. * Get the current ESAPI HTTPUtilities object being used to safely access HTTP
  197. * requests and responses for this application.
  198. *
  199. * @return the current ESAPI HTTPUtilities.
  200. */
  201. public static function getHttpUtilities()
  202. {
  203. if ( is_null(self::$_httpUtilities) ) {
  204. include_once dirname(__FILE__).
  205. '/reference/DefaultHTTPUtilities.php';
  206. self::$_httpUtilities = new DefaultHTTPUtilities();
  207. }
  208. return self::$_httpUtilities;
  209. }
  210. /**
  211. * Set the current ESAPI HttpUtilities object being used to safely access HTTP
  212. * requests and responses for this application.
  213. *
  214. * @param HttpUtilities $httpUtilities the new ESAPI HttpUtilities.
  215. *
  216. * @return does not return a value.
  217. */
  218. public static function setHttpUtilities($httpUtilities)
  219. {
  220. self::$_httpUtilities = $httpUtilities;
  221. }
  222. /**
  223. * Get the current ESAPI IntrusionDetector object being used to monitor for
  224. * intrusions in this application.
  225. *
  226. * @return the current ESAPI IntrusionDetector.
  227. */
  228. public static function getIntrusionDetector()
  229. {
  230. if ( is_null(self::$_intrusionDetector) ) {
  231. include_once dirname(__FILE__).
  232. '/reference/DefaultIntrusionDetector.php';
  233. self::$_intrusionDetector = new DefaultIntrusionDetector();
  234. }
  235. return self::$_intrusionDetector;
  236. }
  237. /**
  238. * Set the current ESAPI AccessController object being used to to monitor for
  239. * intrusions in this application.
  240. *
  241. * @param IntrusionDetector $intrusionDetector the new ESAPI IntrusionDetector.
  242. *
  243. * @return does not return a value.
  244. */
  245. public static function setIntrusionDetector($intrusionDetector)
  246. {
  247. self::$_intrusionDetector = $intrusionDetector;
  248. }
  249. /**
  250. * Set then get the current ESAPI Logger factory object being used to create
  251. * the ESAPI Logger for this application.
  252. *
  253. * @param string $logger the new ESAPI Auditor factory name.
  254. *
  255. * @return the current ESAPI Logger.
  256. */
  257. public static function getAuditor($logger)
  258. {
  259. if (self::$_auditorFactory == null) {
  260. include_once dirname(__FILE__).
  261. '/reference/DefaultAuditorFactory.php';
  262. self::setAuditorFactory(new DefaultAuditorFactory());
  263. }
  264. return self::$_auditorFactory->getLogger($logger);
  265. }
  266. /**
  267. * Get the current ESAPI Auditor object being used to to audit security-relevant
  268. * events for this application.
  269. *
  270. * @return the current ESAPI Logger.
  271. */
  272. public static function log()
  273. {
  274. if (self::$_defaultAuditor == null) {
  275. self::$_defaultAuditor = self::$_auditorFactory->getLogger("DefaultLogger");
  276. }
  277. return self::$_defaultAuditor;
  278. }
  279. /**
  280. * Set the current ESAPI Logger factory object being used to create
  281. * the ESAPI Logger for this application.
  282. *
  283. * @param string $factory the new ESAPI Logger factory.
  284. *
  285. * @return does not return a value.
  286. */
  287. public static function setAuditorFactory($factory)
  288. {
  289. self::$_auditorFactory = $factory;
  290. }
  291. /**
  292. * Get the current ESAPI Randomizer object being used to generate random numbers
  293. * for this application.
  294. *
  295. * @return the current ESAPI Randomizer.
  296. */
  297. public static function getRandomizer()
  298. {
  299. if ( is_null(self::$_randomizer) ) {
  300. include_once dirname(__FILE__).
  301. '/reference/DefaultRandomizer.php';
  302. self::$_randomizer = new DefaultRandomizer();
  303. }
  304. return self::$_randomizer;
  305. }
  306. /**
  307. * Set the current ESAPI Randomizer object being used to generate random numbers
  308. * for this application.
  309. *
  310. * @param Randomizer $randomizer the new ESAPI Randomizer.
  311. *
  312. * @return does not return a value.
  313. */
  314. public static function setRandomizer($randomizer)
  315. {
  316. self::$_randomizer = $randomizer;
  317. }
  318. /**
  319. * Get the current ESAPI SecurityConfiguration object being used to manage the
  320. * security configuration for this application.
  321. *
  322. * @param string $path the path of the ESAPI.xml configuration file.
  323. *
  324. * @return the current ESAPI SecurityConfiguration.
  325. */
  326. public static function getSecurityConfiguration($path = '')
  327. {
  328. if ( is_null(self::$_securityConfiguration) ) {
  329. include_once dirname(__FILE__).
  330. '/reference/DefaultSecurityConfiguration.php';
  331. self::$_securityConfiguration = new DefaultSecurityConfiguration($path);
  332. }
  333. return self::$_securityConfiguration;
  334. }
  335. /**
  336. * Set the current ESAPI SecurityConfiguration object being used to manage the
  337. * security configuration for this application.
  338. *
  339. * @param SecurityConfiguration $securityConfiguration the new ESAPI
  340. * SecurityConfiguration.
  341. *
  342. * @return does not return a value.
  343. */
  344. public static function setSecurityConfiguration($securityConfiguration)
  345. {
  346. self::$_securityConfiguration = $securityConfiguration;
  347. }
  348. /**
  349. * Get the current ESAPI Validator object being used to validate data for this
  350. * application.
  351. *
  352. * @return the current ESAPI Validator.
  353. */
  354. public static function getValidator()
  355. {
  356. if ( is_null(self::$_validator) ) {
  357. include_once dirname(__FILE__).
  358. '/reference/DefaultValidator.php';
  359. self::$_validator = new DefaultValidator();
  360. }
  361. return self::$_validator;
  362. }
  363. /**
  364. * Set the current ESAPI Validator object being used to validate data for
  365. * this application.
  366. *
  367. * @param Validator $validator the new ESAPI Validator.
  368. *
  369. * @return does not return a value.
  370. */
  371. public static function setValidator($validator)
  372. {
  373. self::$_validator = $validator;
  374. }
  375. /**
  376. * Get the current ESAPI Sanitizer object being used to sanitize data for
  377. * this application.
  378. *
  379. * @return the current ESAPI Sanitizer.
  380. */
  381. public static function getSanitizer()
  382. {
  383. if ( is_null(self::$_sanitizer) ) {
  384. include_once dirname(__FILE__).
  385. '/reference/DefaultSanitizer.php';
  386. self::$_sanitizer = new DefaultSanitizer();
  387. }
  388. return self::$_sanitizer;
  389. }
  390. /**
  391. * Set the current ESAPI Sanitizer object being used to sanitize data for
  392. * this application.
  393. *
  394. * @param Sanitizer $sanitizer the new ESAPI Sanitizer.
  395. *
  396. * @return does not return a value.
  397. */
  398. public static function setSanitizer($sanitizer)
  399. {
  400. self::$_sanitizer = $sanitizer;
  401. }
  402. }
  403. ?>