/**
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
*
* Copyright (c) 2007 - The OWASP Foundation
*
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created 2007
*/
package org.owasp.esapi;
import java.util.Iterator;
import java.util.Set;
import org.owasp.esapi.errors.AccessControlException;
/**
* The AccessReferenceMap interface is used to map from a set of internal
* direct object references to a set of indirect references that are safe to
* disclose publicly. This can be used to help protect database keys,
* filenames, and other types of direct object references. As a rule, developers
* should not expose their direct object references as it enables attackers to
* attempt to manipulate them.
* <P>
* <img src="doc-files/AccessReferenceMap.jpg" height="600">
* <P>
* <P>
* Indirect references are handled as strings, to facilitate their use in HTML.
* Implementations can generate simple integers or more complicated random
* character strings as indirect references. Implementations should probably add
* a constructor that takes a list of direct references.
* <P>
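* Note that in addition to defeating all forms of parameter tampering attacks,
* there is a side benefit of the AccessReferenceMap. Using random strings as indirect object
* references, as opposed to simple integers, makes it impossible for an attacker to
* guess valid identifiers. So if per-user AccessReferenceMaps are used, then request
* forgery (CSRF) attacks will also be prevented.
* These properties apply only to values that are actually resolved through the map,
* and the guessing resistance depends on the implementation drawing its random strings
* from a cryptographically strong source. The map complements, and does not replace,
* an authorization check on the resolved direct reference.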
*
* <pre>
* Set fileSet = new HashSet();
* fileSet.addAll(...); // add direct references (e.g. File objects)
* // AccessReferenceMap is an interface: instantiate a concrete implementation here
* AccessReferenceMap map = new AccessReferenceMap( fileSet );
* // store the map somewhere safe - like the session!
* String indRef = map.getIndirectReference( file1 );
* String href = "http://www.aspectsecurity.com/esapi?file=" + indRef;
* ...
* // if the indirect reference doesn't exist, it's likely an attack
* // getDirectReference throws an AccessControlException
* // you should handle as appropriate
* String indref = request.getParameter( "file" );
* File file = (File)map.getDirectReference( indref );
* </pre>
*
* <P>
*
* @author Jeff Williams (jeff.williams@aspectsecurity.com)
*/
public interface AccessReferenceMap {
/**
* Get an iterator through the direct object references. No guarantee is made as
* to the order of items returned.
* <P>
* The iterated values are the direct references themselves, not the indirect
* ones, so they should stay on the server side. The raw {@code Iterator} return
* type does not fix the element type; callers have to cast.
*
* @return an iterator over the direct references held by this map
*/
Iterator iterator();
/**
* Get a safe indirect reference to use in place of a potentially sensitive
* direct object reference. Developers should use this call when building
* URLs, form fields, hidden fields, etc. to help protect their private
* implementation information.
* <P>
* NOTE(review): the signature declares no exception, and this interface does
* not say what is returned for a direct reference that is not in the map.
* Confirm against the implementation in use before writing the result into a page.
*
* @param directReference
* the direct reference
*
* @return the indirect reference
*/
String getIndirectReference(Object directReference);
/**
* Get the original direct object reference from an indirect reference.
* Developers should use this when they get an indirect reference from a
* request to translate it back into the real direct reference. If an
* invalid indirectReference is requested, then an AccessControlException is
* thrown.
* <P>
* The argument normally arrives in a request and is therefore untrusted. A
* value that does not resolve was never issued by this map, so the exception
* should be handled as a possible tampering attempt and not silently ignored.
* The result is returned as {@code Object} and has to be cast by the caller.
*
* @param indirectReference
* the indirect reference, typically taken from a request parameter
*
* @return the direct reference
*
* @throws AccessControlException if no direct reference exists for the
* specified indirect reference
*/
Object getDirectReference(String indirectReference) throws AccessControlException;
/**
* Adds a direct reference to the AccessReferenceMap and generates an associated indirect reference.
* <P>
* NOTE(review): whether adding a direct reference that is already present
* returns the existing indirect reference or generates a new one is not
* stated by this interface. Confirm against the implementation.
*
* @param direct
* the direct reference
*
* @return the corresponding indirect reference
*/
String addDirectReference(Object direct);
/**
* Removes a direct reference and its associated indirect reference from the AccessReferenceMap.
* <P>
* After removal the previously issued indirect reference should no longer
* resolve through {@link #getDirectReference(String)}.
*
* @param direct
* the direct reference to remove
*
* @return the corresponding indirect reference
*
* @throws AccessControlException
* NOTE(review): the condition is not documented by this interface;
* confirm against the implementation (presumably a failed removal).
*/
String removeDirectReference(Object direct) throws AccessControlException;
/**
* Updates the access reference map with a new set of directReferences, maintaining
* any existing indirectReferences associated with items that are in the new list.
* <P>
* NOTE(review): presumably direct references missing from the new set are
* dropped together with their indirect references, and new items receive
* fresh indirect references. Neither is stated here; confirm against the
* implementation.
*
* @param directReferences
* the new set of direct references (raw {@code Set}; the element type
* is not fixed by the signature)
*/
void update(Set directReferences);
}