forked from ESAPI/esapi-java-legacy
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathEncoder.java
More file actions
434 lines (406 loc) · 18.1 KB
/
Copy pathEncoder.java
File metadata and controls
434 lines (406 loc) · 18.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
/**
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
*
* Copyright (c) 2007 - The OWASP Foundation
*
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
*
* @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
* @created 2007
*/
package org.owasp.esapi;
import java.io.IOException;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.errors.EncodingException;
/**
* The Encoder interface contains a number of methods for decoding input and encoding output
* so that it will be safe for a variety of interpreters. To prevent
* double-encoding, all encoding methods should first check to see that the
* input does not already contain encoded characters. There are a few methods
* related to decoding that are used for canonicalization purposes. See the
* Validator class for more information as the Validators rely heavily on these decoders for
* canonicalizing data before validating it.
* <P>
* <img src="doc-files/Encoder.jpg">
* <P>
* All of the methods must use a "whitelist" or "positive" security model.
* For the encoding methods, this means that all characters should be encoded, except for a specific list of
* "immune" characters that are known to be safe. For the decoding methods, all encoded characters should be
* decoded and if any doubly encoded characters (using the same encoding scheme or two different encoding schemes)
* should be rejected.
*
* @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
* href="http://www.aspectsecurity.com">Aspect Security</a>
* @since June 1, 2007
*/
public interface Encoder {
/** Standard character sets */
public final static char[] CHAR_LOWERS = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' };
public final static char[] CHAR_UPPERS = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' };
public final static char[] CHAR_DIGITS = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9' };
public final static char[] CHAR_SPECIALS = { '.', '-', '_', '!', '@', '$', '^', '*', '=', '~', '|', '+', '?' };
public final static char[] CHAR_LETTERS = StringUtilities.union(CHAR_LOWERS, CHAR_UPPERS);
public final static char[] CHAR_ALPHANUMERICS = StringUtilities.union(CHAR_LETTERS, CHAR_DIGITS);
/**
* Password character set, is alphanumerics (without l, i, I, o, O, and 0)
* selected specials like + (bad for URL encoding, | is like i and 1,
* etc...)
*/
public final static char[] CHAR_PASSWORD_LOWERS = { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'j', 'k', 'm', 'n', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z' };
public final static char[] CHAR_PASSWORD_UPPERS = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'J', 'K', 'L', 'M', 'N', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z' };
public final static char[] CHAR_PASSWORD_DIGITS = { '2', '3', '4', '5', '6', '7', '8', '9' };
public final static char[] CHAR_PASSWORD_SPECIALS = { '_', '.', '!', '@', '$', '*', '=', '-', '?' };
public final static char[] CHAR_PASSWORD_LETTERS = StringUtilities.union( CHAR_PASSWORD_LOWERS, CHAR_PASSWORD_UPPERS );
/**
* This method performs canonicalization on data received to ensure that it
* has been reduced to its most basic form before validation. For example,
* URL-encoded data received from ordinary "application/x-www-url-encoded"
* forms so that it may be validated properly.
* <p>
* Canonicalization is simply the operation of reducing a possibly encoded
* string down to its simplest form. This is important, because attackers
* frequently use encoding to change their input in a way that will bypass
* validation filters, but still be interpreted properly by the target of
* the attack. Note that data encoded more than once is not something that a
* normal user would generate and should be regarded as an attack.
* <P>
* For input that comes from an HTTP servlet request, there are generally
* two types of encoding to be concerned with. The first is
* "applicaton/x-www-url-encoded" which is what is typically used in most
* forms and URI's where characters are encoded in a %xy format. The other
* type of common character encoding is HTML entity encoding, which uses
* several formats:
* <P>
* <PRE><</PRE>,
* <PRE>u</PRE>, and
* <PRE>:</PRE>.
* <P>
* Note that all of these formats may possibly render properly in a
* browser without the trailing semicolon.
* <P>
* Double-encoding is a particularly thorny problem, as applying ordinary decoders
* may introduce encoded characters, even characters encoded with a different
* encoding scheme. For example %26lt; is a < character which has been entity encoded
* and then the first character has been url-encoded. Implementations should
* throw an IntrusionException when double-encoded characters are detected.
* <P>
* Note that there is also "multipart/form" encoding, which allows files and
* other binary data to be transmitted. Each part of a multipart form can
* itself be encoded according to a "Content-Transfer-Encoding" header. See
* the HTTPUtilties.getSafeFileUploads() method.
* <P>
* For more information on form encoding, please refer to the <a
* href="http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4">W3C
* specifications</a>.
* <p>
* This method is equivalent to calling <pre>Encoder.canonicalize(input, true);</pre>
*
* @see <a href="http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4">W3C specifications</a>
*
* @param input the text to canonicalize
* @return a String containing the canonicalized text
* @throws EncodingException if canonicalization fails
*/
String canonicalize(String input) throws EncodingException;
/**
* This method performs canonicalization on data received to ensure that it
* has been reduced to its most basic form before validation. For example,
* URL-encoded data received from ordinary "application/x-www-url-encoded"
* forms so that it may be validated properly.
* <p>
* Canonicalization is simply the operation of reducing a possibly encoded
* string down to its simplest form. This is important, because attackers
* frequently use encoding to change their input in a way that will bypass
* validation filters, but still be interpreted properly by the target of
* the attack. Note that data encoded more than once is not something that a
* normal user would generate and should be regarded as an attack.
* <P>
* For input that comes from an HTTP servlet request, there are generally
* two types of encoding to be concerned with. The first is
* "applicaton/x-www-url-encoded" which is what is typically used in most
* forms and URI's where characters are encoded in a %xy format. The other
* type of common character encoding is HTML entity encoding, which uses
* several formats:
* <P>
* <PRE><</PRE>,
* <PRE>u</PRE>, and
* <PRE>:</PRE>.
* <P>
* Note that all of these formats may possibly render properly in a
* browser without the trailing semicolon.
* <P>
* Double-encoding is a particularly thorny problem, as applying ordinary decoders
* may introduce encoded characters, even characters encoded with a different
* encoding scheme. For example %26lt; is a < character which has been entity encoded
* and then the first character has been url-encoded. Implementations should
* throw an IntrusionException when double-encoded characters are detected.
* <P>
* Note that there is also "multipart/form" encoding, which allows files and
* other binary data to be transmitted. Each part of a multipart form can
* itself be encoded according to a "Content-Transfer-Encoding" header. See
* the HTTPUtilties.getSafeFileUploads() method.
* <P>
* For more information on form encoding, please refer to the
* <a href="http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4">W3C specifications</a>.
*
* @see <a href="http://www.w3.org/TR/html4/interact/forms.html#h-17.13.4">W3C specifications</a>
*
* @param input
* the text to canonicalize
* @param strict
* true if checking for double encoding is desired, false otherwise
*
* @return a String containing the canonicalized text
*
* @throws EncodingException
* if canonicalization fails
*/
String canonicalize(String input, boolean strict) throws EncodingException;
/**
* Encode data for use in Cascading Style Sheets (CSS) content.
*
* @see <a href="http://www.w3.org/TR/CSS21/syndata.html#escaped-characters">CSS Syntax [w3.org]</a>
*
* @param input
* the text to encode for CSS
*
* @return input encoded for CSS
*/
String encodeForCSS(String input);
/**
* Encode data for use in HTML using HTML entity encoding
* <p>
* Note that the following characters:
* 00�08, 0B�0C, 0E�1F, and 7F�9F
* <p>cannot be used in HTML.
*
* @see <a href="http://en.wikipedia.org/wiki/Character_encodings_in_HTML">HTML Encodings [wikipedia.org]</a>
* @see <a href="http://www.w3.org/TR/html4/sgml/sgmldecl.html">SGML Specification [w3.org]</a>
* @see <a href="http://www.w3.org/TR/REC-xml/#charsets">XML Specification [w3.org]</a>
*
* @param input
* the text to encode for HTML
*
* @return input encoded for HTML
*/
String encodeForHTML(String input);
/**
* Encode data for use in HTML attributes.
*
* @param input
* the text to encode for an HTML attribute
*
* @return input encoded for use as an HTML attribute
*/
String encodeForHTMLAttribute(String input);
/**
* Encode data for insertion inside a data value in JavaScript. Putting user data directly
* inside a script is quite dangerous. Great care must be taken to prevent putting user data
* directly into script code itself, as no amount of encoding will prevent attacks there.
*
* @param input
* the text to encode for JavaScript
*
* @return input encoded for use in JavaScript
*/
String encodeForJavaScript(String input);
/**
* Encode data for insertion inside a data value in a Visual Basic script. Putting user data directly
* inside a script is quite dangerous. Great care must be taken to prevent putting user data
* directly into script code itself, as no amount of encoding will prevent attacks there.
*
* This method is not recommended as VBScript is only supported by Internet Explorer
*
* @param input
* the text to encode for VBScript
*
* @return input encoded for use in VBScript
*/
String encodeForVBScript(String input);
/**
* Encode input for use in a SQL query, according to the selected codec
* (appropriate codecs include the MySQLCodec and OracleCodec).
*
* This method is not recommended. The use of the PreparedStatement
* interface is the preferred approach. However, if for some reason
* this is impossible, then this method is provided as a weaker
* alternative.
*
* The best approach is to make sure any single-quotes are double-quoted.
* Another possible approach is to use the {escape} syntax described in the
* JDBC specification in section 1.5.6.
*
* However, this syntax does not work with all drivers, and requires
* modification of all queries.
*
* @see <a href="http://java.sun.com/j2se/1.4.2/docs/guide/jdbc/getstart/statement.html">JDBC Specification</a>
*
* @param codec
* a Codec that declares which database 'input' is being encoded for (ie. MySQL, Oracle, etc.)
* @param input
* the text to encode for SQL
*
* @return input encoded for use in SQL
*/
String encodeForSQL(Codec codec, String input);
/**
* Encode for an operating system command shell according to the selected codec (appropriate codecs include the WindowsCodec and UnixCodec).
*
* Please note the following recommendations before choosing to use this method:
*
* 1) It is strongly recommended that applications avoid making direct OS system calls if possible as such calls are not portable, and they are potentially unsafe. Please use language provided features if at all possible, rather than native OS calls to implement the desired feature.
* 2) If an OS call cannot be avoided, then it is recommended that the program to be invoked be invoked directly (e.g., System.exec("nameofcommand" + "parameterstocommand");) as this avoids the use of the command shell. The "parameterstocommand" should of course be validated before passing them to the OS command.
* 3) If you must use this method, then we recommend validating all user supplied input passed to the command shell as well, in addition to using this method in order to make the command shell invocation safe.
*
* An example use of this method would be: System.exec("dir " + ESAPI.encodeForOS(WindowsCodec, "parameter(s)tocommandwithuserinput");
*
* @param codec
* a Codec that declares which operating system 'input' is being encoded for (ie. Windows, Unix, etc.)
* @param input
* the text to encode for the command shell
*
* @return input encoded for use in command shell
*/
String encodeForOS(Codec codec, String input);
/**
* Encode data for use in LDAP queries.
*
* @param input
* the text to encode for LDAP
*
* @return input encoded for use in LDAP
*/
String encodeForLDAP(String input);
/**
* Encode data for use in an LDAP distinguished name.
*
* @param input
* the text to encode for an LDAP distinguished name
*
* @return input encoded for use in an LDAP distinguished name
*/
String encodeForDN(String input);
/**
* Encode data for use in an XPath query.
*
* NB: The reference implementation encodes almost everything and may over-encode.
*
* The difficulty with XPath encoding is that XPath has no built in mechanism for escaping
* characters. It is possible to use XQuery in a parameterized way to
* prevent injection.
*
* For more information, refer to <a
* href="http://www.ibm.com/developerworks/xml/library/x-xpathinjection.html">this
* article</a> which specifies the following list of characters as the most
* dangerous: ^&"*';<>(). <a
* href="http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf">This
* paper</a> suggests disallowing ' and " in queries.
*
* @see <a href="http://www.ibm.com/developerworks/xml/library/x-xpathinjection.html">XPath Injection [ibm.com]</a>
* @see <a href="http://www.packetstormsecurity.org/papers/bypass/Blind_XPath_Injection_20040518.pdf">Blind XPath Injection [packetstormsecurity.org]</a>
*
* @param input
* the text to encode for XPath
* @return
* input encoded for use in XPath
*/
String encodeForXPath(String input);
/**
* Encode data for use in an XML element. The implementation should follow the <a
* href="http://www.w3schools.com/xml/xml_encoding.asp">XML Encoding
* Standard</a> from the W3C.
* <p>
* The use of a real XML parser is strongly encouraged. However, in the
* hopefully rare case that you need to make sure that data is safe for
* inclusion in an XML document and cannot use a parse, this method provides
* a safe mechanism to do so.
*
* @see <a href="http://www.w3schools.com/xml/xml_encoding.asp">XML Encoding Standard</a>
*
* @param input
* the text to encode for XML
*
* @return
* input encoded for use in XML
*/
String encodeForXML(String input);
/**
* Encode data for use in an XML attribute. The implementation should follow
* the <a href="http://www.w3schools.com/xml/xml_encoding.asp">XML Encoding
* Standard</a> from the W3C.
* <p>
* The use of a real XML parser is highly encouraged. However, in the
* hopefully rare case that you need to make sure that data is safe for
* inclusion in an XML document and cannot use a parse, this method provides
* a safe mechanism to do so.
*
* @see <a href="http://www.w3schools.com/xml/xml_encoding.asp">XML Encoding Standard</a>
*
* @param input
* the text to encode for use as an XML attribute
*
* @return
* input encoded for use in an XML attribute
*/
String encodeForXMLAttribute(String input);
/**
* Encode for use in a URL. This method performs <a
* href="http://en.wikipedia.org/wiki/Percent-encoding">URL encoding</a>
* on the entire string.
*
* @see <a href="http://en.wikipedia.org/wiki/Percent-encoding">URL encoding</a>
*
* @param input
* the text to encode for use in a URL
*
* @return input
* encoded for use in a URL
*
* @throws EncodingException
* if encoding fails
*/
String encodeForURL(String input) throws EncodingException;
/**
* Decode from URL. Implementations should first canonicalize and
* detect any double-encoding. If this check passes, then the data is decoded using URL
* decoding.
*
* @param input
* the text to decode from an encoded URL
*
* @return
* the decoded URL value
*
* @throws EncodingException
* if decoding fails
*/
String decodeFromURL(String input) throws EncodingException;
/**
* Encode for Base64.
*
* @param input
* the text to encode for Base64
* @param wrap
* the encoder will wrap lines every 64 characters of output
*
* @return input encoded for Base64
*/
String encodeForBase64(byte[] input, boolean wrap);
/**
* Decode data encoded with BASE-64 encoding.
*
* @param input
* the Base64 text to decode
*
* @return input
* decoded from Base64
*
* @throws IOException
*/
byte[] decodeFromBase64(String input) throws IOException;
}