added canonicalize validation option

manico.james · manico.james · commit b1eb84df1e7c · 2010-09-03T23:15:54.000Z
diff --git a/src/main/java/org/owasp/esapi/Validator.java b/src/main/java/org/owasp/esapi/Validator.java
@@ -57,6 +57,11 @@ public interface Validator {
 	 * Calls isValidInput and returns true if no exceptions are thrown. 
 	 */
 	boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull) throws IntrusionException;
+	
+	/**
+	 * Calls isValidInput and returns true if no exceptions are thrown. 
+	 */
+	boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize) throws IntrusionException;
 
 	/**
 	 * Returns canonicalized and validated input as a String. Invalid input will generate a descriptive ValidationException, 
@@ -80,11 +85,40 @@ public interface Validator {
 	 */
 	String getValidInput(String context, String input, String type, int maxLength, boolean allowNull) throws ValidationException, IntrusionException;
 	
+	/**
+	 * Returns validated input as a String with optional canonicalization. Invalid input will generate a descriptive ValidationException, 
+	 * and input that is clearly an attack will generate a descriptive IntrusionException. 
+	 * 
+	 * @param context 
+	 * 		A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.
+	 * @param input 
+	 * 		The actual user input data to validate.
+	 * @param type 
+	 * 		The regular expression name that maps to the actual regular expression from "ESAPI.properties".
+	 * @param maxLength 
+	 * 		The maximum post-canonicalized String length allowed.
+	 * @param allowNull 
+	 * 		If allowNull is true then an input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.
+	 * @param canonicalize 
+	 *      If canonicalize is true then input will be canonicalized before validation
+	 * 
+	 * @return The canonicalized user input.
+	 * 
+	 * @throws ValidationException
+	 * @throws IntrusionException
+	 */
+	String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize) throws ValidationException, IntrusionException;
+	
 	/**
 	 * Calls getValidInput with the supplied errorList to capture ValidationExceptions
 	 */
 	String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException;
 	
+	/**
+	 * Calls getValidInput with the supplied errorList to capture ValidationExceptions
+	 */
+	String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize, ValidationErrorList errorList) throws IntrusionException;
+	
 	/**
 	 * Calls isValidDate and returns true if no exceptions are thrown. 
 	 */
diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java
@@ -146,10 +146,20 @@ public boolean isValidInput(String context, String input, String type, int maxLe
 			return false;
 		}
 	}
+	
+	public boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize) throws IntrusionException  {
+		try {
+			getValidInput( context, input, type, maxLength, allowNull, canonicalize);
+			return true;
+		} catch( Exception e ) {
+			return false;
+		}
+	}
 
 	/**
 	 * Validates data received from the browser and returns a safe version. Only
-	 * URL encoding is supported. Double encoding is treated as an attack.
+	 * URL encoding is supported. Double encoding is treated as an attack. Input
+	 * is canonicalized by default before validation.
 	 * 
 	 * @param context A descriptive name for the field to validate. This is used for error facing validation messages and element identification.
 	 * @param input The actual user input data to validate.
@@ -161,6 +171,24 @@ public boolean isValidInput(String context, String input, String type, int maxLe
 	 * @throws IntrusionException
 	 */
 	public String getValidInput(String context, String input, String type, int maxLength, boolean allowNull) throws ValidationException {
+		return getValidInput(context, input, type, maxLength, allowNull, true);
+	}
+	
+	/**
+	 * Validates data received from the browser and returns a safe version. Only
+	 * URL encoding is supported. Double encoding is treated as an attack.
+	 * 
+	 * @param context A descriptive name for the field to validate. This is used for error facing validation messages and element identification.
+	 * @param input The actual user input data to validate.
+	 * @param type The regular expression name which maps to the actual regular expression from "ESAPI.properties".
+	 * @param maxLength The maximum String length allowed. If input is canonicalized per the canonicalize argument, then maxLength must be verified after canonicalization
+     * @param allowNull If allowNull is true then a input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.
+	 * @param canonicalize If canonicalize is true then input will be canonicalized before validation
+	 * @return The user input, may be canonicalized if canonicalize argument is true
+	 * @throws ValidationException
+	 * @throws IntrusionException
+	 */
+	public String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize) throws ValidationException {
 		StringValidationRule rvr = new StringValidationRule( type, encoder );
 		Pattern p = ESAPI.securityConfiguration().getValidationPattern( type );
 		if ( p != null ) {
@@ -170,25 +198,45 @@ public String getValidInput(String context, String input, String type, int maxLe
 		}
 		rvr.setMaximumLength(maxLength);
 		rvr.setAllowNull(allowNull);
+		rvr.setValidateInputAndCanonical(canonicalize);
 		return rvr.getValid(context, input);
 	}
 	
 	/**
 	 * Validates data received from the browser and returns a safe version. Only
-	 * URL encoding is supported. Double encoding is treated as an attack.
+	 * URL encoding is supported. Double encoding is treated as an attack. Input
+	 * is canonicalized by default before validation.
 	 * 
 	 * @param context A descriptive name for the field to validate. This is used for error facing validation messages and element identification.
 	 * @param input The actual user input data to validate.
 	 * @param type The regular expression name while maps to the actual regular expression from "ESAPI.properties".
-	 * @param maxLength The maximum post-canonicalized String length allowed.
+	 * @param maxLength The maximum String length allowed. If input is canonicalized per the canonicalize argument, then maxLength must be verified after canonicalization
 	 * @param allowNull If allowNull is true then a input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.
 	 * @param errors If ValidationException is thrown, then add to error list instead of throwing out to caller
 	 * @return The canonicalized user input.
 	 * @throws IntrusionException
 	 */
 	public String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException {
+		return getValidInput(context, input, type, maxLength, allowNull, true, errors);
+	}
+	
+	/**
+	 * Validates data received from the browser and returns a safe version. Only
+	 * URL encoding is supported. Double encoding is treated as an attack.
+	 * 
+	 * @param context A descriptive name for the field to validate. This is used for error facing validation messages and element identification.
+	 * @param input The actual user input data to validate.
+	 * @param type The regular expression name while maps to the actual regular expression from "ESAPI.properties".
+	 * @param maxLength The maximum post-canonicalized String length allowed
+	 * @param allowNull If allowNull is true then a input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.
+	 * @param canonicalize If canonicalize is true then input will be canonicalized before validation
+	 * @param errors If ValidationException is thrown, then add to error list instead of throwing out to caller
+	 * @return The user input, may be canonicalized if canonicalize argument is true
+	 * @throws IntrusionException
+	 */
+	public String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize, ValidationErrorList errors) throws IntrusionException {
 		try {
-			return getValidInput(context,  input,  type,  maxLength,  allowNull);
+			return getValidInput(context,  input,  type,  maxLength,  allowNull, canonicalize);
 		} catch (ValidationException e) {
 			errors.addError(context, e);
 		}
diff --git a/src/main/java/org/owasp/esapi/reference/validation/StringValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/StringValidationRule.java
@@ -23,7 +23,6 @@
 import org.owasp.esapi.Encoder;
 import org.owasp.esapi.EncoderConstants;
 import org.owasp.esapi.StringUtilities;
-import org.owasp.esapi.errors.EncodingException;
 import org.owasp.esapi.errors.ValidationException;
 import org.owasp.esapi.util.NullSafe;
 
@@ -266,16 +265,18 @@ private String checkEmpty(String context, String input) throws ValidationExcepti
 	 */
 	public String getValid( String context, String input ) throws ValidationException
 	{
-		String canonical = null;
+		String data = null;
 
 		// checks on input itself
 
 		// check for empty/null
 		if(checkEmpty(context, input) == null)
 			return null;
 
-		if(validateInputAndCanonical)
+		if (validateInputAndCanonical)
 		{
+			//first validate pre-canonicalized data
+			
 			// check length
 			checkLength(context, input);
 
@@ -284,26 +285,31 @@ public String getValid( String context, String input ) throws ValidationExceptio
 
 			// check blacklist patterns
 			checkBlacklist(context, input);
+			
+			// canonicalize
+			data = encoder.canonicalize( input );
+			
+		} else {
+			
+			//skip canonicalization
+			data = input;			
 		}
 
-		// canonicalize
-		canonical = encoder.canonicalize( input );
-
 		// check for empty/null
-		if(checkEmpty(context, canonical, input) == null)
+		if(checkEmpty(context, data, input) == null)
 			return null;
 
 		// check length
-		checkLength(context, canonical, input);
+		checkLength(context, data, input);
 
 		// check whitelist patterns
-		checkWhitelist(context, canonical, input);
+		checkWhitelist(context, data, input);
 
 		// check blacklist patterns
-		checkBlacklist(context, canonical, input);
+		checkBlacklist(context, data, input);
 
 		// validation passed
-		return canonical;
+		return data;
 	}
 
 	/**
