org.owasp.esapi
Class Validator

java.lang.Object
  org.owasp.esapi.Validator

All Implemented Interfaces:

IValidator

public class Validator

extends java.lang.Object

implements IValidator

Reference implementation of the IValidator interface. This implementation relies on the ESAPI Encoder, Java Pattern (regex), Date, and several other classes to provide basic validation functions. This library has a heavy emphasis on whitelist validation and canonicalization. All double-encoded characters, even in multiple encoding schemes, such as

<

or

%26lt;
 or even 
%25%26lt;
 are disallowed.




Since:
  
June 1, 2007
Author:
  
Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security, Jim Manico (jim.manico .at. aspectsecurity.com) Aspect Security
See Also:
IValidator












Constructor Summary
Validator()



           
 



Method Summary




 void
assertIsValidHTTPRequest()



          Validates the current HTTP request by comparing parameters, headers, and cookies to a predefined whitelist of allowed
 characters.



 void
assertIsValidHTTPRequest(javax.servlet.http.HttpServletRequest request)



          Validates the current HTTP request by comparing parameters, headers, and cookies to a predefined whitelist of allowed
 characters.



 void
assertIsValidHTTPRequestParameterSet(java.lang.String context,
                                     java.util.Set required,
                                     java.util.Set optional)



          Validates that the parameters in the current request contain all required parameters and only optional ones in
 addition.



 void
assertValidFileUpload(java.lang.String context,
                      java.lang.String directorypath,
                      java.lang.String filename,
                      byte[] content,
                      int maxBytes,
                      boolean allowNull)



          Validates the filepath, filename, and content of a file.



 java.lang.String
getValidCreditCard(java.lang.String context,
                   java.lang.String input,
                   boolean allowNull)



          Returns a canonicalized and validated credit card number as a String.



 java.util.Date
getValidDate(java.lang.String context,
             java.lang.String input,
             java.text.DateFormat format,
             boolean allowNull)



          Returns a valid date as a Date.



 java.lang.String
getValidDirectoryPath(java.lang.String context,
                      java.lang.String input,
                      boolean allowNull)



          Returns a canonicalized and validated directory path as a String.



 java.lang.Double
getValidDouble(java.lang.String context,
               java.lang.String input,
               double minValue,
               double maxValue,
               boolean allowNull)



          Returns a validated number as a double.



 byte[]
getValidFileContent(java.lang.String context,
                    byte[] input,
                    int maxBytes,
                    boolean allowNull)



          Returns validated file content as a byte array.



 java.lang.String
getValidFileName(java.lang.String context,
                 java.lang.String input,
                 boolean allowNull)



          Returns a canonicalized and validated file name as a String.



 java.lang.String
getValidInput(java.lang.String context,
              java.lang.String input,
              java.lang.String type,
              int maxLength,
              boolean allowNull)



          Validates data received from the browser and returns a safe version.



 java.lang.Integer
getValidInteger(java.lang.String context,
                java.lang.String input,
                int minValue,
                int maxValue,
                boolean allowNull)



          Returns a validated number as a double.



 java.lang.String
getValidListItem(java.lang.String context,
                 java.lang.String input,
                 java.util.List list)



          Returns the list item that exactly matches the canonicalized input.



 java.lang.Double
getValidNumber(java.lang.String context,
               java.lang.String input,
               long minValue,
               long maxValue,
               boolean allowNull)



          Returns a validated number as a double.



 byte[]
getValidPrintable(java.lang.String context,
                  byte[] input,
                  int maxLength,
                  boolean allowNull)



          Returns canonicalized and validated printable characters as a byte array.



 java.lang.String
getValidPrintable(java.lang.String context,
                  java.lang.String input,
                  int maxLength,
                  boolean allowNull)



          Returns canonicalized and validated printable characters as a String.



 java.lang.String
getValidRedirectLocation(java.lang.String context,
                         java.lang.String input,
                         boolean allowNull)



          Returns a canonicalized and validated redirect location as a String.



 java.lang.String
getValidSafeHTML(java.lang.String context,
                 java.lang.String input,
                 int maxLength,
                 boolean allowNull)



          Returns canonicalized and validated "safe" HTML.



 boolean
isValidCreditCard(java.lang.String context,
                  java.lang.String input,
                  boolean allowNull)



          Returns true if input is a valid credit card.



 boolean
isValidDate(java.lang.String context,
            java.lang.String input,
            java.text.DateFormat format,
            boolean allowNull)



          Returns true if input is a valid date according to the specified date format.



 boolean
isValidDirectoryPath(java.lang.String context,
                     java.lang.String input,
                     boolean allowNull)



          Returns true if the directory path (not including a filename) is valid.



 boolean
isValidDouble(java.lang.String context,
              java.lang.String input,
              double minValue,
              double maxValue,
              boolean allowNull)



          Returns true if input is a valid double.



 boolean
isValidFileContent(java.lang.String context,
                   byte[] input,
                   int maxBytes,
                   boolean allowNull)



          Returns true if input is valid file content.



 boolean
isValidFileName(java.lang.String context,
                java.lang.String input,
                boolean allowNull)



          Returns true if input is a valid file name.



 boolean
isValidFileUpload(java.lang.String context,
                  java.lang.String directorypath,
                  java.lang.String filename,
                  byte[] content,
                  int maxBytes,
                  boolean allowNull)



          Returns true if a file upload has a valid name, path, and content.



 boolean
isValidHTTPRequest()



          Validates the current HTTP request by comparing parameters, headers, and cookies to a predefined whitelist of allowed
 characters.



 boolean
isValidHTTPRequest(javax.servlet.http.HttpServletRequest request)



          Validates the current HTTP request by comparing parameters, headers, and cookies to a predefined whitelist of allowed
 characters.



 boolean
isValidHTTPRequestParameterSet(java.lang.String context,
                               java.util.Set requiredNames,
                               java.util.Set optionalNames)



          Returns true if the parameters in the current request contain all required parameters and only optional ones in addition.



 boolean
isValidInput(java.lang.String context,
             java.lang.String input,
             java.lang.String type,
             int maxLength,
             boolean allowNull)



          Returns true if data received from browser is valid.



 boolean
isValidInteger(java.lang.String context,
               java.lang.String input,
               int minValue,
               int maxValue,
               boolean allowNull)



          Returns true if input is a valid integer.



 boolean
isValidListItem(java.lang.String context,
                java.lang.String input,
                java.util.List list)



          Returns true if input is a valid list item.



 boolean
isValidNumber(java.lang.String context,
              java.lang.String input,
              long minValue,
              long maxValue,
              boolean allowNull)



          Returns true if input is a valid number.



 boolean
isValidPrintable(java.lang.String context,
                 byte[] input,
                 int maxLength,
                 boolean allowNull)



          Checks that all bytes are valid ASCII characters (between 33 and 126
 inclusive).



 boolean
isValidPrintable(java.lang.String context,
                 java.lang.String input,
                 int maxLength,
                 boolean allowNull)



          Returns true if input is valid printable ASCII characters (32-126).



 boolean
isValidRedirectLocation(java.lang.String context,
                        java.lang.String input,
                        boolean allowNull)



          Returns true if input is a valid redirect location.



 boolean
isValidSafeHTML(java.lang.String context,
                java.lang.String input,
                int maxLength,
                boolean allowNull)



          Returns true if input is "safe" HTML.



 java.lang.String
safeReadLine(java.io.InputStream in,
             int max)



          This implementation reads until a newline or the specified number of
 characters.


 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 








Constructor Detail



Validator
public Validator()






Method Detail



isValidInput
public boolean isValidInput(java.lang.String context,
                            java.lang.String input,
                            java.lang.String type,
                            int maxLength,
                            boolean allowNull)
                     throws IntrusionException

Returns true if data received from browser is valid. Only URL encoding is
 supported. Double encoding is treated as an attack.


Specified by:
isValidInput in interface IValidator


Parameters:
context - A descriptive name for the field to validate. This is used for error facing validation messages and element identification.
input - The actual user input data to validate.
type - The regular expression name while maps to the actual regular expression from "ESAPI.properties".
maxLength - The maximum post-canonicalized String length allowed.
allowNull - If allowNull is true then a input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.
Returns:
The canonicalized user input.
Throws:
IntrusionException





getValidInput
public java.lang.String getValidInput(java.lang.String context,
                                      java.lang.String input,
                                      java.lang.String type,
                                      int maxLength,
                                      boolean allowNull)
                               throws ValidationException,
                                      IntrusionException

Validates data received from the browser and returns a safe version. Only
 URL encoding is supported. Double encoding is treated as an attack.


Specified by:
getValidInput in interface IValidator


Parameters:
context - A descriptive name for the field to validate. This is used for error facing validation messages and element identification.
input - The actual user input data to validate.
type - The regular expression name while maps to the actual regular expression from "ESAPI.properties".
maxLength - The maximum post-canonicalized String length allowed.
allowNull - If allowNull is true then a input that is NULL or an empty string will be legal. If allowNull is false then NULL or an empty String will throw a ValidationException.
Returns:
The canonicalized user input.
Throws:
ValidationException
IntrusionException





isValidDate
public boolean isValidDate(java.lang.String context,
                           java.lang.String input,
                           java.text.DateFormat format,
                           boolean allowNull)
                    throws IntrusionException

Returns true if input is a valid date according to the specified date format.


Specified by:
isValidDate in interface IValidator



Throws:
IntrusionException





getValidDate
public java.util.Date getValidDate(java.lang.String context,
                                   java.lang.String input,
                                   java.text.DateFormat format,
                                   boolean allowNull)
                            throws ValidationException,
                                   IntrusionException

Description copied from interface: IValidator
Returns a valid date as a Date. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidDate in interface IValidator



Throws:
ValidationException
IntrusionException





isValidSafeHTML
public boolean isValidSafeHTML(java.lang.String context,
                               java.lang.String input,
                               int maxLength,
                               boolean allowNull)
                        throws IntrusionException

Description copied from interface: IValidator
Returns true if input is "safe" HTML. Implementors should reference the OWASP AntiSamy project for ideas
 on how to do HTML validation in a whitelist way, as this is an extremely difficult problem.


Specified by:
isValidSafeHTML in interface IValidator



Throws:
IntrusionException





getValidSafeHTML
public java.lang.String getValidSafeHTML(java.lang.String context,
                                         java.lang.String input,
                                         int maxLength,
                                         boolean allowNull)
                                  throws ValidationException,
                                         IntrusionException

Description copied from interface: IValidator
Returns canonicalized and validated "safe" HTML. Implementors should reference the OWASP AntiSamy project for ideas
 on how to do HTML validation in a whitelist way, as this is an extremely difficult problem.


Specified by:
getValidSafeHTML in interface IValidator



Throws:
ValidationException
IntrusionException





isValidCreditCard
public boolean isValidCreditCard(java.lang.String context,
                                 java.lang.String input,
                                 boolean allowNull)
                          throws IntrusionException

Description copied from interface: IValidator
Returns true if input is a valid credit card. Maxlength is mandated by valid credit card type.


Specified by:
isValidCreditCard in interface IValidator



Throws:
IntrusionException





getValidCreditCard
public java.lang.String getValidCreditCard(java.lang.String context,
                                           java.lang.String input,
                                           boolean allowNull)
                                    throws ValidationException,
                                           IntrusionException

Returns a canonicalized and validated credit card number as a String. Invalid input
 will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidCreditCard in interface IValidator



Throws:
ValidationException
IntrusionException





isValidDirectoryPath
public boolean isValidDirectoryPath(java.lang.String context,
                                    java.lang.String input,
                                    boolean allowNull)
                             throws IntrusionException

Returns true if the directory path (not including a filename) is valid.


Specified by:
isValidDirectoryPath in interface IValidator



Throws:
IntrusionException
See Also:
org.owasp.esapi.interfaces.IValidator#isValidDirectoryPath(java.lang.String)





getValidDirectoryPath
public java.lang.String getValidDirectoryPath(java.lang.String context,
                                              java.lang.String input,
                                              boolean allowNull)
                                       throws ValidationException,
                                              IntrusionException

Returns a canonicalized and validated directory path as a String. Invalid input
 will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidDirectoryPath in interface IValidator



Throws:
ValidationException
IntrusionException





isValidFileName
public boolean isValidFileName(java.lang.String context,
                               java.lang.String input,
                               boolean allowNull)
                        throws IntrusionException

Returns true if input is a valid file name.


Specified by:
isValidFileName in interface IValidator



Throws:
IntrusionException





getValidFileName
public java.lang.String getValidFileName(java.lang.String context,
                                         java.lang.String input,
                                         boolean allowNull)
                                  throws ValidationException,
                                         IntrusionException

Returns a canonicalized and validated file name as a String. Invalid input
 will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidFileName in interface IValidator



Throws:
ValidationException
IntrusionException





isValidNumber
public boolean isValidNumber(java.lang.String context,
                             java.lang.String input,
                             long minValue,
                             long maxValue,
                             boolean allowNull)
                      throws IntrusionException

Description copied from interface: IValidator
Returns true if input is a valid number.


Specified by:
isValidNumber in interface IValidator



Throws:
IntrusionException





getValidNumber
public java.lang.Double getValidNumber(java.lang.String context,
                                       java.lang.String input,
                                       long minValue,
                                       long maxValue,
                                       boolean allowNull)
                                throws ValidationException,
                                       IntrusionException

Returns a validated number as a double. Invalid input
 will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidNumber in interface IValidator



Throws:
ValidationException
IntrusionException





isValidDouble
public boolean isValidDouble(java.lang.String context,
                             java.lang.String input,
                             double minValue,
                             double maxValue,
                             boolean allowNull)
                      throws IntrusionException

Description copied from interface: IValidator
Returns true if input is a valid double.


Specified by:
isValidDouble in interface IValidator



Throws:
IntrusionException





getValidDouble
public java.lang.Double getValidDouble(java.lang.String context,
                                       java.lang.String input,
                                       double minValue,
                                       double maxValue,
                                       boolean allowNull)
                                throws ValidationException,
                                       IntrusionException

Returns a validated number as a double. Invalid input
 will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidDouble in interface IValidator



Throws:
ValidationException
IntrusionException





isValidInteger
public boolean isValidInteger(java.lang.String context,
                              java.lang.String input,
                              int minValue,
                              int maxValue,
                              boolean allowNull)
                       throws IntrusionException

Description copied from interface: IValidator
Returns true if input is a valid integer.


Specified by:
isValidInteger in interface IValidator



Throws:
IntrusionException





getValidInteger
public java.lang.Integer getValidInteger(java.lang.String context,
                                         java.lang.String input,
                                         int minValue,
                                         int maxValue,
                                         boolean allowNull)
                                  throws ValidationException,
                                         IntrusionException

Returns a validated number as a double. Invalid input
 will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidInteger in interface IValidator



Throws:
ValidationException
IntrusionException





isValidFileContent
public boolean isValidFileContent(java.lang.String context,
                                  byte[] input,
                                  int maxBytes,
                                  boolean allowNull)
                           throws IntrusionException

Returns true if input is valid file content.


Specified by:
isValidFileContent in interface IValidator



Throws:
IntrusionException





getValidFileContent
public byte[] getValidFileContent(java.lang.String context,
                                  byte[] input,
                                  int maxBytes,
                                  boolean allowNull)
                           throws ValidationException,
                                  IntrusionException

Returns validated file content as a byte array. Invalid input
 will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidFileContent in interface IValidator



Throws:
ValidationException
IntrusionException





isValidFileUpload
public boolean isValidFileUpload(java.lang.String context,
                                 java.lang.String directorypath,
                                 java.lang.String filename,
                                 byte[] content,
                                 int maxBytes,
                                 boolean allowNull)
                          throws IntrusionException

Returns true if a file upload has a valid name, path, and content.


Specified by:
isValidFileUpload in interface IValidator



Throws:
IntrusionException





assertValidFileUpload
public void assertValidFileUpload(java.lang.String context,
                                  java.lang.String directorypath,
                                  java.lang.String filename,
                                  byte[] content,
                                  int maxBytes,
                                  boolean allowNull)
                           throws ValidationException,
                                  IntrusionException

Validates the filepath, filename, and content of a file. Invalid input
 will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
assertValidFileUpload in interface IValidator



Throws:
ValidationException
IntrusionException





isValidHTTPRequest
public boolean isValidHTTPRequest()
                           throws IntrusionException

Validates the current HTTP request by comparing parameters, headers, and cookies to a predefined whitelist of allowed
 characters. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException. 
 
 Uses current HTTPRequest saved in EASPI Authenticator


Specified by:
isValidHTTPRequest in interface IValidator



Throws:
IntrusionException





isValidHTTPRequest
public boolean isValidHTTPRequest(javax.servlet.http.HttpServletRequest request)
                           throws IntrusionException

Validates the current HTTP request by comparing parameters, headers, and cookies to a predefined whitelist of allowed
 characters. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.






Throws:
IntrusionException





assertIsValidHTTPRequest
public void assertIsValidHTTPRequest()
                              throws ValidationException,
                                     IntrusionException

Validates the current HTTP request by comparing parameters, headers, and cookies to a predefined whitelist of allowed
 characters. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException. 
 
 Uses current HTTPRequest saved in EASPI Authenticator


Specified by:
assertIsValidHTTPRequest in interface IValidator



Throws:
ValidationException
IntrusionException





assertIsValidHTTPRequest
public void assertIsValidHTTPRequest(javax.servlet.http.HttpServletRequest request)
                              throws ValidationException,
                                     IntrusionException

Validates the current HTTP request by comparing parameters, headers, and cookies to a predefined whitelist of allowed
 characters. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.






Throws:
ValidationException
IntrusionException





isValidListItem
public boolean isValidListItem(java.lang.String context,
                               java.lang.String input,
                               java.util.List list)

Description copied from interface: IValidator
Returns true if input is a valid list item.


Specified by:
isValidListItem in interface IValidator








getValidListItem
public java.lang.String getValidListItem(java.lang.String context,
                                         java.lang.String input,
                                         java.util.List list)
                                  throws ValidationException,
                                         IntrusionException

Returns the list item that exactly matches the canonicalized input. Invalid or non-matching input
 will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidListItem in interface IValidator



Throws:
ValidationException
IntrusionException





isValidHTTPRequestParameterSet
public boolean isValidHTTPRequestParameterSet(java.lang.String context,
                                              java.util.Set requiredNames,
                                              java.util.Set optionalNames)

Description copied from interface: IValidator
Returns true if the parameters in the current request contain all required parameters and only optional ones in addition.


Specified by:
isValidHTTPRequestParameterSet in interface IValidator








assertIsValidHTTPRequestParameterSet
public void assertIsValidHTTPRequestParameterSet(java.lang.String context,
                                                 java.util.Set required,
                                                 java.util.Set optional)
                                          throws ValidationException,
                                                 IntrusionException

Validates that the parameters in the current request contain all required parameters and only optional ones in
 addition. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
assertIsValidHTTPRequestParameterSet in interface IValidator



Throws:
ValidationException
IntrusionException





isValidPrintable
public boolean isValidPrintable(java.lang.String context,
                                byte[] input,
                                int maxLength,
                                boolean allowNull)
                         throws IntrusionException

Checks that all bytes are valid ASCII characters (between 33 and 126
 inclusive). This implementation does no decoding. http://en.wikipedia.org/wiki/ASCII. (non-Javadoc)


Specified by:
isValidPrintable in interface IValidator



Throws:
IntrusionException
See Also:
org.owasp.esapi.interfaces.IValidator#isValidASCIIFileContent(byte[])





getValidPrintable
public byte[] getValidPrintable(java.lang.String context,
                                byte[] input,
                                int maxLength,
                                boolean allowNull)
                         throws ValidationException,
                                IntrusionException

Returns canonicalized and validated printable characters as a byte array. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidPrintable in interface IValidator



Throws:
ValidationException
IntrusionException





isValidPrintable
public boolean isValidPrintable(java.lang.String context,
                                java.lang.String input,
                                int maxLength,
                                boolean allowNull)
                         throws IntrusionException

Description copied from interface: IValidator
Returns true if input is valid printable ASCII characters (32-126).


Specified by:
isValidPrintable in interface IValidator



Throws:
IntrusionException





getValidPrintable
public java.lang.String getValidPrintable(java.lang.String context,
                                          java.lang.String input,
                                          int maxLength,
                                          boolean allowNull)
                                   throws ValidationException,
                                          IntrusionException

Returns canonicalized and validated printable characters as a String. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidPrintable in interface IValidator



Throws:
ValidationException
IntrusionException





isValidRedirectLocation
public boolean isValidRedirectLocation(java.lang.String context,
                                       java.lang.String input,
                                       boolean allowNull)
                                throws IntrusionException

Returns true if input is a valid redirect location.


Specified by:
isValidRedirectLocation in interface IValidator



Throws:
IntrusionException





getValidRedirectLocation
public java.lang.String getValidRedirectLocation(java.lang.String context,
                                                 java.lang.String input,
                                                 boolean allowNull)
                                          throws ValidationException,
                                                 IntrusionException

Returns a canonicalized and validated redirect location as a String. Invalid input will generate a descriptive ValidationException, and input that is clearly an attack
 will generate a descriptive IntrusionException.


Specified by:
getValidRedirectLocation in interface IValidator



Throws:
ValidationException
IntrusionException





safeReadLine
public java.lang.String safeReadLine(java.io.InputStream in,
                                     int max)
                              throws ValidationException

This implementation reads until a newline or the specified number of
 characters.


Specified by:
safeReadLine in interface IValidator


Parameters:
in - the in
max - the max
Returns:
the string
Throws:
ValidationException - the validation exception
See Also:
IValidator.safeReadLine(java.io.InputStream,
      int)