public interface Validator
Implementations must adopt a "whitelist" approach to validation where a specific pattern or character set is matched. "Blacklist" approaches that attempt to identify the invalid or disallowed characters are much more likely to allow a bypass with encoding or other tricks.
Modifier and Type | Method and Description |
---|---|
void |
addRule(ValidationRule rule)
Add a validation rule to the registry using the "type name" of the rule as the key.
|
void |
assertValidFileUpload(String context,
String filepath,
String filename,
File parent,
byte[] content,
int maxBytes,
List<String> allowedExtensions,
boolean allowNull)
Validates the
filepath , filename , and content of a file. |
void |
assertValidFileUpload(String context,
String filepath,
String filename,
File parent,
byte[] content,
int maxBytes,
List<String> allowedExtensions,
boolean allowNull,
ValidationErrorList errorList)
Validates the
filepath , filename , and content of a file,
any validation exceptions are added to the supplied errorList . |
void |
assertValidHTTPRequestParameterSet(String context,
javax.servlet.http.HttpServletRequest request,
Set<String> required,
Set<String> optional)
Validates that the parameters in the current request contain all required parameters
and only optional ones in addition.
|
void |
assertValidHTTPRequestParameterSet(String context,
javax.servlet.http.HttpServletRequest request,
Set<String> required,
Set<String> optional,
ValidationErrorList errorList)
Validates that the parameters in the current request contain all required parameters
and only optional ones in addition,
any validation exceptions are added to the supplied
errorList . |
URI |
getRfcCompliantURI(String input)
Will return a
URI object that will represent a fully parsed and legal URI
as specified in RFC-3986. |
ValidationRule |
getRule(String name)
Get a validation rule from the registry with the "type name" of the rule as the key.
|
String |
getValidCreditCard(String context,
String input,
boolean allowNull)
Returns a canonicalized and validated credit card number as a String.
|
String |
getValidCreditCard(String context,
String input,
boolean allowNull,
ValidationErrorList errorList)
Returns a canonicalized and validated credit card number as a String,
any validation exceptions are added to the supplied
errorList . |
Date |
getValidDate(String context,
String input,
DateFormat format,
boolean allowNull)
Returns a valid date as a
Date . |
Date |
getValidDate(String context,
String input,
DateFormat format,
boolean allowNull,
ValidationErrorList errorList)
Returns a valid date as a
Date ,
any validation exceptions are added to the supplied errorList . |
String |
getValidDirectoryPath(String context,
String input,
File parent,
boolean allowNull)
Returns a canonicalized and validated directory path as a String, provided that the input
maps to an existing directory that is an existing subdirectory (at any level) of the specified parent.
|
String |
getValidDirectoryPath(String context,
String input,
File parent,
boolean allowNull,
ValidationErrorList errorList)
Returns a canonicalized and validated directory path as a String, provided that the input
maps to an existing directory that is an existing subdirectory (at any level) of the specified parent;
any validation exceptions are added to the supplied
errorList . |
Double |
getValidDouble(String context,
String input,
double minValue,
double maxValue,
boolean allowNull)
Returns a validated real number as a double.
|
Double |
getValidDouble(String context,
String input,
double minValue,
double maxValue,
boolean allowNull,
ValidationErrorList errorList)
Returns a validated real number as a double,
any validation exceptions are added to the supplied
errorList . |
byte[] |
getValidFileContent(String context,
byte[] input,
int maxBytes,
boolean allowNull)
Returns validated file content as a byte array.
|
byte[] |
getValidFileContent(String context,
byte[] input,
int maxBytes,
boolean allowNull,
ValidationErrorList errorList)
Returns validated file content as a byte array,
any validation exceptions are added to the supplied
errorList . |
String |
getValidFileName(String context,
String input,
List<String> allowedExtensions,
boolean allowNull)
Returns a canonicalized and validated file name as a String.
|
String |
getValidFileName(String context,
String input,
List<String> allowedExtensions,
boolean allowNull,
ValidationErrorList errorList)
Returns a canonicalized and validated file name as a String,
any validation exceptions are added to the supplied
errorList . |
String |
getValidInput(String context,
String input,
String type,
int maxLength,
boolean allowNull)
Returns validated canonicalized
input as a String. |
String |
getValidInput(String context,
String input,
String type,
int maxLength,
boolean allowNull,
boolean canonicalize)
Returns validated
input as a String with optional canonicalization. |
String |
getValidInput(String context,
String input,
String type,
int maxLength,
boolean allowNull,
boolean canonicalize,
ValidationErrorList errorList)
Returns validated
input as a String with optional canonicalization,
and adds validation exceptions to the supplied errorList . |
String |
getValidInput(String context,
String input,
String type,
int maxLength,
boolean allowNull,
ValidationErrorList errorList)
Returns canonicalized validated
input as a String,
and adds validation exceptions to the supplied errorList . |
Integer |
getValidInteger(String context,
String input,
int minValue,
int maxValue,
boolean allowNull)
Returns a validated integer,
input is a valid integer if it is between minValue and maxValue inclusive. |
Integer |
getValidInteger(String context,
String input,
int minValue,
int maxValue,
boolean allowNull,
ValidationErrorList errorList)
Returns a validated integer,
any validation exceptions are added to the supplied
errorList . |
String |
getValidListItem(String context,
String input,
List<String> list)
Returns the list item that exactly matches the canonicalized input.
|
String |
getValidListItem(String context,
String input,
List<String> list,
ValidationErrorList errorList)
Returns the list item that exactly matches the canonicalized input,
any validation exceptions are added to the supplied
errorList . |
Double |
getValidNumber(String context,
String input,
long minValue,
long maxValue,
boolean allowNull)
Returns a validated number as a double within the range of minValue to maxValue.
|
Double |
getValidNumber(String context,
String input,
long minValue,
long maxValue,
boolean allowNull,
ValidationErrorList errorList)
Returns a validated number as a double within the range of minValue to maxValue,
any validation exceptions are added to the supplied
errorList . |
char[] |
getValidPrintable(String context,
char[] input,
int maxLength,
boolean allowNull)
Returns canonicalized and validated printable characters as a byte array.
|
char[] |
getValidPrintable(String context,
char[] input,
int maxLength,
boolean allowNull,
ValidationErrorList errorList)
Returns canonicalized and validated printable characters as a byte array,
any validation exceptions are added to the supplied
errorList . |
String |
getValidPrintable(String context,
String input,
int maxLength,
boolean allowNull)
Returns canonicalized and validated printable characters as a String.
|
String |
getValidPrintable(String context,
String input,
int maxLength,
boolean allowNull,
ValidationErrorList errorList)
Returns canonicalized and validated printable characters as a String,
any validation exceptions are added to the supplied
errorList . |
String |
getValidRedirectLocation(String context,
String input,
boolean allowNull)
Returns a canonicalized and validated redirect location as a String.
|
String |
getValidRedirectLocation(String context,
String input,
boolean allowNull,
ValidationErrorList errorList)
Returns a canonicalized and validated redirect location as a String,
any validation exceptions are added to the supplied
errorList . |
String |
getValidSafeHTML(String context,
String input,
int maxLength,
boolean allowNull)
Returns canonicalized and validated "safe" HTML that does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else.
|
String |
getValidSafeHTML(String context,
String input,
int maxLength,
boolean allowNull,
ValidationErrorList errorList)
Returns canonicalized and validated "safe" HTML that does not contain unwanted scripts in the body, attributes, CSS, URLs, or anywhere else,
any validation exceptions are added to the supplied
errorList . |
boolean |
isValidCreditCard(String context,
String input,
boolean allowNull)
Returns true if
input matches the pattern for a valid credit card number. |
boolean |
isValidCreditCard(String context,
String input,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input matches the pattern for a valid credit card number,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidDate(String context,
String input,
DateFormat format,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidDate(String context,
String input,
DateFormat format,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidDirectoryPath(String context,
String input,
File parent,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidDirectoryPath(String context,
String input,
File parent,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidDouble(String context,
String input,
double minValue,
double maxValue,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidDouble(String context,
String input,
double minValue,
double maxValue,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidFileContent(String context,
byte[] input,
int maxBytes,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidFileContent(String context,
byte[] input,
int maxBytes,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidFileName(String context,
String input,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidFileName(String context,
String input,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidFileName(String context,
String input,
List<String> allowedExtensions,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidFileName(String context,
String input,
List<String> allowedExtensions,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidFileUpload(String context,
String filepath,
String filename,
File parent,
byte[] content,
int maxBytes,
boolean allowNull)
Returns true if
filepath , filename , and content of a file are valid. |
boolean |
isValidFileUpload(String context,
String filepath,
String filename,
File parent,
byte[] content,
int maxBytes,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
filepath , filename , and content of a file are valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidHTTPRequestParameterSet(String context,
javax.servlet.http.HttpServletRequest request,
Set<String> required,
Set<String> optional)
Returns true if only required and optional parameters are in the request.
|
boolean |
isValidHTTPRequestParameterSet(String context,
javax.servlet.http.HttpServletRequest request,
Set<String> required,
Set<String> optional,
ValidationErrorList errorList)
Returns true if only required and optional parameters are in the request,
any validation exceptions are added to the supplied
errorList . |
boolean |
isValidInput(String context,
String input,
String type,
int maxLength,
boolean allowNull)
Returns true if canonicalized input is valid.
|
boolean |
isValidInput(String context,
String input,
String type,
int maxLength,
boolean allowNull,
boolean canonicalize)
Returns true if
input is valid. |
boolean |
isValidInput(String context,
String input,
String type,
int maxLength,
boolean allowNull,
boolean canonicalize,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidInput(String context,
String input,
String type,
int maxLength,
boolean allowNull,
ValidationErrorList errorList)
Returns true if canonicalized input is valid,
any validation exceptions are added to the supplied
errorList . |
boolean |
isValidInteger(String context,
String input,
int minValue,
int maxValue,
boolean allowNull)
Returns true if
input is a valid integer between minValue and maxValue inclusive. |
boolean |
isValidInteger(String context,
String input,
int minValue,
int maxValue,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is a valid integer between minValue and maxValue inclusive,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidListItem(String context,
String input,
List<String> list)
Returns true if
input is valid. |
boolean |
isValidListItem(String context,
String input,
List<String> list,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidNumber(String context,
String input,
long minValue,
long maxValue,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidNumber(String context,
String input,
long minValue,
long maxValue,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidPrintable(String context,
char[] input,
int maxLength,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidPrintable(String context,
char[] input,
int maxLength,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidPrintable(String context,
String input,
int maxLength,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidPrintable(String context,
String input,
int maxLength,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidRedirectLocation(String context,
String input,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidRedirectLocation(String context,
String input,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidSafeHTML(String context,
String input,
int maxLength,
boolean allowNull)
Returns true if
input is valid. |
boolean |
isValidSafeHTML(String context,
String input,
int maxLength,
boolean allowNull,
ValidationErrorList errorList)
Returns true if
input is valid,
any validation exceptions are added to the supplied errorList . |
boolean |
isValidURI(String context,
String input,
boolean allowNull)
Parses and ensures that the URI in question is a valid RFC-3986 URI.
|
String |
safeReadLine(InputStream inputStream,
int maxLength)
Reads from an input stream until end-of-line or a maximum number of
characters.
|
void addRule(ValidationRule rule)
ValidationRule getRule(String name)
boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull) throws IntrusionException
Calls getValidInput(String, String, String, int, boolean, boolean)
with canonicalize=true
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
Calls getValidInput(String, String, String, int, boolean, boolean)
with canonicalize=true
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize) throws IntrusionException
input
is valid.
Calls getValidInput(String, String, String, int, boolean, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidInput(String, String, String, int, boolean, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.String getValidInput(String context, String input, String type, int maxLength, boolean allowNull) throws ValidationException, IntrusionException
input
as a String.
Calls getValidInput(String, String, String, int, boolean, boolean)
with canonicalize=true
.
ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize) throws ValidationException, IntrusionException
input
as a String with optional canonicalization.
Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual user input data to validate.type
- The regular expression name which maps to the actual regular expression from "ESAPI.properties".maxLength
- The maximum post-canonicalized String length allowed.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.canonicalize
- If canonicalize is true then input will be canonicalized before validation.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
as a String,
and adds validation exceptions to the supplied errorList
.
Calls getValidInput(String, String, String, int, boolean, boolean)
.
IntrusionException
- Input likely indicates an attack.String getValidInput(String context, String input, String type, int maxLength, boolean allowNull, boolean canonicalize, ValidationErrorList errorList) throws IntrusionException
input
as a String with optional canonicalization,
and adds validation exceptions to the supplied errorList
.
Returns the result of calling getValidInput(String, String, String, int, boolean, boolean)
with canonicalize=true
.
IntrusionException
- Input likely indicates an attack.boolean isValidDate(String context, String input, DateFormat format, boolean allowNull) throws IntrusionException
input
is valid.
Calls getValidDate(String, String, DateFormat, boolean)
,
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidDate(String context, String input, DateFormat format, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidDate(String, String, DateFormat, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.Date getValidDate(String context, String input, DateFormat format, boolean allowNull) throws ValidationException, IntrusionException
Date
.
Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual user input data to validate.format
- Required formatting of date inputted.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.Date
ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.Date getValidDate(String context, String input, DateFormat format, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
Date
,
any validation exceptions are added to the supplied errorList
.
IntrusionException
- Input likely indicates an attack.boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws IntrusionException
input
is valid.
Calls getValidSafeHTML(String, String, int, boolean)
,
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidSafeHTML(String, String, int, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws ValidationException, IntrusionException
The default behavior of this check depends on the antisamy-esapi.xml
configuration.
Implementors should reference the OWASP AntiSamy project for ideas
on how to do HTML validation in a whitelist way, as this is an extremely difficult problem.
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual user input data to validate.maxLength
- The maximum String length allowed.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
The default behavior of this check depends on the antisamy-esapi.xml
configuration.
Implementors should reference the OWASP AntiSamy project for ideas
on how to do HTML validation in a whitelist way, as this is an extremely difficult problem.
IntrusionException
- Input likely indicates an attack.boolean isValidCreditCard(String context, String input, boolean allowNull) throws IntrusionException
input
matches the pattern for a valid credit card number.
Calls getValidCreditCard(String, String, boolean)
,
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidCreditCard(String context, String input, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
matches the pattern for a valid credit card number,
any validation exceptions are added to the supplied errorList
.
Calls getValidCreditCard(String, String, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.String getValidCreditCard(String context, String input, boolean allowNull) throws ValidationException, IntrusionException
Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual user input data to validate.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.String getValidCreditCard(String context, String input, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
IntrusionException
- Input likely indicates an attack.boolean isValidDirectoryPath(String context, String input, File parent, boolean allowNull) throws IntrusionException
input
is valid.
Calls getValidDirectoryPath(String, String, File, boolean)
,
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidDirectoryPath(String context, String input, File parent, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidDirectoryPath(String, String, File, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.String getValidDirectoryPath(String context, String input, File parent, boolean allowNull) throws ValidationException, IntrusionException
Invalid input will generate a descriptive ValidationException, and input that is clearly an attack will generate a descriptive IntrusionException.
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.String getValidDirectoryPath(String context, String input, File parent, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
IntrusionException
- Input likely indicates an attack.boolean isValidFileName(String context, String input, boolean allowNull) throws IntrusionException
input
is valid.
Calls getValidFileName(String, String, List, boolean)
with allowedExtensions set to the configured ESAPI.securityConfiguration().getAllowedFileExtensions()
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.ESAPI.securityConfiguration()
,
SecurityConfiguration.getAllowedFileExtensions()
boolean isValidFileName(String context, String input, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidFileName(String, String, List, boolean)
with allowedExtensions set to the configured ESAPI.securityConfiguration().getAllowedFileExtensions()
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.ESAPI.securityConfiguration()
,
SecurityConfiguration.getAllowedFileExtensions()
boolean isValidFileName(String context, String input, List<String> allowedExtensions, boolean allowNull) throws IntrusionException
input
is valid.
Calls getValidFileName(String, String, List, boolean)
,
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.ESAPI.securityConfiguration()
,
SecurityConfiguration.getAllowedFileExtensions()
boolean isValidFileName(String context, String input, List<String> allowedExtensions, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidFileName(String, String, List, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.ESAPI.securityConfiguration()
,
SecurityConfiguration.getAllowedFileExtensions()
String getValidFileName(String context, String input, List<String> allowedExtensions, boolean allowNull) throws ValidationException, IntrusionException
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.allowedExtensions
- List of file extensions which will be accepted.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.String getValidFileName(String context, String input, List<String> allowedExtensions, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
Calls getValidFileName(String, String, List, boolean)
,
the supplied errorList
is used to capture ValidationExceptions.
IntrusionException
- Input likely indicates an attack.boolean isValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull) throws IntrusionException
input
is valid.
Calls getValidNumber(String, String, long, long, boolean)
,
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidNumber(String, String, long, long, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.Double getValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull) throws ValidationException, IntrusionException
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.minValue
- Lowest legal value for input.maxValue
- Highest legal value for input.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.Double getValidNumber(String context, String input, long minValue, long maxValue, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
IntrusionException
- Input likely indicates an attack.boolean isValidInteger(String context, String input, int minValue, int maxValue, boolean allowNull) throws IntrusionException
input
is a valid integer between minValue
and maxValue
inclusive.
Calls getValidInteger(String, String, int, int, boolean)
,
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidInteger(String context, String input, int minValue, int maxValue, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is a valid integer between minValue
and maxValue
inclusive,
any validation exceptions are added to the supplied errorList
.
Calls getValidInteger(String, String, int, int, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.Integer getValidInteger(String context, String input, int minValue, int maxValue, boolean allowNull) throws ValidationException, IntrusionException
input
is a valid integer if it is between minValue
and maxValue
inclusive.
Invalid input will generate a descriptive ValidationException,
and input that is clearly an attack will generate a descriptive IntrusionException.context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.minValue
- Lowest legal value for input.maxValue
- Highest legal value for input.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.Integer getValidInteger(String context, String input, int minValue, int maxValue, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
IntrusionException
- Input likely indicates an attack.boolean isValidDouble(String context, String input, double minValue, double maxValue, boolean allowNull) throws IntrusionException
input
is valid.
Calls getValidDouble(String, String, double, double, boolean)
,
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidDouble(String context, String input, double minValue, double maxValue, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidDouble(String, String, double, double, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.Double getValidDouble(String context, String input, double minValue, double maxValue, boolean allowNull) throws ValidationException, IntrusionException
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.minValue
- Lowest legal value for input.maxValue
- Highest legal value for input.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.Double getValidDouble(String context, String input, double minValue, double maxValue, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
Calls getValidDouble(String, String, double, double, boolean)
,
the supplied errorList
is used to capture ValidationExceptions.
IntrusionException
- Input likely indicates an attack.boolean isValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull) throws IntrusionException
input
is valid.
Calls getValidFileContent(String, byte[], int, boolean)
,
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidFileContent(String, byte[], int, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.byte[] getValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull) throws ValidationException, IntrusionException
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- The actual input data to validate.maxBytes
- The maximum number of bytes allowed in a legal file.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.byte[] getValidFileContent(String context, byte[] input, int maxBytes, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
Calls getValidFileContent(String, byte[], int, boolean)
,
the supplied errorList
is used to capture ValidationExceptions.
IntrusionException
- Input likely indicates an attack.boolean isValidFileUpload(String context, String filepath, String filename, File parent, byte[] content, int maxBytes, boolean allowNull) throws IntrusionException
filepath
, filename
, and content
of a file are valid.
Calls isValidFileName(String, String, boolean)
,
isValidDirectoryPath(String, String, File, boolean)
,
and isValidFileContent(String, byte[], int, boolean)
,
and returns true if all three checks pass.
IntrusionException
- Input likely indicates an attack.boolean isValidFileUpload(String context, String filepath, String filename, File parent, byte[] content, int maxBytes, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
filepath
, filename
, and content
of a file are valid,
any validation exceptions are added to the supplied errorList
.
Calls isValidFileName(String, String, boolean, ValidationErrorList)
isValidDirectoryPath(String, String, File, boolean, ValidationErrorList)
and isValidFileContent(String, byte[], int, boolean, ValidationErrorList)
,
and returns true if all three checks pass.
IntrusionException
- Input likely indicates an attack.void assertValidFileUpload(String context, String filepath, String filename, File parent, byte[] content, int maxBytes, List<String> allowedExtensions, boolean allowNull) throws ValidationException, IntrusionException
filepath
, filename
, and content
of a file.
Invalid input will generate a descriptive ValidationException,
and input that is clearly an attack will generate a descriptive IntrusionException.context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.filepath
- The file path of the uploaded file.filename
- The filename of the uploaded filecontent
- A byte array containing the content of the uploaded file.maxBytes
- The max number of bytes allowed for a legal file upload.allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.void assertValidFileUpload(String context, String filepath, String filename, File parent, byte[] content, int maxBytes, List<String> allowedExtensions, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
filepath
, filename
, and content
of a file,
any validation exceptions are added to the supplied errorList
.
Calls assertValidFileUpload(String, String, String, File, byte[], int, List, boolean)
,
the supplied errorList
is used to capture ValidationExceptions.
IntrusionException
- Input likely indicates an attack.boolean isValidListItem(String context, String input, List<String> list) throws IntrusionException
input
is valid.
Calls getValidListItem(String, String, List)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidListItem(String context, String input, List<String> list, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidListItem(String, String, List)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.String getValidListItem(String context, String input, List<String> list) throws ValidationException, IntrusionException
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.input
- The value to search 'list' for.list
- The list to search for 'input'.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.String getValidListItem(String context, String input, List<String> list, ValidationErrorList errorList) throws IntrusionException
errorList
.
IntrusionException
- Input likely indicates an attack.boolean isValidHTTPRequestParameterSet(String context, javax.servlet.http.HttpServletRequest request, Set<String> required, Set<String> optional) throws IntrusionException
Calls assertValidHTTPRequestParameterSet(String, HttpServletRequest, Set, Set)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidHTTPRequestParameterSet(String context, javax.servlet.http.HttpServletRequest request, Set<String> required, Set<String> optional, ValidationErrorList errorList) throws IntrusionException
errorList
.
Calls assertValidHTTPRequestParameterSet(String, HttpServletRequest, Set, Set)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.void assertValidHTTPRequestParameterSet(String context, javax.servlet.http.HttpServletRequest request, Set<String> required, Set<String> optional) throws ValidationException, IntrusionException
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField). This value is used by any logging or error handling that is done with respect to the value passed in.required
- parameters that are required to be in HTTP requestoptional
- additional parameters that may be in HTTP requestValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.void assertValidHTTPRequestParameterSet(String context, javax.servlet.http.HttpServletRequest request, Set<String> required, Set<String> optional, ValidationErrorList errorList) throws IntrusionException
errorList
.
Calls assertValidHTTPRequestParameterSet(String, HttpServletRequest, Set, Set)
.
IntrusionException
- Input likely indicates an attack.boolean isValidPrintable(String context, char[] input, int maxLength, boolean allowNull) throws IntrusionException
input
is valid.
Calls getValidPrintable(String, char[], int, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidPrintable(String context, char[] input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidPrintable(String, char[], int, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.char[] getValidPrintable(String context, char[] input, int maxLength, boolean allowNull) throws ValidationException
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- data to be returned as valid and printablemaxLength
- Maximum number of bytes stored in 'input'allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.ValidationException
- Input is invalid.char[] getValidPrintable(String context, char[] input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
IntrusionException
- Input likely indicates an attack.boolean isValidPrintable(String context, String input, int maxLength, boolean allowNull) throws IntrusionException
input
is valid.
Calls getValidPrintable(String, String, int, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.boolean isValidPrintable(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidPrintable(String, String, int, boolean)
and returns true if no exceptions are thrown.
IntrusionException
- Input likely indicates an attack.String getValidPrintable(String context, String input, int maxLength, boolean allowNull) throws ValidationException
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- data to be returned as valid and printablemaxLength
- Maximum number of bytes stored in 'input' after canonicalizationallowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.ValidationException
- Input is invalid.String getValidPrintable(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
IntrusionException
- Input likely indicates an attack.boolean isValidRedirectLocation(String context, String input, boolean allowNull)
input
is valid.
Calls getValidRedirectLocation(String, String, boolean)
and returns true if no exceptions are thrown.
boolean isValidRedirectLocation(String context, String input, boolean allowNull, ValidationErrorList errorList)
input
is valid,
any validation exceptions are added to the supplied errorList
.
Calls getValidRedirectLocation(String, String, boolean)
and returns true if no exceptions are thrown.
String getValidRedirectLocation(String context, String input, boolean allowNull) throws ValidationException, IntrusionException
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- redirect location to be returned as valid, according to encoding rules set in "ESAPI.properties"allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.ValidationException
- Input is invalid.IntrusionException
- Input likely indicates an attack.String getValidRedirectLocation(String context, String input, boolean allowNull, ValidationErrorList errorList) throws IntrusionException
errorList
.
IntrusionException
- Input likely indicates an attack.String safeReadLine(InputStream inputStream, int maxLength) throws ValidationException
inputStream
- The InputStream from which to read datamaxLength
- Maximum characters allowed to be read in per lineValidationException
- Input is invalid.boolean isValidURI(String context, String input, boolean allowNull)
context
- A descriptive name of the parameter that you are validating (e.g., LoginPage_UsernameField).
This value is used by any logging or error handling that is done with respect to the value passed in.input
- redirect location to be returned as valid, according to encoding rules set in "ESAPI.properties"allowNull
- If allowNull
is true then an input that is NULL or an empty string will be legal.
If allowNull
is false then NULL or an empty String will throw a ValidationException.Copyright © 2022 The Open Web Application Security Project (OWASP). All rights reserved.