com.neurosys.cluzo.adapters

Class WhiteBlackExpressionSecurityAdapter

java.lang.Object

com.neurosys.cluzo.adapters.WhiteBlackExpressionSecurityAdapter

All Implemented Interfaces:

SecurityAdapter<String>

Direct Known Subclasses:

RedundantFileExtSecurityAdapter, XSSPersistSecurityAdapter, XSSUrlParamSecurityAdapter

public abstract class WhiteBlackExpressionSecurityAdapter
extends Object
implements SecurityAdapter<String>

Define Black & White lists based on regular expressions for each. This also decodes/canonalizes the input so the expressions can focus on the core logical aspect than have to worry about encoding and double encoding issues.
While Black RegEx is applied to match any part of the input, White RegEx is matched over the exact match. (logical inversion in application)

The class also has Support for URL based strings & params.
Note: A emptry string based RegEx is same as No RegEx = null

Author:

Arjun Dhar

Field Summary

Fields

Modifier and Type	Field and Description
protected Pattern	blackRegExPattern
protected Pattern	whiteRegExPattern

Fields inherited from interface com.neurosys.cluzo.domain.SecurityAdapter

REGEX_PROP_FILE

Constructor Summary

Constructors

Constructor and Description
WhiteBlackExpressionSecurityAdapter()
WhiteBlackExpressionSecurityAdapter(Pattern blackRegExPattern, Pattern whiteRegExPattern)
WhiteBlackExpressionSecurityAdapter(String blackRegEx, String whiteRegEx)

Method Summary

Modifier and Type	Method and Description
Pattern	getBlackRegExPattern()
Pattern	getWhiteRegExPattern()
protected void	processInvalidQuery(Data<String> input)
protected void	processNameValue(String name, String value) Used by processParams(Data)
protected void	processParams(Data<String> input) If there are param pairs then process them pair wise
Data<String>	sanitize(Data<String> input) Sanitize content, from malicious to harmless.
void	setBlackRegExPattern(Pattern blackRegExPattern)
void	setWhiteRegExPattern(Pattern whiteRegExPattern)
void	validate(Data<String> input) Check if the input is safe or not When used in a chained or a SecurityContext with other SecurityAdapters then the Adapters throwing a OperationNotSupportedException will be ignored.
protected void	validateAgainstBlackRegEx(Data<String> input)
protected void	validateAgainstWhiteRegEx(Data<String> input)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

blackRegExPattern

protected Pattern blackRegExPattern

whiteRegExPattern

protected Pattern whiteRegExPattern

Constructor Detail

WhiteBlackExpressionSecurityAdapter

public WhiteBlackExpressionSecurityAdapter()

WhiteBlackExpressionSecurityAdapter

public WhiteBlackExpressionSecurityAdapter(String blackRegEx,
                                           String whiteRegEx)

WhiteBlackExpressionSecurityAdapter

public WhiteBlackExpressionSecurityAdapter(Pattern blackRegExPattern,
                                           Pattern whiteRegExPattern)

Method Detail

sanitize

public Data<String> sanitize(Data<String> input)
                      throws org.owasp.validator.html.ScanException,
                             org.owasp.validator.html.PolicyException,
                             OperationNotSupportedException

Description copied from interface: SecurityAdapter

Sanitize content, from malicious to harmless. An adapter may or may not choose to support a Sanitization method. In the event it does not support it, it should throw a OperationNotSupportedException. When used in a chained or a SecurityContext with other SecurityAdapters then the Adapters throwing a OperationNotSupportedException will be ignored. Any other exception will be thrown if there is an issue in the executionof the sanitization process.

Specified by:

sanitize in interface SecurityAdapter<String>

Returns:

Throws:

org.owasp.validator.html.ScanException

org.owasp.validator.html.PolicyException

OperationNotSupportedException

validate

public void validate(Data<String> input)
              throws SecurityException,
                     IOException

Description copied from interface: SecurityAdapter

Check if the input is safe or not
When used in a chained or a SecurityContext with other SecurityAdapters then the Adapters throwing a OperationNotSupportedException will be ignored.

Specified by:

validate in interface SecurityAdapter<String>

Parameters:

input - as Data

Throws:

SecurityException - is its is not safe. This is to provide additional details about the failure that te return param cannot.

IOException - for any type of setup, reading, infra related issue with files/configs

validateAgainstBlackRegEx

protected void validateAgainstBlackRegEx(Data<String> input)
                                  throws SecurityException,
                                         IOException

Throws:

SecurityException

IOException

validateAgainstWhiteRegEx

protected void validateAgainstWhiteRegEx(Data<String> input)
                                  throws SecurityException,
                                         IOException

Throws:

SecurityException

IOException

processParams

protected void processParams(Data<String> input)
                      throws SecurityException,
                             IOException

If there are param pairs then process them pair wise

Parameters:

input -

Throws:

SecurityException

IOException

processNameValue

protected void processNameValue(String name,
                                String value)
                         throws SecurityException,
                                IOException

Used by processParams(Data)

Parameters:

name -

value -

Throws:

SecurityException

IOException

processInvalidQuery

protected void processInvalidQuery(Data<String> input)
                            throws SecurityException,
                                   IOException

Throws:

SecurityException

IOException

getBlackRegExPattern

public Pattern getBlackRegExPattern()

setBlackRegExPattern

public void setBlackRegExPattern(Pattern blackRegExPattern)

getWhiteRegExPattern

public Pattern getWhiteRegExPattern()

setWhiteRegExPattern

public void setWhiteRegExPattern(Pattern whiteRegExPattern)