From e744a153e6f6993a852876abcb4e3f1810fb2628 Mon Sep 17 00:00:00 2001
From: Marek Goldmann <goldmann@fedoraproject.org>
Date: Wed, 14 Nov 2012 10:04:21 +0100
Subject: [PATCH] Remove validator implementation bsed on Antisammy

---
 .../owasp/esapi/reference/DefaultValidator.java | 28 +----
 .../reference/validation/HTMLValidationRule.java | 129 ---------------------
 .../org/owasp/esapi/reference/ValidatorTest.java | 62 ----------
 3 files changed, 3 insertions(+), 216 deletions(-)
 delete mode 100644 src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java
index 85c3343..ced7747 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java
@@ -43,7 +43,6 @@ import org.owasp.esapi.errors.ValidationAvailabilityException;
 import org.owasp.esapi.errors.ValidationException;
 import org.owasp.esapi.reference.validation.CreditCardValidationRule;
 import org.owasp.esapi.reference.validation.DateValidationRule;
-import org.owasp.esapi.reference.validation.HTMLValidationRule;
 import org.owasp.esapi.reference.validation.IntegerValidationRule;
 import org.owasp.esapi.reference.validation.NumberValidationRule;
 import org.owasp.esapi.reference.validation.StringValidationRule;
@@ -307,25 +306,14 @@ public class DefaultValidator implements org.owasp.esapi.Validator {
 * {@inheritDoc}
 */
 public boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws IntrusionException {
- try {
- getValidSafeHTML( context, input, maxLength, allowNull);
- return true;
- } catch( Exception e ) {
- return false;
- }
+ return false;
 }
 
 /**
 * {@inheritDoc}
 */
 public boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException {
- try {
- getValidSafeHTML( context, input, maxLength, allowNull);
- return true;
- } catch( ValidationException e ) {
- errors.addError(context, e);
- return false;
- }
+ return false;
 }
 
 /**
@@ -334,23 +322,13 @@ public class DefaultValidator implements org.owasp.esapi.Validator {
 * This implementation relies on the OWASP AntiSamy project.
 */
 public String getValidSafeHTML( String context, String input, int maxLength, boolean allowNull ) throws ValidationException, IntrusionException {
- HTMLValidationRule hvr = new HTMLValidationRule( "safehtml", encoder );
- hvr.setMaximumLength(maxLength);
- hvr.setAllowNull(allowNull);
- hvr.setValidateInputAndCanonical(false);
- return hvr.getValid(context, input);
+ return "";
 }
 
 /**
 * {@inheritDoc}
 */
 public String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException {
- try {
- return getValidSafeHTML(context, input, maxLength, allowNull);
- } catch (ValidationException e) {
- errors.addError(context, e);
- }
- return "";
 }
 
 
diff --git a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
deleted file mode 100644
index e08e2b0..0000000
--- a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
+++ /dev/null
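Review bot: The `errors` overload of `isValidSafeHTML` now returns false without touching `errors`, whereas the removed code called `errors.addError(context, e)` first; a caller that runs several validations and then inspects the list (the usual reason to use this overload) will find it empty and may treat the input as accepted. Returning false unconditionally is at least fail-closed, but it is silent: nothing tells the integrator that HTML validation has been removed from this build. I would rather have both overloads fail loudly with `throw new UnsupportedOperationException("safe HTML validation is not available: the AntiSamy-based implementation was removed");`, which is unchecked and so fits the existing signatures. If the silent stub is kept, the `errors` overload should at least record a `ValidationException` in the list so the boolean and the list agree.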
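Review bot: In the `errors` overload of `getValidSafeHTML` the line `- return "";` is removed and nothing is added in its place, so as far as the hunk shows the method body is now empty, and a non-void Java method without a return statement will not compile. The other overload now returns `""` for every input without raising anything, so a caller that stores the result silently loses the user's content, and the context line ` * This implementation relies on the OWASP AntiSamy project.` just above it is no longer true. Since this build deliberately ships without a safe-HTML implementation, both overloads should fail loudly, e.g. `throw new UnsupportedOperationException("safe HTML validation is not available: the AntiSamy-based implementation was removed");` (if `ValidationAvailabilityException`, still imported at the top of the file, is a `ValidationException` subtype, it is the natural choice for the first overload, which declares `throws ValidationException`). The Javadoc should state the same so integrators do not assume sanitization is still happening.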
@@ -1,129 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- *
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- *
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- *
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created 2007
- */
-package org.owasp.esapi.reference.validation;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.List;
-
-import org.owasp.esapi.errors.ConfigurationException;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.Encoder;
-import org.owasp.esapi.Logger;
-import org.owasp.esapi.StringUtilities;
-import org.owasp.esapi.errors.ValidationException;
-import org.owasp.validator.html.AntiSamy;
-import org.owasp.validator.html.CleanResults;
-import org.owasp.validator.html.Policy;
-import org.owasp.validator.html.PolicyException;
-import org.owasp.validator.html.ScanException;
-
-
-/**
- * A validator performs syntax and possibly semantic validation of a single
- * piece of data from an untrusted source.
- *
- * @author Jeff Williams (jeff.williams .at. 
aspectsecurity.com) <a
- * href="http://www.aspectsecurity.com">Aspect Security</a>
- * @since June 1, 2007
- * @see org.owasp.esapi.Validator
- */
-public class HTMLValidationRule extends StringValidationRule {
-
- /** OWASP AntiSamy markup verification policy */
- private static Policy antiSamyPolicy = null;
- private static final Logger LOGGER = ESAPI.getLogger( "HTMLValidationRule" );
-
- static {
- InputStream resourceStream = null;
- try {
- resourceStream = ESAPI.securityConfiguration().getResourceStream("antisamy-esapi.xml");
- } catch (IOException e) {
- throw new ConfigurationException("Couldn't find antisamy-esapi.xml", e);
- }
- if (resourceStream != null) {
- try {
- antiSamyPolicy = Policy.getInstance(resourceStream);
- } catch (PolicyException e) {
- throw new ConfigurationException("Couldn't parse antisamy policy", e);
- }
- }
- }
-
- public HTMLValidationRule( String typeName ) {
- super( typeName );
- }
-
- public HTMLValidationRule( String typeName, Encoder encoder ) {
- super( typeName, encoder );
- }
-
- public HTMLValidationRule( String typeName, Encoder encoder, String whitelistPattern ) {
- super( typeName, encoder, whitelistPattern );
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public String getValid( String context, String input ) throws ValidationException {
- return invokeAntiSamy( context, input );
- }
-
- /**
- * {@inheritDoc}
- */
- @Override
- public String sanitize( String context, String input ) {
- String safe = "";
- try {
- safe = invokeAntiSamy( context, input );
- } catch( ValidationException e ) {
- // just return safe
- }
- return safe;
- }
-
- private String invokeAntiSamy( String context, String input ) throws ValidationException {
- // CHECKME should this allow empty Strings? " " us IsBlank instead? 
- if ( StringUtilities.isEmpty(input) ) {
- if (allowNull) {
- return null;
- }
- throw new ValidationException( context + " is required", "AntiSamy validation error: context=" + context + ", input=" + input, context );
- }
-
- String canonical = super.getValid( context, input );
-
- try {
- AntiSamy as = new AntiSamy();
- CleanResults test = as.scan(canonical, antiSamyPolicy);
-
- List<String> errors = test.getErrorMessages();
- if ( !errors.isEmpty() ) {
- LOGGER.info( Logger.SECURITY_FAILURE, "Cleaned up invalid HTML input: " + errors );
- }
-
- return test.getCleanHTML().trim();
-
- } catch (ScanException e) {
- throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input: context=" + context + " error=" + e.getMessage(), e, context );
- } catch (PolicyException e) {
- throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input does not follow rules in antisamy-esapi.xml: context=" + context + " error=" + e.getMessage(), e, context );
- }
- }
-}
-
diff --git a/src/test/java/org/owasp/esapi/reference/ValidatorTest.java b/src/test/java/org/owasp/esapi/reference/ValidatorTest.java
index 9402630..fbb19f7 100644
--- a/src/test/java/org/owasp/esapi/reference/ValidatorTest.java
+++ b/src/test/java/org/owasp/esapi/reference/ValidatorTest.java
@@ -34,7 +34,6 @@ import org.owasp.esapi.errors.ValidationException;
 import org.owasp.esapi.filters.SecurityWrapperRequest;
 import org.owasp.esapi.http.MockHttpServletRequest;
 import org.owasp.esapi.http.MockHttpServletResponse;
-import org.owasp.esapi.reference.validation.HTMLValidationRule;
 import org.owasp.esapi.reference.validation.StringValidationRule;
 
 import javax.servlet.http.Cookie;
@@ -273,40 +272,6 @@ public class ValidatorTest extends TestCase {
 // instance.getValidRedirectLocation(String, String, boolean, ValidationErrorList)
 }
 
- public void testGetValidSafeHTML() throws Exception {
- System.out.println("getValidSafeHTML");
- Validator instance = ESAPI.validator();
- ValidationErrorList errors = new ValidationErrorList();
-
- // new school test case setup
- HTMLValidationRule rule = new HTMLValidationRule("test");
- ESAPI.validator().addRule(rule);
-
- assertEquals("Test.", ESAPI.validator().getRule("test").getValid("test", "Test. <script>alert(document.cookie)</script>"));
-
- String test1 = "<b>Jeff</b>";
- String result1 = instance.getValidSafeHTML("test", test1, 100, false, errors);
- assertEquals(test1, result1);
-
- String test2 = "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>";
- String result2 = instance.getValidSafeHTML("test", test2, 100, false, errors);
- assertEquals(test2, result2);
-
- String test3 = "Test. <script>alert(document.cookie)</script>";
- assertEquals("Test.", rule.getSafe("test", test3));
-
- assertEquals("Test. <<div>load=alert()</div>", rule.getSafe("test", "Test. <<div on<script></script>load=alert()"));
- assertEquals("Test. <div>b</div>", rule.getSafe("test", "Test. <div style={xss:expression(xss)}>b</div>"));
- assertEquals("Test.", rule.getSafe("test", "Test. <s%00cript>alert(document.cookie)</script>"));
- assertEquals("Test. alert(document.cookie)", rule.getSafe("test", "Test. <s\tcript>alert(document.cookie)</script>"));
- assertEquals("Test. alert(document.cookie)", rule.getSafe("test", "Test. 
<s\tcript>alert(document.cookie)</script>"));
- // TODO: ENHANCE waiting for a way to validate text headed for an attribute for scripts
- // This would be nice to catch, but just looks like text to AntiSamy
- // assertFalse(instance.isValidSafeHTML("test", "\" onload=\"alert(document.cookie)\" "));
- // String result4 = instance.getValidSafeHTML("test", test4);
- // assertEquals("", result4);
- }
-
 public void testIsInvalidFilename() {
 System.out.println("testIsInvalidFilename");
 Validator instance = ESAPI.validator();
@@ -913,33 +878,6 @@ public class ValidatorTest extends TestCase {
 // isValidRedirectLocation(String, String, boolean)
 }
 
- public void testIsValidSafeHTML() {
- System.out.println("isValidSafeHTML");
- Validator instance = ESAPI.validator();
-
- assertTrue(instance.isValidSafeHTML("test", "<b>Jeff</b>", 100, false));
- assertTrue(instance.isValidSafeHTML("test", "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>", 100, false));
- assertTrue(instance.isValidSafeHTML("test", "Test. <script>alert(document.cookie)</script>", 100, false));
- assertTrue(instance.isValidSafeHTML("test", "Test. <div style={xss:expression(xss)}>", 100, false));
- assertTrue(instance.isValidSafeHTML("test", "Test. <s%00cript>alert(document.cookie)</script>", 100, false));
- assertTrue(instance.isValidSafeHTML("test", "Test. <s\tcript>alert(document.cookie)</script>", 100, false));
- assertTrue(instance.isValidSafeHTML("test", "Test. <s\r\n\0cript>alert(document.cookie)</script>", 100, false));
-
- // TODO: waiting for a way to validate text headed for an attribute for scripts
- // This would be nice to catch, but just looks like text to AntiSamy
- // assertFalse(instance.isValidSafeHTML("test", "\" onload=\"alert(document.cookie)\" "));
- ValidationErrorList errors = new ValidationErrorList();
- assertTrue(instance.isValidSafeHTML("test1", "<b>Jeff</b>", 100, false, errors));
- assertTrue(instance.isValidSafeHTML("test2", "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>", 100, false, errors));
- assertTrue(instance.isValidSafeHTML("test3", "Test. <script>alert(document.cookie)</script>", 100, false, errors));
- assertTrue(instance.isValidSafeHTML("test4", "Test. <div style={xss:expression(xss)}>", 100, false, errors));
- assertTrue(instance.isValidSafeHTML("test5", "Test. <s%00cript>alert(document.cookie)</script>", 100, false, errors));
- assertTrue(instance.isValidSafeHTML("test6", "Test. 
<s\tcript>alert(document.cookie)</script>", 100, false, errors));
- assertTrue(instance.isValidSafeHTML("test7", "Test. <s\r\n\0cript>alert(document.cookie)</script>", 100, false, errors));
- assertTrue(errors.size() == 0);
-
- }
-
 public void testSafeReadLine() {
 System.out.println("safeReadLine");