
owasp-esapi-java-2.1.0-2.fc20.src.rpm

From e744a153e6f6993a852876abcb4e3f1810fb2628 Mon Sep 17 00:00:00 2001
From: Marek Goldmann <goldmann@fedoraproject.org>
Date: Wed, 14 Nov 2012 10:04:21 +0100
Subject: [PATCH] Remove validator implementation bsed on Antisammy

---
 .../owasp/esapi/reference/DefaultValidator.java    |  28 +----
 .../reference/validation/HTMLValidationRule.java   | 129 ---------------------
 .../org/owasp/esapi/reference/ValidatorTest.java   |  62 ----------
 3 files changed, 3 insertions(+), 216 deletions(-)
 delete mode 100644 src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java

diff --git a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java
index 85c3343..ced7747 100644
--- a/src/main/java/org/owasp/esapi/reference/DefaultValidator.java
+++ b/src/main/java/org/owasp/esapi/reference/DefaultValidator.java
@@ -43,7 +43,6 @@ import org.owasp.esapi.errors.ValidationAvailabilityException;
 import org.owasp.esapi.errors.ValidationException;
 import org.owasp.esapi.reference.validation.CreditCardValidationRule;
 import org.owasp.esapi.reference.validation.DateValidationRule;
-import org.owasp.esapi.reference.validation.HTMLValidationRule;
 import org.owasp.esapi.reference.validation.IntegerValidationRule;
 import org.owasp.esapi.reference.validation.NumberValidationRule;
 import org.owasp.esapi.reference.validation.StringValidationRule;
@@ -307,25 +306,14 @@ public class DefaultValidator implements org.owasp.esapi.Validator {
 	 * {@inheritDoc}
 	 */
 	public boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull) throws IntrusionException {
-		try {
-			getValidSafeHTML( context, input, maxLength, allowNull);
-			return true;
-		} catch( Exception e ) {
-			return false;
-		}
+		return false;
 	}
 
         /**
 	 * {@inheritDoc}
 	 */
 	public boolean isValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException {
-		try {
-			getValidSafeHTML( context, input, maxLength, allowNull);
-			return true;
-		} catch( ValidationException e ) {
-            errors.addError(context, e);
-			return false;
-		}
+    return false;
 	}
 
 	/**
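Review bot: The errors overload's new `return false;` rejects every input without recording anything in `errors`, so a caller that collects errors and then checks `errors.size()` (as the test deleted later in this patch does) sees a rejection with no reason, and a caller that only inspects the list would conclude validation passed. Add `errors.addError(context, new ValidationException(context + ": safe HTML validation is not available in this build", "HTMLValidationRule was removed from this package", context));` before the return, mirroring the catch block the patch removes. Both stubs still carry `{@inheritDoc}`, which now describes AntiSamy-backed behavior that no longer exists; a one-line comment such as `// Always rejects: the AntiSamy-backed HTMLValidationRule is not shipped in this build` on each method would save the next reader a trip to the history. The `return false;` in the second stub is also indented with four spaces where the rest of the method uses tabs.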
@@ -334,23 +322,13 @@ public class DefaultValidator implements org.owasp.esapi.Validator {
 	 * This implementation relies on the OWASP AntiSamy project.
 	 */
 	public String getValidSafeHTML( String context, String input, int maxLength, boolean allowNull ) throws ValidationException, IntrusionException {
-		HTMLValidationRule hvr = new HTMLValidationRule( "safehtml", encoder );
-		hvr.setMaximumLength(maxLength);
-		hvr.setAllowNull(allowNull);
-		hvr.setValidateInputAndCanonical(false);
-		return hvr.getValid(context, input);
+		return "";
 	}
 
 	/**
 	 * {@inheritDoc}
 	 */
 	public String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException {
-		try {
-			return getValidSafeHTML(context, input, maxLength, allowNull);
-		} catch (ValidationException e) {
-			errors.addError(context, e);
-		}
-
 		return "";
 	}
 
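Review bot: `getValidSafeHTML` now returns `""` for every input without throwing, so a caller that stores the result believes it received sanitized HTML and silently loses the content; the signature already declares `ValidationException`, so fail closed explicitly with `throw new ValidationException(context + ": safe HTML validation is not available in this build", "HTMLValidationRule was removed; no AntiSamy policy is loaded", context);` in place of `return "";`. The errors overload has the same gap — it returns `""` with `errors` untouched — so add `errors.addError(context, new ValidationException(...));` with the same message before its return, as the removed catch block did. The Javadoc line `This implementation relies on the OWASP AntiSamy project.` is not touched by the patch but is now false; replace it with a note that safe-HTML validation is unavailable in this build and always fails. `ValidationAvailabilityException` is still imported at the top of the file and may be the more precise type if it extends `ValidationException` — verify before switching.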
diff --git a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java b/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
deleted file mode 100644
index e08e2b0..0000000
--- a/src/main/java/org/owasp/esapi/reference/validation/HTMLValidationRule.java
+++ /dev/null
@@ -1,129 +0,0 @@
-/**
- * OWASP Enterprise Security API (ESAPI)
- * 
- * This file is part of the Open Web Application Security Project (OWASP)
- * Enterprise Security API (ESAPI) project. For details, please see
- * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
- *
- * Copyright (c) 2007 - The OWASP Foundation
- * 
- * The ESAPI is published by OWASP under the BSD license. You should read and accept the
- * LICENSE before you use, modify, and/or redistribute this software.
- * 
- * @author Jeff Williams <a href="http://www.aspectsecurity.com">Aspect Security</a>
- * @created 2007
- */
-package org.owasp.esapi.reference.validation;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.List;
-
-import org.owasp.esapi.errors.ConfigurationException;
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.Encoder;
-import org.owasp.esapi.Logger;
-import org.owasp.esapi.StringUtilities;
-import org.owasp.esapi.errors.ValidationException;
-import org.owasp.validator.html.AntiSamy;
-import org.owasp.validator.html.CleanResults;
-import org.owasp.validator.html.Policy;
-import org.owasp.validator.html.PolicyException;
-import org.owasp.validator.html.ScanException;
-
-
-/**
- * A validator performs syntax and possibly semantic validation of a single
- * piece of data from an untrusted source.
- * 
- * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) <a
- *         href="http://www.aspectsecurity.com">Aspect Security</a>
- * @since June 1, 2007
- * @see org.owasp.esapi.Validator
- */
-public class HTMLValidationRule extends StringValidationRule {
-	
-	/** OWASP AntiSamy markup verification policy */
-	private static Policy antiSamyPolicy = null;
-	private static final Logger LOGGER = ESAPI.getLogger( "HTMLValidationRule" ); 
-	
-	static {
-        InputStream resourceStream = null;
-		try {
-			resourceStream = ESAPI.securityConfiguration().getResourceStream("antisamy-esapi.xml");
-		} catch (IOException e) {
-			throw new ConfigurationException("Couldn't find antisamy-esapi.xml", e);
-	            }
-        if (resourceStream != null) {
-        	try {
-				antiSamyPolicy = Policy.getInstance(resourceStream);
-			} catch (PolicyException e) {
-				throw new ConfigurationException("Couldn't parse antisamy policy", e);
-		        }
-			}
-		}
-
-	public HTMLValidationRule( String typeName ) {
-		super( typeName );
-	}
-	
-	public HTMLValidationRule( String typeName, Encoder encoder ) {
-		super( typeName, encoder );
-	}
-
-	public HTMLValidationRule( String typeName, Encoder encoder, String whitelistPattern ) {
-		super( typeName, encoder, whitelistPattern );
-	}
-	
-    /**
-     * {@inheritDoc}
-     */
-	@Override
-	public String getValid( String context, String input ) throws ValidationException {
-		return invokeAntiSamy( context, input );
-	}
-		
-    /**
-     * {@inheritDoc}
-     */
-	@Override
-	public String sanitize( String context, String input ) {
-		String safe = "";
-		try {
-			safe = invokeAntiSamy( context, input );
-		} catch( ValidationException e ) {
-			// just return safe
-		}
-		return safe;
-	}
-
-	private String invokeAntiSamy( String context, String input ) throws ValidationException {
-		// CHECKME should this allow empty Strings? "   " us IsBlank instead?
-	    if ( StringUtilities.isEmpty(input) ) {
-			if (allowNull) {
-				return null;
-			}
-			throw new ValidationException( context + " is required", "AntiSamy validation error: context=" + context + ", input=" + input, context );
-	    }
-	    
-		String canonical = super.getValid( context, input );
-
-		try {
-			AntiSamy as = new AntiSamy();
-			CleanResults test = as.scan(canonical, antiSamyPolicy);
-			
-			List<String> errors = test.getErrorMessages();
-			if ( !errors.isEmpty() ) {
-				LOGGER.info( Logger.SECURITY_FAILURE, "Cleaned up invalid HTML input: " + errors );
-			}
-			
-			return test.getCleanHTML().trim();
-			
-		} catch (ScanException e) {
-			throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input: context=" + context + " error=" + e.getMessage(), e, context );
-		} catch (PolicyException e) {
-			throw new ValidationException( context + ": Invalid HTML input", "Invalid HTML input does not follow rules in antisamy-esapi.xml: context=" + context + " error=" + e.getMessage(), e, context );
-		}
-	}
-}
-
diff --git a/src/test/java/org/owasp/esapi/reference/ValidatorTest.java b/src/test/java/org/owasp/esapi/reference/ValidatorTest.java
index 9402630..fbb19f7 100644
--- a/src/test/java/org/owasp/esapi/reference/ValidatorTest.java
+++ b/src/test/java/org/owasp/esapi/reference/ValidatorTest.java
@@ -34,7 +34,6 @@ import org.owasp.esapi.errors.ValidationException;
 import org.owasp.esapi.filters.SecurityWrapperRequest;
 import org.owasp.esapi.http.MockHttpServletRequest;
 import org.owasp.esapi.http.MockHttpServletResponse;
-import org.owasp.esapi.reference.validation.HTMLValidationRule;
 import org.owasp.esapi.reference.validation.StringValidationRule;
 
 import javax.servlet.http.Cookie;
@@ -273,40 +272,6 @@ public class ValidatorTest extends TestCase {
         // instance.getValidRedirectLocation(String, String, boolean, ValidationErrorList)
     }
 
-    public void testGetValidSafeHTML() throws Exception {
-        System.out.println("getValidSafeHTML");
-        Validator instance = ESAPI.validator();
-        ValidationErrorList errors = new ValidationErrorList();
-
-        // new school test case setup
-        HTMLValidationRule rule = new HTMLValidationRule("test");
-        ESAPI.validator().addRule(rule);
-
-        assertEquals("Test.", ESAPI.validator().getRule("test").getValid("test", "Test. <script>alert(document.cookie)</script>"));
-
-        String test1 = "<b>Jeff</b>";
-        String result1 = instance.getValidSafeHTML("test", test1, 100, false, errors);
-        assertEquals(test1, result1);
-
-        String test2 = "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>";
-        String result2 = instance.getValidSafeHTML("test", test2, 100, false, errors);
-        assertEquals(test2, result2);
-
-        String test3 = "Test. <script>alert(document.cookie)</script>";
-        assertEquals("Test.", rule.getSafe("test", test3));
-
-        assertEquals("Test. &lt;<div>load=alert()</div>", rule.getSafe("test", "Test. <<div on<script></script>load=alert()"));
-        assertEquals("Test. <div>b</div>", rule.getSafe("test", "Test. <div style={xss:expression(xss)}>b</div>"));
-        assertEquals("Test.", rule.getSafe("test", "Test. <s%00cript>alert(document.cookie)</script>"));
-        assertEquals("Test. alert(document.cookie)", rule.getSafe("test", "Test. <s\tcript>alert(document.cookie)</script>"));
-        assertEquals("Test. alert(document.cookie)", rule.getSafe("test", "Test. <s\tcript>alert(document.cookie)</script>"));
-        // TODO: ENHANCE waiting for a way to validate text headed for an attribute for scripts
-        // This would be nice to catch, but just looks like text to AntiSamy
-        // assertFalse(instance.isValidSafeHTML("test", "\" onload=\"alert(document.cookie)\" "));
-        // String result4 = instance.getValidSafeHTML("test", test4);
-        // assertEquals("", result4);
-    }
-
     public void testIsInvalidFilename() {
         System.out.println("testIsInvalidFilename");
         Validator instance = ESAPI.validator();
@@ -913,33 +878,6 @@ public class ValidatorTest extends TestCase {
         //		isValidRedirectLocation(String, String, boolean)
     }
 
-    public void testIsValidSafeHTML() {
-        System.out.println("isValidSafeHTML");
-        Validator instance = ESAPI.validator();
-
-        assertTrue(instance.isValidSafeHTML("test", "<b>Jeff</b>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "Test. <script>alert(document.cookie)</script>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "Test. <div style={xss:expression(xss)}>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "Test. <s%00cript>alert(document.cookie)</script>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "Test. <s\tcript>alert(document.cookie)</script>", 100, false));
-        assertTrue(instance.isValidSafeHTML("test", "Test. <s\r\n\0cript>alert(document.cookie)</script>", 100, false));
-
-        // TODO: waiting for a way to validate text headed for an attribute for scripts
-        // This would be nice to catch, but just looks like text to AntiSamy
-        // assertFalse(instance.isValidSafeHTML("test", "\" onload=\"alert(document.cookie)\" "));
-        ValidationErrorList errors = new ValidationErrorList();
-        assertTrue(instance.isValidSafeHTML("test1", "<b>Jeff</b>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test2", "<a href=\"http://www.aspectsecurity.com\">Aspect Security</a>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test3", "Test. <script>alert(document.cookie)</script>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test4", "Test. <div style={xss:expression(xss)}>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test5", "Test. <s%00cript>alert(document.cookie)</script>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test6", "Test. <s\tcript>alert(document.cookie)</script>", 100, false, errors));
-        assertTrue(instance.isValidSafeHTML("test7", "Test. <s\r\n\0cript>alert(document.cookie)</script>", 100, false, errors));
-        assertTrue(errors.size() == 0);
-
-    }
-
     public void testSafeReadLine() {
         System.out.println("safeReadLine");