Posted to commits@struts.apache.org by lu...@apache.org on 2014/05/21 09:04:11 UTC
[4/5] git commit: Defines new service to check accepted patterns
Defines new service to check accepted patterns
Project: http://git-wip-us.apache.org/repos/asf/struts/repo
Commit: http://git-wip-us.apache.org/repos/asf/struts/commit/b140faad
Tree: http://git-wip-us.apache.org/repos/asf/struts/tree/b140faad
Diff: http://git-wip-us.apache.org/repos/asf/struts/diff/b140faad
Branch: refs/heads/feature/exclude-object-class
Commit: b140faad2813809c132ef75e4459f6dbbee664b8
Parents: 97ef7b5
Author: Lukasz Lenart <lu...@apache.org>
Authored: Wed May 21 09:03:30 2014 +0200
Committer: Lukasz Lenart <lu...@apache.org>
Committed: Wed May 21 09:03:30 2014 +0200
----------------------------------------------------------------------
.../security/AcceptedPatternsChecker.java | 82 ++++++++++++++++++
.../DefaultAcceptedPatternsChecker.java | 88 ++++++++++++++++++++
2 files changed, 170 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/struts/blob/b140faad/xwork-core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java
new file mode 100644
index 0000000..6ea9ec9
--- /dev/null
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/AcceptedPatternsChecker.java
@@ -0,0 +1,82 @@
+package com.opensymphony.xwork2.security;
+
+import java.util.Set;
+import java.util.regex.Pattern;
+
+/**
+ * Used across different interceptors to check if given string matches one of the excluded patterns.
+ */
+public interface AcceptedPatternsChecker {
+
+ /**
+ * Checks if value matches any of patterns on exclude list
+ *
+ * @param value to check
+ * @return object containing result of matched pattern and pattern itself
+ */
+ public IsAccepted isAccepted(String value);
+
+ /**
+ * Allows add additional excluded patterns during runtime
+ *
+ * @param commaDelimitedPatterns comma delimited string with patterns
+ */
+ public void addAcceptedPatterns(String commaDelimitedPatterns);
+
+ /**
+ * Allows add additional excluded patterns during runtime
+ *
+ * @param additionalPatterns array of additional excluded patterns
+ */
+ public void addAcceptedPatterns(String[] additionalPatterns);
+
+ /**
+ * Allows add additional excluded patterns during runtime
+ *
+ * @param additionalPatterns set of additional patterns
+ */
+ public void addAcceptedPatterns(Set<String> additionalPatterns);
+
+ /**
+ * Allow access list of all defined excluded patterns
+ *
+ * @return set of excluded patterns
+ */
+ public Set<Pattern> getAcceptedPatterns();
+
+ public final static class IsAccepted {
+
+ private final boolean accepted;
+ private final Pattern acceptedPattern;
+
+ public static IsAccepted yes(Pattern acceptedPattern) {
+ return new IsAccepted(true, acceptedPattern);
+ }
+
+ public static IsAccepted no() {
+ return new IsAccepted(false, null);
+ }
+
+ private IsAccepted(boolean accepted, Pattern acceptedPattern) {
+ this.accepted = accepted;
+ this.acceptedPattern = acceptedPattern;
+ }
+
+ public boolean isAccepted() {
+ return accepted;
+ }
+
+ public Pattern getAcceptedPattern() {
+ return acceptedPattern;
+ }
+
+ @Override
+ public String toString() {
+ return "IsAccepted {" +
+ "accepted=" + accepted +
+ ", acceptedPattern=" + acceptedPattern +
+ " }";
+ }
+ }
+
+}
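Review bot: The Javadoc in this interface describes an exclude list although the type is an allowlist checker: the interface comment, `isAccepted`, the three `addAcceptedPatterns` overloads and `getAcceptedPatterns` all say "excluded patterns", which looks carried over from an excluded-patterns counterpart (inferred, not visible here). Callers use this result to decide whether a value is let through, so inverted wording invites someone to wire the check the wrong way round. I would reword to, for example, `Checks if value matches any of the patterns on the accepted list` and `@return set of accepted patterns`. `getAcceptedPattern()` should also document that it returns `null` when the result came from `IsAccepted.no()`.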
http://git-wip-us.apache.org/repos/asf/struts/blob/b140faad/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
----------------------------------------------------------------------
diff --git a/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
new file mode 100644
index 0000000..fa1b8e1
--- /dev/null
+++ b/xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultAcceptedPatternsChecker.java
@@ -0,0 +1,88 @@
+package com.opensymphony.xwork2.security;
+
+import com.opensymphony.xwork2.XWorkConstants;
+import com.opensymphony.xwork2.inject.Inject;
+import com.opensymphony.xwork2.util.TextParseUtil;
+import com.opensymphony.xwork2.util.logging.Logger;
+import com.opensymphony.xwork2.util.logging.LoggerFactory;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+public class DefaultAcceptedPatternsChecker implements AcceptedPatternsChecker {
+
+ private static final Logger LOG = LoggerFactory.getLogger(DefaultAcceptedPatternsChecker.class);
+
+ public static final String[] ACCEPTED_PATTERNS = {
+ "\\w+((\\.\\w+)|(\\[\\d+\\])|(\\(\\d+\\))|(\\['(\\w|[\\u4e00-\\u9fa5])+'\\])|(\\('(\\w|[\\u4e00-\\u9fa5])+'\\)))*"
+ };
+
+ private Set<Pattern> acceptedPatterns;
+
+ public DefaultAcceptedPatternsChecker() {
+ acceptedPatterns = new HashSet<Pattern>();
+ for (String pattern : ACCEPTED_PATTERNS) {
+ acceptedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ @Inject(value = XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, required = false)
+ public void setOverrideAcceptedPatterns(String acceptablePatterns) {
+ if (LOG.isWarnEnabled()) {
+ LOG.warn("Overriding [#0] with [#1], be aware that this can affect safety of your application!",
+ XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, acceptablePatterns);
+ }
+ acceptedPatterns = new HashSet<Pattern>();
+ for (String pattern : TextParseUtil.commaDelimitedStringToSet(acceptablePatterns)) {
+ acceptedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ @Inject(value = XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, required = false)
+ public void setOverrideExcludePatterns(String acceptPatterns) {
+ if (LOG.isWarnEnabled()) {
+ LOG.warn("Overriding [#0] with [#1], be aware that this can affect safety of your application!",
+ XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS, acceptedPatterns);
+ }
+ acceptedPatterns = new HashSet<Pattern>();
+ for (String pattern : TextParseUtil.commaDelimitedStringToSet(acceptPatterns)) {
+ acceptedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ public void addAcceptedPatterns(String commaDelimitedPatterns) {
+ addAcceptedPatterns(TextParseUtil.commaDelimitedStringToSet(commaDelimitedPatterns));
+ }
+
+ public void addAcceptedPatterns(String[] additionalPatterns) {
+ addAcceptedPatterns(new HashSet<String>(Arrays.asList(additionalPatterns)));
+ }
+
+ public void addAcceptedPatterns(Set<String> additionalPatterns) {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("Adding additional excluded patterns [#0]", additionalPatterns);
+ }
+ for (String pattern : additionalPatterns) {
+ acceptedPatterns.add(Pattern.compile(pattern));
+ }
+ }
+
+ public IsAccepted isAccepted(String value) {
+ for (Pattern acceptedPattern : acceptedPatterns) {
+ if (acceptedPattern.matcher(value).matches()) {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("[#0] matches accepted pattern [#1]", value, acceptedPattern);
+ }
+ return IsAccepted.yes(acceptedPattern);
+ }
+ }
+ return IsAccepted.no();
+ }
+
+ public Set<Pattern> getAcceptedPatterns() {
+ return acceptedPatterns;
+ }
+
+}
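Review bot: `setOverrideExcludePatterns` duplicates `setOverrideAcceptedPatterns`: both are `@Inject`ed with `XWorkConstants.OVERRIDE_ACCEPTED_PATTERNS` and both replace the set, so the same constant is presumably applied twice. The second one's warning also logs the field `acceptedPatterns` (the set about to be discarded) instead of its parameter `acceptPatterns`. I would drop the duplicate setter, or at minimum change its log argument to `acceptPatterns`, so the audit trail shows the value that actually takes effect. Separately, `getAcceptedPatterns()` returns the live `HashSet`, so any caller can widen or empty the allowlist; returning `Collections.unmodifiableSet(acceptedPatterns)` would keep changes on the `addAcceptedPatterns` path. The trace text in `addAcceptedPatterns(Set<String>)` should read `Adding additional accepted patterns [#0]`.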