Class: Owasp::Esapi::Validator::StringRule

Inherits:
BaseRule
  • Object
Defined in:
lib/validator/string_rule.rb

Overview

A validator performs syntax and possibly semantic validation of a single piece of string data from an untrusted source.

Instance Attribute Summary collapse

Attributes inherited from BaseRule

#allow_nil, #encoder, #name

Instance Method Summary collapse

Methods inherited from BaseRule

#safe, #valid?, #validate, #whitelist

Constructor Details

#initialize(type, encoder = nil, whitelist_pattern = nil) ⇒ StringRule

Create an instance of the String validator. `whitelist_pattern` is an optional whitelisting regex (String or Regexp) that the entire input must match.


# File 'lib/validator/string_rule.rb', line 14

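# Create a String validator.
#
# type              - rule name handed to BaseRule (exposed as #name and used in log lines)
# encoder           - encoder handed to BaseRule; #valid calls encoder.canonicalize when
#                     canonicalization is enabled
# whitelist_pattern - optional whitelist pattern (String or Regexp) the whole input must
#                     match; compiled through #add_whitelist so it is treated exactly like
#                     patterns registered later
#
# Defaults: no blacklist, min length 0, max length 0 (0 means "no upper bound" in
# #check_length), canonicalization off.
#
# Why go through #add_whitelist instead of appending the raw value: with a String
# pattern, #check_white_list would call String#match(input), which compiles the *input*
# as the regex and runs it against the pattern text -- inverted semantics and an
# untrusted-regex (ReDoS) exposure. Compiling here keeps every whitelist entry a Regexp.
def initialize(type,encoder = nil,whitelist_pattern = nil)
  super(type,encoder)
  @white_list = []
  @black_list = []
  add_whitelist(whitelist_pattern) unless whitelist_pattern.nil?
  @min = 0
  @max = 0
  @canonicalize = false
end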

Instance Attribute Details

#canonicalize=(value) ⇒ Object (writeonly)

Sets the attribute canonicalize

Parameters:

  • value

    the value to set the attribute canonicalize to.


# File 'lib/validator/string_rule.rb', line 10

# Enable or disable canonicalization for #valid.
#
# Only truthiness matters: any truthy value turns the canonicalization pass on.
# When on, #valid canonicalizes the input through the rule's encoder and returns
# that canonical form instead of the raw input (see #valid for the check order).
def canonicalize=(value)
  @canonicalize = value
end

#max=(value) ⇒ Object (writeonly)

Sets the attribute max

Parameters:

  • value

    the value to set the attribute max to.


# File 'lib/validator/string_rule.rb', line 10

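# Set the maximum accepted length for #check_length (in characters, via String#size).
#
# value - Integer-like; 0 keeps the input unbounded, so callers validating untrusted
#         data should set a real cap. Coerced with Kernel#Integer so a nil or garbage
#         value fails here, at configuration time, instead of as a comparison error
#         inside #check_length on the first request.
#
# Raises ArgumentError for a negative value, and TypeError/ArgumentError (from
# Kernel#Integer) for a value that is not an integer.
def max=(value)
  limit = Integer(value)
  raise ArgumentError, "max must be >= 0 (0 = unbounded), got #{limit}" if limit < 0
  @max = limit
end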

#min=(value) ⇒ Object (writeonly)

Sets the attribute min

Parameters:

  • value

    the value to set the attribute min to.


# File 'lib/validator/string_rule.rb', line 10

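# Set the minimum accepted length for #check_length (in characters, via String#size).
#
# value - Integer-like, >= 0. Coerced with Kernel#Integer so a nil or garbage value
#         fails here, at configuration time, instead of as a comparison error inside
#         #check_length on the first request.
#
# Raises ArgumentError for a negative value, and TypeError/ArgumentError (from
# Kernel#Integer) for a value that is not an integer.
def min=(value)
  floor = Integer(value)
  raise ArgumentError, "min must be >= 0, got #{floor}" if floor < 0
  @min = floor
end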

Instance Method Details

#add_blacklist(p) ⇒ Object

Add a blacklist regex

Raises:

  • (ArgumentError)

# File 'lib/validator/string_rule.rb', line 31

# Register a blacklist pattern (String or Regexp). Input matching it anywhere
# is rejected by #check_black_list.
#
# Raises ArgumentError when p is nil: a nil pattern would interpolate to the
# empty regex //, which matches every input.
def add_blacklist(p)
  raise ArgumentError, "Nil Pattern" if p.nil?
  compiled = create_regex(p)
  @black_list.push(compiled)
end

#add_whitelist(p) ⇒ Object

Add a whitelist regex

Raises:

  • (ArgumentError)

# File 'lib/validator/string_rule.rb', line 25

# Register a whitelist pattern (String or Regexp). #check_white_list requires
# the whole input to match every registered pattern.
#
# Raises ArgumentError when p is nil: a nil pattern would interpolate to the
# empty regex //, whose first match is always "" and so rejects everything
# except the empty string.
def add_whitelist(p)
  raise ArgumentError, "Nil Pattern" if p.nil?
  compiled = create_regex(p)
  @white_list.push(compiled)
end

#check_black_list(context, input, original = nil) ⇒ Object

Checks input against blacklists.


# File 'lib/validator/string_rule.rb', line 68

# Reject input that matches any blacklist pattern anywhere in the string.
#
# context  - label for messages and logs
# input    - the String under test
# original - pre-canonicalization value for the log line; defaults to a copy of input
#
# Returns input unchanged when no pattern matches. Blacklisting is a secondary
# control: an empty @black_list rejects nothing, so whitelist patterns and
# length bounds should carry the primary validation.
#
# Raises Owasp::Esapi::ValidationException on the first matching pattern. The
# log line carries the raw input and original -- this assumes the ESAPI logger
# neutralises newlines; confirm before feeding these logs to an aggregator.
def check_black_list(context,input,original = nil)
  original = input.dup if original.nil?
  offending = @black_list.find { |pattern| pattern.match(input) }
  return input if offending.nil?
  user = "#{context}: Invalid input. Dangerous input matching #{offending.to_s}"
  log = "Dangerous input: context=#{context}, type=#{@name}, pattern=#{offending.to_s}"
  log << ", input=#{input}, original=#{original}"
  raise Owasp::Esapi::ValidationException.new(user,log,context)
end

#check_empty(context, input, orig = nil) ⇒ Object


# File 'lib/validator/string_rule.rb', line 104

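# Reject nil or empty input.
#
# context - label for messages and logs
# input   - the value under test
# orig    - pre-canonicalization value for the log line; defaults to input. The
#           original ignored this parameter and read an unset local instead.
#
# Returns nil when nil input is permitted (@allow_nil) and input is nil, and
# input itself when it is non-empty.
#
# Raises Owasp::Esapi::ValidationException for nil (when not allowed) or "".
# The log line no longer carries a "pattern=" field: no pattern is involved
# here, and the original built that field from Kernel#p (always empty). Input
# is logged raw -- assumed the ESAPI logger neutralises newlines; confirm before
# feeding these logs to an aggregator.
def check_empty(context,input,orig = nil)
  return nil if @allow_nil && input.nil?
  return input unless input.nil? || input.empty?
  original = orig.nil? ? input : orig
  user = "#{context}: Input required."
  log = "Input required: context=#{context}, type=#{@name}"
  log << ", input=#{input}, original=#{original}"
  raise Owasp::Esapi::ValidationException.new(user,log,context)
end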

#check_length(context, input, original = nil) ⇒ Object

Checks input lengths


# File 'lib/validator/string_rule.rb', line 85

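# Enforce the configured length bounds on input.
#
# context  - label for messages and logs
# input    - the String under test
# original - pre-canonicalization value for the log line; defaults to a copy of input
#
# Length is String#size, i.e. characters, not bytes: a sink with a byte limit
# (DB column, fixed buffer) needs its own check. @max of 0 means "no upper
# bound", so an unconfigured rule accepts input of any length.
#
# Returns input unchanged when both bounds hold.
#
# Raises Owasp::Esapi::ValidationException when shorter than @min or, with a
# positive @max, longer than @max. The "pattern=" field the original wrote to
# the log was built from Kernel#p (no pattern exists here) and is dropped.
def check_length(context,input,original = nil)
  original = input.dup if original.nil?
  length = input.size
  if length < @min
    user = "#{context}: Invalid input, The min length is #{@min} characters"
    log = "Input didnt meet #{@min} chars by #{length}: context=#{context}, type=#{@name}"
    log << ", input=#{input}, original=#{original}"
    raise Owasp::Esapi::ValidationException.new(user,log,context)
  end
  if @max > 0 && length > @max
    user = "#{context}: Invalid input, The max length is #{@max} characters"
    log = "Input exceed #{@max} chars by #{length}: context=#{context}, type=#{@name}"
    log << ", input=#{input}, original=#{original}"
    raise Owasp::Esapi::ValidationException.new(user,log,context)
  end
  input
end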

#check_white_list(context, input, original = nil) ⇒ Object

Checks input against whitelists.


# File 'lib/validator/string_rule.rb', line 49

# Require the whole input to match every whitelist pattern.
#
# context  - label for messages and logs
# input    - the String under test
# original - pre-canonicalization value for the log line; defaults to a copy of input
#
# A pattern passes only when its first match equals the entire input. That is
# the full-string anchoring that ^/$ do not provide (they match per line), at
# the cost of rejecting inputs where the first match is shorter than a possible
# full match (e.g. lazy quantifiers) -- it fails closed. An empty @white_list
# accepts everything, so a rule meant for untrusted input needs at least one
# pattern.
#
# Returns input unchanged when every pattern matches the whole string.
#
# Raises Owasp::Esapi::ValidationException on the first pattern that does not.
# The log line carries the raw input and original -- assumed the ESAPI logger
# neutralises newlines; confirm before feeding these logs to an aggregator.
def check_white_list(context,input,original = nil)
  original = input.dup if original.nil?
  @white_list.each do |pattern|
    m = pattern.match(input)
    next if m && m[0].eql?(input)
    user = "#{context}: Invalid input. Conform to #{pattern.to_s}"
    user << " with a max length of #{@max}" unless @max == 0
    log = "Invalid input: context=#{context}, type=#{@name}, pattern=#{pattern.to_s}"
    log << ", input=#{input}, original=#{original}"
    raise Owasp::Esapi::ValidationException.new(user,log,context)
  end
  input
end

#create_regex(p) ⇒ Object

Compile the pattern while suppressing Ruby's regexp warnings on stderr; a malformed pattern still fails by raising RegexpError rather than printing a warning.


# File 'lib/validator/string_rule.rb', line 37

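# Compile a pattern (String or Regexp) into a Regexp without letting Ruby's
# regexp warnings reach stderr. A malformed pattern still raises RegexpError.
#
# Why swap $stderr: warnings emitted while compiling are written to $stderr,
# and a validator library should not write to the application's console. The
# original restored STDERR unconditionally, which clobbered any redirection the
# host application had in place (test harnesses, log capture); we now restore
# whatever was there before. NOTE: $stderr is process-global, so stderr output
# from other threads during this window is swallowed too -- register patterns
# at startup, not per request.
def create_regex(p) #:nodoc:
  previous = $stderr
  sink = StringIO.new
  $stderr = sink
  begin
    /#{p}/
  ensure
    $stderr = previous
    sink.close
  end
end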

#sanitize(context, input) ⇒ Object

Remove any non-alphanumeric characters from the string.


# File 'lib/validator/string_rule.rb', line 117

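# Reduce input to its alphanumeric characters via BaseRule#whitelist.
#
# context - accepted for interface parity with #valid; not used here
# input   - the String to sanitize
#
# The original referenced Owasp::Esapi::Ecnoder, a misspelling that raises
# NameError on every call; Encoder is assumed to be the intended constant --
# confirm it defines CHAR_ALPHANUMERIC. Presumably this drops disallowed
# characters silently rather than rejecting the input, so prefer #valid
# wherever the caller can surface a validation error instead.
def sanitize(context,input)
  whitelist(input,Owasp::Esapi::Encoder::CHAR_ALPHANUMERIC)
end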

#valid(context, input) ⇒ Object

Parse the input, raise exceptions if validation fails see BaseRule


# File 'lib/validator/string_rule.rb', line 123

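# Validate input against this rule and return the value to use downstream:
# the canonical form when canonicalization is on, otherwise the input itself.
#
# context - label for messages and logs
# input   - the untrusted String (or nil)
#
# Flow: empty check; when @canonicalize is set, length/whitelist/blacklist
# checks on the raw input, then encoder.canonicalize; then empty/length/
# whitelist/blacklist checks on the value actually being returned. The
# original ran the second round against `input` again, so the canonicalized
# value was handed back without ever being checked -- an encoded payload that
# passed the raw checks came out decoded and unvalidated. The second round now
# inspects `data`, with `input` supplied as the "original" for log lines.
#
# Returns nil when nil input is allowed (see #check_empty).
#
# Raises Owasp::Esapi::ValidationException on any failed check.
def valid(context,input)
  return nil if check_empty(context,input).nil?
  if @canonicalize
    # pre-canonicalization pass: reject obvious junk before decoding it
    check_length(context,input)
    check_white_list(context,input)
    check_black_list(context,input)
    data = encoder.canonicalize(input)
  else
    data = input
  end
  # post-canonicalization pass on the value we are about to hand back
  return nil if check_empty(context,data,input).nil?
  check_length(context,data,input)
  check_white_list(context,data,input)
  check_black_list(context,data,input)
  data
end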