Class: Owasp::Esapi::Validator::StringRule

Inherits:

BaseRule

• Object
• BaseRule
• Owasp::Esapi::Validator::StringRule

Defined in:

lib/validator/string_rule.rb

Overview

A validator performs syntax and possibly semantic validation of a single piece of string data from an untrusted source.

Instance Attribute Summary

• #canonicalize ⇒ Object writeonly

  Sets the attribute canonicalize.

• #max ⇒ Object writeonly

  Sets the attribute max.

• #min ⇒ Object writeonly

  Sets the attribute min.

Attributes inherited from BaseRule

#allow_nil, #encoder, #name

Instance Method Summary

• #add_blacklist(p) ⇒ Object

  Add a blacklist regex.

• #add_whitelist(p) ⇒ Object

  Add a whitelist regex.

• #check_black_list(context, input, original = nil) ⇒ Object

  Checks input against blacklists.

• #check_empty(context, input, orig = nil) ⇒ Object
• #check_length(context, input, original = nil) ⇒ Object

  Checks input lengths.

• #check_white_list(context, input, original = nil) ⇒ Object

  Checks input against whitelists.

• #create_regex(p) ⇒ Object

  Ensure we dont show the warnings to stderr, just fail the regexp.

• #initialize(type, encoder = nil, whitelist_pattern = nil) ⇒ StringRule constructor

  Create an instance of the String vlidator whitelist_pattern is an optionla white listing regex.

• #sanitize(context, input) ⇒ Object

  Remvoe any non alpha numerics form the string.

• #valid(context, input) ⇒ Object

  Parse the input, raise exceptions if validation fails see BaseRule.

Methods inherited from BaseRule

#safe, #valid?, #validate, #whitelist

Constructor Details

#initialize(type, encoder = nil, whitelist_pattern = nil) ⇒ StringRule

Create an instance of the String vlidator whitelist_pattern is an optionla white listing regex

# File 'lib/validator/string_rule.rb', line 14

def initialize(type,encoder = nil,whitelist_pattern = nil)
  super(type,encoder)
  @white_list = []
  @black_list = []
  @white_list << whitelist_pattern unless whitelist_pattern.nil?
  @min = 0
  @max = 0
  @canonicalize = false
end

Instance Attribute Details

#canonicalize=(value) ⇒ Object (writeonly)

Sets the attribute canonicalize

Parameters:

• value —

  the value to set the attribute canonicalize to.

# File 'lib/validator/string_rule.rb', line 10

def canonicalize=(value)
  @canonicalize = value
end

#max=(value) ⇒ Object (writeonly)

Sets the attribute max

Parameters:

• value —

  the value to set the attribute max to.

# File 'lib/validator/string_rule.rb', line 10

def max=(value)
  @max = value
end

#min=(value) ⇒ Object (writeonly)

Sets the attribute min

Parameters:

• value —

  the value to set the attribute min to.

# File 'lib/validator/string_rule.rb', line 10

def min=(value)
  @min = value
end

Instance Method Details

#add_blacklist(p) ⇒ Object

Add a blacklist regex

Raises:

• (ArgumentError)

# File 'lib/validator/string_rule.rb', line 31

def add_blacklist(p)
  raise ArgumentError.new("Nil Pattern") if p.nil?
  @black_list << create_regex(p)
end

#add_whitelist(p) ⇒ Object

Add a whitelist regex

Raises:

• (ArgumentError)

# File 'lib/validator/string_rule.rb', line 25

def add_whitelist(p)
  raise ArgumentError.new("Nil Pattern") if p.nil?
  @white_list << create_regex(p)
end

#check_black_list(context, input, original = nil) ⇒ Object

Checks input against blacklists.

# File 'lib/validator/string_rule.rb', line 68

def check_black_list(context,input,original = nil)
  original = input.dup if original.nil?
  @black_list.each do |p|
    if p.match(input)
      # format user msg
      user = "#{context}: Invalid input. Dangerous input matching #{p.to_s}"
      # format log message
      log = "Dangerous input: context=#{context}, type=#{@name}, pattern=#{p.to_s}"
      log << ", input=#{input}, original=#{original}"
      # raise an error
      raise Owasp::Esapi::ValidationException.new(user,log,context)
    end
  end
  input
end

#check_empty(context, input, orig = nil) ⇒ Object

Raises:

• (Owasp::Esapi::ValidationException)

# File 'lib/validator/string_rule.rb', line 104

def check_empty(context,input,orig = nil)
  return nil if @allow_nil and input.nil?
  unless input.nil?
    original = input.dup if original.nil?
    return input unless input.empty?
  end
  user = "#{context}: Input required."
  log = "Input required: context=#{context}, type=#{@name}, pattern=#{p.to_s}"
  log << ", input=#{input}, original=#{original}"
  raise Owasp::Esapi::ValidationException.new(user,log,context)
end

#check_length(context, input, original = nil) ⇒ Object

Checks input lengths

# File 'lib/validator/string_rule.rb', line 85

def check_length(context,input,original = nil)
  original = input.dup if original.nil?
  # check min value
  if input.size < @min
    user = "#{context}: Invalid input, The min length is #{@min} characters"
    log = "Input didnt meet #{@min} chars by #{input.size}: context=#{context}, type=#{@name}, pattern=#{p.to_s}"
    log << ", input=#{input}, original=#{original}"
    raise Owasp::Esapi::ValidationException.new(user,log,context)
  end
  # check max value
  if input.size > @max and @max > 0
    user = "#{context}: Invalid input, The max length is #{@max} characters"
    log = "Input exceed #{@max} chars by #{input.size}: context=#{context}, type=#{@name}, pattern=#{p.to_s}"
    log << ", input=#{input}, original=#{original}"
    raise Owasp::Esapi::ValidationException.new(user,log,context)
  end
  input
end

#check_white_list(context, input, original = nil) ⇒ Object

Checks input against whitelists.

# File 'lib/validator/string_rule.rb', line 49

def check_white_list(context,input,original = nil)
  original = input.dup if original.nil?
  @white_list.each do |p|
    match = p.match(input)
    if match.nil? or not match[0].eql?(input)
      # format user msg
      user = "#{context}: Invalid input. Conform to #{p.to_s}"
      user << " with a max length of #{@max}" unless @max == 0
      # format log message
      log = "Invalid input: context=#{context}, type=#{@name}, pattern=#{p.to_s}"
      log << ", input=#{input}, original=#{original}"
      # raise an error
      raise Owasp::Esapi::ValidationException.new(user,log,context)
    end
  end
  input
end

#create_regex(p) ⇒ Object

Ensure we dont show the warnings to stderr, just fail the regexp

# File 'lib/validator/string_rule.rb', line 37

def create_regex(p) #:nodoc:
  output = StringIO.open('','w')
  $stderr = output
  begin
    r = /#{p}/
  ensure
    output.close
    $stderr = STDERR
  end
end

#sanitize(context, input) ⇒ Object

Remvoe any non alpha numerics form the string

# File 'lib/validator/string_rule.rb', line 117

def sanitize(context,input)
  whitelist(input,Owasp::Esapi::Ecnoder::CHAR_ALPHANUMERIC)
end

#valid(context, input) ⇒ Object

Parse the input, raise exceptions if validation fails see BaseRule

# File 'lib/validator/string_rule.rb', line 123

def valid(context,input)

  data = nil
  return nil if check_empty(context,input).nil?
  # check for pre-canonicalize if we are in sanitize mode
  check_length(context,input) if @canonicalize
  check_white_list(context,input) if @canonicalize
  check_black_list(context,input) if @canonicalize
  if @canonicalize
    data = encoder.canonicalize(input)
  else
    data = input
  end
  # no check again after we figured otu canonicalization
  return nil if check_empty(context,input).nil?
  check_length(context,input)
  check_white_list(context,input)
  check_black_list(context,input)
  data
end